[Subscriptions] Add/redirect url once token is set in cookie (#33437)

* Update class-token-subscription-service.php * Create add-redirect-url-once-token-in-cookie
Automattic · Oct 7, 2023 · 49859cf · 49859cf
1 parent 259bdfb
commit 49859cf
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/projects/plugins/jetpack/changelog/add-redirect-url-once-token-in-cookie b/projects/plugins/jetpack/changelog/add-redirect-url-once-token-in-cookie
@@ -0,0 +1,4 @@
+Significance: patch
+Type: enhancement
+
+[Subscriptions] Hide the token from the URL
diff --git a/...ons/blocks/premium-content/_inc/subscription-service/class-token-subscription-service.php b/...ons/blocks/premium-content/_inc/subscription-service/class-token-subscription-service.php
@@ -35,7 +35,7 @@ abstract class Token_Subscription_Service implements Subscription_Service {
 	public function initialize() {
 		$token = $this->token_from_request();
 		if ( null !== $token ) {
-			$this->set_token_cookie( $token );
+			$this->set_token_cookie( $token, true );
 		}
 	}
 
@@ -62,7 +62,7 @@ public function visitor_can_view_content( $valid_plan_ids, $access_level ) {
 		// URL token always has a precedence, so it can overwrite the cookie when new data available.
 		$token = $this->token_from_request();
 		if ( $token ) {
-			$this->set_token_cookie( $token );
+			$this->set_token_cookie( $token, false );
 		} else {
 			$token = $this->token_from_cookie();
 		}
@@ -202,15 +202,22 @@ private function token_from_cookie() {
 	 * Store the auth cookie.
 	 *
 	 * @param  string $token Auth token.
+	 * @param  bool   $redirect_when_cookie_is_set If true, we'll force-reload the page to "hide" the token from the URL.
 	 * @return void
 	 */
-	private function set_token_cookie( $token ) {
+	private function set_token_cookie( $token, $redirect_when_cookie_is_set = false ) {
 		if ( defined( 'TESTING_IN_JETPACK' ) && TESTING_IN_JETPACK ) {
 			return;
 		}
 
 		if ( ! empty( $token ) && false === headers_sent() ) {
 			setcookie( self::JWT_AUTH_TOKEN_COOKIE_NAME, $token, 0, '/', COOKIE_DOMAIN, is_ssl(), true ); // httponly -- used by visitor_can_view_content() within the PHP context.
+			if ( true === $redirect_when_cookie_is_set ) {
+				$location_without_token = remove_query_arg( 'token' );
+				if ( wp_safe_redirect( $location_without_token, 302, 'Subscriptions' ) ) {
+					exit;
+				}
+			}
 		}
 	}