Feature: add SecurityChallenge Field to Fields API (#7865)

jonwaldstein · Jon Waldstein · web-flow · commit d3dffd804877 · 2025-04-10T12:44:55.000-04:00
Co-authored-by: Jon Waldstein &lt;jonwaldstein@mac.mynetworksettings.com&gt;
diff --git a/src/DonationForms/DataTransferObjects/ValidationRouteData.php b/src/DonationForms/DataTransferObjects/ValidationRouteData.php
@@ -7,6 +7,8 @@
 use Give\DonationForms\Models\DonationForm;
 use Give\Framework\FieldsAPI\Actions\CreateValidatorFromFormFields;
 use Give\Framework\FieldsAPI\Exceptions\NameCollisionException;
+use Give\Framework\FieldsAPI\Field;
+use Give\Framework\FieldsAPI\SecurityChallenge;
 use Give\Framework\Http\Response\Types\JsonResponse;
 use Give\Framework\Support\Contracts\Arrayable;
 use WP_Error;
@@ -44,6 +46,7 @@ public static function fromRequest(array $requestData): self
      * compares the request against the individual fields,
      * their types and validation rules.
      *
+     * @unreleased updated to exclude security challenge fields during pre-validation
      * @since 3.22.0 added additional validation for form validity, added givewp_donation_form_fields_validated action
      * @since 3.0.0
      *
@@ -60,8 +63,8 @@ public function validate(): JsonResponse
             throw new DonationFormForbidden();
         }
 
-        $formFields = array_filter($form->schema()->getFields(), static function ($field) use ($request) {
-            return array_key_exists($field->getName(), $request);
+        $formFields = array_filter($form->schema()->getFields(), function ($field) use ($request) {
+            return array_key_exists($field->getName(), $request) && !$this->isSecurityChallengeField($field);
         });
 
         $validator = (new CreateValidatorFromFormFields())($formFields, $request);
@@ -135,4 +138,12 @@ public function toArray(): array
     {
         return get_object_vars($this);
     }
+
+    /**
+     * @unreleased
+     */
+    protected function isSecurityChallengeField(Field $field): bool
+    {
+        return is_subclass_of($field, SecurityChallenge::class);
+    }
 }
diff --git a/src/Framework/FieldsAPI/SecurityChallenge.php b/src/Framework/FieldsAPI/SecurityChallenge.php
@@ -0,0 +1,16 @@
+<?php
+
+namespace Give\Framework\FieldsAPI;
+
+
+/**
+ * Security challenge fields are a special snowflake.
+ * They can typically only be validated once on the server.
+ * Extending this abstract field will ensure that the field is not validated on the server
+ * before the form is fully submitted, avoiding pre-validation conflicting endpoints.
+ *
+ * @unreleased
+ */
+abstract class SecurityChallenge extends Field
+{
+}
