Merge pull request #1253 from Codeinwp/bugfix/pro/520

vytisbulkevicius · web-flow · commit fdb151158003 · 2026-03-03T17:34:22.000+02:00
Added WooCommerce request verification token
diff --git a/classes/Visualizer/Source/Json.php b/classes/Visualizer/Source/Json.php
@@ -457,6 +457,17 @@ function( $headers ) {
 			}
 		}
 
+		// Check if this is a WooCommerce endpoint request and add verification token.
+		if ( $this->is_woocommerce_request( $url ) ) {
+			// Generate a unique token for this specific request.
+			$token = wp_generate_password( 32, false );
+			set_transient( 'visualizer_wc_token_' . $token, time(), 60 );
+			if ( ! isset( $args['headers'] ) ) {
+				$args['headers'] = array();
+			}
+			$args['headers']['X-Visualizer-Token'] = $token;
+		}
+
 		do_action( 'themeisle_log_event', Visualizer_Plugin::NAME, sprintf( 'Connecting to %s with args = %s ', $url, print_r( $args, true ) ), 'debug', __FILE__, __LINE__ );
 		return wp_remote_request( $url, $args );
 	}
@@ -488,6 +499,51 @@ public function refresh( $series ) {
 		return true;
 	}
 
+	/**
+	 * Check if the URL is a WooCommerce endpoint request.
+	 *
+	 * @access private
+	 * @param string $url The URL to check.
+	 * @return bool True if it's a WooCommerce request, false otherwise.
+	 */
+	private function is_woocommerce_request( $url ) {
+		if ( empty( $url ) ) {
+			return false;
+		}
+
+		$parsed_url = function_exists( 'wp_parse_url' ) ? wp_parse_url( $url ) : parse_url( $url );
+		if ( empty( $parsed_url ) || empty( $parsed_url['host'] ) || empty( $parsed_url['path'] ) ) {
+			return false;
+		}
+
+		$site_url   = function_exists( 'home_url' ) ? home_url() : ( function_exists( 'site_url' ) ? site_url() : '' );
+		$site_parts = $site_url ? ( function_exists( 'wp_parse_url' ) ? wp_parse_url( $site_url ) : parse_url( $site_url ) ) : array();
+		if ( empty( $site_parts['host'] ) ) {
+			return false;
+		}
+
+		$target_host = strtolower( $parsed_url['host'] );
+		$site_host   = strtolower( $site_parts['host'] );
+		if ( $target_host !== $site_host ) {
+			return false;
+		}
+
+		$path        = '/' . ltrim( $parsed_url['path'], '/' );
+		$wc_patterns = array(
+			'/wp-json/wc/',
+			'/wp-json/wc-analytics/',
+			'/wc-analytics/',
+		);
+
+		foreach ( $wc_patterns as $pattern ) {
+			if ( strpos( $path, $pattern ) !== false ) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
 	/**
 	 * Returns source name.
 	 *
