
Fix/secure mode session security #40


Merged 9 commits, Mar 24, 2025

Conversation

eug-L (Contributor) commented Mar 11, 2025

Changes to improve session security:

  • Add auto-incremental configuration version
  • Save visitor hash instead of API key in user session
  • Hash is regenerated if configuration version or visitor email changes

Summary by CodeRabbit

  • New Features

    • Introduced visitor tracking by generating a visitor hash based on email and session data.
    • Added configuration versioning to enhance management.
  • Refactor

    • Enhanced configuration management with a new versioning mechanism.
    • Streamlined API key validation with trimmed inputs and standardized error messaging.
    • Improved the decryption process to consistently return a null value on failure and removed obsolete transient storage methods.
    • Updated method visibility for better accessibility.
  • Chores

    • Updated version numbers across project files to reflect the new release (0.9.1).


coderabbitai bot commented Mar 11, 2025

Caution: Review failed. The pull request is closed.

Walkthrough

The update modifies the TawkTo_Settings class in tawkto.php by adding a new configuration version constant and a corresponding update method. The changes streamline the JavaScript API key validation by trimming input and replacing a try block with a direct error call. The decryption method’s accessibility is expanded to public, and its failure return value is adjusted. Additionally, transient storage for the API key is removed, and a new method for generating a visitor hash based on email and session state is introduced. The version numbers in related files are also incremented to reflect the new release.

Changes

  • tawkto/tawkto.php:
    • TawkTo_Settings: Added constant TAWK_CONFIG_VERSION and update_config_version() method; modified validate_js_api_key to trim input and enforce a 40-character length without a try block; changed get_decrypted_data() visibility from private to public, and it now returns null on failure; removed get_js_api_key() method.
    • TawkTo: Added new static method get_visitor_hash($email) for generating a visitor hash.
  • composer.json: Version updated from "0.9.0" to "0.9.1".
  • package.json: Version updated from "0.9.0" to "0.9.1".
  • tawkto/readme.txt: Stable tag updated from 0.9.0 to 0.9.1; added changelog entry for version 0.9.1 with features: "Add configuration versioning" and "Improve security for Secure Mode."
  • tawkto/templates/widget.php: Version numbers in comments updated from 0.9.0 to 0.9.1.

Sequence Diagram(s)

sequenceDiagram
    participant Admin as Admin Page
    participant Settings as TawkTo_Settings
    Admin ->> Settings: admin_init()
    Settings ->> Settings: update_config_version()
    Settings -->> Admin: Configuration version updated

sequenceDiagram
    participant Visitor as Visitor
    participant Tawk as TawkTo
    Visitor ->> Tawk: get_visitor_hash(email)
    Tawk -->> Visitor: Returns visitor hash

Suggested reviewers

  • GeekOfAges

Poem

Hop along the code trail bright,
New constants and methods take flight,
Trimming keys and decryption redefined,
Visitor hashes with logic combined,
I, a rabbit, cheer each commit so light!
🐰✨


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro (Legacy)

📥 Commits

Reviewing files that changed from the base of the PR and between c41c8ba and 6a0c040.

📒 Files selected for processing (5)
  • composer.json (1 hunks)
  • package.json (1 hunks)
  • tawkto/readme.txt (2 hunks)
  • tawkto/tawkto.php (11 hunks)
  • tawkto/templates/widget.php (2 hunks)


coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
tawkto/tawkto.php (1)

697-732: Session-based visitor hash logic.
Storing a keyed HMAC using hash_hmac('sha256', ...) is a robust choice, but note that the user’s email is also stored in the session. Ensure this approach meets your privacy and GDPR obligations if applicable. Otherwise, your solution for generating and caching the hash works soundly.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f8c759c and bb999aa.

📒 Files selected for processing (2)
  • tawkto/includes/default_config.php (2 hunks)
  • tawkto/tawkto.php (8 hunks)
🔇 Additional comments (12)
tawkto/includes/default_config.php (4)

4-4: No functional changes, alignment looks fine.


19-19: No functional changes, alignment looks fine.


22-22: No functional changes, alignment looks fine.


25-25: Good addition for versioning.
Adding 'config_version' => 0 introduces a straightforward way to track configuration changes. This looks good as an initial default.

tawkto/tawkto.php (8)

30-30: Straightforward constant declaration.
Defining TAWK_CONFIG_VERSION aligns naming with the database option key, which improves clarity.


95-98: Ensuring backward compatibility.
Initializing the config version if it’s missing is a safe approach to avoid undefined states for existing installs.


139-139: Verify the intended frequency of version updates.
Registering TAWK_CONFIG_VERSION with update_config_version() may increment the config version every time settings are saved. If this is intentional, great. Otherwise, consider decoupling it or adding conditions to avoid unwarranted increments.


539-539: Expanded access for decrypting data.
Changing this method to public allows external calls to decrypt. If that’s the intended design, ensure no unintended exposure occurs.


591-591: New session constant.
Using a named constant for the visitor session key helps keep code consistent and maintainable.


607-608: Potential conflicts with caching plugins.
Invoking start_session() on 'init' can cause issues in WordPress environments that rarely rely on native PHP sessions. Verify compatibility with common caching setups.


610-619: Session handling concerns.
Starting a PHP session within WordPress may lead to unexpected behavior or header conflicts, especially if output has already begun. Confirm that your environment and hosting settings support sessions cleanly.


687-689: Hash assignment looks correct.
This ensures the visitor hash is set only if both the email and hash are non-empty.

@tawk tawk deleted a comment from coderabbitai bot Mar 11, 2025
@eug-L eug-L force-pushed the fix/secure-mode-session-security branch from f7cab1a to 9d2e4a1 Compare March 11, 2025 09:25
coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
tawkto/tawkto.php (1)

683-727:

❓ Verification inconclusive

Secure implementation of visitor hash generation.

The implementation includes several important security features:

  1. Proper session management
  2. Configuration version checking
  3. Email verification
  4. Secure hash generation using HMAC SHA256

This addresses the PR objective of regenerating the hash when the configuration or email changes.

Consider adding session cookie security enhancements:

+if (session_status() === PHP_SESSION_NONE) {
+  $session_params = session_get_cookie_params();
+  session_set_cookie_params(
+    $session_params["lifetime"],
+    $session_params["path"],
+    $session_params["domain"],
+    true, // secure flag
+    true  // httponly flag
+  );
   session_start();
 }
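Review bot: passing true as the secure flag unconditionally in this hunk means the browser will never send the session cookie over plain HTTP, so on an installation served without TLS every request would start with an empty session and the cached visitor hash would never be reused. Derive the flag from the request instead (WordPress exposes is_ssl() for this) and keep the httponly flag as suggested; the other three arguments are correctly carried over from session_get_cookie_params().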

Check if any other code handles session in this plugin:


🏁 Script executed:

#!/bin/bash
# Check for other session handling code
rg "session_start|session_set_cookie_params"

Length of output: 85


Improve Session Cookie Security

The implementation of visitor hash generation is secure overall—with proper session initialization, configuration version checking, email verification, and HMAC SHA256 hash generation. The grep output confirms that the only session handling in the plugin is the call to session_start() in tawkto/tawkto.php.

To further enhance security and ensure that session cookies are protected, please consider incorporating secure cookie parameters using session_set_cookie_params(). For example:

-if ( session_status() === PHP_SESSION_NONE ) {
-  session_start();
-}
+if ( session_status() === PHP_SESSION_NONE ) {
+  $session_params = session_get_cookie_params();
+  session_set_cookie_params(
+    $session_params["lifetime"],
+    $session_params["path"],
+    $session_params["domain"],
+    true,  // secure flag
+    true   // httponly flag
+  );
+  session_start();
+}
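Review bot: this hunk hardens secure and httponly but leaves SameSite unset, which is the attribute that limits cross-site sending of the session cookie. On PHP 7.3 or later session_set_cookie_params() also accepts a single options array with the keys lifetime, path, domain, secure, httponly and samesite, so the same call can add 'samesite' => 'Lax' without the positional argument list. Also worth a comment: when another plugin has already started the session (session_status() === PHP_SESSION_ACTIVE) this whole branch is skipped and the hardened parameters are never applied, since cookie parameters must be set before session_start().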

This change ensures that session cookies are flagged as secure and HTTP-only, further aligning with modern security practices.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro (Legacy)

📥 Commits

Reviewing files that changed from the base of the PR and between 9d2e4a1 and e3b2ae5.

📒 Files selected for processing (1)
  • tawkto/tawkto.php (9 hunks)
🔇 Additional comments (9)
tawkto/tawkto.php (9)

30-30: Good addition of configuration versioning.

Adding a constant for tracking configuration version is essential for the secure mode session security enhancement. This will help in regenerating visitor hashes when configurations change.


135-135: Properly registered configuration version setting.

The registration hooks the setting to the update_config_version method, following WordPress best practices.


435-439: Improved input validation.

Good improvements to the validation logic:

  1. Trimming the API key to remove any accidental whitespace
  2. Simplifying the validation check with a direct error call

444-444: Error message simplification.

Standardizing the error message is a good practice. It provides a clear message without exposing internal details.


537-537: Improved method visibility and return values.

Making the decryption method public is necessary for the visitor hash generation feature. Returning null instead of an empty string on failure makes error checking more consistent and explicit.

Also applies to: 542-542, 551-551


649-649: Proper cleanup on deactivation.

Including the configuration version in the cleanup process ensures no orphaned data remains when the plugin is deactivated.


589-589: Added session storage for visitor data.

This constant will be used to store visitor information in a session, which is a more secure approach than the previous implementation.


673-676: Replaced API key storage with visitor hash.

This change aligns perfectly with the PR objective of enhancing security by not storing the API key directly.


330-337:

✅ Verification successful

Well-implemented auto-incremental configuration version.

The method properly retrieves the current version and increments it by 1. This ensures that visitor hashes will be regenerated whenever configuration changes occur.

Since this will always increment by 1 on each update, let's verify if there are other places in the code that also increment this value to avoid unnecessary increments:


🏁 Script executed:

#!/bin/bash
# Check for other places where TAWK_CONFIG_VERSION is incremented
rg -A 2 -B 2 "TAWK_CONFIG_VERSION.*\+|increment.*TAWK_CONFIG_VERSION" --no-ignore

Length of output: 286


Verified Configuration Version Incrementation

The auto-increment logic in tawkto/tawkto.php (lines 330-337) solely occurs in the update_config_version() method, and our search confirms no other instances incrementing TAWK_CONFIG_VERSION exist elsewhere in the codebase. The implementation correctly retrieves the current version and increments it by 1 to trigger regeneration of visitor hashes upon configuration changes.
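The scheme the PR description and the two CodeRabbit nitpick comments above describe (a keyed HMAC-SHA256 of the visitor email cached in the session, regenerated when the configuration version or the email changes, with the API key itself kept out of the session) is shown below as an added PHP example. It is not the plugin's own code: the function and session key names are assumptions, the API key is assumed to be the HMAC key with the email as the message, and a plain array stands in for $_SESSION so the script runs from the CLI without session_start().

```php
<?php
// Added example, not the tawk.to plugin's own code. Function names, the session
// key name and the sample keys are assumptions made for this demonstration.

const VISITOR_SESSION_KEY = 'tawk_visitor';   // hypothetical session key name

/**
 * Trim the JS API key and require exactly 40 characters, as the PR describes.
 * Returns the trimmed key, or null when it is not acceptable.
 */
function validate_js_api_key(string $api_key): ?string
{
    $api_key = trim($api_key);
    return strlen($api_key) === 40 ? $api_key : null;
}

/**
 * Return the HMAC-SHA256 visitor hash for $email, reusing the copy cached in
 * $session when neither the configuration version nor the email has changed.
 *
 * $session stands in for $_SESSION. Only the hash, the email and the version
 * are cached; the API key is used as the HMAC key and never written to the
 * session. $from_cache reports whether the cached value was reused.
 */
function get_visitor_hash(
    array &$session,
    string $email,
    string $api_key,
    int $config_version,
    bool &$from_cache = false
): ?string {
    $from_cache = false;
    $email = trim($email);
    $api_key = validate_js_api_key($api_key);
    if ($email === '' || $api_key === null) {
        return null;
    }

    $cached = $session[VISITOR_SESSION_KEY] ?? null;
    if (is_array($cached)
        && ($cached['config_version'] ?? null) === $config_version
        && ($cached['email'] ?? null) === $email
        && !empty($cached['hash'])
    ) {
        $from_cache = true;
        return $cached['hash'];
    }

    // Version or email changed (or nothing cached yet): recompute and replace.
    $hash = hash_hmac('sha256', $email, $api_key);
    $session[VISITOR_SESSION_KEY] = [
        'config_version' => $config_version,
        'email'          => $email,
        'hash'           => $hash,
    ];
    return $hash;
}

// Constructed sample data: two 40-character placeholder keys standing in for the
// key before and after an admin saves the settings (which bumps the version).
$key_v1  = str_repeat('a', 40);
$key_v2  = str_repeat('b', 40);
$session = [];

$h1 = get_visitor_hash($session, ' visitor@example.com ', $key_v1, 1, $c1);
$h2 = get_visitor_hash($session, 'visitor@example.com', $key_v1, 1, $c2);
$h3 = get_visitor_hash($session, 'visitor@example.com', $key_v2, 2, $c3);
$h4 = get_visitor_hash($session, 'other@example.com', $key_v2, 2, $c4);

printf("first request            : %s\n", $c1 ? 'reused' : 'computed');
printf("same visitor, same version: %s\n", $c2 ? 'reused' : 'computed');
printf("same visitor, new version : %s (hash changed: %s)\n",
    $c3 ? 'reused' : 'computed', $h3 !== $h2 ? 'yes' : 'no');
printf("new visitor, same version : %s (hash changed: %s)\n",
    $c4 ? 'reused' : 'computed', $h4 !== $h3 ? 'yes' : 'no');
printf("API key present in session: %s\n",
    strpos(json_encode($session), $key_v2) === false ? 'no' : 'yes');
printf("rejected short key        : %s\n",
    get_visitor_hash($session, 'visitor@example.com', 'too-short', 2) === null ? 'yes' : 'no');
```

The cached entry carries the version and email it was computed for, so the comparison at the top of get_visitor_hash() is what makes a settings change or a different logged-in user invalidate the hash; the session itself only ever holds derived data, which is the point of the PR's move away from storing the API key.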

@eug-L eug-L force-pushed the fix/secure-mode-session-security branch from 8d019d8 to 6a0c040 Compare March 24, 2025 13:10
@eug-L eug-L merged commit 9be26cb into master Mar 24, 2025
1 of 2 checks passed
2 participants