Skip to content

feature/secure-mode-support #39

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
eug-L merged 14 commits into from
Jan 27, 2025
Merged

feature/secure-mode-support #39

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
c6dd2f1
add api key input and encryption for visitor recognition
eug-L Nov 28, 2024
a011f8f
encryption error handling, check email on hashing & input pattern val…
eug-L Nov 28, 2024
5dd1dcd
improve secure mode notice
eug-L Jan 16, 2025
db96f98
add not changed validation and caching for api key
eug-L Jan 16, 2025
e6036b8
add check for encryption key
eug-L Jan 16, 2025
0af8c10
merge saved visibility options instead of caching
eug-L Jan 16, 2025
9f3eb1e
error handling for js api key
eug-L Jan 20, 2025
40b61ff
add/classify options into privacy & security
eug-L Jan 20, 2025
fcea02f
add upgrade script to migrate privacy settings
eug-L Jan 20, 2025
128eb19
fix variable typo
eug-L Jan 20, 2025
82e9e79
fix tests wait conditions
eug-L Jan 20, 2025
aee2922
remove unneeded default for js api key
eug-L Jan 22, 2025
6312dbc
update migration script
eug-L Jan 23, 2025
2cd1008
fix woocomerce build in tests
eug-L Jan 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .eslintrc.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
'use-strict';

module.exports = {
'root': true,
'env': {
'browser': true,
'jquery': true
Expand Down
20 changes: 20 additions & 0 deletions tawkto/assets/js/tawk.admin.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,26 @@ jQuery(

jQuery( this ).addClass( 'reverse' );
});

if ( jQuery( '#enable-visitor-recognition' ).prop( 'checked' ) ) {
jQuery( '.tawk-selected-visitor' ).show();
jQuery( '#js-api-key' ).prop( 'disabled', false );
} else {
jQuery( '.tawk-selected-visitor' ).hide();
jQuery( '#js-api-key' ).prop( 'disabled', true );
}

jQuery( '#enable-visitor-recognition' ).change(
function() {
if ( this.checked ) {
jQuery( '.tawk-selected-visitor' ).fadeIn();
jQuery( '#js-api-key' ).prop( 'disabled', false );
} else {
jQuery( '.tawk-selected-visitor' ).fadeOut();
jQuery( '#js-api-key' ).prop( 'disabled', true );
}
}
);
}
);

Expand Down
1 change: 1 addition & 0 deletions tawkto/includes/default_config.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,5 +16,6 @@
'display_on_productpage' => 0,
'display_on_producttag' => 0,
'enable_visitor_recognition' => 1,
'js_api_key' => '',
),
);
121 changes: 121 additions & 0 deletions tawkto/tawkto.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,11 @@ class TawkTo_Settings {
const TAWK_VISIBILITY_OPTIONS = 'tawkto-visibility-options';
const TAWK_ACTION_SET_WIDGET = 'tawkto-set-widget';
const TAWK_ACTION_REMOVE_WIDGET = 'tawkto-remove-widget';
const CIPHER = 'AES-256-CBC';
const CIPHER_IV_LENGTH = 16;
const NO_CHANGE = 'nochange';
const TAWK_API_KEY = 'tawkto-js-api-key';
const TAWK_API_KEY_ENCRYPTED = 'tawkto-js-api-key-encrypted';

/**
* @var $plugin_ver Plugin version
Expand Down Expand Up @@ -249,10 +254,12 @@ public function validate_options( $input ) {
$visibility_text_fields = array(
'excluded_url_list',
'included_url_list',
'js_api_key',
);

self::validate_visibility_toggle_fields( $input, $visibility_toggle_fields );
self::validate_text_fields( $input, $visibility_text_fields );
self::validate_js_api_key( $input );

return $input;
}
Expand Down Expand Up @@ -303,6 +310,12 @@ public function create_plugin_settings_page() {
}
}

if ( ! empty( $visibility['js_api_key'] ) ) {
set_transient( self::TAWK_API_KEY_ENCRYPTED, $visibility['js_api_key'] );

$visibility['js_api_key'] = self::NO_CHANGE;
}

include sprintf( '%s/templates/settings.php', dirname( __FILE__ ) );
}

Expand All @@ -318,6 +331,24 @@ public static function ids_are_correct( $page_id, $widget_id ) {
return 1 === preg_match( '/^[0-9A-Fa-f]{24}$/', $page_id ) && 1 === preg_match( '/^[a-z0-9]{1,50}$/i', $widget_id );
}

/**
* Validate JS API Key field
*
* @param array $fields - List of fields.
* @return void
*/
private static function validate_js_api_key( &$fields ) {
if ( self::NO_CHANGE === $fields['js_api_key'] ) {
$fields['js_api_key'] = get_transient( self::TAWK_API_KEY_ENCRYPTED );
return;
}

$fields['js_api_key'] = 40 === strlen( $fields['js_api_key'] ) ? self::get_encrypted_data( $fields['js_api_key'] ) : '';

delete_transient( self::TAWK_API_KEY_ENCRYPTED );
delete_transient( self::TAWK_API_KEY );
}

/**
* Validates and sanitizes text fields
*
Expand Down Expand Up @@ -365,6 +396,87 @@ public static function get_default_visibility_options() {
return $config['visibility'];
}

/**
* Encrypt data
*
* @param string $data - Data to be encrypted.
* @return string
*/
private static function get_encrypted_data( $data ) {
if ( ! defined( 'SECURE_AUTH_KEY' ) ) {
return '';
}

try {
$iv = random_bytes( self::CIPHER_IV_LENGTH );
} catch ( Exception $e ) {
return '';
}

$encrypted_data = openssl_encrypt( $data, self::CIPHER, SECURE_AUTH_KEY, 0, $iv );

if ( false === $encrypted_data ) {
return '';
}

// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
$encrypted_data = base64_encode( $iv . $encrypted_data );

if ( false === $encrypted_data ) {
return '';
}

return $encrypted_data;
}
Comment on lines +494 to +519
Copy link

@coderabbitai coderabbitai bot Jan 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Add error handling for openssl_encrypt failures.

The encryption method needs additional error handling:

  1. Check if the OpenSSL extension is loaded
  2. Verify the cipher method exists

Apply this diff to improve error handling:

 private static function get_encrypted_data( $data ) {
+    if (!extension_loaded('openssl')) {
+        throw new Exception('OpenSSL extension is not loaded');
+    }
+
+    if (!in_array(self::CIPHER, openssl_get_cipher_methods())) {
+        throw new Exception('Cipher method not supported');
+    }
+
     if ( ! defined( 'SECURE_AUTH_KEY' ) ) {
         throw new Exception( 'SECURE_AUTH_KEY is not defined' );
     }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
private static function get_encrypted_data( $data ) {
if ( ! defined( 'SECURE_AUTH_KEY' ) ) {
throw new Exception( 'SECURE_AUTH_KEY is not defined' );
}
try {
$iv = random_bytes( self::CIPHER_IV_LENGTH );
} catch ( Exception $e ) {
throw new Exception( 'Error generating IV' );
}
$encrypted_data = openssl_encrypt( $data, self::CIPHER, SECURE_AUTH_KEY, 0, $iv );
if ( false === $encrypted_data ) {
throw new Exception( 'Error encrypting data' );
}
// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
$encrypted_data = base64_encode( $iv . $encrypted_data );
if ( false === $encrypted_data ) {
throw new Exception( 'Error encoding data' );
}
return $encrypted_data;
}
private static function get_encrypted_data( $data ) {
if (!extension_loaded('openssl')) {
throw new Exception('OpenSSL extension is not loaded');
}
if (!in_array(self::CIPHER, openssl_get_cipher_methods())) {
throw new Exception('Cipher method not supported');
}
if ( ! defined( 'SECURE_AUTH_KEY' ) ) {
throw new Exception( 'SECURE_AUTH_KEY is not defined' );
}
try {
$iv = random_bytes( self::CIPHER_IV_LENGTH );
} catch ( Exception $e ) {
throw new Exception( 'Error generating IV' );
}
$encrypted_data = openssl_encrypt( $data, self::CIPHER, SECURE_AUTH_KEY, 0, $iv );
if ( false === $encrypted_data ) {
throw new Exception( 'Error encrypting data' );
}
// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
$encrypted_data = base64_encode( $iv . $encrypted_data );
if ( false === $encrypted_data ) {
throw new Exception( 'Error encoding data' );
}
return $encrypted_data;
}


/**
* Decrypt data
*
* @param string $data - Data to be decrypted.
* @return string
*/
private static function get_decrypted_data( $data ) {
// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode
$decoded_data = base64_decode( $data );

if ( false === $decoded_data ) {
return '';
}

$iv = substr( $decoded_data, 0, self::CIPHER_IV_LENGTH );
$encrypted_data = substr( $decoded_data, self::CIPHER_IV_LENGTH );

$decrypted_data = openssl_decrypt( $encrypted_data, self::CIPHER, SECURE_AUTH_KEY, 0, $iv );

if ( false === $decrypted_data ) {
return '';
}

return $decrypted_data;
}

/**
* Retrieves JS API Key
*
* @return string
*/
public static function get_js_api_key() {
if ( ! empty( get_transient( self::TAWK_API_KEY ) ) ) {
return get_transient( self::TAWK_API_KEY );
}

$visibility = get_option( self::TAWK_VISIBILITY_OPTIONS );

if ( ! isset( $visibility['js_api_key'] ) ) {
return '';
}

$key = self::get_decrypted_data( $visibility['js_api_key'] );

set_transient( self::TAWK_API_KEY, $key, 60 * 60 );

return $key;
}
}
}

Expand Down Expand Up @@ -442,6 +554,9 @@ public static function deactivate() {
delete_option( TawkTo_Settings::TAWK_WIDGET_ID_VARIABLE );
delete_option( TawkTo_Settings::TAWK_VISIBILITY_OPTIONS );
delete_option( self::PLUGIN_VERSION_VARIABLE );

delete_transient( TawkTo_Settings::TAWK_API_KEY );
delete_transient( TawkTo_Settings::TAWK_API_KEY_ENCRYPTED );
}

/**
Expand All @@ -463,6 +578,12 @@ public function get_current_customer_details() {
'name' => $current_user->display_name,
'email' => $current_user->user_email,
);

$js_api_key = TawkTo_Settings::get_js_api_key();
if ( ! empty( $user_info['email'] ) && ! empty( $js_api_key ) ) {
$user_info['hash'] = hash_hmac( 'sha256', $user_info['email'], $js_api_key );
}

return wp_json_encode( $user_info );
}
return null;
Expand Down
23 changes: 23 additions & 0 deletions tawkto/templates/settings.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -412,6 +412,29 @@ class="slider round"
</td>
</tr>
</table>

<div class="tawk-selected-visitor">
<p class='tawk-notice'>
<?php esc_html_e( 'Note: If Secure Mode is enabled on your property, please enter your Javascript API Key to ensure visitor recognition works correctly.', 'tawk-to-live-chat' ); ?>
</p>

<table class="form-table">
<tr valign="top">
<th class="tawk-setting" scope="row">
<?php esc_html_e( 'Javascript API Key', 'tawk-to-live-chat' ); ?>
</th>
<td>
<input type="password"
id="js-api-key"
name="tawkto-visibility-options[js_api_key]"
value="<?php echo esc_attr( $visibility['js_api_key'] ); ?>"
pattern="^[a-zA-Z0-9]+$"
onfocus="this.select();"
autocomplete="off" />
</td>
</tr>
</table>
</div>
</div>
</form>
</div>
Expand Down
25 changes: 25 additions & 0 deletions tests/Coverages/PrivacyOptionsTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ public static function setupBeforeClass(): void {

public function setup(): void {
self::$web->login();
self::$web->goto_privacy_options();
}

public static function tearDownAfterClass(): void {
Expand All @@ -60,6 +61,7 @@ public function should_have_data_on_visitor_object_if_logged_in(): void {
$this->assertNotEmpty( $visitor_data );
$this->assertEquals( self::$admin_name, $visitor_data['name'] );
$this->assertEquals( self::$admin_email, $visitor_data['email'] );
$this->assertArrayNotHasKey( 'hash', $visitor_data );
}

/**
Expand All @@ -76,4 +78,27 @@ public function should_not_have_data_on_visitor_object_if_not_logged_in(): void

$this->assertEmpty( $visitor_data );
}

/**
* @test
* @group privacy_options
*/
public function should_have_hash_on_visitor_object_if_logged_in_and_api_key_provided(): void {
self::$web->toggle_switch( '#enable-visitor-recognition', true );
self::$driver->find_element_and_input( '#js-api-key', str_repeat( 'a', 40 ) );

self::$driver->move_mouse_to( '#submit-header' )->click();
self::$driver->wait_for_seconds( 1 );
Copy link

@coderabbitai coderabbitai bot Jan 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Replace arbitrary wait with explicit wait condition.

Using a fixed wait time can make tests flaky. Instead, wait for a specific condition to be met.

-self::$driver->move_mouse_to('#submit-header')->click();
-self::$driver->wait_for_seconds(1);
+self::$driver->move_mouse_to('#submit-header')->click();
+self::$driver->wait_until_element_is_located('#setting-error-settings_updated');
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
self::$driver->move_mouse_to( '#submit-header' )->click();
self::$driver->wait_for_seconds( 1 );
self::$driver->move_mouse_to('#submit-header')->click();
self::$driver->wait_until_element_is_located('#setting-error-settings_updated');


self::$driver->goto_page( self::$web->get_base_url() );

self::$driver->wait_until_element_is_located( self::$script_selector );

$visitor_data = self::$driver->get_driver()->executeScript( 'return Tawk_API.visitor' );

$this->assertNotEmpty( $visitor_data );
$this->assertEquals( self::$admin_name, $visitor_data['name'] );
$this->assertEquals( self::$admin_email, $visitor_data['email'] );
$this->assertArrayHasKey( 'hash', $visitor_data );
}
}
Loading