Merge branch 'security1'
This commit is contained in:
commit
640911a1e2
3 changed files with 389 additions and 244 deletions
|
@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file.
|
||||||
|
|
||||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||||
|
|
||||||
|
|
||||||
|
## [Unreleased]
|
||||||
|
|
||||||
|
- Security hardening changes to plugin queries.
|
||||||
|
- Re-design of ZGo API callback to support WooCommerce 7.8.0
|
||||||
|
|
||||||
## [1.0.0-beta.1] - 2023-01-11
|
## [1.0.0-beta.1] - 2023-01-11
|
||||||
|
|
||||||
- Adjust production server integration
|
- Adjust production server integration
|
||||||
|
|
|
@ -232,9 +232,9 @@ class zpmt_stats_page {
|
||||||
font-weight: 600;">';
|
font-weight: 600;">';
|
||||||
}
|
}
|
||||||
$line++;
|
$line++;
|
||||||
print '<td><a href="https://dev.zgo.cash/invoice/' . $row->pmt_orderid . '" target="_blank">' . $row->pmt_orderid . "</a></td>";
|
print '<td><a href="https://dev.zgo.cash/invoice/' . htmlentities($row->pmt_orderid, ENT_QUOTES) . '" target="_blank">' . htmlentities($row->pmt_orderid, ENT_QUOTES) . "</a></td>";
|
||||||
print "<td>" . $row->pmt_wc_order . "</td>";
|
print "<td>" . $row->pmt_wc_order . "</td>";
|
||||||
print "<td>" . $row->pmt_wc_custname . "</td>";
|
print "<td>" . htmlentities($row->pmt_wc_custname, ENT_QUOTES) . "</td>";
|
||||||
print '<td style="text-align:center;">'. $row->pmt_accepted . "</td>";
|
print '<td style="text-align:center;">'. $row->pmt_accepted . "</td>";
|
||||||
print '<td style="text-align:center;">'.$row->pmt_confirmed ."</td>";
|
print '<td style="text-align:center;">'.$row->pmt_confirmed ."</td>";
|
||||||
print '<td style="text-align:right;">'. number_format($row->pmt_amount,2) . "</td>";
|
print '<td style="text-align:right;">'. number_format($row->pmt_amount,2) . "</td>";
|
||||||
|
|
273
zgopmtgwy.php
273
zgopmtgwy.php
|
@ -3,11 +3,11 @@
|
||||||
* Plugin Name: ZGo Payment Gateway
|
* Plugin Name: ZGo Payment Gateway
|
||||||
* Plugin URI: https://vergara.tech'
|
* Plugin URI: https://vergara.tech'
|
||||||
* Description: ZGo latest payment processing solution for Woocommerce. Accept payments using Zcash.
|
* Description: ZGo latest payment processing solution for Woocommerce. Accept payments using Zcash.
|
||||||
* Version: 1.0.0 beta
|
* Version: 1.0.0
|
||||||
* Requires at least: 5.2
|
* Requires at least: 5.2
|
||||||
* Requires PHP: 7.2
|
* Requires PHP: 7.2
|
||||||
* Author: Vergara Tech LLC
|
* Author: Vergara Tech LLC
|
||||||
* Author URI: https://vergara.tech
|
* Author URI: https://zgo.cash/
|
||||||
* License: GPL v2 or later
|
* License: GPL v2 or later
|
||||||
* License URI: https://www.gnu.org/licenses/gpl-2.0.html
|
* License URI: https://www.gnu.org/licenses/gpl-2.0.html
|
||||||
**/
|
**/
|
||||||
|
@ -93,10 +93,17 @@ function zgopmt_init() {
|
||||||
|
|
||||||
if ( ! $this->is_valid_for_use() )
|
if ( ! $this->is_valid_for_use() )
|
||||||
$this->enabled = false;
|
$this->enabled = false;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Add the webhook for payment confirmation from ZGo
|
* Add the webhook for payment confirmation from ZGo
|
||||||
*/
|
*/
|
||||||
add_action( 'woocommerce_api_zpmtcallback', array($this,'zconfirm'));
|
//add_action( 'woocommerce_api_zpmtcallback', array($this,'zconfirm'));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function register_routes() {
|
||||||
|
register_rest_route( 'wc/v3', 'zgocallback', array(
|
||||||
|
'methods' => 'GET',
|
||||||
|
'callback' => array($this,'zgoapicallback')));
|
||||||
}
|
}
|
||||||
|
|
||||||
public function init_form_fields() {
|
public function init_form_fields() {
|
||||||
|
@ -174,7 +181,7 @@ function zgopmt_init() {
|
||||||
if ( isset($this->zgoownerid) &&
|
if ( isset($this->zgoownerid) &&
|
||||||
($this->zgoownerid !== '') ) {
|
($this->zgoownerid !== '') ) {
|
||||||
|
|
||||||
$url = 'https://api.zgo.cash//auth?ownerid=' .
|
$url = 'https://test.zgo.cash/auth?ownerid=' .
|
||||||
$this->zgoownerid . '&token=' .
|
$this->zgoownerid . '&token=' .
|
||||||
$this->zgotoken . '&siteurl=' .
|
$this->zgotoken . '&siteurl=' .
|
||||||
$this->base64url_encode($this->siteURL);
|
$this->base64url_encode($this->siteURL);
|
||||||
|
@ -190,7 +197,7 @@ function zgopmt_init() {
|
||||||
$oid = json_decode($body);
|
$oid = json_decode($body);
|
||||||
$isvalid = $oid->{'authorized'};
|
$isvalid = $oid->{'authorized'};
|
||||||
break;
|
break;
|
||||||
case 202:git
|
case 202:
|
||||||
$body = wp_remote_retrieve_body($response );
|
$body = wp_remote_retrieve_body($response );
|
||||||
$oid = json_decode($body);
|
$oid = json_decode($body);
|
||||||
break;
|
break;
|
||||||
|
@ -213,7 +220,7 @@ function zgopmt_init() {
|
||||||
$wc_order_key = $order->get_order_key();
|
$wc_order_key = $order->get_order_key();
|
||||||
|
|
||||||
|
|
||||||
$url = 'https://api.zgo.cash/woopayment' .
|
$url = 'https://test.zgo.cash/woopayment' .
|
||||||
'?ownerid=' . $this->zgoownerid .
|
'?ownerid=' . $this->zgoownerid .
|
||||||
'&token=' . $this->zgotoken .
|
'&token=' . $this->zgotoken .
|
||||||
'&order_id=' . $order_id .
|
'&order_id=' . $order_id .
|
||||||
|
@ -235,34 +242,37 @@ function zgopmt_init() {
|
||||||
$body = wp_remote_retrieve_body( $response );
|
$body = wp_remote_retrieve_body( $response );
|
||||||
$oid = json_decode($body);
|
$oid = json_decode($body);
|
||||||
$zgoOrderid = $oid->{'order'};
|
$zgoOrderid = $oid->{'order'};
|
||||||
|
$zgoOrderToken = $oid->{'token'};
|
||||||
//
|
//
|
||||||
// Save ZGo Order ID and Cart order
|
// Save ZGo Order ID and Cart order
|
||||||
//
|
//
|
||||||
$sql = "replace into zgo_payments (" .
|
$sql3 = $wpdb->prepare('replace into zgo_payments (pmt_orderid, pmt_wc_order, pmt_wc_custname, pmt_accepted, pmt_confirmed, pmt_amount, pmt_rate, pmt_zec, pmt_wc_paid) values (%s, %s, %s, %s, %s, %f, 0, 0, 0);',
|
||||||
"pmt_orderid," .
|
$zgoOrderid, $order_id, $order->get_billing_first_name() . ' ' . $order->get_billing_last_name(), date('Y-m-d H:i:s'), '', $order->get_total());
|
||||||
"pmt_wc_order," .
|
//$sql = "replace into zgo_payments (" .
|
||||||
"pmt_wc_custname," .
|
//"pmt_orderid," .
|
||||||
"pmt_accepted," .
|
//"pmt_wc_order," .
|
||||||
"pmt_confirmed," .
|
//"pmt_wc_custname," .
|
||||||
"pmt_amount," .
|
//"pmt_accepted," .
|
||||||
"pmt_rate," .
|
//"pmt_confirmed," .
|
||||||
"pmt_zec," .
|
//"pmt_amount," .
|
||||||
"pmt_wc_paid) values ('" .
|
//"pmt_rate," .
|
||||||
$zgoOrderid . "','" .
|
//"pmt_zec," .
|
||||||
$order_id . "','" .
|
//"pmt_wc_paid) values ('" .
|
||||||
$order->get_billing_first_name() . " " .
|
//$zgoOrderid . "','" .
|
||||||
$order->get_billing_last_name() . "','" .
|
//$order_id . "','" .
|
||||||
date('Y-m-d H:i:s') . "','',".
|
//$order->get_billing_first_name() . " " .
|
||||||
$order->get_total() .
|
//$order->get_billing_last_name() . "','" .
|
||||||
",0,0,0)";
|
//date('Y-m-d H:i:s') . "','',".
|
||||||
$wpdb->query($sql);
|
//$order->get_total() .
|
||||||
|
//",0,0,0)";
|
||||||
|
$wpdb->query($sql3);
|
||||||
|
|
||||||
// Remove cart.
|
// Remove cart.
|
||||||
WC()->cart->empty_cart();
|
WC()->cart->empty_cart();
|
||||||
|
|
||||||
return array(
|
return array(
|
||||||
'result' => 'success',
|
'result' => 'success',
|
||||||
'redirect' => 'https://app.zgo.cash/invoice/' . $zgoOrderid,
|
'redirect' => 'https://dev.zgo.cash/invoice/' . $zgoOrderid . '?token=' . $zgoOrderToken,
|
||||||
);
|
);
|
||||||
break;
|
break;
|
||||||
case 202:
|
case 202:
|
||||||
|
@ -279,53 +289,58 @@ function zgopmt_init() {
|
||||||
/**
|
/**
|
||||||
* Confirm payment and complete order
|
* Confirm payment and complete order
|
||||||
*/
|
*/
|
||||||
public function zconfirm() {
|
//public function zconfirm() {
|
||||||
|
|
||||||
global $wpdb;
|
//global $wpdb;
|
||||||
|
|
||||||
$token = $_GET['token'];
|
//$token = $_GET['token'];
|
||||||
$zgoOrderid = $_GET['orderid'];
|
//$zgoOrderid = $_GET['orderid'];
|
||||||
$orderid = $_GET['wc_orderid'];
|
//$orderid = $_GET['wc_orderid'];
|
||||||
$totalzec = $_GET['totalzec'];
|
//$totalzec = $_GET['totalzec'];
|
||||||
$rate = $_GET['rate'];
|
//$rate = $_GET['rate'];
|
||||||
$order = wc_get_order( $orderid );
|
//$order = wc_get_order( $orderid );
|
||||||
|
|
||||||
$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';";
|
//$sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s ;', $orderid);
|
||||||
$result = $wpdb->get_row($sql,OBJECT);
|
////$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';";
|
||||||
if ( ! is_null($result) ) {
|
//$result = $wpdb->get_row($sql,OBJECT);
|
||||||
|
//if ( ! is_null($result) ) {
|
||||||
|
|
||||||
if ( ( $token == $this->zgotoken )
|
//if ( ($token == $this->zgotoken )
|
||||||
&& ( $result->pmt_orderid == $zgoOrderid )
|
//&& ( $result->pmt_orderid == $zgoOrderid )
|
||||||
&& ( $result->pmt_wc_paid == '0' ) ) {
|
//&& ( $result->pmt_wc_paid == '0' ) ) {
|
||||||
switch ( $order->get_status() ) {
|
//switch ( $order->get_status() ) {
|
||||||
case 'pending':
|
//case 'pending':
|
||||||
case 'failed':
|
//case 'failed':
|
||||||
$order->payment_complete();
|
//$order->payment_complete();
|
||||||
$order->reduce_order_stock();
|
//$order->reduce_order_stock();
|
||||||
//
|
////
|
||||||
// Mark order as completed in ZGo DB
|
//// Mark order as completed in ZGo DB
|
||||||
//
|
////
|
||||||
$sql = "update zgo_payments set " .
|
////$sql = "update zgo_payments set " .
|
||||||
"pmt_confirmed='" . date('Y-m-d H:i:s') .
|
////"pmt_confirmed='" . date('Y-m-d H:i:s') .
|
||||||
"', pmt_rate=" . $rate .
|
////"', pmt_rate=" . $rate .
|
||||||
", pmt_zec=" . $totalzec .
|
////", pmt_zec=" . $totalzec .
|
||||||
", pmt_wc_paid=1 " .
|
////", pmt_wc_paid=1 " .
|
||||||
" where pmt_wc_order='" . $orderid . "';";
|
////" where pmt_wc_order='" . $orderid . "';";
|
||||||
$wpdb->query($sql);
|
//$sql2 = $wpdb->prepare('update zgo_payments set pmt_confirmed = %s, pmt_rate = %f, pmt_zec = %f, pmt_wc_paid = 1 where pmt_wc_order = %s;', date('Y-m-d H:i:s'), $rate, $totalzec, $orderid );
|
||||||
|
//$wpdb->query($sql2);
|
||||||
|
|
||||||
update_option('webhook_debug', $_GET);
|
//update_option('webhook_debug', $_GET);
|
||||||
break;
|
//break;
|
||||||
default:
|
//default:
|
||||||
// $this->console_log('Order ' . $orderid . ' already paid or cancelled...');
|
////$this->console_log('Order ' . $orderid . ' already paid or cancelled...');
|
||||||
break;
|
//return array("message" => 'Order ' . $orderid . ' already paid or cancelled...');
|
||||||
}
|
//break;
|
||||||
} else {
|
//}
|
||||||
// $this->console_log('Invalid parameters...');
|
//} else {
|
||||||
}
|
////$this->console_log('Invalid parameters...');
|
||||||
} else {
|
//return array("message" => 'Invalid parameters...');
|
||||||
// $this->console_log('Database error...');
|
//}
|
||||||
}
|
//} else {
|
||||||
}
|
////$this->console_log('Database error...');
|
||||||
|
//return array("message" => 'Database error...');
|
||||||
|
//}
|
||||||
|
//}
|
||||||
|
|
||||||
public function thankyou_page () {
|
public function thankyou_page () {
|
||||||
if ( $description = $this->get_description() ) {
|
if ( $description = $this->get_description() ) {
|
||||||
|
@ -346,6 +361,66 @@ function zgopmt_init() {
|
||||||
return $edata;
|
return $edata;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function zgoapicallback($request) {
|
||||||
|
global $wpdb;
|
||||||
|
|
||||||
|
//$token = $_GET['token'];
|
||||||
|
//$zgoOrderid = $_GET['orderid'];
|
||||||
|
//$orderid = $_GET['wc_orderid'];
|
||||||
|
//$totalzec = $_GET['totalzec'];
|
||||||
|
//$rate = $_GET['rate'];
|
||||||
|
$token = $request->get_param('token');
|
||||||
|
$zgoOrderid = $request->get_param('orderid');
|
||||||
|
$orderid = $request->get_param('wc_orderid');
|
||||||
|
$totalzec = $request->get_param('totalzec');
|
||||||
|
$rate = $request->get_param('rate');
|
||||||
|
$order = wc_get_order( $orderid );
|
||||||
|
|
||||||
|
$sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s ;', $orderid);
|
||||||
|
//$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';";
|
||||||
|
$result = $wpdb->get_row($sql,OBJECT);
|
||||||
|
if ( ! is_null($result) ) {
|
||||||
|
|
||||||
|
if ( (hash('sha256',$token) == hash('sha256',$this->zgotoken) )
|
||||||
|
&& ( $result->pmt_orderid == $zgoOrderid )
|
||||||
|
&& ( $result->pmt_wc_paid == '0' ) ) {
|
||||||
|
switch ( $order->get_status() ) {
|
||||||
|
case 'pending':
|
||||||
|
case 'failed':
|
||||||
|
$order->payment_complete();
|
||||||
|
$order->reduce_order_stock();
|
||||||
|
//
|
||||||
|
// Mark order as completed in ZGo DB
|
||||||
|
//
|
||||||
|
//$sql = "update zgo_payments set " .
|
||||||
|
//"pmt_confirmed='" . date('Y-m-d H:i:s') .
|
||||||
|
//"', pmt_rate=" . $rate .
|
||||||
|
//", pmt_zec=" . $totalzec .
|
||||||
|
//", pmt_wc_paid=1 " .
|
||||||
|
//" where pmt_wc_order='" . $orderid . "';";
|
||||||
|
$sql2 = $wpdb->prepare('update zgo_payments set pmt_confirmed = %s, pmt_rate = %f, pmt_zec = %f, pmt_wc_paid = 1 where pmt_wc_order = %s;', date('Y-m-d H:i:s'), $rate, $totalzec, $orderid );
|
||||||
|
$wpdb->query($sql2);
|
||||||
|
|
||||||
|
//update_option('webhook_debug', $_GET);
|
||||||
|
return array('message' => 'Order '. $orderid . ' mark as paid correctly.');
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
//$this->console_log('Order ' . $orderid . ' already paid or cancelled...');
|
||||||
|
return array("message" => 'Order ' . $orderid . ' already paid or cancelled...');
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
//$this->console_log('Invalid parameters...');
|
||||||
|
return array("message" => 'Invalid parameters...');
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
//$this->console_log('Database error...');
|
||||||
|
return array("message" => 'Database error...');
|
||||||
|
}
|
||||||
|
//return array( 'custom' => 'Data', "request" => $data->get_params() );
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
add_filter( 'woocommerce_payment_gateways',
|
add_filter( 'woocommerce_payment_gateways',
|
||||||
|
@ -371,3 +446,67 @@ function zgopmtlist_plugin() {
|
||||||
$plugin->init();
|
$plugin->init();
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function get_custom($data) {
|
||||||
|
global $wpdb;
|
||||||
|
|
||||||
|
//$token = $_GET['token'];
|
||||||
|
//$zgoOrderid = $_GET['orderid'];
|
||||||
|
//$orderid = $_GET['wc_orderid'];
|
||||||
|
//$totalzec = $_GET['totalzec'];
|
||||||
|
//$rate = $_GET['rate'];
|
||||||
|
$token = $data->get_param('token');
|
||||||
|
$zgoOrderid = $data->get_param('orderid');
|
||||||
|
$orderid = $data->get_param('wc_orderid');
|
||||||
|
$totalzec = $data->get_param('totalzec');
|
||||||
|
$rate = $data->get_param('rate');
|
||||||
|
$order = wc_get_order( $orderid );
|
||||||
|
|
||||||
|
$sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s ;', $orderid);
|
||||||
|
//$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';";
|
||||||
|
$result = $wpdb->get_row($sql,OBJECT);
|
||||||
|
if ( ! is_null($result) ) {
|
||||||
|
|
||||||
|
if ( ($token == $this->zgotoken )
|
||||||
|
&& ( $result->pmt_orderid == $zgoOrderid )
|
||||||
|
&& ( $result->pmt_wc_paid == '0' ) ) {
|
||||||
|
switch ( $order->get_status() ) {
|
||||||
|
case 'pending':
|
||||||
|
case 'failed':
|
||||||
|
$order->payment_complete();
|
||||||
|
$order->reduce_order_stock();
|
||||||
|
//
|
||||||
|
// Mark order as completed in ZGo DB
|
||||||
|
//
|
||||||
|
//$sql = "update zgo_payments set " .
|
||||||
|
//"pmt_confirmed='" . date('Y-m-d H:i:s') .
|
||||||
|
//"', pmt_rate=" . $rate .
|
||||||
|
//", pmt_zec=" . $totalzec .
|
||||||
|
//", pmt_wc_paid=1 " .
|
||||||
|
//" where pmt_wc_order='" . $orderid . "';";
|
||||||
|
$sql2 = $wpdb->prepare('update zgo_payments set pmt_confirmed = %s, pmt_rate = %f, pmt_zec = %f, pmt_wc_paid = 1 where pmt_wc_order = %s;', date('Y-m-d H:i:s'), $rate, $totalzec, $orderid );
|
||||||
|
$wpdb->query($sql2);
|
||||||
|
|
||||||
|
//update_option('webhook_debug', $_GET);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
//$this->console_log('Order ' . $orderid . ' already paid or cancelled...');
|
||||||
|
return array("message" => 'Order ' . $orderid . ' already paid or cancelled...');
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
//$this->console_log('Invalid parameters...');
|
||||||
|
return array("message" => 'Invalid parameters...');
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
//$this->console_log('Database error...');
|
||||||
|
return array("message" => 'Database error...');
|
||||||
|
}
|
||||||
|
//return array( 'custom' => 'Data', "request" => $data->get_params() );
|
||||||
|
}
|
||||||
|
|
||||||
|
function plugin_register_rest_apis() {
|
||||||
|
$zgoPlugin = new WC_ZGopmt_Gateway();
|
||||||
|
$zgoPlugin->register_routes();
|
||||||
|
}
|
||||||
|
add_action( 'rest_api_init', 'plugin_register_rest_apis');
|
||||||
|
|
Loading…
Reference in a new issue