walletpress/wp-plugin/includes/class-walletpress.php
Rug Munch Media LLC ac36eb97e0
fix(audit): Wave 3 — WP plugin AES-GCM + email verification
P2-12 — Hosted email verification (opt-in)
  Added verify_email() method + /hosting/verify-email endpoint.
  When WP_REQUIRE_EMAIL_VERIFY=1:
    - Registration returns a verification_token in the response
    - User calls POST /hosting/verify-email with the token to activate
    - Token expires in 24 hours
  Email sending is documented but not automated (caller must wire
  core/email_notify.py). For community/self-hosted, verification is
  auto-skipped (email_verified=1 by default).

P2-18 — WP plugin AES-CBC → AES-GCM
  class-walletpress.php encrypt()/decrypt() was using AES-256-CBC
  with no authentication, making stored values vulnerable to
  padding-oracle and bit-flipping attacks.
  New format: base64(iv[12] || ciphertext || tag[16]) using AES-256-GCM.
  decrypt() auto-detects format and falls back to legacy CBC for
  backwards compat with existing encrypted values (e.g. the API
  key option in wp_options).

P2-10 — register() api_key plaintext note
  api_key in response body is intentional (the user MUST save it).
  But added a clearer 'warning' note and documented why.

Test results: 80 passed, 5 skipped (no regressions).

Refs: AUDIT.md P2-12, P2-18, P2-10
2026-06-30 21:10:34 +07:00

253 lines
15 KiB
PHP

<?php
defined('ABSPATH') || exit;
class WalletPress {
private array $modules = [];
private ?WalletPressAPI $api = null;
/**
* Encrypt a value using WordPress salt as the key.
*
* P2-18 fix: Was AES-256-CBC without authentication (malleable, vulnerable
* to padding-oracle / bit-flipping attacks). Now AES-256-GCM with the
* 16-byte auth tag appended to the IV field. Format:
* base64( iv (12B) || ciphertext || tag (16B) )
* On legacy decrypt() (CBC), auto-detects and decodes the old format
* so existing encrypted values still work after an update.
*/
public static function encrypt(string $plaintext): string {
if ($plaintext === '') return '';
$key = defined('LOGGED_IN_KEY') ? LOGGED_IN_KEY : wp_salt('logged_in');
// Derive a 32-byte key from the salt (it may be shorter than 32 chars)
$key = hash('sha256', $key, true);
$iv = openssl_random_pseudo_bytes(12);
$tag = '';
$cipher = openssl_encrypt(
$plaintext,
'aes-256-gcm',
$key,
OPENSSL_RAW_DATA,
$iv,
$tag,
'',
16
);
// Format: base64(iv (12) || ciphertext || tag (16))
return base64_encode($iv . $cipher . $tag);
}
/** Decrypt a value encrypted by encrypt(). Supports legacy CBC format. */
public static function decrypt(string $ciphertext): string {
if ($ciphertext === '') return '';
$key = defined('LOGGED_IN_KEY') ? LOGGED_IN_KEY : wp_salt('logged_in');
$data = base64_decode($ciphertext, true);
if ($data === false || strlen($data) < 16) return '';
// Auto-detect format. GCM: 12B IV + N ciphertext + 16B tag = at least 28B.
// CBC legacy: 16B IV + N ciphertext. Heuristic: try GCM first if
// (len - 12 - 16) >= 0; otherwise legacy CBC.
$key = hash('sha256', $key, true);
if (strlen($data) >= 28) {
// Try GCM first
$iv = substr($data, 0, 12);
$tag = substr($data, -16);
$cipher = substr($data, 12, -16);
$plain = openssl_decrypt($cipher, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '');
if ($plain !== false) return $plain;
// Fall through to CBC attempt
}
// Legacy CBC: 16B IV + ciphertext
$iv = substr($data, 0, 16);
$cipher = substr($data, 16);
return openssl_decrypt($cipher, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv) ?: '';
}
public function init(): void {
add_action('init', [$this, 'load_textdomain']);
add_action('init', [$this, 'register_shortcodes']);
add_filter('pre_update_option_walletpress_api_key', [__CLASS__, 'encrypt'], 10, 1);
add_filter('option_walletpress_api_key', [__CLASS__, 'decrypt'], 10, 1);
add_action('wp_enqueue_scripts', [$this, 'enqueue_frontend']);
add_action('admin_enqueue_scripts', [$this, 'enqueue_admin']);
add_action('rest_api_init', [$this, 'register_routes']);
add_filter('script_loader_tag', [$this, 'add_module_scripts'], 10, 3);
$this->api = new WalletPressAPI(
get_option('walletpress_api_url', ''),
get_option('walletpress_api_key', '')
);
$this->modules = [
'admin' => new WalletPressAdmin($this),
'auth' => new WalletPressAuth($this),
'gate' => new WalletPressGate($this),
'payments' => new WalletPressPayments($this),
];
do_action('walletpress_init', $this);
}
public function api(): WalletPressAPI { return $this->api; }
public function module(string $name): ?object { return $this->modules[$name] ?? null; }
public function load_textdomain(): void {
load_plugin_textdomain('walletpress', false, dirname(plugin_basename(WALLETPRESS_FILE)) . '/languages');
}
public function register_shortcodes(): void {
add_shortcode('wallet_connect', [WalletPressAuth::class, 'render_connect_button']);
add_shortcode('wallet_gate', [WalletPressGate::class, 'render_gate']);
add_shortcode('wallet_pay', [WalletPressPayments::class, 'render_pay_button']);
add_shortcode('wallet_profile', [$this, 'render_profile']);
add_shortcode('wallet_generate', [$this, 'render_generate_shortcode']);
}
public function render_generate_shortcode(): string {
if (!current_user_can('manage_options')) return '';
ob_start(); ?>
<div class="walletpress-generate-shortcode">
<form class="wp-generate-form">
<select name="chain"><?php foreach ($this->supported_chains() as $k => $c): ?>
<option value="<?php echo esc_attr($k); ?>"><?php echo esc_html($c['label']); ?></option>
<?php endforeach; ?></select>
<input type="text" name="label" placeholder="Label (optional)">
<button type="submit" class="walletpress-btn walletpress-btn-pay">Generate</button>
</form>
<pre class="wp-gen-result" style="display:none;"></pre>
</div>
<?php
return ob_get_clean();
}
public function register_routes(): void {
$c = 'WalletPressAuth';
$g = 'WalletPressGate';
$p = 'WalletPressPayments';
register_rest_route('walletpress/v1', '/auth/nonce', ['methods' => 'GET', 'callback' => [$c, 'rest_nonce'], 'permission_callback' => '__return_true']);
register_rest_route('walletpress/v1', '/auth/verify', ['methods' => 'POST', 'callback' => [$c, 'rest_verify'], 'permission_callback' => '__return_true']);
register_rest_route('walletpress/v1', '/auth/me', ['methods' => 'GET', 'callback' => [$c, 'rest_me'], 'permission_callback' => '__return_true']);
register_rest_route('walletpress/v1', '/auth/balance', ['methods' => 'GET', 'callback' => [$c, 'rest_balance'], 'permission_callback' => '__return_true']);
register_rest_route('walletpress/v1', '/generate', ['methods' => 'POST', 'callback' => [$this, 'rest_generate'], 'permission_callback' => function() { return current_user_can('manage_options'); }]);
register_rest_route('walletpress/v1', '/vault', ['methods' => 'GET', 'callback' => [$this, 'rest_vault'], 'permission_callback' => function() { return current_user_can('manage_options'); }]);
register_rest_route('walletpress/v1', '/verify-ownership', ['methods' => 'POST', 'callback' => [$g, 'rest_verify_ownership'], 'permission_callback' => '__return_true']);
register_rest_route('walletpress/v1', '/payments/create', ['methods' => 'POST', 'callback' => [$p, 'rest_create_payment'], 'permission_callback' => '__return_true']);
register_rest_route('walletpress/v1', '/payments/verify', ['methods' => 'POST', 'callback' => [$p, 'rest_verify_payment'], 'permission_callback' => '__return_true']);
}
public function rest_generate(WP_REST_Request $req): WP_REST_Response {
$result = $this->api->generate_wallet(sanitize_text_field($req->get_param('chain')), sanitize_text_field($req->get_param('label')));
return new WP_REST_Response($result ?: ['error' => 'Generation failed'], $result ? 200 : 502);
}
public function rest_vault(): WP_REST_Response {
$vault = $this->api->list_vault();
return new WP_REST_Response($vault ?: ['error' => 'Failed to fetch vault'], $vault ? 200 : 502);
}
public function enqueue_frontend(): void {
wp_enqueue_script('walletpress', WALLETPRESS_URL . 'assets/js/walletpress.js', [], WALLETPRESS_VERSION, true);
wp_enqueue_style('walletpress', WALLETPRESS_URL . 'assets/css/walletpress.css', [], WALLETPRESS_VERSION);
$user = wp_get_current_user();
wp_localize_script('walletpress', 'walletpress', [
'rest' => esc_url_raw(rest_url('walletpress/v1')),
'nonce' => wp_create_nonce('wp_rest'),
'api_url' => get_option('walletpress_api_url', ''),
'user' => $user->ID ? ['id' => $user->ID, 'display_name' => $user->display_name, 'wallet' => get_user_meta($user->ID, 'walletpress_address', true) ?: null] : null,
'chains' => $this->supported_chains(),
]);
}
public function enqueue_admin(string $hook): void {
if (str_contains($hook, 'walletpress')) {
wp_enqueue_style('walletpress-admin', WALLETPRESS_URL . 'assets/css/walletpress.css', [], WALLETPRESS_VERSION);
wp_enqueue_script('walletpress-admin', WALLETPRESS_URL . 'assets/js/walletpress-admin.js', [], WALLETPRESS_VERSION, true);
wp_localize_script('walletpress-admin', 'walletpress_admin', [
'nonce' => wp_create_nonce('walletpress_admin'),
'ajax' => admin_url('admin-ajax.php'),
]);
}
}
public function add_module_scripts(string $tag, string $handle, string $src): string {
return ($handle === 'walletpress') ? str_replace('<script', '<script type="module"', $tag) : $tag;
}
public function supported_chains(): array {
return [
'solana' => ['label' => 'Solana', 'icon' => 'sol', 'wallet' => 'phantom'],
'ethereum' => ['label' => 'Ethereum', 'icon' => 'eth', 'wallet' => 'metamask'],
'base' => ['label' => 'Base', 'icon' => 'base', 'wallet' => 'metamask'],
'polygon' => ['label' => 'Polygon', 'icon' => 'matic', 'wallet' => 'metamask'],
'bsc' => ['label' => 'BNB Chain', 'icon' => 'bnb', 'wallet' => 'metamask'],
'arbitrum' => ['label' => 'Arbitrum', 'icon' => 'arb', 'wallet' => 'metamask'],
'optimism' => ['label' => 'Optimism', 'icon' => 'op', 'wallet' => 'metamask'],
'avalanche' => ['label' => 'Avalanche', 'icon' => 'avax', 'wallet' => 'metamask'],
'bitcoin' => ['label' => 'Bitcoin', 'icon' => 'btc', 'wallet' => ''],
'tron' => ['label' => 'Tron', 'icon' => 'trx', 'wallet' => ''],
'fantom' => ['label' => 'Fantom', 'icon' => 'ftm', 'wallet' => 'metamask'],
'gnosis' => ['label' => 'Gnosis', 'icon' => 'xdai', 'wallet' => 'metamask'],
'celo' => ['label' => 'Celo', 'icon' => 'celo', 'wallet' => 'metamask'],
'scroll' => ['label' => 'Scroll', 'icon' => 'scr', 'wallet' => 'metamask'],
'zksync' => ['label' => 'zkSync Era', 'icon' => 'zk', 'wallet' => 'metamask'],
'blast' => ['label' => 'Blast', 'icon' => 'blast', 'wallet' => 'metamask'],
'mantle' => ['label' => 'Mantle', 'icon' => 'mnt', 'wallet' => 'metamask'],
'linea' => ['label' => 'Linea', 'icon' => 'linea', 'wallet' => 'metamask'],
'metis' => ['label' => 'Metis', 'icon' => 'metis', 'wallet' => 'metamask'],
'opbnb' => ['label' => 'opBNB', 'icon' => 'bnb', 'wallet' => 'metamask'],
'manta' => ['label' => 'Manta', 'icon' => 'manta', 'wallet' => 'metamask'],
'starknet' => ['label' => 'StarkNet', 'icon' => 'strk', 'wallet' => 'metamask'],
'polygon_zkevm' => ['label' => 'Polygon zkEVM', 'icon' => 'poly', 'wallet' => 'metamask'],
'litecoin' => ['label' => 'Litecoin', 'icon' => 'ltc', 'wallet' => ''],
'dogecoin' => ['label' => 'Dogecoin', 'icon' => 'doge', 'wallet' => ''],
'bitcoin_cash' => ['label' => 'Bitcoin Cash', 'icon' => 'bch', 'wallet' => ''],
'cardano' => ['label' => 'Cardano', 'icon' => 'ada', 'wallet' => ''],
'polkadot' => ['label' => 'Polkadot', 'icon' => 'dot', 'wallet' => ''],
'kusama' => ['label' => 'Kusama', 'icon' => 'ksm', 'wallet' => ''],
'cosmos' => ['label' => 'Cosmos', 'icon' => 'atom', 'wallet' => ''],
'osmosis' => ['label' => 'Osmosis', 'icon' => 'osmo', 'wallet' => ''],
'injective' => ['label' => 'Injective', 'icon' => 'inj', 'wallet' => ''],
'ripple' => ['label' => 'Ripple', 'icon' => 'xrp', 'wallet' => ''],
'stellar' => ['label' => 'Stellar', 'icon' => 'xlm', 'wallet' => ''],
'near' => ['label' => 'NEAR', 'icon' => 'near', 'wallet' => ''],
'sui' => ['label' => 'Sui', 'icon' => 'sui', 'wallet' => ''],
'aptos' => ['label' => 'Aptos', 'icon' => 'apt', 'wallet' => ''],
'algorand' => ['label' => 'Algorand', 'icon' => 'algo', 'wallet' => ''],
'tezos' => ['label' => 'Tezos', 'icon' => 'xtz', 'wallet' => ''],
'monero' => ['label' => 'Monero', 'icon' => 'xmr', 'wallet' => ''],
'filecoin' => ['label' => 'Filecoin', 'icon' => 'fil', 'wallet' => ''],
'internet_computer' => ['label' => 'Internet Computer', 'icon' => 'icp', 'wallet' => ''],
'hedera' => ['label' => 'Hedera', 'icon' => 'hbar', 'wallet' => ''],
'ton' => ['label' => 'TON', 'icon' => 'ton', 'wallet' => ''],
'nano' => ['label' => 'Nano', 'icon' => 'nano', 'wallet' => ''],
'elrond' => ['label' => 'Elrond', 'icon' => 'egld', 'wallet' => ''],
'casper' => ['label' => 'Casper', 'icon' => 'cspr', 'wallet' => ''],
'zilliqa' => ['label' => 'Zilliqa', 'icon' => 'zil', 'wallet' => ''],
'sei' => ['label' => 'Sei', 'icon' => 'sei', 'wallet' => ''],
'juno' => ['label' => 'Juno', 'icon' => 'juno', 'wallet' => ''],
'kava' => ['label' => 'Kava', 'icon' => 'kava', 'wallet' => 'metamask'],
'moonbeam' => ['label' => 'Moonbeam', 'icon' => 'glmr', 'wallet' => 'metamask'],
'cronos' => ['label' => 'Cronos', 'icon' => 'cro', 'wallet' => 'metamask'],
'harmony' => ['label' => 'Harmony', 'icon' => 'one', 'wallet' => 'metamask'],
'aurora' => ['label' => 'Aurora', 'icon' => 'aurora', 'wallet' => 'metamask'],
];
}
public function render_profile(): string {
if (!is_user_logged_in()) return do_shortcode('[wallet_connect]');
$user = wp_get_current_user();
$wallet = get_user_meta($user->ID, 'walletpress_address', true);
ob_start(); ?>
<div class="walletpress-profile">
<h3><?php esc_html_e('Wallet Profile', 'walletpress'); ?></h3>
<p><strong><?php esc_html_e('User:', 'walletpress'); ?></strong> <?php echo esc_html($user->display_name); ?></p>
<?php if ($wallet): ?>
<p><strong><?php esc_html_e('Wallet:', 'walletpress'); ?></strong> <code><?php echo esc_html(substr($wallet, 0, 6) . '...' . substr($wallet, -4)); ?></code></p>
<button class="walletpress-disconnect button"><?php esc_html_e('Disconnect Wallet', 'walletpress'); ?></button>
<?php else: echo do_shortcode('[wallet_connect]'); endif; ?>
</div>
<?php return ob_get_clean();
}
}