Merge pull request #18 from alvinjohnsonso/feature/request-auth-validation

feature/request-auth-validation
- used application/json content type for ajax requests
- added nonces to do CSRF checking
- added user access checks for ajax urls

Author: alvinjohnsonso

tawkto/assets/tawk.admin.css tawkto/assets/css/tawk.admin.csstawkto/assets/tawk.admin.css renamed to tawkto/assets/css/tawk.admin.css

@@ -1,28 +1,26 @@
 jQuery(function() {
     document.getElementById("defaultOpen").click();
 
-    console.log(jQuery("#always_display").prop("checked"));
-    if(jQuery("#always_display").prop("checked")){
+    if (jQuery("#always_display").prop("checked")) {
         jQuery('.twk_selected_display').hide();
         jQuery('#show_onfrontpage').prop('disabled', true);
         jQuery('#show_oncategory').prop('disabled', true);
         jQuery('#show_ontagpage').prop('disabled', true);
         jQuery('#show_onarticlepages').prop('disabled', true);
         jQuery('#include_url').prop('disabled', true);
-    }else{
+    } else {
         jQuery('.twk_selected_display').show();
-        
     }
 
     jQuery("#always_display").change(function() {
-        if(this.checked){
+        if (this.checked) {
             jQuery('.twk_selected_display').fadeOut();
             jQuery('#show_onfrontpage').prop('disabled', true);
             jQuery('#show_oncategory').prop('disabled', true);
             jQuery('#show_ontagpage').prop('disabled', true);
             jQuery('#show_onarticlepages').prop('disabled', true);
             jQuery('#include_url').prop('disabled', true);
-        }else{
+        } else {
             jQuery('.twk_selected_display').fadeIn();
             jQuery('#show_onfrontpage').prop('disabled', false);
             jQuery('#show_oncategory').prop('disabled', false);
@@ -32,31 +30,29 @@ jQuery(function() {
         }
     });
 
-
     jQuery("#exclude_url").change(function() {
-        if(this.checked){
+        if (this.checked) {
             jQuery("#exlucded_urls_container").fadeIn();
-        }else{
+        } else {
             jQuery("#exlucded_urls_container").fadeOut();
         }
     });
 
-    if(jQuery("#include_url").prop("checked")){
+    if (jQuery("#include_url").prop("checked")) {
         jQuery("#included_urls_container").show();
     }
 
     jQuery("#include_url").change(function() {
-        if(this.checked){
+        if (this.checked) {
             jQuery("#included_urls_container").fadeIn();
-        }else{
+        } else {
             jQuery("#included_urls_container").fadeOut();
         }
     });
 
-    if(jQuery("#exclude_url").prop("checked")){
+    if (jQuery("#exclude_url").prop("checked")) {
         jQuery("#exlucded_urls_container").fadeIn();
     }
-
 });
 
 

tawkto/assets/tawk.admin.js tawkto/assets/js/tawk.admin.jstawkto/assets/tawk.admin.js renamed to tawkto/assets/js/tawk.admin.js

@@ -0,0 +1,84 @@
+// variables
+var currentHost = window.location.protocol + '//' + window.location.host;
+var iframeUrl = tawk_selection_data.url.iframe + '&parentDomain=' + currentHost;
+var baseUrl = tawk_selection_data.url.base;
+
+jQuery('#tawkIframe').attr('src', iframeUrl);
+
+window.addEventListener('message', function (e) {
+	if(e.origin === baseUrl) {
+
+		if(e.data.action === 'setWidget') {
+			setWidget(e);
+		}
+
+		if(e.data.action === 'removeWidget') {
+			removeWidget(e);
+		}
+
+		if(e.data.action === 'reloadHeight') {
+			reloadIframeHeight(e.data.height);
+		}
+	}
+});
+
+function setWidget (e) {
+	const data = {
+		pageId : e.data.pageId,
+		widgetId : e.data.widgetId,
+		nonce : tawk_selection_data.nonce.setWidget
+	};
+
+	jQuery.ajax({
+		type : 'POST',
+		url : ajaxurl + '?action=tawkto_setwidget',
+		contentType : 'application/json',
+		dataType : 'json',
+		data : JSON.stringify(data),
+		success : function (r) {
+			if (!r.success) {
+				return e.source.postMessage({action: 'setFail'}, baseUrl);
+			}
+			e.source.postMessage({action: 'setDone'}, baseUrl);
+		},
+		error : function () {
+			e.source.postMessage({action: 'setFail'}, baseUrl);
+		}
+	});
+}
+
+function removeWidget (e) {
+	const data = {
+		nonce : tawk_selection_data.nonce.removeWidget
+	}
+
+	jQuery.ajax({
+		type : 'POST',
+		url : ajaxurl + '?action=tawkto_removewidget',
+		contentType : 'application/json',
+		dataType : 'json',
+		data : JSON.stringify(data),
+		success : function (r) {
+			if (!r.success) {
+				return e.source.postMessage({action: 'removeFail'}, baseUrl);
+			}
+			e.source.postMessage({action: 'removeDone'}, baseUrl);
+		},
+		error : function () {
+			e.source.postMessage({action: 'removeFail'}, baseUrl);
+		}
+	});
+}
+
+function reloadIframeHeight(height) {
+	if (!height) {
+		return;
+	}
+
+	var iframe = jQuery('#tawkIframe');
+	if (height === iframe.height()) {
+		return;
+	}
+
+	iframe.height(height);
+}

tawkto/assets/js/tawk.selection.js

@@ -2,8 +2,9 @@
 Contributors: tawkto
 Tags: tawk,tawk.to,tawkto,chat,free chat,livechat,chat widget,plugin,chat for web,chat online,chat software,free live chat,IM Chat,,live chat,live support,live web chat,online chat,online support,snapengage,wordpress chat,wordpress live chat
 Requires at least: 2.7
+Requires PHP: 5.6
 Tested up to: 5.8
-Stable tag: 0.5.5
+Stable tag: 0.6.0
 
 (OFFICIAL tawk.to plugin) Instantly chat with  visitors on your website with the free tawk.to chat widget.
 Website: [http://tawk.to](http://tawk.to)
@@ -55,6 +56,10 @@ Note: You will need a free tawk.to account : [Create one for free here!](https:/
 
 == Changelog ==
 
+= 0.6.0 =
+* **Security Update** Add CSRF tokens and specific action access checks.
+* **Security Update** Use `application/json` content type for ajax requests.
+
 = 0.5.5 =
 * Supported version bump 5.8.
 

tawkto/readme.txt

@@ -3,7 +3,7 @@
 Plugin Name: Tawk.to Live Chat
 Plugin URI: https://www.tawk.to
 Description: Embeds Tawk.to live chat widget to your site
-Version: 0.5.5
+Version: 0.6.0
 Author: Tawkto
 Text Domain: tawk-to-live-chat
 */
@@ -13,6 +13,8 @@ class TawkTo_Settings{
 		const TAWK_WIDGET_ID_VARIABLE = 'tawkto-embed-widget-widget-id';
 		const TAWK_PAGE_ID_VARIABLE = 'tawkto-embed-widget-page-id';
 		const TAWK_VISIBILITY_OPTIONS = 'tawkto-visibility-options';
+		const TAWK_ACTION_SET_WIDGET = 'tawkto-set-widget';
+		const TAWK_ACTION_REMOVE_WIDGET = 'tawkto-remove-widget';
 
 		public function __construct(){
 
@@ -52,10 +54,10 @@ public function tawk_settings_assets($hook)
 			if($hook != 'settings_page_tawkto_plugin')
 				return;
 
-			wp_register_style( 'tawk_admin_style', plugins_url( 'assets/tawk.admin.css' , __FILE__ ) );
-        	wp_enqueue_style( 'tawk_admin_style' );
+			wp_register_style( 'tawk_admin_style', plugins_url( 'assets/css/tawk.admin.css' , __FILE__ ) );
+			wp_enqueue_style( 'tawk_admin_style' );
 
-        	wp_enqueue_script( 'tawk_admin_script', plugins_url( 'assets/tawk.admin.js' , __FILE__ ) );
+			wp_enqueue_script( 'tawk_admin_script', plugins_url( 'assets/js/tawk.admin.js' , __FILE__ ) );
 
 		}
 
@@ -66,22 +68,43 @@ public function admin_init(){
 		public function action_setwidget() {
 			header('Content-Type: application/json');
 
-			if (!isset($_POST['pageId']) || !isset($_POST['widgetId'])) {
-				echo json_encode(array('success' => FALSE));
-				die();
-			}
+			if (wp_is_json_request() === false) {
+				$response['success'] = false;
+				$response['message'] = 'Invalid request';
+				wp_send_json($response);
+				wp_die();
+			};
+
+			$postData = json_decode(file_get_contents('php://input'), true);
 
-			if (!self::ids_are_correct($_POST['pageId'], $_POST['widgetId'])) {
-				echo json_encode(array('success' => FALSE));
-				die();
+			$response = array(
+				'success' => true
+			);
+
+			if ($this->validate_request_auth($postData, self::TAWK_ACTION_SET_WIDGET) === false) {
+				$response['success'] = false;
+				$response['message'] = 'Unauthorized';
+				wp_send_json($response);
+				wp_die();
+			};
+
+			if (!isset($postData['pageId']) || !isset($postData['widgetId'])) {
+				$response['success'] = false;
+				wp_send_json($response);
+				wp_die();
 			}
 
-			update_option(self::TAWK_PAGE_ID_VARIABLE, $_POST['pageId']);
-			update_option(self::TAWK_WIDGET_ID_VARIABLE, $_POST['widgetId']);
+			if (!self::ids_are_correct($postData['pageId'], $postData['widgetId'])) {
+				$response['success'] = false;
+				wp_send_json($response);
+				wp_die();
+			}
 
+			update_option(self::TAWK_PAGE_ID_VARIABLE, $postData['pageId']);
+			update_option(self::TAWK_WIDGET_ID_VARIABLE, $postData['widgetId']);
 
-			echo json_encode(array('success' => TRUE));
-			die();
+			wp_send_json($response);
+			wp_die();
 		}
 
 		function tawk_admin_notice() {
@@ -99,11 +122,47 @@ function tawk_admin_notice() {
 		public function action_removewidget() {
 			header('Content-Type: application/json');
 
+			if (wp_is_json_request() === false) {
+				$response['success'] = false;
+				$response['message'] = 'Invalid request';
+				wp_send_json($response);
+				wp_die();
+			};
+
+			$postData = json_decode(file_get_contents('php://input'), true);
+
+			$response = array(
+				'success' => true
+			);
+
+			if ($this->validate_request_auth($postData, self::TAWK_ACTION_REMOVE_WIDGET) === false) {
+				$response['success'] = false;
+				$response['message'] = 'Unauthorized';
+				wp_send_json($response);
+				wp_die();
+			};
+
 			update_option(self::TAWK_PAGE_ID_VARIABLE, '');
 			update_option(self::TAWK_WIDGET_ID_VARIABLE, '');
 
-			echo json_encode(array('success' => TRUE));
-			die();
+			wp_send_json($response);
+			wp_die();
+		}
+
+		private function validate_request_auth($postData = array(), $action) {
+			if (current_user_can('administrator') === false) {
+				return false;
+			}
+
+			if (isset($postData['nonce']) === false) {
+				return false;
+			}
+
+			if (wp_verify_nonce($postData['nonce'], $action) === false) {
+				return false;
+			}
+
+			return true;
 		}
 
 		public function validate_options($input){
@@ -167,6 +226,8 @@ public function create_plugin_settings_page(){
 					.'&currentPageId='.$page_id
 					.'&transparentBackground=1'
 					.'&pltf=wordpress';
+			$set_widget_nonce = wp_create_nonce(self::TAWK_ACTION_SET_WIDGET);
+			$remove_widget_nonce = wp_create_nonce(self::TAWK_ACTION_REMOVE_WIDGET);
 
 
 			include(sprintf("%s/templates/settings.php", dirname(__FILE__)));