YahnisElsts / plugin-update-checker

A custom update checker for WordPress plugins. Useful if you don't want to host your project in the official WP repository, but would still like it to support automatic updates. Despite the name, it also works with themes.
MIT License

License key removed at download request. #504

Closed bymem closed 1 year ago

bymem commented 1 year ago

Hi.

I'm trying to implement a license checker in the use of the wp-update-server, and I followed the epic tutorial on securing your download links. And most of it seems to be working.

But I'm running into the problem that it seems like the license key is removed at the download request. I'm checking the request log, where I can see that the license key is being added at the get_metadata request, but when the download request is sent the license is not present.

require APP.'/theme/helpers/updater/plugin-update-checker.php';

$bonzaiUpdateChecker =  Puc_v4_Factory::buildUpdateChecker(
    'https://[URL_TO_UPDATE]/?action=get_metadata&slug=bonzai',
    THEME_DIR,
    'bonzai'
);

$bonzaiUpdateChecker->addQueryArgFilter('bnz_filter_update_checks');

// Query-arg filter: adds the stored license key to update information requests.
function bnz_filter_update_checks($queryArgs) {
    // Only add the key when one is saved, so a missing key is never sent as false.
    if ( $license = get_theme_mod('license_key', false) ) {
        $queryArgs['license_key'] = $license;
    }

    return $queryArgs;
}

This is the request log:

[2022-10-31 15:01:34 +0000] [REQUEST_IP]       GET     get_metadata    bonzai  0.9.75  6.0.3   https://beta.nmdev.dk   action=get_metadata&slug=bonzai&installed_version=0.9.75&php=7.4.32&locale=da_DK&license_key=errer324234242
[2022-10-31 15:01:41 +0000] [REQUEST_IP]       GET     download        bonzai  -       6.0.3   https://beta.nmdev.dk   action=download&slug=bonzai

YahnisElsts commented 1 year ago

That particular filter only applies to update information requests. It doesn't do anything for downloads. So the key isn't being removed - it's not getting added in the first place.

There are multiple ways you could modify the download URL. One option would be to use the pre_inject_update filter. It runs just before the update checker inserts the update into the internal update list that's used by WordPress core.

Here's a basic example (not tested):

$bonzaiUpdateChecker->addFilter('pre_inject_update', 'example_callback');

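function example_callback($updateInfo) {
    // Runs just before the update is inserted into the list used by WordPress core.
    if ( !empty($updateInfo->download_url) ) {
        // 'abcdef' is a placeholder; pass the real license key here.
        $updateInfo->download_url = add_query_arg('license_key', 'abcdef', $updateInfo->download_url);
    }
    return $updateInfo;
}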
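
The two filters from this thread wired together, as an added example that is not code from either commenter or from the project: the stored `license_key` theme mod is attached to metadata requests through `addQueryArgFilter` and to the download URL through `pre_inject_update`. The `bnz_license_*` function names are hypothetical; the paths, slug and URL placeholder are the ones from the question.

```php
<?php
// Added example, not from the thread. The bnz_license_* names are hypothetical.
require APP . '/theme/helpers/updater/plugin-update-checker.php';

$bonzaiUpdateChecker = Puc_v4_Factory::buildUpdateChecker(
    'https://[URL_TO_UPDATE]/?action=get_metadata&slug=bonzai',
    THEME_DIR,
    'bonzai'
);

// Update information requests (action=get_metadata) pass through this filter.
$bonzaiUpdateChecker->addQueryArgFilter('bnz_license_for_metadata');
// Downloads use the URL stored in the update object, so it is patched separately.
$bonzaiUpdateChecker->addFilter('pre_inject_update', 'bnz_license_for_download');

// Return the saved key as a trimmed string, or '' when none is saved.
function bnz_license_key() {
    $key = get_theme_mod('license_key', '');
    return is_string($key) ? trim($key) : '';
}

function bnz_license_for_metadata($queryArgs) {
    $key = bnz_license_key();
    if ( $key !== '' ) {
        $queryArgs['license_key'] = $key;
    }
    return $queryArgs;
}

function bnz_license_for_download($updateInfo) {
    $key = bnz_license_key();
    if ( $key !== '' && !empty($updateInfo->download_url) ) {
        // add_query_arg() does not URL-encode values, so encode the key first.
        $updateInfo->download_url = add_query_arg(
            'license_key',
            rawurlencode($key),
            $updateInfo->download_url
        );
    }
    return $updateInfo;
}
```

Because the key travels in the query string, it is written to the update server's request log, as the `get_metadata` line in the log above shows.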

bymem commented 1 year ago

Thank you so much, that really did the trick. That could be a good add-on to your already great tutorial. Thank you so much for the help.