Secure “Content Unlocking” Flow (Server-Verified Login Tokens)

[xecdev]

No description provided.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/improve-content-unlocking-security

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR implements a secure content unlocking flow that validates payment transactions on the server before granting access to paywalled content. The key security improvement is the introduction of server-verified unlock tokens that prevent unauthorized content access.

Key Changes:

• Introduced a two-step validation process: first validating the unlock transaction, then marking payment as successful using a server-issued token
• Added unlock_token and used fields to the database schema to track transaction validation state
• Refactored the JavaScript payment flow to use onClose instead of onSuccess for better reliability

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

File	Description
includes/class-paybutton-ajax.php	Added ajax_validate_unlock_tx() endpoint and refactored mark_payment_successful() to verify unlock tokens before granting access
includes/class-paybutton-activator.php	Updated database schema to include unlock_token, used flag, and additional indexes for improved query performance
assets/js/paywalled-content.js	Restructured payment flow to validate transactions and retrieve unlock tokens before marking payment successful

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Changing from CREATE TABLE IF NOT EXISTS to CREATE TABLE will cause the activation to fail if the table already exists. This breaks plugin reactivation and updates. Restore the IF NOT EXISTS clause.

[Copilot]

Changing from CREATE TABLE IF NOT EXISTS to CREATE TABLE will cause the activation to fail if the table already exists. This breaks plugin reactivation and updates. Restore the IF NOT EXISTS clause.

Suggested change

	$sql_login = "CREATE TABLE $login_table (
	$sql_login = "CREATE TABLE IF NOT EXISTS $login_table (

[Copilot]

Corrected spelling of 'add' to 'address'.

Suggested change

	// Shared state: user wallet add + unlock tx captured in onSuccess, consumed in onClose.
	// Shared state: user wallet address + unlock tx captured in onSuccess, consumed in onClose.

[Copilot]

Replace en-dash (–) with standard hyphen (-) for consistency with standard naming conventions.

Suggested change

	* AJAX endpoint to validate a content–unlock transaction.
	* AJAX endpoint to validate a content-unlock transaction.

[Copilot]

The comment states '~24 chars base64url' but the calculation is imprecise. 18 bytes encodes to exactly 24 base64 characters. Consider updating the comment to '24 chars base64url' for accuracy.

Suggested change

	$raw = random_bytes(18); // ~24 chars base64url
	$raw = random_bytes(18); // 24 chars base64url

[Klakurka]

Probably good to merge but we can remove some of this commented out logging.

[Klakurka]

Remove?

[xecdev]

No, I will keep it for future reference