File: /var/www/html/appointmentbook.me/wp-content/plugins/booknetic-saas/includes/api.php
<?php
use BookneticApp\Frontend\Controller\AjaxHelper;
use BookneticSaaS\Models\Plan;
use BookneticSaaS\Models\Tenant;
use BookneticSaaS\Providers\Helpers\Helper;
use BookneticSaaS\Providers\Helpers\Date;

// Register the two REST routes this file provides. Both accept GET as well
// as POST; the register-user route is gated by the shared API key, the login
// route is open and relies on the signed token it receives.
add_action('rest_api_init', static function (): void {
    // Route table: [namespace, route, callback, permission callback].
    $routes = [
        ['custom-api/v1', '/register-user/', 'register_user_from_main_site', static fn () => is_valid_api_key()],
        ['booknetic-saas/v1', '/login', 'booknetic_saas_login', '__return_true'],
    ];

    foreach ($routes as [$namespace, $route, $callback, $permission]) {
        register_rest_route($namespace, $route, [
            'methods'             => ['GET', 'POST'],
            'callback'            => $callback,
            'permission_callback' => $permission,
        ]);
    }
});

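/**
 * Permission callback for the register-user route.
 *
 * Reads the bearer token from the Authorization request header and compares
 * it with the CUSTOM_API_KEY constant (defined elsewhere in the plugin).
 * Fails closed: no header, no usable SAPI header access, an empty key, or an
 * undefined constant all deny access.
 *
 * @return bool true only when a non-empty key is present and matches.
 */
function is_valid_api_key(): bool {
    // getallheaders() is SAPI-dependent; without it there is nothing to
    // check, so deny instead of falling through.
    $headers = function_exists('getallheaders') ? getallheaders() : [];
    if (!is_array($headers)) {
        return false;
    }

    // HTTP header names are case-insensitive; normalise before the lookup.
    $headers = array_change_key_case($headers, CASE_LOWER);
    $auth = $headers['authorization'] ?? '';
    if (!is_string($auth)) {
        return false;
    }

    // Strip only the scheme prefix. The previous str_replace() removed every
    // "Bearer " occurrence, including any inside the key itself.
    $api_key = str_starts_with($auth, 'Bearer ') ? substr($auth, strlen('Bearer ')) : $auth;

    // An empty key must never match, even if the configured key is empty.
    if ($api_key === '' || !defined('CUSTOM_API_KEY')) {
        return false;
    }

    // Constant-time comparison so response timing does not leak key bytes.
    return hash_equals((string) CUSTOM_API_KEY, $api_key);
}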

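/**
 * REST callback for custom-api/v1/register-user.
 *
 * Creates a WordPress user from the JSON request body sent by the main site,
 * stores the caller's own id in the reference_user_id column of the users
 * table (the key later used by the login route), and creates the SaaS Tenant
 * row on the default plan with a trial expiry. Access is gated by
 * is_valid_api_key() in the route registration, so the body is trusted only
 * as far as the shared key is; every field is still validated here.
 *
 * Expected body: {"username": string, "name": string, "email": string,
 * "user_id": int}. "user_id" is the main-site id stored as reference_user_id.
 *
 * @param WP_REST_Request $request
 * @return WP_REST_Response 200 on success; 400 for bad input; 500 when a
 *                          later step fails (the created user is removed again).
 */
function register_user_from_main_site(WP_REST_Request $request) {
    // Decode first and insist on an object: json_decode() returns null for
    // an invalid body, and null['x'] would silently read as null.
    $data = json_decode((string) $request->get_body(), true);
    if (!is_array($data)) {
        return new WP_REST_Response(['status' => 'error', 'message' => 'Please fill in all required fields!'], 400);
    }

    $username  = sanitize_text_field($data['username'] ?? '');
    $full_name = sanitize_text_field($data['name'] ?? '');
    $email     = sanitize_email($data['email'] ?? '');
    // reference_user_id is bound as an integer elsewhere (%d); accept only a
    // positive integer instead of writing whatever the body contained.
    $reference_user_id = filter_var(
        $data['user_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );

    if ($full_name === '' || $email === '' || $reference_user_id === false) {
        return new WP_REST_Response(['status' => 'error', 'message' => 'Please fill in all required fields!'], 400);
    }
    if (!is_email($email)) {
        return new WP_REST_Response(['status' => 'error', 'message' => 'Invalid email address!'], 400);
    }

    if (email_exists($email)) {
        return new WP_REST_Response(['status' => 'error', 'message' => 'This email is already registered!'], 400);
    }

    // The original intent (per its own comment) was to use the email as the
    // login; fall back to it when no username is supplied.
    if ($username === '') {
        $username = $email;
    }

    // The account is reached through the signed-token login route, not a
    // password form, so give it a random password rather than an empty one.
    $user_id = wp_insert_user([
        'user_login'   => $username,
        'user_email'   => $email,
        'display_name' => $full_name,
        'first_name'   => $full_name,
        'role'         => 'booknetic_saas_tenant',
        'user_pass'    => wp_generate_password(32, true, true),
    ]);

    if (is_wp_error($user_id)) {
        return new WP_REST_Response(['status' => 'error', 'message' => $user_id->get_error_message()], 400);
    }

    // Link the new user to the main-site account. Without this link the
    // login route can never find the user, so a failure here is fatal.
    global $wpdb;
    $updated = $wpdb->update(
        $wpdb->prefix . 'users',
        ['reference_user_id' => $reference_user_id],
        ['ID' => $user_id],
        ['%d'],
        ['%d']
    );
    if ($updated === false) {
        return register_user_from_main_site_rollback($user_id, 'Could not link the user to the main site account.');
    }

    $defaultPlan = Plan::where('is_default', 1)->fetch();
    if (empty($defaultPlan) || empty($defaultPlan->id)) {
        return register_user_from_main_site_rollback($user_id, 'No default plan is configured.');
    }

    // The option may come back as a string; the date expression needs an int.
    $trialPeriod = (int) Helper::getOption('trial_period', 30);
    // 32 hex chars, like the md5() it replaces, but from a CSPRNG so the
    // activation token cannot be predicted from the request time.
    $activation_token = bin2hex(random_bytes(16));

    Tenant::insert([
        'user_id'                   => $user_id,
        'plan_id'                   => $defaultPlan->id,
        'expires_in'                => Date::dateTimeSQL('+' . $trialPeriod . ' days'),
        'email'                     => $email,
        'full_name'                 => $full_name,
        'inserted_at'               => Date::dateTimeSQL(),
        'activation_last_sent_time' => Date::format('Y-m-d H:i:s'),
        'activation_token'          => $activation_token,
    ]);

    $tenantId = Tenant::lastId();

    // Let the rest of the plugin react to the new tenant.
    do_action('bkntcsaas_tenant_sign_up_confirm', $tenantId);

    return new WP_REST_Response(['status' => 'success', 'message' => 'User registered successfully!'], 200);
}

/**
 * Undo a partially completed registration: removes the freshly created
 * WordPress user so the main site can retry, then reports the failure.
 *
 * @param int    $user_id id returned by wp_insert_user()
 * @param string $message user-facing error text
 * @return WP_REST_Response 500 error response carrying $message
 */
function register_user_from_main_site_rollback($user_id, $message) {
    // wp_delete_user() lives in an admin include that is not loaded in a
    // REST request by default.
    if (!function_exists('wp_delete_user')) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }
    wp_delete_user((int) $user_id);

    return new WP_REST_Response(['status' => 'error', 'message' => $message], 500);
}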

// Callback for the login route (registered in the rest_api_init hook above)

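/**
 * REST callback for booknetic-saas/v1/login.
 *
 * Accepts a base64-encoded "token" parameter of the form "<json>.<mac>",
 * where <mac> is hash_hmac('sha256', <json>, CUSTOM_API_KEY) and <json>
 * carries "exp" (unix time) and "user_id" (the main-site id stored as
 * reference_user_id). The MAC is verified before the payload is parsed, the
 * expiry is enforced, and on success the matching WordPress user is logged
 * in and redirected to the dashboard (the function does not return then).
 *
 * Every failure is reported as a WP_Error with an HTTP status instead of
 * die()-ing with a plain-text 200 inside the REST dispatcher.
 *
 * @param WP_REST_Request $request
 * @return WP_Error on any validation failure.
 */
function booknetic_saas_login(WP_REST_Request $request) {
    if (!defined('CUSTOM_API_KEY')) {
        return new WP_Error('server_error', 'Login is not configured.', ['status' => 500]);
    }
    $secret_key = (string) CUSTOM_API_KEY;

    // The token may arrive via GET or POST.
    $token = $request->get_param('token');
    if (!is_string($token) || $token === '') {
        return new WP_Error('no_token', 'Invalid request. Token is required.', ['status' => 400]);
    }

    $decoded = base64_decode($token);
    if (!is_string($decoded)) {
        return new WP_Error('invalid_token', 'Invalid token format.', ['status' => 400]);
    }

    $token_parts = explode('.', $decoded);
    if (count($token_parts) !== 2) {
        return new WP_Error('invalid_token', 'Invalid token format.', ['status' => 400]);
    }
    [$payload_json, $signature] = $token_parts;

    // Verify before parsing: nothing in the payload is trusted until the MAC
    // checks out, and hash_equals() keeps the comparison constant-time.
    $expected = hash_hmac('sha256', $payload_json, $secret_key);
    if (!hash_equals($expected, $signature)) {
        return new WP_Error('invalid_token', 'Invalid signature.', ['status' => 401]);
    }

    $payload = json_decode($payload_json, true);
    if (!is_array($payload)) {
        return new WP_Error('invalid_token', 'Invalid token format.', ['status' => 400]);
    }

    // A missing or non-integer exp is treated as expired, never as
    // "does not expire".
    $exp = filter_var($payload['exp'] ?? null, FILTER_VALIDATE_INT);
    if ($exp === false || time() > $exp) {
        return new WP_Error('token_expired', 'Token expired.', ['status' => 401]);
    }

    // user_id is the main-site id; it is bound as an integer by the lookup.
    $user_id = filter_var($payload['user_id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($user_id === false) {
        return new WP_Error('invalid_user', 'User not found.', ['status' => 404]);
    }

    $user = get_user_by_reference_id($user_id);
    if (!$user) {
        return new WP_Error('invalid_user', 'User not found.', ['status' => 404]);
    }

    // Establish the session for this request and set the persistent cookie.
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID, true);

    // The destination comes from the plugin helper, not from the request.
    wp_redirect(Helper::getURLOfUsersDashboard());
    exit;
}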

/**
 * Look up the users-table row whose reference_user_id equals $reference_id.
 *
 * @param int|string $reference_id main-site id; bound as an integer (%d).
 * @return object|null the raw row, or null when no user carries that id.
 */
function get_user_by_reference_id($reference_id) {
    global $wpdb;

    $usersTable = $wpdb->prefix . 'users';

    // Only the value is a placeholder; the table name comes from $wpdb.
    $sql = $wpdb->prepare(
        "SELECT * FROM $usersTable WHERE reference_user_id = %d",
        $reference_id
    );

    $row = $wpdb->get_row($sql);

    return $row ? $row : null;
}