From d72efdd0b88da38f6084133a6e903408ffdb8f39 Mon Sep 17 00:00:00 2001
From: Josh Kasten
Date: Mon, 30 Mar 2020 20:58:04 -0700
Subject: [PATCH 1/3] Only show the last 4 chars of the REST API key
* This prevents anyone from coping the key from settings that should not have view access to it.
---
 onesignal-admin.php | 9 +++++++--
 views/config.php | 13 ++++++++++++-
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/onesignal-admin.php b/onesignal-admin.php
index fbe53cf..8bb7601 100644
--- a/onesignal-admin.php
+++ b/onesignal-admin.php
@@ -432,9 +432,14 @@ public static function saveBooleanSettings(&$onesignal_wp_settings, &$config, $s
 public static function saveStringSettings(&$onesignal_wp_settings, &$config, $settings)
 {
 foreach ($settings as $setting) {
+ $value = sanitize_text_field($config[$setting]);
+
+ // app_rest_api_key will be empty if the user did not try to change the value
+ // This prevents it from being cleared
+ if ($setting === 'app_rest_api_key' && empty($value))
+ continue;
+
 if (array_key_exists($setting, $config)) {
- $value = $config[$setting];
- $value = sanitize_text_field($value);
 $onesignal_wp_settings[$setting] = $value;
 }
 }
diff --git a/views/config.php b/views/config.php
index e6ba57f..e964b35 100644
--- a/views/config.php
+++ b/views/config.php
@@ -9,6 +9,17 @@
 // The user is just viewing the config page; this page cannot be accessed directly
 $onesignal_wp_settings = OneSignal::get_onesignal_settings();
+
+// Shows a example key format if value has not been set yet.
+// Or show the last 4 of the API key if it is set.
+// Ensure the OneSignal config page never gets the full key for security
+function formatAPIKeyForPlaceholderView($rest_api_key) {
+ if (empty($rest_api_key))
+ return "Example: " . str_repeat('x', 48);
+
+ return str_repeat('*', 44) . substr($rest_api_key, -4);
+}
+
 ?>
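Review bot: `$value = sanitize_text_field($config[$setting]);` now executes before the `array_key_exists($setting, $config)` guard, so any name in the settings list that is absent from the posted form raises an undefined-index notice and the guard below no longer protects that read. Keep the read behind the guard, e.g. make `if (!array_key_exists($setting, $config)) continue;` the first statement of the loop body and move the `sanitize_text_field` line after it. Separately, `empty($value)` treats the string `'0'` as unset, and because an empty submission is skipped the form can no longer clear a stored key at all — if that is intended, state it in the comment rather than leaving it implied. The enclosing class and the rest of the file are outside the hunk.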
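Review bot: `formatAPIKeyForPlaceholderView` is a global function declared inside a view template, so if this view is ever included twice in one request PHP fails with a redeclaration error, and a template is an odd place for key-masking logic that the save path must agree with — a static method on the `OneSignal` class would be a safer home. The masking still shows the last four characters of the key to anyone who can open the settings page; that is a reasonable trade-off, but it should be stated explicitly in the comment, e.g. `// Deliberately exposes the last 4 chars so an admin can recognise which key is configured; never the full key`. Note that `substr($rest_api_key, -4)` returns the whole input for keys shorter than four characters, which is harmless here but worth a guard if such values can be stored. The comment `// Shows a example key format if value has not been set yet.` should read `// Shows an example key format if no value has been set yet.`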
@@ -289,7 +300,7 @@
- +
From f0698b15bfb098b4d3a169cf3551f01395babedc Mon Sep 17 00:00:00 2001
From: Josh Kasten
Date: Mon, 30 Mar 2020 21:28:17 -0700
Subject: [PATCH 2/3] Save err on missing http_permission_request_modal
* Deleted old missing http_permission_request_modal* config keys that were creating save errors with changed saveStringSettings logic
---
 onesignal-admin.php | 7 +------
 onesignal-settings.php | 3 ---
 2 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/onesignal-admin.php b/onesignal-admin.php
index 8bb7601..ee12e4c 100644
--- a/onesignal-admin.php
+++ b/onesignal-admin.php
@@ -406,9 +406,6 @@ public static function save_config_page($config)
 'allowed_custom_post_types',
 'notification_title',
 'custom_manifest_url',
- 'http_permission_request_modal_title',
- 'http_permission_request_modal_message',
- 'http_permission_request_modal_button_text',
 'persist_notifications',
 );
 OneSignal_Admin::saveStringSettings($onesignal_wp_settings, $config, $stringSettings);
@@ -439,9 +436,7 @@ public static function saveStringSettings(&$onesignal_wp_settings, &$config, $se
 if ($setting === 'app_rest_api_key' && empty($value))
 continue;
- if (array_key_exists($setting, $config)) {
- $onesignal_wp_settings[$setting] = $value;
- }
+ $onesignal_wp_settings[$setting] = $value;
 }
 }
diff --git a/onesignal-settings.php b/onesignal-settings.php
index 66a267e..e18015f 100644
--- a/onesignal-settings.php
+++ b/onesignal-settings.php
@@ -87,9 +87,6 @@ public static function get_onesignal_settings() {
 'use_custom_sdk_init' => false,
 'show_notification_send_status_message' => true,
 'use_http_permission_request' => 'CALCULATE_SPECIAL_VALUE',
- 'http_permission_request_modal_title' => '',
- 'http_permission_request_modal_message' => '',
- 'http_permission_request_modal_button_text' => '',
 'persist_notifications' => 'CALCULATE_SPECIAL_VALUE'
 );
From eed578d5ff7335b1706e7b3079d52ddc6ed65302 Mon Sep 17 00:00:00 2001
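Review bot: Removing the `array_key_exists($setting, $config)` guard in `saveStringSettings` means every name in the settings list is now read from `$config` unconditionally, so any field missing from a posted form — not only the three keys this commit deletes — produces an undefined-index notice and then overwrites the stored value with `''`. The save error the message describes came from reading `$config[$setting]` above the guard, not from the guard itself, so the fix is to restore the skip rather than drop it: `if (!array_key_exists($setting, $config)) continue;` as the first statement of the loop body, ahead of the `sanitize_text_field` call that sits above this hunk. The `foreach` header and the start of the method are outside the hunk.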
From: Josh Kasten
Date: Mon, 30 Mar 2020 21:55:12 -0700
Subject: [PATCH 3/3] api key masking applie to value
* app_rest_api_key masking is now applied to the value intead of the placeholder text
---
 onesignal-admin.php | 10 ++++++----
 onesignal-settings.php | 4 ++++
 views/config.php | 12 +-----------
 3 files changed, 11 insertions(+), 15 deletions(-)
diff --git a/onesignal-admin.php b/onesignal-admin.php
index ee12e4c..37e2f34 100644
--- a/onesignal-admin.php
+++ b/onesignal-admin.php
@@ -431,10 +431,12 @@ public static function saveStringSettings(&$onesignal_wp_settings, &$config, $se
 foreach ($settings as $setting) {
 $value = sanitize_text_field($config[$setting]);
- // app_rest_api_key will be empty if the user did not try to change the value
- // This prevents it from being cleared
- if ($setting === 'app_rest_api_key' && empty($value))
- continue;
+ if ($setting === 'app_rest_api_key') {
+ // Only save key if the value has been changed.
+ // This prevents its masked value from becoming the value saved to the DB
+ if (OneSignal::maskedRestApiKey($onesignal_wp_settings[$setting]) === $value)
+ continue;
+ }
 $onesignal_wp_settings[$setting] = $value;
 }
diff --git a/onesignal-settings.php b/onesignal-settings.php
index e18015f..590fbd9 100644
--- a/onesignal-settings.php
+++ b/onesignal-settings.php
@@ -261,4 +261,8 @@ public static function save_onesignal_settings($settings) {
 $onesignal_wp_settings = $settings;
 update_option("OneSignalWPSetting", $onesignal_wp_settings);
 }
+
+ public static function maskedRestApiKey($rest_api_key) {
+ return str_repeat('*', 44) . substr($rest_api_key, -4);
+ }
 }
\ No newline at end of file
diff --git a/views/config.php b/views/config.php
index e964b35..ea2c332 100644
--- a/views/config.php
+++ b/views/config.php
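Review bot: `OneSignal::maskedRestApiKey($onesignal_wp_settings[$setting])` reads the stored key without checking that it exists, so on an install where `app_rest_api_key` has never been saved this line emits a notice and masks an empty string; guard it with `isset($onesignal_wp_settings[$setting]) ? $onesignal_wp_settings[$setting] : ''`. The more important gap is that the check only recognises the exact masked sentinel: a value that was merely edited — one `*` removed, or the four visible characters retyped — does not match, and is persisted as a broken key that silently replaces the working one. If OneSignal REST keys never contain `*` (verify against the key format), reject any submitted value containing that character instead of matching only the full sentinel, and say so in the comment: `// Reject anything that still carries the mask rather than a freshly pasted key`. Using `===` here is appropriate since the masked string is not a secret. The `foreach` closes inside the hunk but the enclosing method ends outside it.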
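Review bot: `maskedRestApiKey` is undocumented and untyped, yet both the settings view and `saveStringSettings` depend on it producing the same string for the same key, so that contract should be written down. Suggested docblock above the method: `/** Masks a REST API key for display as 44 asterisks followed by its last 4 characters. The save path compares the submitted field to this string to detect an unchanged key, so the output must stay deterministic for a given input. */` Also worth stating that `substr($rest_api_key, -4)` returns the whole input when it is shorter than four characters and that an empty key yields only the 44 asterisks — both harmless, but a reader will otherwise wonder. The class's closing brace is inside the hunk; the file has no trailing newline, which the diff flags and which is worth fixing while here.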
@@ -10,16 +10,6 @@
 // The user is just viewing the config page; this page cannot be accessed directly
 $onesignal_wp_settings = OneSignal::get_onesignal_settings();
-// Shows a example key format if value has not been set yet.
-// Or show the last 4 of the API key if it is set.
-// Ensure the OneSignal config page never gets the full key for security
-function formatAPIKeyForPlaceholderView($rest_api_key) {
- if (empty($rest_api_key))
- return "Example: " . str_repeat('x', 48);
-
- return str_repeat('*', 44) . substr($rest_api_key, -4);
-}
-
 ?>
@@ -300,7 +290,7 @@ function formatAPIKeyForPlaceholderView($rest_api_key) {
- +