diff --git a/classes/Visualizer/Source/Json.php b/classes/Visualizer/Source/Json.php
index e4068f64b..2961cd3ba 100644
--- a/classes/Visualizer/Source/Json.php
+++ b/classes/Visualizer/Source/Json.php
@@ -457,6 +457,17 @@ function( $headers ) {
 }
 }
+ // Check if this is a WooCommerce endpoint request and add verification token.
+ if ( $this->is_woocommerce_request( $url ) ) {
+ // Generate a unique token for this specific request.
+ $token = wp_generate_password( 32, false );
+ set_transient( 'visualizer_wc_token_' . $token, time(), 60 );
+ if ( ! isset( $args['headers'] ) ) {
+ $args['headers'] = array();
+ }
+ $args['headers']['X-Visualizer-Token'] = $token;
+ }
+
 do_action( 'themeisle_log_event', Visualizer_Plugin::NAME, sprintf( 'Connecting to %s with args = %s ', $url, print_r( $args, true ) ), 'debug', __FILE__, __LINE__ );
 return wp_remote_request( $url, $args );
 }
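Review bot: The `do_action( 'themeisle_log_event', ... print_r( $args, true ) ... )` call that follows the new block now writes the freshly minted `X-Visualizer-Token` into the debug log, so anyone who can read that log holds a live token for as long as the 60-second transient exists. Log a redacted copy of the arguments (or move the log call above the token block) so the credential never leaves the request path. The transient value is only `time()`; if the receiving side is what the header name suggests, storing the target path instead would let it bind the token to the endpoint it was issued for and delete it on first use — that side is not visible from this hunk, so treat this as a suggestion to verify. The enclosing method begins before this hunk.
```php
        $args['headers']['X-Visualizer-Token'] = $token;
    }

    // Never write the one-time token to the log; it is a live credential while the transient exists.
    $log_args = $args;
    if ( isset( $log_args['headers']['X-Visualizer-Token'] ) ) {
        $log_args['headers']['X-Visualizer-Token'] = '[redacted]';
    }
    do_action( 'themeisle_log_event', Visualizer_Plugin::NAME, sprintf( 'Connecting to %s with args = %s ', $url, print_r( $log_args, true ) ), 'debug', __FILE__, __LINE__ );
    return wp_remote_request( $url, $args );
```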
@@ -488,6 +499,51 @@ public function refresh( $series ) {
 return true;
 }
+ /**
+ * Check if the URL is a WooCommerce endpoint request.
+ *
+ * @access private
+ * @param string $url The URL to check.
+ * @return bool True if it's a WooCommerce request, false otherwise.
+ */
+ private function is_woocommerce_request( $url ) {
+ if ( empty( $url ) ) {
+ return false;
+ }
+
+ $parsed_url = function_exists( 'wp_parse_url' ) ? wp_parse_url( $url ) : parse_url( $url );
+ if ( empty( $parsed_url ) || empty( $parsed_url['host'] ) || empty( $parsed_url['path'] ) ) {
+ return false;
+ }
+
+ $site_url = function_exists( 'home_url' ) ? home_url() : ( function_exists( 'site_url' ) ? site_url() : '' );
+ $site_parts = $site_url ? ( function_exists( 'wp_parse_url' ) ? wp_parse_url( $site_url ) : parse_url( $site_url ) ) : array();
+ if ( empty( $site_parts['host'] ) ) {
+ return false;
+ }
+
+ $target_host = strtolower( $parsed_url['host'] );
+ $site_host = strtolower( $site_parts['host'] );
+ if ( $target_host !== $site_host ) {
+ return false;
+ }
+
+ $path = '/' . ltrim( $parsed_url['path'], '/' );
+ $wc_patterns = array(
+ '/wp-json/wc/',
+ '/wp-json/wc-analytics/',
+ '/wc-analytics/',
+ );
+
+ foreach ( $wc_patterns as $pattern ) {
+ if ( strpos( $path, $pattern ) !== false ) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
 /**
 * Returns source name.
 *
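Review bot: The host comparison at `if ( $target_host !== $site_host )` is the only gate that decides whether the `X-Visualizer-Token` header is attached, yet it ignores scheme and port, so a plain `http://` URL to an HTTPS site still qualifies and the token is sent in cleartext; compare `$parsed_url['scheme']` against `$site_parts['scheme']` as well, possibly behind a filter since sites behind TLS-terminating proxies may report a different scheme in `home_url()`. The path test `strpos( $path, $pattern ) !== false` also matches `/wp-json/wc/` anywhere in the path, which is broader than the docblock implies, while the `?rest_route=/wc/` form used when pretty permalinks are off is never recognised because the query string is discarded — a functional gap rather than a bypass. Add to the docblock: `Only same-host URLs whose path contains a WC REST prefix qualify; the ?rest_route= form is not recognised.`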