Edit File by line

<?php

[0] Fix | Delete

[1] Fix | Delete

namespace WPForms\Integrations\Stripe\Admin;

[2] Fix | Delete

[3] Fix | Delete

use WPForms\Integrations\Stripe\Api\DomainManager;

[4] Fix | Delete

use WPForms\Integrations\Stripe\Api\WebhooksManager;

[5] Fix | Delete

use WPForms\Integrations\Stripe\Helpers;

[6] Fix | Delete

use WPForms\Integrations\Stripe\WebhooksHealthCheck;

[7] Fix | Delete

use WPForms\Vendor\Stripe\Account;

[8] Fix | Delete

[9] Fix | Delete

/**

[10] Fix | Delete

* Stripe Connect functionality.

[11] Fix | Delete

[12] Fix | Delete

* @since 1.8.2

[13] Fix | Delete

[14] Fix | Delete

class Connect {

[15] Fix | Delete

[16] Fix | Delete

/**

[17] Fix | Delete

* WPForms Stripe OAuth URL.

[18] Fix | Delete

[19] Fix | Delete

* @since 1.8.2

[20] Fix | Delete

[21] Fix | Delete

const WPFORMS_URL = 'https://wpforms.com/oauth/stripe-connect';

[22] Fix | Delete

[23] Fix | Delete

/**

[24] Fix | Delete

* Stripe live/test account objects.

[25] Fix | Delete

[26] Fix | Delete

* @since 1.8.2

[27] Fix | Delete

[28] Fix | Delete

* @var array

[29] Fix | Delete

[30] Fix | Delete

protected $accounts = [];

[31] Fix | Delete

[32] Fix | Delete

/**

[33] Fix | Delete

* Webhooks manager.

[34] Fix | Delete

[35] Fix | Delete

* @since 1.8.4

[36] Fix | Delete

[37] Fix | Delete

* @var WebhooksManager

[38] Fix | Delete

[39] Fix | Delete

private $webhooks_manager;

[40] Fix | Delete

[41] Fix | Delete

/**

[42] Fix | Delete

* Domain manager.

[43] Fix | Delete

[44] Fix | Delete

* @since 1.8.6

[45] Fix | Delete

[46] Fix | Delete

* @var DomainManager

[47] Fix | Delete

[48] Fix | Delete

private $domain_manager;

[49] Fix | Delete

[50] Fix | Delete

/**

[51] Fix | Delete

* Initialize.

[52] Fix | Delete

[53] Fix | Delete

* @since 1.8.2

[54] Fix | Delete

[55] Fix | Delete

* @return Connect

[56] Fix | Delete

[57] Fix | Delete

public function init() {

[58] Fix | Delete

[59] Fix | Delete

$this->webhooks_manager = new WebhooksManager();

[60] Fix | Delete

$this->domain_manager = new DomainManager();

[61] Fix | Delete

[62] Fix | Delete

$this->hooks();

[63] Fix | Delete

[64] Fix | Delete

return $this;

[65] Fix | Delete

}

[66] Fix | Delete

[67] Fix | Delete

/**

[68] Fix | Delete

* Hooks.

[69] Fix | Delete

[70] Fix | Delete

* @since 1.8.2

[71] Fix | Delete

[72] Fix | Delete

private function hooks() {

[73] Fix | Delete

[74] Fix | Delete

add_action( 'admin_init', [ $this, 'handle_oauth_handshake' ] );

[75] Fix | Delete

}

[76] Fix | Delete

[77] Fix | Delete

/**

[78] Fix | Delete

* Handle Stripe Connect OAuth handshake and save Stripe keys.

[79] Fix | Delete

[80] Fix | Delete

* @since 1.8.2

[81] Fix | Delete

[82] Fix | Delete

public function handle_oauth_handshake(): void {

[83] Fix | Delete

[84] Fix | Delete

// Handle disconnect requests.

[85] Fix | Delete

if ( $this->is_valid_disconnect_request() ) {

[86] Fix | Delete

$this->handle_disconnect();

[87] Fix | Delete

[88] Fix | Delete

return;

[89] Fix | Delete

}

[90] Fix | Delete

[91] Fix | Delete

if ( ! $this->is_valid_handshake_request() ) {

[92] Fix | Delete

return;

[93] Fix | Delete

}

[94] Fix | Delete

[95] Fix | Delete

$state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended

[96] Fix | Delete

[97] Fix | Delete

if ( empty( $state ) ) {

[98] Fix | Delete

return;

[99] Fix | Delete

}

[100] Fix | Delete

[101] Fix | Delete

$credentials = $this->fetch_stripe_credentials( $state );

[102] Fix | Delete

$required_keys = [ 'stripe_user_id', 'stripe_publishable_key', 'access_token', 'refresh_token', 'live_mode' ];

[103] Fix | Delete

[104] Fix | Delete

if ( 0 !== count( array_diff( $required_keys, array_keys( $credentials ) ) ) ) {

[105] Fix | Delete

return;

[106] Fix | Delete

}

[107] Fix | Delete

[108] Fix | Delete

$mode = empty( $credentials['live_mode'] ) ? 'test' : 'live';

[109] Fix | Delete

[110] Fix | Delete

$this->set_connected_user_id( $credentials['stripe_user_id'], $mode );

[111] Fix | Delete

$this->set_current_mode( $mode );

[112] Fix | Delete

[113] Fix | Delete

// In case of switching accounts existing account data needs to be cleared.

[114] Fix | Delete

unset( $this->accounts[ $mode ] );

[115] Fix | Delete

[116] Fix | Delete

Helpers::set_stripe_key( $credentials['stripe_publishable_key'], 'publishable', $mode );

[117] Fix | Delete

Helpers::set_stripe_key( $credentials['access_token'], 'secret', $mode );

[118] Fix | Delete

[119] Fix | Delete

$this->update_account_meta( $credentials['stripe_user_id'], $mode );

[120] Fix | Delete

$this->set_connected_account_country( $mode );

[121] Fix | Delete

$this->webhooks_manager->connect();

[122] Fix | Delete

$this->domain_manager->validate();

[123] Fix | Delete

[124] Fix | Delete

$settings_url = $this->get_payments_settings_url( false );

[125] Fix | Delete

[126] Fix | Delete

wp_safe_redirect( $settings_url );

[127] Fix | Delete

exit;

[128] Fix | Delete

}

[129] Fix | Delete

[130] Fix | Delete

/**

[131] Fix | Delete

* Validates if the current handshake request is valid.

[132] Fix | Delete

[133] Fix | Delete

* @since 1.9.5

[134] Fix | Delete

[135] Fix | Delete

private function is_valid_handshake_request(): bool {

[136] Fix | Delete

[137] Fix | Delete

if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( $_GET['_wpnonce'] ), 'wpforms_stripe_connect' ) ) {

[138] Fix | Delete

return false;

[139] Fix | Delete

}

[140] Fix | Delete

[141] Fix | Delete

if ( ! isset( $_GET['stripe_connect'] ) || $_GET['stripe_connect'] !== 'complete' ) {

[142] Fix | Delete

return false;

[143] Fix | Delete

}

[144] Fix | Delete

[145] Fix | Delete

if ( ! wpforms_current_user_can() ) {

[146] Fix | Delete

return false;

[147] Fix | Delete

}

[148] Fix | Delete

[149] Fix | Delete

return true;

[150] Fix | Delete

}

[151] Fix | Delete

[152] Fix | Delete

/**

[153] Fix | Delete

* Validates if the current disconnect request is valid.

[154] Fix | Delete

[155] Fix | Delete

* @since 1.9.8

[156] Fix | Delete

[157] Fix | Delete

* @return bool

[158] Fix | Delete

[159] Fix | Delete

private function is_valid_disconnect_request(): bool {

[160] Fix | Delete

[161] Fix | Delete

if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( $_GET['_wpnonce'] ), 'wpforms_stripe_disconnect' ) ) {

[162] Fix | Delete

return false;

[163] Fix | Delete

}

[164] Fix | Delete

[165] Fix | Delete

if ( ! wpforms_current_user_can() ) {

[166] Fix | Delete

return false;

[167] Fix | Delete

}

[168] Fix | Delete

[169] Fix | Delete

return true;

[170] Fix | Delete

}

[171] Fix | Delete

[172] Fix | Delete

/**

[173] Fix | Delete

* Fetch Stripe credentials from https://wpforms.com.

[174] Fix | Delete

[175] Fix | Delete

* @since 1.8.2

[176] Fix | Delete

[177] Fix | Delete

* @param string $state Anonymous autogenerated ID to safely fetch Stripe credentials.

[178] Fix | Delete

[179] Fix | Delete

* @return array

[180] Fix | Delete

[181] Fix | Delete

protected function fetch_stripe_credentials( $state ) {

[182] Fix | Delete

[183] Fix | Delete

$response = wp_remote_post(

[184] Fix | Delete

self::WPFORMS_URL,

[185] Fix | Delete

[

[186] Fix | Delete

'body' => [

[187] Fix | Delete

'action' => 'credentials',

[188] Fix | Delete

'state' => $state,

[189] Fix | Delete

[190] Fix | Delete

]

[191] Fix | Delete

);

[192] Fix | Delete

[193] Fix | Delete

if ( is_wp_error( $response ) ) {

[194] Fix | Delete

return [];

[195] Fix | Delete

}

[196] Fix | Delete

[197] Fix | Delete

$body = wpforms_json_decode( wp_remote_retrieve_body( $response ), true );

[198] Fix | Delete

[199] Fix | Delete

return is_array( $body ) ? $body : [];

[200] Fix | Delete

}

[201] Fix | Delete

[202] Fix | Delete

/**

[203] Fix | Delete

* Fetch Stripe Account from Stripe.

[204] Fix | Delete

[205] Fix | Delete

* @since 1.8.2

[206] Fix | Delete

[207] Fix | Delete

* @param string $mode Stripe mode (e.g. 'live' or 'test').

[208] Fix | Delete

[209] Fix | Delete

* @return null|Account

[210] Fix | Delete

[211] Fix | Delete

protected function fetch_stripe_account( $mode = '' ) {

[212] Fix | Delete

[213] Fix | Delete

$api_key = Helpers::get_stripe_key( 'secret', $mode );

[214] Fix | Delete

[215] Fix | Delete

if ( ! $api_key ) {

[216] Fix | Delete

return null;

[217] Fix | Delete

}

[218] Fix | Delete

[219] Fix | Delete

try {

[220] Fix | Delete

$account = Account::retrieve( null, sanitize_text_field( $api_key ) );

[221] Fix | Delete

} catch ( \Exception $e ) {

[222] Fix | Delete

$account = null;

[223] Fix | Delete

}

[224] Fix | Delete

[225] Fix | Delete

return $account;

[226] Fix | Delete

}

[227] Fix | Delete

[228] Fix | Delete

/**

[229] Fix | Delete

* Update connected account meta.

[230] Fix | Delete

[231] Fix | Delete

* @since 1.8.2

[232] Fix | Delete

[233] Fix | Delete

* @param string $account_id Account ID.

[234] Fix | Delete

* @param string $mode Stripe mode (e.g. 'live' or 'test').

[235] Fix | Delete

[236] Fix | Delete

public function update_account_meta( $account_id = '', $mode = '' ) {

[237] Fix | Delete

[238] Fix | Delete

if ( ! $mode ) {

[239] Fix | Delete

$mode = Helpers::get_stripe_mode();

[240] Fix | Delete

}

[241] Fix | Delete

[242] Fix | Delete

// Stripe API has limited update method for live accounts only.

[243] Fix | Delete

if ( $mode !== 'live' ) {

[244] Fix | Delete

return;

[245] Fix | Delete

}

[246] Fix | Delete

[247] Fix | Delete

if ( ! $account_id ) {

[248] Fix | Delete

$account_id = $this->get_connected_user_id( $mode );

[249] Fix | Delete

}

[250] Fix | Delete

[251] Fix | Delete

// Return early if no connected account.

[252] Fix | Delete

if ( ! $account_id ) {

[253] Fix | Delete

return;

[254] Fix | Delete

}

[255] Fix | Delete

[256] Fix | Delete

$licence_type = wpforms_get_license_type();

[257] Fix | Delete

[258] Fix | Delete

$metadata = [

[259] Fix | Delete

'wpforms_stripe' => Helpers::is_addon_active() ? 'addon' : 'core',

[260] Fix | Delete

'wpforms_type' => wpforms()->is_pro() ? 'pro' : 'lite',

[261] Fix | Delete

'wpforms_license' => $licence_type ? $licence_type : 'lite',

[262] Fix | Delete

];

[263] Fix | Delete

[264] Fix | Delete

try {

[265] Fix | Delete

Account::update( $account_id, [ 'metadata' => $metadata ], Helpers::get_auth_opts() );

[266] Fix | Delete

} catch ( \Exception $e ) {

[267] Fix | Delete

wpforms_log(

[268] Fix | Delete

'Unable to update connected Stripe account meta.',

[269] Fix | Delete

$e->getMessage(),

[270] Fix | Delete

[

[271] Fix | Delete

'type' => [ 'payment', 'error' ],

[272] Fix | Delete

]

[273] Fix | Delete

);

[274] Fix | Delete

}

[275] Fix | Delete

}

[276] Fix | Delete

[277] Fix | Delete

/**

[278] Fix | Delete

* Generate random alphanumeric token string.

[279] Fix | Delete

* Token length is always 32 chars.

[280] Fix | Delete

[281] Fix | Delete

* @since 1.8.2

[282] Fix | Delete

[283] Fix | Delete

* @return string

[284] Fix | Delete

[285] Fix | Delete

public function generate_random_token() {

[286] Fix | Delete

[287] Fix | Delete

$random = false;

[288] Fix | Delete

[289] Fix | Delete

if ( function_exists( 'openssl_random_pseudo_bytes' ) ) {

[290] Fix | Delete

$strong_result = false; // This has been added as argument #2 ($strong_result) cannot be passed by reference.

[291] Fix | Delete

$random = openssl_random_pseudo_bytes( 16, $strong_result );

[292] Fix | Delete

}

[293] Fix | Delete

[294] Fix | Delete

if ( $random === false ) {

[295] Fix | Delete

return md5( wp_rand() );

[296] Fix | Delete

}

[297] Fix | Delete

[298] Fix | Delete

return bin2hex( $random );

[299] Fix | Delete

}

[300] Fix | Delete

[301] Fix | Delete

/**

[302] Fix | Delete

* Set fetched Stripe Account for caching purposes.

[303] Fix | Delete

[304] Fix | Delete

* @since 1.8.2

[305] Fix | Delete

[306] Fix | Delete

* @param string $mode Stripe mode (e.g. 'live' or 'test').

[307] Fix | Delete

[308] Fix | Delete

protected function set_connected_account( $mode = '' ) {

[309] Fix | Delete

[310] Fix | Delete

$user_id = $this->get_connected_user_id( $mode );

[311] Fix | Delete

[312] Fix | Delete

if ( ! $user_id ) {

[313] Fix | Delete

return;

[314] Fix | Delete

}

[315] Fix | Delete

[316] Fix | Delete

$account = $this->fetch_stripe_account( $mode );

[317] Fix | Delete

$this->accounts[ $mode ] = null;

[318] Fix | Delete

[319] Fix | Delete

if ( ! isset( $account->id ) || $account->id !== $user_id ) {

[320] Fix | Delete

return;

[321] Fix | Delete

}

[322] Fix | Delete

[323] Fix | Delete

$this->accounts[ $mode ] = $account;

[324] Fix | Delete

}

[325] Fix | Delete

[326] Fix | Delete

/**

[327] Fix | Delete

* Get cached Stripe Account or fetch it from Stripe.

[328] Fix | Delete

[329] Fix | Delete

* @since 1.8.2

[330] Fix | Delete

[331] Fix | Delete

* @param string $mode Stripe mode (e.g. 'live' or 'test').

[332] Fix | Delete

[333] Fix | Delete

* @return null|Account

[334] Fix | Delete

[335] Fix | Delete

public function get_connected_account( $mode = '' ) {

[336] Fix | Delete

[337] Fix | Delete

$mode = Helpers::validate_stripe_mode( $mode );

[338] Fix | Delete

[339] Fix | Delete

if ( empty( $this->accounts ) || ( is_array( $this->accounts ) && ! array_key_exists( $mode, $this->accounts ) ) ) {

[340] Fix | Delete

$this->set_connected_account( $mode );

[341] Fix | Delete

}

[342] Fix | Delete

[343] Fix | Delete

if ( ! empty( $this->accounts[ $mode ] ) ) {

[344] Fix | Delete

return $this->accounts[ $mode ];

[345] Fix | Delete

}

[346] Fix | Delete

[347] Fix | Delete

return null;

[348] Fix | Delete

}

[349] Fix | Delete

[350] Fix | Delete

/**

[351] Fix | Delete

* Save connected user id to an option.

[352] Fix | Delete

[353] Fix | Delete

* @since 1.8.2

[354] Fix | Delete

[355] Fix | Delete

* @param string $user_id User id to set.

[356] Fix | Delete

* @param string $mode Stripe mode (e.g. 'live' or 'test').

[357] Fix | Delete

[358] Fix | Delete

* @return bool

[359] Fix | Delete

[360] Fix | Delete

protected function set_connected_user_id( $user_id, $mode = '' ) {

[361] Fix | Delete

[362] Fix | Delete

$mode = Helpers::validate_stripe_mode( $mode );

[363] Fix | Delete

[364] Fix | Delete

return update_option( "wpforms_stripe_{$mode}_connect_user_id", sanitize_text_field( $user_id ) );

[365] Fix | Delete

}

[366] Fix | Delete

[367] Fix | Delete

/**

[368] Fix | Delete

* Get saved Stripe Connect user id from DB.

[369] Fix | Delete

[370] Fix | Delete

* @since 1.8.2

[371] Fix | Delete

[372] Fix | Delete

* @param string $mode Stripe mode (e.g. 'live' or 'test').

[373] Fix | Delete

[374] Fix | Delete

* @return string

[375] Fix | Delete

[376] Fix | Delete

public function get_connected_user_id( $mode = '' ) {

[377] Fix | Delete

[378] Fix | Delete

$mode = Helpers::validate_stripe_mode( $mode );

[379] Fix | Delete

$user_id = get_option( "wpforms_stripe_{$mode}_connect_user_id", '' );

[380] Fix | Delete

[381] Fix | Delete

/**

[382] Fix | Delete

* User ID associated with the Stripe account.

[383] Fix | Delete

[384] Fix | Delete

* @since 1.8.2

[385] Fix | Delete

[386] Fix | Delete

* @param string $user_id User ID.

[387] Fix | Delete

[388] Fix | Delete

return (string) apply_filters( 'wpforms_stripe_admin_connect_get_connected_user_id', $user_id ); // phpcs:ignore WPForms.PHP.ValidateHooks.InvalidHookName

[389] Fix | Delete

}

[390] Fix | Delete

[391] Fix | Delete

/**

[392] Fix | Delete

* Get Stripe Account name.

[393] Fix | Delete

[394] Fix | Delete

* @since 1.8.2

[395] Fix | Delete

[396] Fix | Delete

* @param string $mode Stripe mode (e.g. 'live' or 'test').

[397] Fix | Delete

[398] Fix | Delete

* @return string

[399] Fix | Delete

[400] Fix | Delete

public function get_connected_account_name( $mode = '' ) {

[401] Fix | Delete

[402] Fix | Delete

$account = $this->get_connected_account( $mode );

[403] Fix | Delete

[404] Fix | Delete

if ( isset( $account->display_name ) ) {

[405] Fix | Delete

return $account->display_name;

[406] Fix | Delete

}

[407] Fix | Delete

[408] Fix | Delete

if ( isset( $account->settings, $account->settings->dashboard->display_name ) ) {

[409] Fix | Delete

return $account->settings->dashboard->display_name;

[410] Fix | Delete

}

[411] Fix | Delete

[412] Fix | Delete

return '';

[413] Fix | Delete

}

[414] Fix | Delete

[415] Fix | Delete

/**

[416] Fix | Delete

* Set Stripe mode.

[417] Fix | Delete

[418] Fix | Delete

* @since 1.8.4

[419] Fix | Delete

[420] Fix | Delete

* @param string $mode Stripe mode (e.g. 'live' or 'test').

[421] Fix | Delete

[422] Fix | Delete

private function set_current_mode( $mode ) {

[423] Fix | Delete

[424] Fix | Delete

$key = 'stripe-test-mode';

[425] Fix | Delete

$settings = (array) get_option( 'wpforms_settings', [] );

[426] Fix | Delete

$settings[ $key ] = $mode === 'test';

[427] Fix | Delete

[428] Fix | Delete

update_option( 'wpforms_settings', $settings );

[429] Fix | Delete

}

[430] Fix | Delete

[431] Fix | Delete

/**

[432] Fix | Delete

* Set Stripe Account country.

[433] Fix | Delete

[434] Fix | Delete

* @since 1.8.2

[435] Fix | Delete

[436] Fix | Delete

* @param string $mode Stripe mode (e.g. 'live' or 'test').

[437] Fix | Delete

[438] Fix | Delete

private function set_connected_account_country( $mode = '' ) {

[439] Fix | Delete

[440] Fix | Delete

$account = $this->get_connected_account( $mode );

[441] Fix | Delete

[442] Fix | Delete

if ( ! isset( $account->country ) ) {

[443] Fix | Delete

return;

[444] Fix | Delete

}

[445] Fix | Delete

[446] Fix | Delete

update_option( "wpforms_stripe_{$mode}_account_country", strtolower( $account->country ) );

[447] Fix | Delete

}

[448] Fix | Delete

[449] Fix | Delete

/**

[450] Fix | Delete

* Get Stripe Connect button URL.

[451] Fix | Delete

[452] Fix | Delete

* @since 1.8.2

[453] Fix | Delete

[454] Fix | Delete

* @param string $mode Stripe mode (e.g. 'live' or 'test').

[455] Fix | Delete

[456] Fix | Delete

* @return string

[457] Fix | Delete

[458] Fix | Delete

public function get_connect_with_stripe_url( $mode = '' ) {

[459] Fix | Delete

[460] Fix | Delete

$mode = Helpers::validate_stripe_mode( $mode );

[461] Fix | Delete

$settings_url = $this->get_payments_settings_url();

[462] Fix | Delete

[463] Fix | Delete

return add_query_arg(

[464] Fix | Delete

[

[465] Fix | Delete

'action' => 'init',

[466] Fix | Delete

'live_mode' => absint( $mode === 'live' ),

[467] Fix | Delete

'state' => $this->generate_random_token(),

[468] Fix | Delete

'site_url' => rawurlencode( $settings_url ),

[469] Fix | Delete

[470] Fix | Delete

self::WPFORMS_URL

[471] Fix | Delete

);

[472] Fix | Delete

}

[473] Fix | Delete

[474] Fix | Delete

/**

[475] Fix | Delete

* Get "Payments" settings page URL.

[476] Fix | Delete

[477] Fix | Delete

* @since 1.8.2

[478] Fix | Delete

* @since 1.9.8 Added `$include_nonce` and `$action` parameters to allow more flexible settings.

[479] Fix | Delete

[480] Fix | Delete

* @param bool $include_nonce Whether to include nonce in the URL.

[481] Fix | Delete

* @param string $action Action to be used for nonce verification.

[482] Fix | Delete

[483] Fix | Delete

* @return string

[484] Fix | Delete

[485] Fix | Delete

private function get_payments_settings_url( bool $include_nonce = true, string $action = 'wpforms_stripe_connect' ): string {

[486] Fix | Delete

[487] Fix | Delete

$args = [

[488] Fix | Delete

'page' => 'wpforms-settings',

[489] Fix | Delete

'view' => 'payments',

[490] Fix | Delete

];

[491] Fix | Delete

[492] Fix | Delete

if ( $include_nonce ) {

[493] Fix | Delete

$args['_wpnonce'] = wp_create_nonce( $action );

[494] Fix | Delete

}

[495] Fix | Delete

[496] Fix | Delete

return add_query_arg( $args, admin_url( 'admin.php' ) );

[497] Fix | Delete

}

[498] Fix | Delete

[499] Fix | Delete