Better storing of credentials for hosting providers

inc/admin-pages/class-hosting-integration-wizard-admin-page.php

@@ -219,7 +219,7 @@ public function section_configuration(): void {
 		$fields = $this->integration->get_fields();
 
 		foreach ($fields as $field_constant => &$field) {
-			$field['value'] = defined($field_constant) && constant($field_constant) ? constant($field_constant) : '';
+			$field['value'] = $this->integration->get_credential($field_constant);
 		}
 
 		$form = new \WP_Ultimo\UI\Form(
@@ -319,22 +319,7 @@ public function handle_configuration(): void {
 			}
 		}
 
-		if ((int) wu_request('submit') === 0) {
-			$redirect_url = add_query_arg(
-				[
-					'manual' => '1',
-					'post'   => wp_json_encode($filtered_data),
-				]
-			);
-
-			wp_safe_redirect($redirect_url);
-
-			exit;
-		}
-
-		if ((int) wu_request('submit') === 1) {
-			$this->integration->setup_constants($filtered_data);
-		}
+		$this->integration->save_credentials($filtered_data);
 
 		$redirect_url = $this->get_next_section_link();
 

inc/helpers/class-credential-store.php

@@ -0,0 +1,123 @@
+<?php
+/**
+ * Credential Store helper for encrypting/decrypting hosting integration credentials.
+ *
+ * @package WP_Ultimo
+ * @subpackage Helpers
+ * @since 2.3.0
+ */
+
+namespace WP_Ultimo\Helpers;
+
+// Exit if accessed directly
+defined('ABSPATH') || exit;
+
+/**
+ * Handles encryption and decryption of hosting credentials stored in network options.
+ *
+ * @since 2.3.0
+ */
+class Credential_Store {
+
+	/**
+	 * The cipher method used for encryption.
+	 *
+	 * @var string
+	 */
+	const CIPHER_METHOD = 'aes-256-cbc';
+
+	/**
+	 * Prefix for encrypted values to identify them.
+	 *
+	 * @var string
+	 */
+	const ENCRYPTED_PREFIX = '$wu_enc$';
+
+	/**
+	 * Encrypt a value for storage.
+	 *
+	 * @since 2.3.0
+	 *
+	 * @param string $value The plaintext value to encrypt.
+	 * @return string The encrypted value.
+	 */
+	public static function encrypt(string $value): string {
+
+		if (empty($value)) {
+			return '';
+		}
+
+		if ( ! function_exists('openssl_encrypt') || ! in_array(self::CIPHER_METHOD, openssl_get_cipher_methods(), true)) {
+			return self::ENCRYPTED_PREFIX . base64_encode($value); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
+		}
+
+		$key = self::get_encryption_key();
+		$iv  = openssl_random_pseudo_bytes(openssl_cipher_iv_length(self::CIPHER_METHOD));
+
+		$encrypted = openssl_encrypt($value, self::CIPHER_METHOD, $key, 0, $iv);
+
+		if (false === $encrypted) {
+			return self::ENCRYPTED_PREFIX . base64_encode($value); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
+		}
+
+		return self::ENCRYPTED_PREFIX . base64_encode($iv . '::' . $encrypted); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
+	}
+
+	/**
+	 * Decrypt a stored value.
+	 *
+	 * @since 2.3.0
+	 *
+	 * @param string $value The encrypted value to decrypt.
+	 * @return string The decrypted plaintext value.
+	 */
+	public static function decrypt(string $value): string {
+
+		if (empty($value)) {
+			return '';
+		}
+
+		if (strpos($value, self::ENCRYPTED_PREFIX) !== 0) {
+			return $value;
+		}
+
+		$encoded = substr($value, strlen(self::ENCRYPTED_PREFIX));
+		$decoded = base64_decode($encoded); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode
+
+		if (false === $decoded) {
+			return '';
+		}
+
+		if (strpos($decoded, '::') === false) {
+			return $decoded;
+		}
+
+		if ( ! function_exists('openssl_decrypt') || ! in_array(self::CIPHER_METHOD, openssl_get_cipher_methods(), true)) {
+			return $decoded;
+		}
+
+		$parts = explode('::', $decoded, 2);
+
+		if (count($parts) !== 2) {
+			return '';
+		}
+
+		[$iv, $encrypted] = $parts;
+
+		$key       = self::get_encryption_key();
+		$decrypted = openssl_decrypt($encrypted, self::CIPHER_METHOD, $key, 0, $iv);
+
+		return false === $decrypted ? '' : $decrypted;
+	}
+
+	/**
+	 * Get the encryption key derived from WordPress salts.
+	 *
+	 * @since 2.3.0
+	 * @return string
+	 */
+	private static function get_encryption_key(): string {
+
+		return hash('sha256', wp_salt('auth'), true);
+	}
+}

inc/integrations/host-providers/class-base-host-provider.php

@@ -9,6 +9,7 @@
 
 namespace WP_Ultimo\Integrations\Host_Providers;
 
+use WP_Ultimo\Helpers\Credential_Store;
 use WP_Ultimo\Helpers\WP_Config;
 
 // Exit if accessed directly
@@ -398,6 +399,66 @@ public function load_dependencies() {}
 	 */
 	abstract public function detect();
 
+	/**
+	 * Retrieves a credential value by constant name.
+	 *
+	 * Constants defined in wp-config.php take priority over stored network options.
+	 *
+	 * @since 2.3.0
+	 *
+	 * @param string $constant_name The constant name to look up.
+	 * @return string The credential value, or empty string if not found.
+	 */
+	public function get_credential(string $constant_name): string {
+
+		if (defined($constant_name) && constant($constant_name)) {
+			return (string) constant($constant_name);
+		}
+
+		$stored = get_network_option(null, 'wu_hosting_credential_' . $constant_name, '');
+
+		if ( ! empty($stored)) {
+			return Credential_Store::decrypt($stored);
+		}
+
+		return '';
+	}
+
+	/**
+	 * Saves credential values as encrypted network options.
+	 *
+	 * @since 2.3.0
+	 *
+	 * @param array $constant_values Key => Value pairs of credential constants.
+	 * @return void
+	 */
+	public function save_credentials(array $constant_values): void {
+
+		$allowed = array_flip($this->get_all_constants());
+		$values  = shortcode_atts($allowed, $constant_values);
+
+		foreach ($values as $constant_name => $value) {
+			if ( ! empty($value)) {
+				update_network_option(null, 'wu_hosting_credential_' . $constant_name, Credential_Store::encrypt($value));
+			} else {
+				delete_network_option(null, 'wu_hosting_credential_' . $constant_name);
+			}
+		}
+	}
+
+	/**
+	 * Deletes all stored credentials for this integration.
+	 *
+	 * @since 2.3.0
+	 * @return void
+	 */
+	public function delete_credentials(): void {
+
+		foreach ($this->get_all_constants() as $constant_name) {
+			delete_network_option(null, 'wu_hosting_credential_' . $constant_name);
+		}
+	}
+
 	/**
 	 * Checks if the integration is correctly setup after enabled.
 	 *
@@ -414,7 +475,7 @@ public function is_setup() {
 			$current = false;
 
 			foreach ($constants as $constant) {
-				if (defined($constant) && constant($constant)) {
+				if ($this->get_credential($constant)) {
 					$current = true;
 
 					break;
@@ -450,7 +511,7 @@ public function get_missing_constants() {
 			$current = false;
 
 			foreach ($constants as $constant) {
-				if (defined($constant) && constant($constant)) {
+				if ($this->get_credential($constant)) {
 					$current = true;
 
 					break;

inc/integrations/host-providers/class-closte-host-provider.php

@@ -115,7 +115,7 @@ public function ssl_tries($max_tries, $domain) {
 	 */
 	public function detect() {
 
-		return defined('CLOSTE_CLIENT_API_KEY') && CLOSTE_CLIENT_API_KEY;
+		return (bool) $this->get_credential('CLOSTE_CLIENT_API_KEY');
 	}
 
 	/**
@@ -304,25 +304,16 @@ public function test_connection(): void {
 	 */
 	public function send_closte_api_request($endpoint, $data) {
 
-		if (defined('CLOSTE_CLIENT_API_KEY') === false) {
-			wu_log_add('integration-closte', 'CLOSTE_CLIENT_API_KEY constant not defined');
-			return [
-				'success' => false,
-				'error'   => 'Closte API Key not found.',
-			];
-		}
+		$api_key = $this->get_credential('CLOSTE_CLIENT_API_KEY');
 
-		if (empty(CLOSTE_CLIENT_API_KEY)) {
-			wu_log_add('integration-closte', 'CLOSTE_CLIENT_API_KEY is empty');
+		if (empty($api_key)) {
+			wu_log_add('integration-closte', 'CLOSTE_CLIENT_API_KEY constant not defined or empty');
 			return [
 				'success' => false,
-				'error'   => 'Closte API Key is empty.',
+				'error'   => 'Closte API Key not found.',
 			];
 		}
 
-		// Try different authentication methods
-		$api_key = CLOSTE_CLIENT_API_KEY;
-
 		$post_fields = [
 			'blocking' => true,
 			'timeout'  => 45,

inc/integrations/host-providers/class-cloudflare-host-provider.php

@@ -80,7 +80,7 @@ public function add_cloudflare_dns_entries($dns_records, $domain) {
 
 		$zone_ids = [];
 
-		$default_zone_id = defined('WU_CLOUDFLARE_ZONE_ID') && WU_CLOUDFLARE_ZONE_ID ? WU_CLOUDFLARE_ZONE_ID : false;
+		$default_zone_id = $this->get_credential('WU_CLOUDFLARE_ZONE_ID') ?: false;
 
 		if ($default_zone_id) {
 			$zone_ids[] = $default_zone_id;
@@ -235,7 +235,7 @@ public function on_add_subdomain($subdomain, $site_id): void {
 
 		global $current_site;
 
-		$zone_id = defined('WU_CLOUDFLARE_ZONE_ID') && WU_CLOUDFLARE_ZONE_ID ? WU_CLOUDFLARE_ZONE_ID : '';
+		$zone_id = $this->get_credential('WU_CLOUDFLARE_ZONE_ID');
 
 		if ( ! $zone_id) {
 			return;
@@ -312,7 +312,7 @@ public function on_remove_subdomain($subdomain, $site_id): void {
 
 		global $current_site;
 
-		$zone_id = defined('WU_CLOUDFLARE_ZONE_ID') && WU_CLOUDFLARE_ZONE_ID ? WU_CLOUDFLARE_ZONE_ID : '';
+		$zone_id = $this->get_credential('WU_CLOUDFLARE_ZONE_ID');
 
 		if ( ! $zone_id) {
 			return;
@@ -390,7 +390,7 @@ protected function cloudflare_api_call($endpoint = 'client/v4/user/tokens/verify
 				'body'        => 'GET' === $method ? $data : wp_json_encode($data),
 				'data_format' => 'body',
 				'headers'     => [
-					'Authorization' => sprintf('Bearer %s', defined('WU_CLOUDFLARE_API_KEY') ? WU_CLOUDFLARE_API_KEY : ''),
+					'Authorization' => sprintf('Bearer %s', $this->get_credential('WU_CLOUDFLARE_API_KEY')),
 					'Content-Type'  => 'application/json',
 				],
 			]

inc/integrations/host-providers/class-cloudways-host-provider.php

@@ -398,10 +398,10 @@ protected function get_domain_list() {
 
 		$domain_list = $this->get_all_mapped_domains();
 
-		$extra_domains = defined('WU_CLOUDWAYS_EXTRA_DOMAINS') && WU_CLOUDWAYS_EXTRA_DOMAINS;
+		$extra_domains = $this->get_credential('WU_CLOUDWAYS_EXTRA_DOMAINS');
 
 		if ($extra_domains) {
-			$extra_domains_list = array_filter(array_map('trim', explode(',', (string) WU_CLOUDWAYS_EXTRA_DOMAINS)));
+			$extra_domains_list = array_filter(array_map('trim', explode(',', $extra_domains)));
 
 			$domain_list = array_merge($domain_list, $extra_domains_list);
 		}
@@ -430,8 +430,8 @@ protected function get_cloudways_access_token() {
 						'content-type'  => 'application/x-www-form-urlencoded',
 					],
 					'body'     => [
-						'email'   => defined('WU_CLOUDWAYS_EMAIL') ? WU_CLOUDWAYS_EMAIL : '',
-						'api_key' => defined('WU_CLOUDWAYS_API_KEY') ? WU_CLOUDWAYS_API_KEY : '',
+						'email'   => $this->get_credential('WU_CLOUDWAYS_EMAIL'),
+						'api_key' => $this->get_credential('WU_CLOUDWAYS_API_KEY'),
 					],
 				]
 			);
@@ -473,15 +473,15 @@ protected function send_cloudways_request($endpoint, $data = [], $method = 'POST
 		if ('GET' === $method) {
 			$endpoint_url = add_query_arg(
 				[
-					'server_id' => defined('WU_CLOUDWAYS_SERVER_ID') ? WU_CLOUDWAYS_SERVER_ID : '',
-					'app_id'    => defined('WU_CLOUDWAYS_APP_ID') ? WU_CLOUDWAYS_APP_ID : '',
+					'server_id' => $this->get_credential('WU_CLOUDWAYS_SERVER_ID'),
+					'app_id'    => $this->get_credential('WU_CLOUDWAYS_APP_ID'),
 				],
 				$endpoint_url
 			);
 		} else {
-			$data['server_id'] = defined('WU_CLOUDWAYS_SERVER_ID') ? WU_CLOUDWAYS_SERVER_ID : '';
-			$data['app_id']    = defined('WU_CLOUDWAYS_APP_ID') ? WU_CLOUDWAYS_APP_ID : '';
-			$data['ssl_email'] = defined('WU_CLOUDWAYS_EMAIL') ? WU_CLOUDWAYS_EMAIL : '';
+			$data['server_id'] = $this->get_credential('WU_CLOUDWAYS_SERVER_ID');
+			$data['app_id']    = $this->get_credential('WU_CLOUDWAYS_APP_ID');
+			$data['ssl_email'] = $this->get_credential('WU_CLOUDWAYS_EMAIL');
 			$data['wild_card'] = false;
 		}