From 73ab21bfb0b2bd3cf487e96e53fbe2533d51c338 Mon Sep 17 00:00:00 2001
From: Jonathan Miller
Date: Sun, 31 May 2026 21:02:11 -0500
Subject: [PATCH] =?UTF-8?q?fix:=20skip=20global=20token=20check=20for=20sy?= =?UTF-8?q?ncclear/syncpush=20=E2=80=94=20they=20auth=20via=20POST=20body?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The global API token check reads from query string/header, but syncclear and syncpush send the token in the JSON POST body. Skip the global check for these actions.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../plg_system_mokowaas/Extension/MokoWaaS.php | 5 ++++-
 .../src/Extension/ContentSync.php | 15 +++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
index 9c84fdaf..6f7f25dc 100644
--- a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
+++ b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
@@ -1624,7 +1624,10 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 $providedToken = $this->app->input->get('token', '', 'RAW');
 }
- if (!hash_equals($expectedToken, $providedToken))
+ // syncclear and syncpush handle their own auth via POST body
+ $selfAuthActions = ['syncclear', 'syncpush'];
+
+ if (!\in_array($action, $selfAuthActions, true) && !hash_equals($expectedToken, $providedToken))
 {
 $this->sendHealthResponse(401, ['error' => 'Invalid token']);
diff --git a/src/packages/plg_task_mokowaassync/src/Extension/ContentSync.php b/src/packages/plg_task_mokowaassync/src/Extension/ContentSync.php
index 6e2be642..eb3df337 100644
--- a/src/packages/plg_task_mokowaassync/src/Extension/ContentSync.php
+++ b/src/packages/plg_task_mokowaassync/src/Extension/ContentSync.php
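Review bot: The added `!\in_array($action, $selfAuthActions, true) &&` clause in MokoWaaS.php makes the global token gate fail open for `syncclear` and `syncpush`. Nothing in this hunk verifies a token for them, so they are authenticated only if every downstream handler checks the POST-body token itself, and those handlers are not visible here. Keeping the comparison in one place would be safer, for example placing `if ($providedToken === '' && \in_array($action, $selfAuthActions, true)) { $providedToken = (string) $this->app->input->json->get('token', '', 'RAW'); }` ahead of the original `hash_equals` check; this assumes the body carries the same token as `$expectedToken`, as the commit message suggests. If the bypass stays, the comment should name the method that performs the body check, and a test should assert a 401 for both actions when the body token is missing or wrong. The enclosing method starts and ends outside the hunk.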
@@ -71,6 +71,21 @@ final class ContentSync extends CMSPlugin implements SubscriberInterface
 {
 $params = $event->getArgument('params');
+ // Debug: log what we received
+ if (is_object($params))
+ {
+ $this->logTask('Params type: object, keys: ' . implode(', ', array_keys(get_object_vars($params))));
+ }
+ elseif (is_array($params))
+ {
+ $this->logTask('Params type: array, keys: ' . implode(', ', array_keys($params)));
+ $params = (object) $params;
+ }
+ else
+ {
+ $this->logTask('Params type: ' . gettype($params));
+ }
+
 $targetUrl = rtrim($params->target_url ?? '', '/');
 if (empty($targetUrl))
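Review bot: The `$params = (object) $params;` cast in the `elseif (is_array($params))` branch is a behaviour change filed under a `// Debug: log what we received` comment. Whoever later removes the debug logging will likely remove the cast with it, after which an array `$params` would make `$params->target_url ?? ''` evaluate to an empty string again. I would keep `if (\is_array($params)) { $params = (object) $params; }` as its own statement, with a comment on why params can arrive as an array. The three `logTask()` calls should be dropped or gated behind a debug setting, since they write to the task log on every run. The change is also unrelated to the token check named in the commit subject, and the method body begins and continues outside the hunk.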