From 82b48c2906159973e3e518e4e55afe56fa07b70e Mon Sep 17 00:00:00 2001
From: Diego Curbelo
Date: Fri, 2 Aug 2024 20:29:43 -0300
Subject: [PATCH] Use different transients for live and test oauth state validations (#3335)
---
 includes/connect/class-wc-stripe-connect.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/includes/connect/class-wc-stripe-connect.php b/includes/connect/class-wc-stripe-connect.php
index 32aa0a859..96bf3368a 100644
--- a/includes/connect/class-wc-stripe-connect.php
+++ b/includes/connect/class-wc-stripe-connect.php
@@ -56,7 +56,7 @@ public function get_oauth_url( $return_url = '', $mode = 'live' ) {
 return $result;
 }
- set_transient( 'wcs_stripe_connect_state', $result->state, 6 * HOUR_IN_SECONDS );
+ set_transient( 'wcs_stripe_connect_state_' . $mode, $result->state, 6 * HOUR_IN_SECONDS );
 return $result->oauthUrl; // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
 }
@@ -74,7 +74,7 @@ public function connect_oauth( $state, $code, $mode = 'live' ) {
 // The state parameter is used to protect against CSRF.
 // It's a unique, randomly generated, opaque, and non-guessable string that is sent when starting the
 // authentication request and validated when processing the response.
- if ( get_transient( 'wcs_stripe_connect_state' ) !== $state ) {
+ if ( get_transient( 'wcs_stripe_connect_state_' . $mode ) !== $state ) {
 return new WP_Error( 'Invalid state received from Stripe server' );
 }
@@ -84,7 +84,7 @@ public function connect_oauth( $state, $code, $mode = 'live' ) {
 return $response;
 }
- delete_transient( 'wcs_stripe_connect_state' );
+ delete_transient( 'wcs_stripe_connect_state_' . $mode );
 return $this->save_stripe_keys( $response, $mode );
 }
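Review bot: `$mode` is concatenated into the transient name in `get_oauth_url` without being checked against the two modes this commit targets, and the same expression is repeated in both `connect_oauth` hunks (the `get_transient` and `delete_transient` calls). If a caller ever passes anything other than `'live'` or `'test'` (where `connect_oauth` gets its `$mode` from is not visible here), the state is stored or looked up under an unexpected key and the three call sites can drift apart. Normalising once per method, e.g. `$mode = 'test' === $mode ? 'test' : 'live';`, or building the name in one small private helper used by all three sites, would keep set/get/delete in step. The body of `get_oauth_url` starts above this hunk.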
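Review bot: The state check in `connect_oauth` compares the stored value with `!==`, which is not a constant-time comparison and rejects an expired transient only implicitly, through the type mismatch with the `false` that `get_transient()` returns. Because this value is the CSRF token for the OAuth flow, I would fetch it first with `$expected = get_transient( 'wcs_stripe_connect_state_' . $mode );` and then test `if ( ! is_string( $expected ) || ! is_string( $state ) || ! hash_equals( $expected, $state ) ) {`. A short comment such as `// A missing or expired state is treated as a mismatch.` would document the `false` case. `connect_oauth` starts above this hunk and continues past it.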
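Review bot: The per-mode state transient is deleted only after the exchange has succeeded; the early `return $response;` just above the `delete_transient` line leaves it in place, so the same `state` stays acceptable until the 6-hour expiry set in `get_oauth_url`. A state value is normally single-use, so consider moving `delete_transient( 'wcs_stripe_connect_state_' . $mode );` to directly after the state comparison passes, before the request that produces `$response`. If keeping it for a retry after a failed exchange is intentional, a comment saying so next to the early return would help. The condition guarding that early return is outside this hunk.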