api key masking applie to value* app_rest_api_key masking is now appl…

…ied to the value intead of the placeholder text
OneSignal · Mar 31, 2020 · eed578d · eed578d
1 parent f0698b1
commit eed578d
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 15 deletions.
diff --git a/onesignal-admin.php b/onesignal-admin.php
@@ -431,10 +431,12 @@ public static function saveStringSettings(&$onesignal_wp_settings, &$config, $se
         foreach ($settings as $setting) {
             $value = sanitize_text_field($config[$setting]);
 
-            // app_rest_api_key will be empty if the user did not try to change the value
-            // This prevents it from being cleared
-            if ($setting === 'app_rest_api_key' && empty($value))
-                continue;
+            if ($setting === 'app_rest_api_key') {
+                // Only save key if the value has been changed.
+                // This prevents its masked value from becoming the value saved to the DB
+                if (OneSignal::maskedRestApiKey($onesignal_wp_settings[$setting]) === $value)
+                    continue;
+            }
 
             $onesignal_wp_settings[$setting] = $value;
         }

diff --git a/onesignal-settings.php b/onesignal-settings.php
@@ -261,4 +261,8 @@ public static function save_onesignal_settings($settings) {
     $onesignal_wp_settings = $settings;
     update_option("OneSignalWPSetting", $onesignal_wp_settings);
   }
+
+  public static function maskedRestApiKey($rest_api_key) {
+    return str_repeat('*', 44) . substr($rest_api_key, -4);
+  }
 }
diff --git a/views/config.php b/views/config.php
@@ -10,16 +10,6 @@
 // The user is just viewing the config page; this page cannot be accessed directly
 $onesignal_wp_settings = OneSignal::get_onesignal_settings();
 
-// Shows a example key format if value has not been set yet.
-// Or show the last 4 of the API key if it is set.
-// Ensure the OneSignal config page never gets the full key for security
-function formatAPIKeyForPlaceholderView($rest_api_key) {
-  if (empty($rest_api_key))
-    return "Example: " . str_repeat('x', 48);
-
-  return str_repeat('*', 44) . substr($rest_api_key, -4);
-}
-
 ?>
 
 <header class="onesignal">
@@ -300,7 +290,7 @@ function formatAPIKeyForPlaceholderView($rest_api_key) {
           </div>
           <div class="field">
             <label>REST API Key<i class="tiny circular help icon link" role="popup" data-title="Rest API Key" data-content="Your 48 character alphanumeric REST API Key. You can find this in App Settings > Keys & IDs." data-variation="wide"></i></label>
-            <input type="text" name="app_rest_api_key" placeholder="<?php echo esc_attr(formatAPIKeyForPlaceholderView($onesignal_wp_settings['app_rest_api_key'])); ?>">
+            <input type="text" name="app_rest_api_key" placeholder="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" value="<?php echo esc_attr(OneSignal::maskedRestApiKey($onesignal_wp_settings['app_rest_api_key'])); ?>">
           </div>
           <div class="field subdomain-feature">
             <label>OneSignal Label<i class="tiny circular help icon link" role="popup" data-title="Subdomain" data-content="The label you chose for your site. You can find this in Step 2. Wordpress Site Setup" data-variation="wide"></i></label>