File: /home/cpt/public_html/wp-content/plugins/wpforms-lite/src/Integrations/Stripe/Api/WebhookRoute.php
<?php
namespace WPForms\Integrations\Stripe\Api;
use Exception;
use WPForms\Vendor\Stripe\Webhook;
use RuntimeException;
use BadMethodCallException;
use WPForms\Vendor\Stripe\Event as StripeEvent;
use WPForms\Vendor\Stripe\Exception\SignatureVerificationException;
use WPForms\Integrations\Stripe\Helpers;
use WPForms\Integrations\Stripe\WebhooksHealthCheck;
/**
 * Webhooks Rest Route handler.
 *
 * @since 1.8.4
 */
class WebhookRoute extends Common {
	/**
	 * Event type.
	 *
	 * @since 1.8.4
	 *
	 * @var string
	 */
	private $event_type = 'unknown';
	/**
	 * Payload.
	 *
	 * @since 1.8.4
	 *
	 * @var array
	 */
	private $payload = [];
	/**
	 * Response.
	 *
	 * @since 1.8.4
	 *
	 * @var string
	 */
	private $response = '';
	/**
	 * Response code.
	 *
	 * @since 1.8.4
	 *
	 * @var int
	 */
	private $response_code = 200;
	/**
	 * Initialize.
	 *
	 * @since 1.8.4
	 */
	public function init() {
		$this->hooks();
	}
	/**
	 * Register hooks.
	 *
	 * @since 1.8.4
	 */
	private function hooks() {
		if ( $this->is_rest_verification() ) {
			add_action( 'rest_api_init', [ $this, 'register_rest_routes' ] );
			return;
		}
		// Do not serve regular page when it seems Stripe Webhooks are still sending requests to disabled CURL endpoint.
		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
		if ( isset( $_GET[ Helpers::get_webhook_endpoint_data()['fallback'] ] )
			&& (
				! Helpers::is_webhook_enabled()
				|| Helpers::is_rest_api_set()
			) ) {
			add_action( 'wp', [ $this, 'dispatch_with_error_500' ] );
			return;
		}
		if ( ! Helpers::is_webhook_enabled() || ! Helpers::is_webhook_configured() ) {
			return;
		}
		if ( Helpers::is_rest_api_set() ) {
			add_action( 'rest_api_init', [ $this, 'register_rest_routes' ] );
		} else {
			add_action( 'wp', [ $this, 'dispatch_with_url_param' ] );
		}
	}
	/**
	 * Register webhook REST route.
	 *
	 * @since 1.8.4
	 */
	public function register_rest_routes() {
		$methods = [ 'POST' ];
		if ( $this->is_rest_verification() ) {
			$methods[] = 'GET';
		}
		register_rest_route(
			Helpers::get_webhook_endpoint_data()['namespace'],
			'/' . Helpers::get_webhook_endpoint_data()['route'],
			[
				'methods'             => $methods,
				'callback'            => [ $this, 'dispatch_stripe_webhooks_payload' ],
				'show_in_index'       => false,
				'permission_callback' => '__return_true',
			]
		);
	}
	/**
	 * Dispatch Stripe webhooks payload for the url param.
	 *
	 * @since 1.8.4
	 */
	public function dispatch_with_url_param() {
		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
		if ( ! isset( $_GET[ Helpers::get_webhook_endpoint_data()['fallback'] ] ) ) {
			return;
		}
		$this->dispatch_stripe_webhooks_payload();
	}
	/**
	 * Dispatch Stripe webhooks payload for the url param with error 500.
	 *
	 * Runs when url param is not configured or webhooks are not enabled at all.
	 *
	 * @since 1.8.4
	 */
	public function dispatch_with_error_500() {
		$this->response      = esc_html__( 'It seems to be request to Stripe PHP Listener method handler but the site is not configured to use it.', 'wpforms-lite' );
		$this->response_code = 500;
		$this->respond();
	}
	/**
	 * Dispatch Stripe webhooks payload.
	 *
	 * @since 1.8.4
	 */
	public function dispatch_stripe_webhooks_payload() {
		if ( $this->is_rest_verification() ) {
			wp_send_json_success();
		}
		try {
			$this->payload = file_get_contents( 'php://input' );
			$event         = Webhook::constructEvent(
				$this->payload,
				$this->get_webhook_signature(),
				$this->get_webhook_signing_secret()
			);
			// Update webhooks site health status.
			WebhooksHealthCheck::save_status( WebhooksHealthCheck::ENDPOINT_OPTION, WebhooksHealthCheck::STATUS_OK );
			WebhooksHealthCheck::save_status( WebhooksHealthCheck::SIGNATURE_OPTION,WebhooksHealthCheck::STATUS_OK );
			$this->event_type = $event->type;
			$this->response   = 'WPForms Stripe: ' . $this->event_type . ' event received.';
			$processed = $this->process_event( $event );
			$this->response_code = $processed ? 200 : 202;
			$this->respond();
		} catch ( SignatureVerificationException $e ) {
			WebhooksHealthCheck::save_status( WebhooksHealthCheck::SIGNATURE_OPTION, WebhooksHealthCheck::STATUS_ERROR );
			$this->response_code = 500;
			$this->response      = $e->getMessage();
			$this->respond();
		} catch ( Exception $e ) {
			$this->handle_exception( $e );
			$this->response      = $e->getMessage();
			$this->response_code = $e instanceof BadMethodCallException ? 501 : 500;
			$this->respond();
		}
	}
	/**
	 * Get webhook stripe signature.
	 *
	 * @since 1.8.4
	 *
	 * @throws RuntimeException When Stripe signature is not set.
	 *
	 * @return string
	 */
	private function get_webhook_signature() {
		if ( ! isset( $_SERVER['HTTP_STRIPE_SIGNATURE'] ) ) {
			throw new RuntimeException( 'Stripe signature is not set.' );
		}
		return $_SERVER['HTTP_STRIPE_SIGNATURE']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
	}
	/**
	 * Get webhook signing secret.
	 *
	 * @since 1.8.4
	 *
	 * @throws RuntimeException When webhook signing secret is not set.
	 *
	 * @return string
	 */
	private function get_webhook_signing_secret() {
		$secret = wpforms_setting( 'stripe-webhooks-secret-' . Helpers::get_stripe_mode() );
		if ( empty( $secret ) ) {
			throw new RuntimeException( 'Webhook signing secret is not set.' );
		}
		return $secret;
	}
	/**
	 * Process Stripe event.
	 *
	 * @since 1.8.4
	 *
	 * @param StripeEvent $event Stripe event.
	 *
	 * @return bool True if event has handling class, false otherwise.
	 */
	private function process_event( StripeEvent $event ) {
		$webhooks = self::get_event_whitelist();
		// Event can't be handled.
		if ( ! isset( $webhooks[ $event->type ] ) || ! class_exists( $webhooks[ $event->type ] ) ) {
			return false;
		}
		$handler = new $webhooks[ $event->type ]();
		$handler->setup( $event );
		return $handler->handle();
	}
	/**
	 * Get event whitelist.
	 *
	 * @since 1.8.4
	 *
	 * @return array
	 */
	private static function get_event_whitelist() {
		return [
			'charge.refunded'               => Webhooks\ChargeRefunded::class,
			'charge.refund.updated'         => Webhooks\ChargeRefundUpdated::class,
			'invoice.payment_succeeded'     => Webhooks\InvoicePaymentSucceeded::class,
			'invoice.created'               => Webhooks\InvoiceCreated::class,
			'charge.succeeded'              => Webhooks\ChargeSucceeded::class,
			'customer.subscription.created' => Webhooks\CustomerSubscriptionCreated::class,
			'customer.subscription.updated' => Webhooks\CustomerSubscriptionUpdated::class,
			'customer.subscription.deleted' => Webhooks\CustomerSubscriptionDeleted::class,
		];
	}
	/**
	 * Check if rest verification is requested.
	 *
	 * @since 1.8.4
	 *
	 * @return bool
	 */
	private function is_rest_verification() {
		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
		return isset( $_GET['verify'] ) && $_GET['verify'] === '1';
	}
	/**
	 * Respond to the request.
	 *
	 * @since 1.8.4
	 */
	private function respond() {
		$this->log_webhook();
		wp_die( esc_html( $this->response ), '', (int) $this->response_code );
	}
	/**
	 * Log webhook request.
	 *
	 * @since 1.8.4
	 */
	private function log_webhook() {
		// log only if WP_DEBUG_LOG and WPFORMS_WEBHOOKS_DEBUG are set to true.
		if (
			! defined( 'WPFORMS_WEBHOOKS_DEBUG' ) ||
			! WPFORMS_WEBHOOKS_DEBUG ||
			! defined( 'WP_DEBUG_LOG' ) ||
			! WP_DEBUG_LOG
		) {
			return;
		}
		// If it is set to explictly display logs on output, return: this would make response to Stripe malformed.
		if ( defined( 'WP_DEBUG_DISPLAY' ) && WP_DEBUG_DISPLAY ) {
			return;
		}
		$webhook_log = maybe_serialize(
			[
				'event_type'    => $this->event_type,
				'response_code' => $this->response_code,
				'response'      => $this->response,
				'payload'       => $this->payload,
			]
		);
		// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
		error_log( $webhook_log );
	}
	/**
	 * Get webhooks events list.
	 *
	 * @since 1.8.4
	 *
	 * @return array
	 */
	public static function get_webhooks_events_list() {
		return array_keys( self::get_event_whitelist() );
	}
}