P2-12 — Hosted email verification (opt-in)
Added verify_email() method + /hosting/verify-email endpoint.
When WP_REQUIRE_EMAIL_VERIFY=1:
- Registration returns a verification_token in the response
- User calls POST /hosting/verify-email with the token to activate
- Token expires in 24 hours
Email sending is documented but not automated (caller must wire
core/email_notify.py). For community/self-hosted, verification is
auto-skipped (email_verified=1 by default).
P2-18 — WP plugin AES-CBC → AES-GCM
class-walletpress.php encrypt()/decrypt() was using AES-256-CBC
with no authentication, making stored values vulnerable to
padding-oracle and bit-flipping attacks.
New format: base64(iv[12] || ciphertext || tag[16]) using AES-256-GCM.
decrypt() auto-detects format and falls back to legacy CBC for
backwards compat with existing encrypted values (e.g. the API
key option in wp_options).
P2-10 — register() api_key plaintext note
api_key in response body is intentional (the user MUST save it).
But added a clearer 'warning' note and documented why.
Test results: 80 passed, 5 skipped (no regressions).
Refs: AUDIT.md P2-12, P2-18, P2-10
253 lines
15 KiB
PHP
253 lines
15 KiB
PHP
<?php
|
|
defined('ABSPATH') || exit;
|
|
|
|
class WalletPress {
|
|
private array $modules = [];
|
|
private ?WalletPressAPI $api = null;
|
|
|
|
/**
|
|
* Encrypt a value using WordPress salt as the key.
|
|
*
|
|
* P2-18 fix: Was AES-256-CBC without authentication (malleable, vulnerable
|
|
* to padding-oracle / bit-flipping attacks). Now AES-256-GCM with the
|
|
* 16-byte auth tag appended to the IV field. Format:
|
|
* base64( iv (12B) || ciphertext || tag (16B) )
|
|
* On legacy decrypt() (CBC), auto-detects and decodes the old format
|
|
* so existing encrypted values still work after an update.
|
|
*/
|
|
public static function encrypt(string $plaintext): string {
|
|
if ($plaintext === '') return '';
|
|
$key = defined('LOGGED_IN_KEY') ? LOGGED_IN_KEY : wp_salt('logged_in');
|
|
// Derive a 32-byte key from the salt (it may be shorter than 32 chars)
|
|
$key = hash('sha256', $key, true);
|
|
$iv = openssl_random_pseudo_bytes(12);
|
|
$tag = '';
|
|
$cipher = openssl_encrypt(
|
|
$plaintext,
|
|
'aes-256-gcm',
|
|
$key,
|
|
OPENSSL_RAW_DATA,
|
|
$iv,
|
|
$tag,
|
|
'',
|
|
16
|
|
);
|
|
// Format: base64(iv (12) || ciphertext || tag (16))
|
|
return base64_encode($iv . $cipher . $tag);
|
|
}
|
|
|
|
/** Decrypt a value encrypted by encrypt(). Supports legacy CBC format. */
|
|
public static function decrypt(string $ciphertext): string {
|
|
if ($ciphertext === '') return '';
|
|
$key = defined('LOGGED_IN_KEY') ? LOGGED_IN_KEY : wp_salt('logged_in');
|
|
$data = base64_decode($ciphertext, true);
|
|
if ($data === false || strlen($data) < 16) return '';
|
|
|
|
// Auto-detect format. GCM: 12B IV + N ciphertext + 16B tag = at least 28B.
|
|
// CBC legacy: 16B IV + N ciphertext. Heuristic: try GCM first if
|
|
// (len - 12 - 16) >= 0; otherwise legacy CBC.
|
|
$key = hash('sha256', $key, true);
|
|
if (strlen($data) >= 28) {
|
|
// Try GCM first
|
|
$iv = substr($data, 0, 12);
|
|
$tag = substr($data, -16);
|
|
$cipher = substr($data, 12, -16);
|
|
$plain = openssl_decrypt($cipher, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '');
|
|
if ($plain !== false) return $plain;
|
|
// Fall through to CBC attempt
|
|
}
|
|
// Legacy CBC: 16B IV + ciphertext
|
|
$iv = substr($data, 0, 16);
|
|
$cipher = substr($data, 16);
|
|
return openssl_decrypt($cipher, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv) ?: '';
|
|
}
|
|
|
|
public function init(): void {
|
|
add_action('init', [$this, 'load_textdomain']);
|
|
add_action('init', [$this, 'register_shortcodes']);
|
|
add_filter('pre_update_option_walletpress_api_key', [__CLASS__, 'encrypt'], 10, 1);
|
|
add_filter('option_walletpress_api_key', [__CLASS__, 'decrypt'], 10, 1);
|
|
add_action('wp_enqueue_scripts', [$this, 'enqueue_frontend']);
|
|
add_action('admin_enqueue_scripts', [$this, 'enqueue_admin']);
|
|
add_action('rest_api_init', [$this, 'register_routes']);
|
|
add_filter('script_loader_tag', [$this, 'add_module_scripts'], 10, 3);
|
|
|
|
$this->api = new WalletPressAPI(
|
|
get_option('walletpress_api_url', ''),
|
|
get_option('walletpress_api_key', '')
|
|
);
|
|
|
|
$this->modules = [
|
|
'admin' => new WalletPressAdmin($this),
|
|
'auth' => new WalletPressAuth($this),
|
|
'gate' => new WalletPressGate($this),
|
|
'payments' => new WalletPressPayments($this),
|
|
];
|
|
|
|
do_action('walletpress_init', $this);
|
|
}
|
|
|
|
public function api(): WalletPressAPI { return $this->api; }
|
|
public function module(string $name): ?object { return $this->modules[$name] ?? null; }
|
|
|
|
public function load_textdomain(): void {
|
|
load_plugin_textdomain('walletpress', false, dirname(plugin_basename(WALLETPRESS_FILE)) . '/languages');
|
|
}
|
|
|
|
public function register_shortcodes(): void {
|
|
add_shortcode('wallet_connect', [WalletPressAuth::class, 'render_connect_button']);
|
|
add_shortcode('wallet_gate', [WalletPressGate::class, 'render_gate']);
|
|
add_shortcode('wallet_pay', [WalletPressPayments::class, 'render_pay_button']);
|
|
add_shortcode('wallet_profile', [$this, 'render_profile']);
|
|
add_shortcode('wallet_generate', [$this, 'render_generate_shortcode']);
|
|
}
|
|
|
|
public function render_generate_shortcode(): string {
|
|
if (!current_user_can('manage_options')) return '';
|
|
ob_start(); ?>
|
|
<div class="walletpress-generate-shortcode">
|
|
<form class="wp-generate-form">
|
|
<select name="chain"><?php foreach ($this->supported_chains() as $k => $c): ?>
|
|
<option value="<?php echo esc_attr($k); ?>"><?php echo esc_html($c['label']); ?></option>
|
|
<?php endforeach; ?></select>
|
|
<input type="text" name="label" placeholder="Label (optional)">
|
|
<button type="submit" class="walletpress-btn walletpress-btn-pay">Generate</button>
|
|
</form>
|
|
<pre class="wp-gen-result" style="display:none;"></pre>
|
|
</div>
|
|
<?php
|
|
return ob_get_clean();
|
|
}
|
|
|
|
public function register_routes(): void {
|
|
$c = 'WalletPressAuth';
|
|
$g = 'WalletPressGate';
|
|
$p = 'WalletPressPayments';
|
|
|
|
register_rest_route('walletpress/v1', '/auth/nonce', ['methods' => 'GET', 'callback' => [$c, 'rest_nonce'], 'permission_callback' => '__return_true']);
|
|
register_rest_route('walletpress/v1', '/auth/verify', ['methods' => 'POST', 'callback' => [$c, 'rest_verify'], 'permission_callback' => '__return_true']);
|
|
register_rest_route('walletpress/v1', '/auth/me', ['methods' => 'GET', 'callback' => [$c, 'rest_me'], 'permission_callback' => '__return_true']);
|
|
register_rest_route('walletpress/v1', '/auth/balance', ['methods' => 'GET', 'callback' => [$c, 'rest_balance'], 'permission_callback' => '__return_true']);
|
|
|
|
register_rest_route('walletpress/v1', '/generate', ['methods' => 'POST', 'callback' => [$this, 'rest_generate'], 'permission_callback' => function() { return current_user_can('manage_options'); }]);
|
|
register_rest_route('walletpress/v1', '/vault', ['methods' => 'GET', 'callback' => [$this, 'rest_vault'], 'permission_callback' => function() { return current_user_can('manage_options'); }]);
|
|
register_rest_route('walletpress/v1', '/verify-ownership', ['methods' => 'POST', 'callback' => [$g, 'rest_verify_ownership'], 'permission_callback' => '__return_true']);
|
|
|
|
register_rest_route('walletpress/v1', '/payments/create', ['methods' => 'POST', 'callback' => [$p, 'rest_create_payment'], 'permission_callback' => '__return_true']);
|
|
register_rest_route('walletpress/v1', '/payments/verify', ['methods' => 'POST', 'callback' => [$p, 'rest_verify_payment'], 'permission_callback' => '__return_true']);
|
|
}
|
|
|
|
public function rest_generate(WP_REST_Request $req): WP_REST_Response {
|
|
$result = $this->api->generate_wallet(sanitize_text_field($req->get_param('chain')), sanitize_text_field($req->get_param('label')));
|
|
return new WP_REST_Response($result ?: ['error' => 'Generation failed'], $result ? 200 : 502);
|
|
}
|
|
|
|
public function rest_vault(): WP_REST_Response {
|
|
$vault = $this->api->list_vault();
|
|
return new WP_REST_Response($vault ?: ['error' => 'Failed to fetch vault'], $vault ? 200 : 502);
|
|
}
|
|
|
|
public function enqueue_frontend(): void {
|
|
wp_enqueue_script('walletpress', WALLETPRESS_URL . 'assets/js/walletpress.js', [], WALLETPRESS_VERSION, true);
|
|
wp_enqueue_style('walletpress', WALLETPRESS_URL . 'assets/css/walletpress.css', [], WALLETPRESS_VERSION);
|
|
$user = wp_get_current_user();
|
|
wp_localize_script('walletpress', 'walletpress', [
|
|
'rest' => esc_url_raw(rest_url('walletpress/v1')),
|
|
'nonce' => wp_create_nonce('wp_rest'),
|
|
'api_url' => get_option('walletpress_api_url', ''),
|
|
'user' => $user->ID ? ['id' => $user->ID, 'display_name' => $user->display_name, 'wallet' => get_user_meta($user->ID, 'walletpress_address', true) ?: null] : null,
|
|
'chains' => $this->supported_chains(),
|
|
]);
|
|
}
|
|
|
|
public function enqueue_admin(string $hook): void {
|
|
if (str_contains($hook, 'walletpress')) {
|
|
wp_enqueue_style('walletpress-admin', WALLETPRESS_URL . 'assets/css/walletpress.css', [], WALLETPRESS_VERSION);
|
|
wp_enqueue_script('walletpress-admin', WALLETPRESS_URL . 'assets/js/walletpress-admin.js', [], WALLETPRESS_VERSION, true);
|
|
wp_localize_script('walletpress-admin', 'walletpress_admin', [
|
|
'nonce' => wp_create_nonce('walletpress_admin'),
|
|
'ajax' => admin_url('admin-ajax.php'),
|
|
]);
|
|
}
|
|
}
|
|
|
|
public function add_module_scripts(string $tag, string $handle, string $src): string {
|
|
return ($handle === 'walletpress') ? str_replace('<script', '<script type="module"', $tag) : $tag;
|
|
}
|
|
|
|
public function supported_chains(): array {
|
|
return [
|
|
'solana' => ['label' => 'Solana', 'icon' => 'sol', 'wallet' => 'phantom'],
|
|
'ethereum' => ['label' => 'Ethereum', 'icon' => 'eth', 'wallet' => 'metamask'],
|
|
'base' => ['label' => 'Base', 'icon' => 'base', 'wallet' => 'metamask'],
|
|
'polygon' => ['label' => 'Polygon', 'icon' => 'matic', 'wallet' => 'metamask'],
|
|
'bsc' => ['label' => 'BNB Chain', 'icon' => 'bnb', 'wallet' => 'metamask'],
|
|
'arbitrum' => ['label' => 'Arbitrum', 'icon' => 'arb', 'wallet' => 'metamask'],
|
|
'optimism' => ['label' => 'Optimism', 'icon' => 'op', 'wallet' => 'metamask'],
|
|
'avalanche' => ['label' => 'Avalanche', 'icon' => 'avax', 'wallet' => 'metamask'],
|
|
'bitcoin' => ['label' => 'Bitcoin', 'icon' => 'btc', 'wallet' => ''],
|
|
'tron' => ['label' => 'Tron', 'icon' => 'trx', 'wallet' => ''],
|
|
'fantom' => ['label' => 'Fantom', 'icon' => 'ftm', 'wallet' => 'metamask'],
|
|
'gnosis' => ['label' => 'Gnosis', 'icon' => 'xdai', 'wallet' => 'metamask'],
|
|
'celo' => ['label' => 'Celo', 'icon' => 'celo', 'wallet' => 'metamask'],
|
|
'scroll' => ['label' => 'Scroll', 'icon' => 'scr', 'wallet' => 'metamask'],
|
|
'zksync' => ['label' => 'zkSync Era', 'icon' => 'zk', 'wallet' => 'metamask'],
|
|
'blast' => ['label' => 'Blast', 'icon' => 'blast', 'wallet' => 'metamask'],
|
|
'mantle' => ['label' => 'Mantle', 'icon' => 'mnt', 'wallet' => 'metamask'],
|
|
'linea' => ['label' => 'Linea', 'icon' => 'linea', 'wallet' => 'metamask'],
|
|
'metis' => ['label' => 'Metis', 'icon' => 'metis', 'wallet' => 'metamask'],
|
|
'opbnb' => ['label' => 'opBNB', 'icon' => 'bnb', 'wallet' => 'metamask'],
|
|
'manta' => ['label' => 'Manta', 'icon' => 'manta', 'wallet' => 'metamask'],
|
|
'starknet' => ['label' => 'StarkNet', 'icon' => 'strk', 'wallet' => 'metamask'],
|
|
'polygon_zkevm' => ['label' => 'Polygon zkEVM', 'icon' => 'poly', 'wallet' => 'metamask'],
|
|
'litecoin' => ['label' => 'Litecoin', 'icon' => 'ltc', 'wallet' => ''],
|
|
'dogecoin' => ['label' => 'Dogecoin', 'icon' => 'doge', 'wallet' => ''],
|
|
'bitcoin_cash' => ['label' => 'Bitcoin Cash', 'icon' => 'bch', 'wallet' => ''],
|
|
'cardano' => ['label' => 'Cardano', 'icon' => 'ada', 'wallet' => ''],
|
|
'polkadot' => ['label' => 'Polkadot', 'icon' => 'dot', 'wallet' => ''],
|
|
'kusama' => ['label' => 'Kusama', 'icon' => 'ksm', 'wallet' => ''],
|
|
'cosmos' => ['label' => 'Cosmos', 'icon' => 'atom', 'wallet' => ''],
|
|
'osmosis' => ['label' => 'Osmosis', 'icon' => 'osmo', 'wallet' => ''],
|
|
'injective' => ['label' => 'Injective', 'icon' => 'inj', 'wallet' => ''],
|
|
'ripple' => ['label' => 'Ripple', 'icon' => 'xrp', 'wallet' => ''],
|
|
'stellar' => ['label' => 'Stellar', 'icon' => 'xlm', 'wallet' => ''],
|
|
'near' => ['label' => 'NEAR', 'icon' => 'near', 'wallet' => ''],
|
|
'sui' => ['label' => 'Sui', 'icon' => 'sui', 'wallet' => ''],
|
|
'aptos' => ['label' => 'Aptos', 'icon' => 'apt', 'wallet' => ''],
|
|
'algorand' => ['label' => 'Algorand', 'icon' => 'algo', 'wallet' => ''],
|
|
'tezos' => ['label' => 'Tezos', 'icon' => 'xtz', 'wallet' => ''],
|
|
'monero' => ['label' => 'Monero', 'icon' => 'xmr', 'wallet' => ''],
|
|
'filecoin' => ['label' => 'Filecoin', 'icon' => 'fil', 'wallet' => ''],
|
|
'internet_computer' => ['label' => 'Internet Computer', 'icon' => 'icp', 'wallet' => ''],
|
|
'hedera' => ['label' => 'Hedera', 'icon' => 'hbar', 'wallet' => ''],
|
|
'ton' => ['label' => 'TON', 'icon' => 'ton', 'wallet' => ''],
|
|
'nano' => ['label' => 'Nano', 'icon' => 'nano', 'wallet' => ''],
|
|
'elrond' => ['label' => 'Elrond', 'icon' => 'egld', 'wallet' => ''],
|
|
'casper' => ['label' => 'Casper', 'icon' => 'cspr', 'wallet' => ''],
|
|
'zilliqa' => ['label' => 'Zilliqa', 'icon' => 'zil', 'wallet' => ''],
|
|
'sei' => ['label' => 'Sei', 'icon' => 'sei', 'wallet' => ''],
|
|
'juno' => ['label' => 'Juno', 'icon' => 'juno', 'wallet' => ''],
|
|
'kava' => ['label' => 'Kava', 'icon' => 'kava', 'wallet' => 'metamask'],
|
|
'moonbeam' => ['label' => 'Moonbeam', 'icon' => 'glmr', 'wallet' => 'metamask'],
|
|
'cronos' => ['label' => 'Cronos', 'icon' => 'cro', 'wallet' => 'metamask'],
|
|
'harmony' => ['label' => 'Harmony', 'icon' => 'one', 'wallet' => 'metamask'],
|
|
'aurora' => ['label' => 'Aurora', 'icon' => 'aurora', 'wallet' => 'metamask'],
|
|
];
|
|
}
|
|
|
|
public function render_profile(): string {
|
|
if (!is_user_logged_in()) return do_shortcode('[wallet_connect]');
|
|
$user = wp_get_current_user();
|
|
$wallet = get_user_meta($user->ID, 'walletpress_address', true);
|
|
ob_start(); ?>
|
|
<div class="walletpress-profile">
|
|
<h3><?php esc_html_e('Wallet Profile', 'walletpress'); ?></h3>
|
|
<p><strong><?php esc_html_e('User:', 'walletpress'); ?></strong> <?php echo esc_html($user->display_name); ?></p>
|
|
<?php if ($wallet): ?>
|
|
<p><strong><?php esc_html_e('Wallet:', 'walletpress'); ?></strong> <code><?php echo esc_html(substr($wallet, 0, 6) . '...' . substr($wallet, -4)); ?></code></p>
|
|
<button class="walletpress-disconnect button"><?php esc_html_e('Disconnect Wallet', 'walletpress'); ?></button>
|
|
<?php else: echo do_shortcode('[wallet_connect]'); endif; ?>
|
|
</div>
|
|
<?php return ob_get_clean();
|
|
}
|
|
}
|