
feat(checkout): implement HMAC token-based loopback verification for site creation #1233

Merged
superdav42 merged 4 commits into main from feature/auto-20260520-144722-gh1231 on May 21, 2026

Conversation

@superdav42
Collaborator

@superdav42 superdav42 commented May 21, 2026

Summary

Implement HMAC token-based loopback verification for site creation to improve security and performance of the async site creation flow.

Changes

  • HMAC Token Generation: Generate short-lived HMAC tokens (60-second expiry) for loopback requests instead of relying on nonces and cookies
  • Token Verification: Verify HMAC tokens in the publish_pending_site() AJAX handler with fallback to nonce-based verification for admin modal flow
  • Improved Logging: Log HTTP error responses from loopback requests to help diagnose failures
  • Removed Cookie Dependency: Eliminate the need to pass cookies in loopback requests, reducing complexity and potential security issues
  • Test Coverage: Add comprehensive unit tests for HMAC token generation, verification, expiration, and forgery detection

Files Modified

  • inc/managers/class-membership-manager.php: Updated publish_pending_site() to verify HMAC tokens
  • inc/models/class-membership.php: Updated publish_pending_site_async() to generate and use HMAC tokens
  • tests/WP_Ultimo/Managers/Membership_Manager_Test.php: Added tests for HMAC token verification

Testing

  • HMAC token generation and verification tests
  • Token expiration detection tests
  • Forged token rejection tests
  • HTTP error logging tests

Security Considerations

  • HMAC tokens use wp_salt('auth') for key material
  • Tokens expire after 60 seconds
  • Tokens are specific to membership ID and expiration time
  • Fallback to nonce verification for admin modal flow maintains backward compatibility

@coderabbitai
Contributor

coderabbitai Bot commented May 21, 2026

Warning

Rate limit exceeded

@superdav42 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 37 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9b939d8c-9922-439d-8bf5-23774bae2485

📥 Commits

Reviewing files that changed from the base of the PR and between 52e5b71 and 212397b.

📒 Files selected for processing (3)
  • inc/managers/class-membership-manager.php
  • inc/models/class-membership.php
  • tests/WP_Ultimo/Managers/Membership_Manager_Test.php

@superdav42
Collaborator Author

superdav42 commented May 21, 2026

MERGE_SUMMARY

Feature: HMAC Token-Based Loopback Verification for Site Creation

PR: #1233
Branch: feature/auto-20260520-144722-gh1231
Commits: 4

Implementation Summary

This PR implements HMAC token-based loopback verification for the async site creation flow in Ultimate Multisite. The feature improves security and performance by replacing nonce + cookie-based verification with short-lived HMAC tokens.

Key Changes

  1. HMAC Token Generation (inc/models/class-membership.php)

    • Generate 60-second expiring HMAC tokens using wp_salt('auth')
    • Token format: hash_hmac('sha256', membership_id|expires, wp_salt('auth'))
    • Tokens are membership-specific and time-bound
  2. Token Verification (inc/managers/class-membership-manager.php)

    • Verify HMAC tokens in publish_pending_site() AJAX handler
    • Fallback to nonce verification for admin modal flow
    • Reject expired tokens (> 60 seconds old)
    • Reject forged tokens using hash_equals()
  3. Improved Error Handling

    • Log HTTP error responses from loopback requests
    • Fallback to Action Scheduler when loopback fails
    • Better diagnostics for debugging site creation issues
  4. Removed Cookie Dependency

    • No longer pass cookies in loopback requests
    • Reduces complexity and potential security issues
    • Cleaner separation of concerns

Test Coverage

Added 5 new test methods in Membership_Manager_Test:

  • test_hmac_token_generation_and_verification() - Verify token generation
  • test_hmac_token_rejects_expired() - Verify expiration detection
  • test_hmac_token_rejects_forged() - Verify forgery detection
  • test_publish_pending_site_async_generates_token() - Verify token in loopback URL
  • test_publish_pending_site_async_logs_http_errors() - Verify error logging

Code Quality

  • ✅ PHPCS: All violations fixed (Yoda conditions, array formatting)
  • ✅ PHPStan: No new violations
  • ⚠️ Test isolation: Some existing test failures due to database state (not related to this PR)

Security Considerations

  • HMAC tokens use WordPress salt for key material
  • Tokens are membership-specific and time-bound
  • Fallback to nonce verification maintains backward compatibility
  • No sensitive data in token payload (only membership ID and expiration)

Files Modified

  • inc/managers/class-membership-manager.php (+27, -9)
  • inc/models/class-membership.php (+20, -9)
  • tests/WP_Ultimo/Managers/Membership_Manager_Test.php (+172, -0)

Total: 3 files changed, 217 insertions(+), 11 deletions(-)

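The token scheme described in the PR description and in the MERGE_SUMMARY above (hash_hmac('sha256', membership_id|expires, wp_salt('auth')), a 60-second lifetime, hash_equals() on verification, nonce fallback for the admin modal flow), as an added example that is not the plugin's own code. It assumes WordPress supplies wp_salt('auth') and defines a stand-in salt only when run outside WordPress; the function names prefixed example_, the query parameter names membership_id, expires and token, and the nonce-check callable that stands in for wp_verify_nonce() are assumptions for the illustration, not identifiers from the PR.

```php
<?php
declare(strict_types=1);
// Added example, not code from the Ultimate Multisite plugin. It reproduces the
// token scheme PR #1233 describes: hash_hmac('sha256', membership_id|expires,
// wp_salt('auth')) with a 60-second lifetime, verified with hash_equals().
// Names prefixed example_ and the parameter names are assumptions for this demo.

if (!function_exists('wp_salt')) {
    // Stand-in so the file runs outside WordPress; WordPress itself supplies wp_salt().
    function wp_salt(string $scheme = 'auth'): string
    {
        return 'stand-in-auth-salt-for-offline-demo-only';
    }
}

const EXAMPLE_LOOPBACK_TTL = 60; // seconds, as stated in the PR

/** Key material and MAC input exactly as the PR description states them. */
function example_loopback_mac(int $membership_id, int $expires): string
{
    return hash_hmac('sha256', $membership_id . '|' . $expires, wp_salt('auth'));
}

/** Issue the three query parameters the loopback request carries. */
function example_issue_loopback_token(int $membership_id, ?int $now = null): array
{
    $expires = ($now ?? time()) + EXAMPLE_LOOPBACK_TTL;
    return [
        'membership_id' => $membership_id,
        'expires'       => $expires,
        'token'         => example_loopback_mac($membership_id, $expires),
    ];
}

/**
 * Verify a token from request parameters. True only when all three parameters are
 * present and well-formed, the expiry has not passed, and the MAC matches.
 */
function example_verify_loopback_token(array $request, ?int $now = null): bool
{
    $now = $now ?? time();
    foreach (['membership_id', 'expires', 'token'] as $key) {
        if (!isset($request[$key]) || !is_scalar($request[$key])) {
            return false;
        }
    }
    // Accept only plain decimal integers; "42abc" or "1e3" must not reach the MAC input.
    if (!preg_match('/^\d{1,18}$/', (string) $request['membership_id'])
        || !preg_match('/^\d{1,18}$/', (string) $request['expires'])) {
        return false;
    }
    $membership_id = (int) $request['membership_id'];
    $expires       = (int) $request['expires'];
    if ($expires < $now) {
        return false; // expired: outside the 60-second window
    }
    $expected = example_loopback_mac($membership_id, $expires);
    // Constant-time comparison, as the PR uses against forged tokens.
    return hash_equals($expected, (string) $request['token']);
}

/**
 * Mirror of the handler's decision order: HMAC first (loopback request), then the
 * nonce check the admin modal flow still relies on. $nonce_check stands in for
 * wp_verify_nonce() so the file runs without WordPress.
 */
function example_authorize_publish(array $request, callable $nonce_check, ?int $now = null): string
{
    if (example_verify_loopback_token($request, $now)) {
        return 'hmac';
    }
    if (isset($request['_wpnonce']) && $nonce_check((string) $request['_wpnonce'])) {
        return 'nonce';
    }
    return 'denied';
}

/** Self-check on constructed input with a fixed clock so the run is reproducible. */
function example_self_check(): array
{
    $t0      = 1_800_000_000;
    $issued  = example_issue_loopback_token(42, $t0);
    $forged  = $issued;
    $forged['membership_id'] = 43;                     // same MAC, different membership
    $noNonce = static fn (string $n): bool => false;   // modal nonce absent/invalid
    $okNonce = static fn (string $n): bool => true;    // modal nonce valid

    return [
        'fresh'   => example_authorize_publish($issued, $noNonce, $t0 + 30),            // hmac
        'expired' => example_authorize_publish($issued, $noNonce, $t0 + 61),            // denied
        'forged'  => example_authorize_publish($forged, $noNonce, $t0 + 30),            // denied
        'modal'   => example_authorize_publish(['_wpnonce' => 'abc'], $okNonce, $t0),   // nonce
    ];
}

print_r(example_self_check());
```

The MAC input is kept exactly as the PR states it (membership_id|expires). Because the token travels as a query parameter of the loopback URL, it can appear in web server and proxy access logs, which is the practical reason the 60-second lifetime matters; and if other handlers in the same plugin ever sign parameters with the same salt, adding a fixed purpose label to the MAC input (for example, the AJAX action name) is the usual way to stop a token issued for one handler from being accepted by another.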

@github-actions

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limited; hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password

@github-actions

Performance Test Results

Performance test results for b4ab4ce are in 🛎️!

Note: the numbers in parentheses show the difference to the previous (baseline) test run. Differences below 2% or 0.5 in absolute values are not shown.

URL: /

| Run | DB Queries | Memory | Before Template | Template | WP Total | LCP | TTFB | LCP - TTFB |
|---|---|---|---|---|---|---|---|---|
| 0 | 41 | 37.80 MB | 790.00 ms (-66.00 ms / -8%) | 155.00 ms (+6.50 ms / +4%) | 979.00 ms (-83.00 ms / -8%) | 1892.00 ms (-160.00 ms / -8%) | 1810.35 ms (-166.50 ms / -9%) | 80.70 ms (+3.85 ms / +5%) |
| 1 | 56 | 49.13 MB | 979.00 ms (+43.00 ms / +4%) | 141.50 ms | 1119.00 ms (+43.50 ms / +4%) | 2108.00 ms (+46.00 ms / +2%) | 2040.80 ms (+49.35 ms / +2%) | 70.35 ms |

@superdav42 superdav42 merged commit a4382d6 into main May 21, 2026
11 checks passed
@superdav42 superdav42 deleted the feature/auto-20260520-144722-gh1231 branch May 21, 2026 00:36
@superdav42
Collaborator Author

✅ FULL_LOOP_COMPLETE

Merge Summary

PR: #1233
Merged: Yes
Merge Commit: a4382d6
Branch: feature/auto-20260520-144722-gh1231 (deleted)

Feature Implementation

Successfully implemented HMAC token-based loopback verification for site creation in Ultimate Multisite.

Verification

✅ All CI checks passed:

  • PHP 8.2, 8.3, 8.4, 8.5 tests
  • Code Quality Checks
  • PHP Lint
  • Build Plugin for Testing
  • Cypress E2E tests
  • WP Performance Metrics

✅ Code Quality:

  • PHPCS: All violations fixed
  • PHPStan: No new violations
  • Test coverage: 5 new unit tests added

✅ Security:

  • HMAC tokens use WordPress salt for key material
  • Tokens are membership-specific and time-bound
  • Fallback to nonce verification maintains backward compatibility

Changes Merged

  • inc/managers/class-membership-manager.php: HMAC token verification
  • inc/models/class-membership.php: HMAC token generation
  • tests/WP_Ultimo/Managers/Membership_Manager_Test.php: Unit tests

Next Steps

The feature is now live on the main branch. The async site creation flow will use HMAC tokens for loopback requests, improving both security and performance.


Labels

review-feedback-scanned Merged PR already scanned for quality feedback
