Edit File by line

<?php

[0] Fix | Delete

[1] Fix | Delete

namespace WPForms\Integrations\Stripe\Api;

[2] Fix | Delete

[3] Fix | Delete

use Exception;

[4] Fix | Delete

use WPForms\Vendor\Stripe\Webhook;

[5] Fix | Delete

use RuntimeException;

[6] Fix | Delete

use BadMethodCallException;

[7] Fix | Delete

use WPForms\Vendor\Stripe\Event as StripeEvent;

[8] Fix | Delete

use WPForms\Vendor\Stripe\Exception\SignatureVerificationException;

[9] Fix | Delete

use WPForms\Integrations\Stripe\Helpers;

[10] Fix | Delete

use WPForms\Integrations\Stripe\WebhooksHealthCheck;

[11] Fix | Delete

[12] Fix | Delete

/**

[13] Fix | Delete

* Webhooks Rest Route handler.

[14] Fix | Delete

[15] Fix | Delete

* @since 1.8.4

[16] Fix | Delete

[17] Fix | Delete

class WebhookRoute extends Common {

[18] Fix | Delete

[19] Fix | Delete

/**

[20] Fix | Delete

* Event type.

[21] Fix | Delete

[22] Fix | Delete

* @since 1.8.4

[23] Fix | Delete

[24] Fix | Delete

* @var string

[25] Fix | Delete

[26] Fix | Delete

private $event_type = 'unknown';

[27] Fix | Delete

[28] Fix | Delete

/**

[29] Fix | Delete

* Payload.

[30] Fix | Delete

[31] Fix | Delete

* @since 1.8.4

[32] Fix | Delete

[33] Fix | Delete

* @var array

[34] Fix | Delete

[35] Fix | Delete

private $payload = [];

[36] Fix | Delete

[37] Fix | Delete

/**

[38] Fix | Delete

* Response.

[39] Fix | Delete

[40] Fix | Delete

* @since 1.8.4

[41] Fix | Delete

[42] Fix | Delete

* @var string

[43] Fix | Delete

[44] Fix | Delete

private $response = '';

[45] Fix | Delete

[46] Fix | Delete

/**

[47] Fix | Delete

* Response code.

[48] Fix | Delete

[49] Fix | Delete

* @since 1.8.4

[50] Fix | Delete

[51] Fix | Delete

* @var int

[52] Fix | Delete

[53] Fix | Delete

private $response_code = 200;

[54] Fix | Delete

[55] Fix | Delete

/**

[56] Fix | Delete

* Initialize.

[57] Fix | Delete

[58] Fix | Delete

* @since 1.8.4

[59] Fix | Delete

[60] Fix | Delete

public function init() {

[61] Fix | Delete

[62] Fix | Delete

$this->hooks();

[63] Fix | Delete

}

[64] Fix | Delete

[65] Fix | Delete

/**

[66] Fix | Delete

* Register hooks.

[67] Fix | Delete

[68] Fix | Delete

* @since 1.8.4

[69] Fix | Delete

[70] Fix | Delete

private function hooks() {

[71] Fix | Delete

[72] Fix | Delete

if ( $this->is_rest_verification() ) {

[73] Fix | Delete

add_action( 'rest_api_init', [ $this, 'register_rest_routes' ] );

[74] Fix | Delete

[75] Fix | Delete

return;

[76] Fix | Delete

}

[77] Fix | Delete

[78] Fix | Delete

// Do not serve regular page when it seems Stripe Webhooks are still sending requests to disabled CURL endpoint.

[79] Fix | Delete

// phpcs:ignore WordPress.Security.NonceVerification.Recommended

[80] Fix | Delete

if ( isset( $_GET[ Helpers::get_webhook_endpoint_data()['fallback'] ] )

[81] Fix | Delete

&& (

[82] Fix | Delete

! Helpers::is_webhook_enabled()

[83] Fix | Delete

|| Helpers::is_rest_api_set()

[84] Fix | Delete

) ) {

[85] Fix | Delete

add_action( 'wp', [ $this, 'dispatch_with_error_500' ] );

[86] Fix | Delete

[87] Fix | Delete

return;

[88] Fix | Delete

}

[89] Fix | Delete

[90] Fix | Delete

if ( ! Helpers::is_webhook_enabled() || ! Helpers::is_webhook_configured() ) {

[91] Fix | Delete

return;

[92] Fix | Delete

}

[93] Fix | Delete

[94] Fix | Delete

if ( Helpers::is_rest_api_set() ) {

[95] Fix | Delete

add_action( 'rest_api_init', [ $this, 'register_rest_routes' ] );

[96] Fix | Delete

} else {

[97] Fix | Delete

add_action( 'wp', [ $this, 'dispatch_with_url_param' ] );

[98] Fix | Delete

}

[99] Fix | Delete

}

[100] Fix | Delete

[101] Fix | Delete

/**

[102] Fix | Delete

* Register webhook REST route.

[103] Fix | Delete

[104] Fix | Delete

* @since 1.8.4

[105] Fix | Delete

[106] Fix | Delete

public function register_rest_routes() {

[107] Fix | Delete

[108] Fix | Delete

$methods = [ 'POST' ];

[109] Fix | Delete

[110] Fix | Delete

if ( $this->is_rest_verification() ) {

[111] Fix | Delete

$methods[] = 'GET';

[112] Fix | Delete

}

[113] Fix | Delete

[114] Fix | Delete

register_rest_route(

[115] Fix | Delete

Helpers::get_webhook_endpoint_data()['namespace'],

[116] Fix | Delete

'/' . Helpers::get_webhook_endpoint_data()['route'],

[117] Fix | Delete

[

[118] Fix | Delete

'methods' => $methods,

[119] Fix | Delete

'callback' => [ $this, 'dispatch_stripe_webhooks_payload' ],

[120] Fix | Delete

'show_in_index' => false,

[121] Fix | Delete

'permission_callback' => '__return_true',

[122] Fix | Delete

]

[123] Fix | Delete

);

[124] Fix | Delete

}

[125] Fix | Delete

[126] Fix | Delete

/**

[127] Fix | Delete

* Dispatch Stripe webhooks payload for the url param.

[128] Fix | Delete

[129] Fix | Delete

* @since 1.8.4

[130] Fix | Delete

[131] Fix | Delete

public function dispatch_with_url_param() {

[132] Fix | Delete

[133] Fix | Delete

// phpcs:ignore WordPress.Security.NonceVerification.Recommended

[134] Fix | Delete

if ( ! isset( $_GET[ Helpers::get_webhook_endpoint_data()['fallback'] ] ) ) {

[135] Fix | Delete

return;

[136] Fix | Delete

}

[137] Fix | Delete

[138] Fix | Delete

$this->dispatch_stripe_webhooks_payload();

[139] Fix | Delete

}

[140] Fix | Delete

[141] Fix | Delete

/**

[142] Fix | Delete

* Dispatch Stripe webhooks payload for the url param with error 500.

[143] Fix | Delete

[144] Fix | Delete

* Runs when url param is not configured or webhooks are not enabled at all.

[145] Fix | Delete

[146] Fix | Delete

* @since 1.8.4

[147] Fix | Delete

[148] Fix | Delete

public function dispatch_with_error_500() {

[149] Fix | Delete

[150] Fix | Delete

$this->response = esc_html__( 'It seems to be request to Stripe PHP Listener method handler but the site is not configured to use it.', 'wpforms-lite' );

[151] Fix | Delete

$this->response_code = 500;

[152] Fix | Delete

[153] Fix | Delete

$this->respond();

[154] Fix | Delete

}

[155] Fix | Delete

[156] Fix | Delete

/**

[157] Fix | Delete

* Dispatch Stripe webhooks payload.

[158] Fix | Delete

[159] Fix | Delete

* @since 1.8.4

[160] Fix | Delete

[161] Fix | Delete

public function dispatch_stripe_webhooks_payload() {

[162] Fix | Delete

[163] Fix | Delete

if ( $this->is_rest_verification() ) {

[164] Fix | Delete

wp_send_json_success();

[165] Fix | Delete

}

[166] Fix | Delete

[167] Fix | Delete

try {

[168] Fix | Delete

$this->payload = file_get_contents( 'php://input' );

[169] Fix | Delete

$event = Webhook::constructEvent(

[170] Fix | Delete

$this->payload,

[171] Fix | Delete

$this->get_webhook_signature(),

[172] Fix | Delete

$this->get_webhook_signing_secret()

[173] Fix | Delete

);

[174] Fix | Delete

[175] Fix | Delete

// Update webhooks site health status.

[176] Fix | Delete

WebhooksHealthCheck::save_status( WebhooksHealthCheck::ENDPOINT_OPTION, WebhooksHealthCheck::STATUS_OK );

[177] Fix | Delete

WebhooksHealthCheck::save_status( WebhooksHealthCheck::SIGNATURE_OPTION,WebhooksHealthCheck::STATUS_OK );

[178] Fix | Delete

[179] Fix | Delete

$this->event_type = $event->type;

[180] Fix | Delete

$this->response = 'WPForms Stripe: ' . $this->event_type . ' event received.';

[181] Fix | Delete

[182] Fix | Delete

$processed = $this->process_event( $event );

[183] Fix | Delete

[184] Fix | Delete

$this->response_code = $processed ? 200 : 202;

[185] Fix | Delete

[186] Fix | Delete

$this->respond();

[187] Fix | Delete

} catch ( SignatureVerificationException $e ) {

[188] Fix | Delete

[189] Fix | Delete

WebhooksHealthCheck::save_status( WebhooksHealthCheck::SIGNATURE_OPTION, WebhooksHealthCheck::STATUS_ERROR );

[190] Fix | Delete

[191] Fix | Delete

$this->response_code = 500;

[192] Fix | Delete

$this->response = $e->getMessage();

[193] Fix | Delete

[194] Fix | Delete

$this->respond();

[195] Fix | Delete

} catch ( Exception $e ) {

[196] Fix | Delete

$this->handle_exception( $e );

[197] Fix | Delete

[198] Fix | Delete

$this->response = $e->getMessage();

[199] Fix | Delete

$this->response_code = $e instanceof BadMethodCallException ? 501 : 500;

[200] Fix | Delete

[201] Fix | Delete

$this->respond();

[202] Fix | Delete

}

[203] Fix | Delete

}

[204] Fix | Delete

[205] Fix | Delete

/**

[206] Fix | Delete

* Get webhook stripe signature.

[207] Fix | Delete

[208] Fix | Delete

* @since 1.8.4

[209] Fix | Delete

[210] Fix | Delete

* @throws RuntimeException When Stripe signature is not set.

[211] Fix | Delete

[212] Fix | Delete

* @return string

[213] Fix | Delete

[214] Fix | Delete

private function get_webhook_signature() {

[215] Fix | Delete

[216] Fix | Delete

if ( ! isset( $_SERVER['HTTP_STRIPE_SIGNATURE'] ) ) {

[217] Fix | Delete

throw new RuntimeException( 'Stripe signature is not set.' );

[218] Fix | Delete

}

[219] Fix | Delete

[220] Fix | Delete

return $_SERVER['HTTP_STRIPE_SIGNATURE']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash

[221] Fix | Delete

}

[222] Fix | Delete

[223] Fix | Delete

/**

[224] Fix | Delete

* Get webhook signing secret.

[225] Fix | Delete

[226] Fix | Delete

* @since 1.8.4

[227] Fix | Delete

[228] Fix | Delete

* @throws RuntimeException When webhook signing secret is not set.

[229] Fix | Delete

[230] Fix | Delete

* @return string

[231] Fix | Delete

[232] Fix | Delete

private function get_webhook_signing_secret() {

[233] Fix | Delete

[234] Fix | Delete

$secret = wpforms_setting( 'stripe-webhooks-secret-' . Helpers::get_stripe_mode() );

[235] Fix | Delete

[236] Fix | Delete

if ( empty( $secret ) ) {

[237] Fix | Delete

throw new RuntimeException( 'Webhook signing secret is not set.' );

[238] Fix | Delete

}

[239] Fix | Delete

[240] Fix | Delete

return $secret;

[241] Fix | Delete

}

[242] Fix | Delete

[243] Fix | Delete

/**

[244] Fix | Delete

* Process Stripe event.

[245] Fix | Delete

[246] Fix | Delete

* @since 1.8.4

[247] Fix | Delete

[248] Fix | Delete

* @param StripeEvent $event Stripe event.

[249] Fix | Delete

[250] Fix | Delete

* @return bool True if event has handling class, false otherwise.

[251] Fix | Delete

[252] Fix | Delete

private function process_event( StripeEvent $event ) {

[253] Fix | Delete

[254] Fix | Delete

$webhooks = self::get_event_whitelist();

[255] Fix | Delete

[256] Fix | Delete

// Event can't be handled.

[257] Fix | Delete

if ( ! isset( $webhooks[ $event->type ] ) || ! class_exists( $webhooks[ $event->type ] ) ) {

[258] Fix | Delete

return false;

[259] Fix | Delete

}

[260] Fix | Delete

[261] Fix | Delete

$handler = new $webhooks[ $event->type ]();

[262] Fix | Delete

[263] Fix | Delete

$handler->setup( $event );

[264] Fix | Delete

[265] Fix | Delete

return $handler->handle();

[266] Fix | Delete

}

[267] Fix | Delete

[268] Fix | Delete

/**

[269] Fix | Delete

* Get event whitelist.

[270] Fix | Delete

[271] Fix | Delete

* @since 1.8.4

[272] Fix | Delete

[273] Fix | Delete

* @return array

[274] Fix | Delete

[275] Fix | Delete

private static function get_event_whitelist() {

[276] Fix | Delete

[277] Fix | Delete

return [

[278] Fix | Delete

'charge.refunded' => Webhooks\ChargeRefunded::class,

[279] Fix | Delete

'invoice.payment_succeeded' => Webhooks\InvoicePaymentSucceeded::class,

[280] Fix | Delete

'invoice.created' => Webhooks\InvoiceCreated::class,

[281] Fix | Delete

'charge.succeeded' => Webhooks\ChargeSucceeded::class,

[282] Fix | Delete

'customer.subscription.created' => Webhooks\CustomerSubscriptionCreated::class,

[283] Fix | Delete

'customer.subscription.updated' => Webhooks\CustomerSubscriptionUpdated::class,

[284] Fix | Delete

'customer.subscription.deleted' => Webhooks\CustomerSubscriptionDeleted::class,

[285] Fix | Delete

];

[286] Fix | Delete

}

[287] Fix | Delete

[288] Fix | Delete

/**

[289] Fix | Delete

* Check if rest verification is requested.

[290] Fix | Delete

[291] Fix | Delete

* @since 1.8.4

[292] Fix | Delete

[293] Fix | Delete

* @return bool

[294] Fix | Delete

[295] Fix | Delete

private function is_rest_verification() {

[296] Fix | Delete

[297] Fix | Delete

// phpcs:ignore WordPress.Security.NonceVerification.Recommended

[298] Fix | Delete

return isset( $_GET['verify'] ) && $_GET['verify'] === '1';

[299] Fix | Delete

}

[300] Fix | Delete

[301] Fix | Delete

/**

[302] Fix | Delete

* Respond to the request.

[303] Fix | Delete

[304] Fix | Delete

* @since 1.8.4

[305] Fix | Delete

[306] Fix | Delete

private function respond() {

[307] Fix | Delete

[308] Fix | Delete

$this->log_webhook();

[309] Fix | Delete

[310] Fix | Delete

wp_die( esc_html( $this->response ), '', (int) $this->response_code );

[311] Fix | Delete

}

[312] Fix | Delete

[313] Fix | Delete

/**

[314] Fix | Delete

* Log webhook request.

[315] Fix | Delete

[316] Fix | Delete

* @since 1.8.4

[317] Fix | Delete

[318] Fix | Delete

private function log_webhook() {

[319] Fix | Delete

[320] Fix | Delete

// log only if WP_DEBUG_LOG and WPFORMS_WEBHOOKS_DEBUG are set to true.

[321] Fix | Delete

if (

[322] Fix | Delete

! defined( 'WPFORMS_WEBHOOKS_DEBUG' ) ||

[323] Fix | Delete

! WPFORMS_WEBHOOKS_DEBUG ||

[324] Fix | Delete

! defined( 'WP_DEBUG_LOG' ) ||

[325] Fix | Delete

! WP_DEBUG_LOG

[326] Fix | Delete

) {

[327] Fix | Delete

return;

[328] Fix | Delete

}

[329] Fix | Delete

[330] Fix | Delete

// If it is set to explictly display logs on output, return: this would make response to Stripe malformed.

[331] Fix | Delete

if ( defined( 'WP_DEBUG_DISPLAY' ) && WP_DEBUG_DISPLAY ) {

[332] Fix | Delete

return;

[333] Fix | Delete

}

[334] Fix | Delete

[335] Fix | Delete

$webhook_log = maybe_serialize(

[336] Fix | Delete

[

[337] Fix | Delete

'event_type' => $this->event_type,

[338] Fix | Delete

'response_code' => $this->response_code,

[339] Fix | Delete

'response' => $this->response,

[340] Fix | Delete

'payload' => $this->payload,

[341] Fix | Delete

]

[342] Fix | Delete

);

[343] Fix | Delete

[344] Fix | Delete

// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log

[345] Fix | Delete

error_log( $webhook_log );

[346] Fix | Delete

}

[347] Fix | Delete

[348] Fix | Delete

/**

[349] Fix | Delete

* Get webhooks events list.

[350] Fix | Delete

[351] Fix | Delete

* @since 1.8.4

[352] Fix | Delete

[353] Fix | Delete

* @return array

[354] Fix | Delete

[355] Fix | Delete

public static function get_webhooks_events_list() {

[356] Fix | Delete

[357] Fix | Delete

return array_keys( self::get_event_whitelist() );

[358] Fix | Delete

}

[359] Fix | Delete

}

[360] Fix | Delete

[361] Fix | Delete