From ce379e33c489b565d6ea4ef063436d41e3de4e12 Mon Sep 17 00:00:00 2001
From: Irshad Ahmad
Date: Sun, 1 Dec 2024 11:53:52 +0530
Subject: [PATCH] Fix WP Telegram Login race condition to prevent duplicate Mini App users
---
 .changeset/three-games-wink.md | 5 +++++
 plugins/wptelegram-login/src/includes/Utils.php | 12 ++++++++++--
 .../src/shared/LoginHandler.php | 17 +++++++++++++----
 3 files changed, 28 insertions(+), 6 deletions(-)
 create mode 100644 .changeset/three-games-wink.md
diff --git a/.changeset/three-games-wink.md b/.changeset/three-games-wink.md
new file mode 100644
index 00000000..604e7158
--- /dev/null
+++ b/.changeset/three-games-wink.md
@@ -0,0 +1,5 @@
+---
+"wptelegram-login": patch
+---
+
+Fixed WP Telegram Login race condition to prevent duplicate Mini App users
diff --git a/plugins/wptelegram-login/src/includes/Utils.php b/plugins/wptelegram-login/src/includes/Utils.php
index ff52095a..98b199f7 100644
--- a/plugins/wptelegram-login/src/includes/Utils.php
+++ b/plugins/wptelegram-login/src/includes/Utils.php
@@ -91,7 +91,7 @@ public static function get_default_settings() {
 *
 * @since 1.10.3
 *
- * @param int $tg_user_id Telegram User ID.
+ * @param int|string $tg_user_id Telegram User ID.
 *
 * @return WP_User|false User object or false
 */
@@ -106,6 +106,14 @@ public static function get_user_by_telegram_id( $tg_user_id ) {
 $users = get_users( $args );
- return reset( $users );
+ $user = reset( $users );
+
+ /**
+ * Filter the user found by its Telegram ID.
+ *
+ * @param WP_User|false $user The user object or false.
+ * @param int|string $tg_user_id Telegram User ID.
+ */
+ return apply_filters( 'wptelegram_login_get_user_by_telegram_id', $user, $tg_user_id );
 }
 }
diff --git a/plugins/wptelegram-login/src/shared/LoginHandler.php b/plugins/wptelegram-login/src/shared/LoginHandler.php
index 9805468c..0480392e 100644
--- a/plugins/wptelegram-login/src/shared/LoginHandler.php
+++ b/plugins/wptelegram-login/src/shared/LoginHandler.php
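Review bot: The value returned by apply_filters() on the new last line of get_user_by_telegram_id() is passed back unchecked, so a callback that returns something other than a WP_User or false (an ID, null, a WP_Error) propagates to the caller under a docblock that promises `WP_User|false`. Normalise before returning: `$user = apply_filters( 'wptelegram_login_get_user_by_telegram_id', $user, $tg_user_id );` followed by `return $user instanceof WP_User ? $user : false;`. The filter's docblock should also state that its result is treated as the account owning that Telegram ID, for example `Returning a user here identifies the account that will be logged in for $tg_user_id, so only return accounts verified to own that ID.`. How the caller uses the returned user is outside this hunk and is inferred from the function's name only.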
@@ -53,6 +53,15 @@ public function telegram_login() {
 try {
 $auth_data = $this->validate_auth_data( $input );
+ // Add a lock using transients to prevent multiple concurrent requests.
+ $transient_key = 'wptelegram_login_' . $auth_data['id'];
+
+ if ( get_transient( $transient_key ) ) {
+ sleep( 5 ); // Wait for 5 seconds.
+ }
+
+ set_transient( $transient_key, current_time( 'mysql' ), 10 );
+
 /**
 * Fires before the user data is saved after validation.
 *
@@ -261,6 +270,10 @@ public function validate_auth_data( $input_data ) {
 $auth_data = ! empty( $auth_data['user'] ) ? Utils::sanitize( json_decode( $auth_data['user'], true ) ) : [];
 }
+ if ( empty( $auth_data['id'] ) || empty( $auth_data['first_name'] ) ) {
+ throw new Exception( esc_html__( 'Invalid! The data is incomplete', 'wptelegram-login' ) );
+ }
+
 /**
 * Filter the validated auth data.
 *
@@ -440,10 +453,6 @@ public function unique_email( $user, $host ) {
 */
 public function save_telegram_user_data( $data ) {
- if ( empty( $data['id'] ) || empty( $data['first_name'] ) ) {
- throw new Exception( esc_html__( 'Invalid! The data is incomplete', 'wptelegram-login' ) );
- }
-
 $data = array_map( 'htmlspecialchars', $data );
 // Check if the request is from a logged in user.
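Review bot: The transient guard in telegram_login() is a check-then-act, not a lock: two concurrent requests for the same `id` can both see no transient, both call set_transient() unconditionally, and both continue past it, so the duplicate-user race the commit targets is narrowed rather than closed; only an atomic acquire (for example `wp_cache_add()` backed by a persistent object cache, or a unique-key insert) would actually serialise them. The `sleep( 5 )` branch holds a PHP worker for five seconds per colliding request and then proceeds without re-checking anything, which is both a throughput and a resource-exhaustion concern; failing fast with `throw new Exception( esc_html__( 'A login for this account is already in progress.', 'wptelegram-login' ) );` in place of the sleep is safer. The transient is also never cleared on success or on exception, so a legitimate retry inside the 10-second window pays the sleep as well; initialise `$transient_key = null;` before the `try` and add `finally { if ( $transient_key ) { delete_transient( $transient_key ); } }` after the existing catch, which lies outside this hunk. The rest of the try body and the end of telegram_login() are not shown here.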
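Review bot: The relocated completeness check in validate_auth_data() sits above the `Filter the validated auth data` hook whose docblock follows it, so a filter callback can still return data lacking `id` or `first_name`, and the first hunk then builds `$transient_key` from `$auth_data['id']` with no guard of its own. Either move the four new lines below the apply_filters() call the docblock introduces (not visible in this hunk) or repeat the check on the filtered value before returning it. The apply_filters() call and the method's return lie outside the hunk, so the exact placement is inferred from the docblock.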