Fix ApplePay nonce

2025-09-01 07:02:48 +08:00 · 2023-10-26 16:33:00 +01:00 · 2023-10-26 16:33:00 +01:00 · 2b9ac48616
commit 2b9ac48616
parent 4fbc47f1cf
4 changed files with 37 additions and 19 deletions
--- a/modules/ppcp-applepay/resources/js/ApplepayButton.js
+++ b/modules/ppcp-applepay/resources/js/ApplepayButton.js
@ -25,7 +25,7 @@ class ApplepayButton {

        this.updated_contact_info = []
        this.selectedShippingMethod = []
-        this.nonce = document.getElementById('woocommerce-process-checkout-nonce').value
+        this.nonce = document.getElementById('woocommerce-process-checkout-nonce')?.value

        this.log = function() {
            if ( this.buttonConfig.is_debug ) {
--- a/modules/ppcp-applepay/src/ApplepayModule.php
+++ b/modules/ppcp-applepay/src/ApplepayModule.php
@ -12,6 +12,7 @@ namespace WooCommerce\PayPalCommerce\Applepay;
 use Automattic\WooCommerce\Blocks\Payments\PaymentMethodRegistry;
 use WooCommerce\PayPalCommerce\Applepay\Assets\ApplePayButton;
 use WooCommerce\PayPalCommerce\Applepay\Assets\AppleProductStatus;
+use WooCommerce\PayPalCommerce\Applepay\Assets\PropertiesDictionary;
 use WooCommerce\PayPalCommerce\Button\Assets\ButtonInterface;
 use WooCommerce\PayPalCommerce\Button\Assets\SmartButtonInterface;
 use WooCommerce\PayPalCommerce\Applepay\Helper\AvailabilityNotice;
@ -90,6 +91,27 @@ class ApplepayModule implements ModuleInterface {
 				$apple_payment_method->bootstrap_ajax_request();
 			}
 		);
+
+		add_filter(
+			'nonce_user_logged_out',
+			/**
+			 * Prevents nonce from being changed for non logged in users.
+			 *
+			 * @param int $uid The uid.
+			 * @param string|int $action The action.
+			 * @return int
+			 *
+			 * @psalm-suppress MissingClosureParamType
+			 */
+			function ( $uid, $action ) {
+				if ( $action === PropertiesDictionary::NONCE_ACTION ) {
+					return 0;
+				}
+				return $uid;
+			},
+			100,
+			2
+		);
 	}

 	/**
--- a/modules/ppcp-applepay/src/Assets/DataToAppleButtonScripts.php
+++ b/modules/ppcp-applepay/src/Assets/DataToAppleButtonScripts.php
@ -169,37 +169,32 @@ class DataToAppleButtonScripts {
 		if ( ! $cart ) {
 			return array();
 		}
-		$nonce         = wp_nonce_field( 'woocommerce-process_checkout', 'woocommerce-process-checkout-nonce' );
-		$button_markup =
-			'<div id="applepay-container">'
-			. $nonce
-			. '</div>';
-		$type          = $this->settings->has( 'applepay_button_type' ) ? $this->settings->get( 'applepay_button_type' ) : '';
-		$color         = $this->settings->has( 'applepay_button_color' ) ? $this->settings->get( 'applepay_button_color' ) : '';
-		$lang          = $this->settings->has( 'applepay_button_language' ) ? $this->settings->get( 'applepay_button_language' ) : '';
-		$lang          = apply_filters( 'woocommerce_paypal_payments_applepay_button_language', $lang );
+
+		$type  = $this->settings->has( 'applepay_button_type' ) ? $this->settings->get( 'applepay_button_type' ) : '';
+		$color = $this->settings->has( 'applepay_button_color' ) ? $this->settings->get( 'applepay_button_color' ) : '';
+		$lang  = $this->settings->has( 'applepay_button_language' ) ? $this->settings->get( 'applepay_button_language' ) : '';
+		$lang  = apply_filters( 'woocommerce_paypal_payments_applepay_button_language', $lang );

 		return array(
-			'sdk_url'      => $this->sdk_url,
-			'is_debug'     => defined( 'WP_DEBUG' ) && WP_DEBUG ? true : false,
-			'button'       => array(
+			'sdk_url'  => $this->sdk_url,
+			'is_debug' => defined( 'WP_DEBUG' ) && WP_DEBUG ? true : false,
+			'button'   => array(
 				'wrapper'           => 'applepay-container',
 				'mini_cart_wrapper' => 'applepay-container-minicart',
 				'type'              => $type,
 				'color'             => $color,
 				'lang'              => $lang,
 			),
-			'product'      => array(
+			'product'  => array(
 				'needShipping' => $cart->needs_shipping(),
 				'subtotal'     => $cart->get_subtotal(),
 			),
-			'shop'         => array(
+			'shop'     => array(
 				'countryCode'  => $shop_country_code,
 				'currencyCode' => $currency_code,
 				'totalLabel'   => $total_label,
 			),
-			'ajax_url'     => admin_url( 'admin-ajax.php' ),
-			'buttonMarkup' => $button_markup, // Is this being used?
+			'ajax_url' => admin_url( 'admin-ajax.php' ),
 		);
 	}
 }
--- a/modules/ppcp-applepay/src/Assets/PropertiesDictionary.php
+++ b/modules/ppcp-applepay/src/Assets/PropertiesDictionary.php
@ -74,8 +74,9 @@ class PropertiesDictionary {
 	public const SHIPPING_CONTACT_INVALID = 'shipping Contact Invalid';
 	public const BILLING_CONTACT          = 'billing_contact';

-	public const NONCE   = 'nonce';
-	public const WCNONCE = 'woocommerce-process-checkout-nonce';
+	public const NONCE        = 'nonce';
+	public const NONCE_ACTION = 'woocommerce-process_checkout';
+	public const WCNONCE      = 'woocommerce-process-checkout-nonce';

 	public const CREATE_ORDER_CART_REQUIRED_FIELDS =
 		array(