- Created a base mail template - Adapt and improve document API to usage of catalogs and processors - Adapt eveai_sync to new authentication mechanism and usage of catalogs and processors
<?php
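/**
 * Request verification and symmetric-encryption helpers for the EveAI chat plugin.
 *
 * Review notes on the original listing:
 * - verify_origin() was declared twice (once private, once public). PHP refuses
 *   to load a class that redeclares a method, so only the public variant is kept.
 * - Host matching used strpos(), which accepts the allowed host anywhere inside
 *   the Origin host. Matching is now exact-or-dot-suffix.
 */
class EveAI_Chat_Security {

    /** AES block size in bytes; also the length of the IV prefix in stored ciphertexts. */
    const IV_LENGTH = 16;

    /**
     * Checks a REST request's nonce and Origin header.
     *
     * @param object $request Request exposing get_header(); presumably a WP_REST_Request - confirm against callers.
     * @return bool True only when the nonce verifies and the origin is allowed.
     */
    public function verify_request($request) {
        // A missing or stale nonce fails closed.
        $nonce = $request->get_header('X-WP-Nonce');
        if (!wp_verify_nonce($nonce, 'wp_rest')) {
            return false;
        }

        // A request without an Origin header is rejected by verify_origin().
        $origin = $request->get_header('origin');

        return (bool) $this->verify_origin($origin);
    }

    /**
     * Decides whether an Origin header value belongs to this site.
     *
     * Allowed hosts are the site host, its "www." form, "localhost", and any
     * subdomain of those. Only the host is compared.
     *
     * NOTE(review): scheme and port are not checked, so an http:// origin is
     * accepted for an https:// site. "localhost" (and *.localhost) is always
     * allowed; consider restricting that to development builds.
     *
     * @param mixed $origin Raw Origin header value.
     * @return bool
     */
    public function verify_origin($origin) {
        if (empty($origin) || !is_string($origin)) {
            return false;
        }

        $origin_host = $this->normalize_host(parse_url($origin, PHP_URL_HOST));
        if ($origin_host === '') {
            // Unparseable origin or one without a host component.
            return false;
        }

        $allowed_origins = array('localhost');

        // Skip the site entries when the site host cannot be determined:
        // an empty allowed host would turn the suffix test into "ends with '.'".
        $site_host = $this->normalize_host(parse_url(get_site_url(), PHP_URL_HOST));
        if ($site_host !== '') {
            $allowed_origins[] = $site_host;
            $allowed_origins[] = 'www.' . $site_host;
        }

        foreach ($allowed_origins as $allowed_origin) {
            if ($this->host_matches($origin_host, $allowed_origin)) {
                return true;
            }
        }

        return false;
    }

    /**
     * Encrypts a value with AES-256-CBC under the plugin key.
     *
     * Output layout: base64( IV || base64-ciphertext ), as produced by
     * openssl_encrypt() with options = 0.
     *
     * NOTE(review): the ciphertext carries no MAC, so tampering is not detected
     * on decryption. Moving to an authenticated construction changes the stored
     * format and needs a migration, so it is not done here.
     *
     * @param mixed $data Plaintext. Values PHP treats as empty (including "0") yield ''.
     * @return string Encoded ciphertext, or '' for empty input or on encryption failure.
     */
    public function encrypt_sensitive_data($data) {
        if (empty($data)) {
            return '';
        }

        $encryption_key = $this->get_encryption_key();
        // random_bytes() is the CSPRNG already used for key generation in this class.
        $iv = random_bytes(self::IV_LENGTH);

        $encrypted = openssl_encrypt($data, 'AES-256-CBC', $encryption_key, 0, $iv);
        if ($encrypted === false) {
            // Do not hand back a bare IV that looks like a valid ciphertext.
            return '';
        }

        return base64_encode($iv . $encrypted);
    }

    /**
     * Reverses encrypt_sensitive_data().
     *
     * @param mixed $encrypted_data Value produced by encrypt_sensitive_data().
     * @return string|false Plaintext; '' for empty input; false when the input is
     *                      malformed or decryption fails.
     */
    public function decrypt_sensitive_data($encrypted_data) {
        if (empty($encrypted_data)) {
            return '';
        }
        if (!is_string($encrypted_data)) {
            return false;
        }

        $data = base64_decode($encrypted_data, true);
        // Need a full IV plus at least one byte of ciphertext.
        if ($data === false || strlen($data) <= self::IV_LENGTH) {
            return false;
        }

        $iv = substr($data, 0, self::IV_LENGTH);
        $encrypted = substr($data, self::IV_LENGTH);

        return openssl_decrypt(
            $encrypted,
            'AES-256-CBC',
            $this->get_encryption_key(),
            0,
            $iv
        );
    }

    /**
     * Returns the plugin encryption key, creating and persisting it on first use.
     *
     * NOTE(review): the key is stored as 64 hex characters. openssl_encrypt()
     * silently truncates an over-long key, so AES-256 uses only the first 32
     * characters (128 bits of entropy). Switching to the raw 32 bytes would make
     * existing ciphertexts undecryptable, so the format is left as is.
     * NOTE(review): the key lives in the options table; anyone who can read the
     * database can read the key - confirm that matches the threat model.
     *
     * @return string
     */
    private function get_encryption_key() {
        $key = get_option('eveai_chat_encryption_key');
        if (!$key) {
            $key = bin2hex(random_bytes(32));
            update_option('eveai_chat_encryption_key', $key);
        }

        return $key;
    }

    /**
     * Builds an encrypted token binding a tenant and domain to this site and the current time.
     *
     * NOTE(review): a timestamp is embedded, but no method in this class checks
     * the token's age; whoever decrypts it has to enforce expiry.
     *
     * @param mixed $tenant_id
     * @param mixed $domain
     * @return string Encrypted token, or '' if encoding or encryption fails.
     */
    public function generate_local_token($tenant_id, $domain) {
        $data = array(
            'tenant_id' => $tenant_id,
            'domain' => $domain,
            'timestamp' => time(),
            'site_url' => get_site_url(),
        );

        return $this->encrypt_sensitive_data(json_encode($data));
    }

    /**
     * Checks that a URL's host is on the allow-list (site host or "localhost").
     *
     * NOTE(review): $tenant_id is not consulted yet; the list is the same for
     * every tenant. $domain has to be a full URL - a bare host name has no host
     * component for parse_url() and is rejected.
     *
     * @param mixed $tenant_id Currently unused.
     * @param mixed $domain    URL whose host is checked.
     * @return bool
     */
    public function verify_tenant_domain($tenant_id, $domain) {
        if (!is_string($domain)) {
            return false;
        }

        $domain_host = $this->normalize_host(parse_url($domain, PHP_URL_HOST));
        if ($domain_host === '') {
            return false;
        }

        // This could be enhanced with a database check of allowed domains per tenant
        $allowed_domains = array(
            $this->normalize_host(parse_url(get_site_url(), PHP_URL_HOST)),
            'localhost',
            // Add other allowed domains as needed
        );

        // Strict comparison: no type juggling between null/false/'' and host names.
        return in_array($domain_host, $allowed_domains, true);
    }

    /**
     * Lower-cases a parse_url() host result; anything that is not a string becomes ''.
     *
     * @param mixed $host
     * @return string
     */
    private function normalize_host($host) {
        return is_string($host) ? strtolower($host) : '';
    }

    /**
     * True when $host equals $allowed or ends with "." . $allowed.
     *
     * @param string $host
     * @param string $allowed
     * @return bool
     */
    private function host_matches($host, $allowed) {
        if ($host === $allowed) {
            return true;
        }

        $suffix = '.' . $allowed;
        $suffix_length = strlen($suffix);

        return strlen($host) > $suffix_length
            && substr($host, -$suffix_length) === $suffix;
    }
}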