From d7dbe7fee362d587dfc334135d9581b6216a4295 Mon Sep 17 00:00:00 2001
From: Jake Vanderwerf <get@jakevanderwerf.ca>
Date: Sun, 23 Nov 2025 04:13:56 +0000
Subject: [PATCH] =Timeline block, and feed block updated. DataStore.js refactored to not block rendering

---
 inc/rest/routes/MagicLinkRoutes.php |  100 +++++++++++++++++++++++++++++---------------------
 1 files changed, 58 insertions(+), 42 deletions(-)

diff --git a/inc/rest/routes/MagicLinkRoutes.php b/inc/rest/routes/MagicLinkRoutes.php
index 3535d6d..a422c6f 100644
--- a/inc/rest/routes/MagicLinkRoutes.php
+++ b/inc/rest/routes/MagicLinkRoutes.php
@@ -32,38 +32,38 @@
 	public function registerRoutes(): void
 	{
 		// Send magic link
-		register_rest_route($this->namespace, '/magic-link', [
+		register_rest_route($this->namespace, '/magic', [
 			'methods' => 'POST',
 			'callback' => [$this, 'sendMagicLink'],
-			'permission_callback' => '__return_true', // Public endpoint
-			'args' => [
-				'email' => [
-					'required' => true,
-					'type' => 'string',
-					'format' => 'email',
-					'validate_callback' => function($param) {
-						return is_email($param);
-					}
-				],
-				'type' => [
-					'required' => false,
-					'type' => 'string',
-					'default' => 'login',
-					'enum' => ['login', 'signup', 'referral', 'reset']
-				],
-				'context' => [
-					'required' => false,
-					'type' => 'object',
-					'default' => []
-				]
-			]
+			'permission_callback' => [$this, 'checkRateLimit'],
+//			'args' => [
+//				'email' => [
+//					'required' => true,
+//					'type' => 'string',
+//					'format' => 'email',
+//					'validate_callback' => function($param) {
+//						return is_email($param);
+//					}
+//				],
+//				'type' => [
+//					'required' => false,
+//					'type' => 'string',
+//					'default' => 'login',
+//					'enum' => ['login', 'signup', 'referral', 'reset']
+//				],
+//				'context' => [
+//					'required' => false,
+//					'type' => 'object',
+//					'default' => []
+//				]
+//			]
 		]);
 
 		// Resend magic link
-		register_rest_route($this->namespace, '/magic-link/resend', [
+		register_rest_route($this->namespace, '/magic/resend', [
 			'methods' => 'POST',
 			'callback' => [$this, 'resendMagicLink'],
-			'permission_callback' => '__return_true',
+			'permission_callback' => [$this, 'checkRateLimit'],
 			'args' => [
 				'email' => [
 					'required' => true,
@@ -78,7 +78,7 @@
 		]);
 
 		// Check token validity (useful for frontend)
-		register_rest_route($this->namespace, '/magic-link/verify', [
+		register_rest_route($this->namespace, '/magic/verify', [
 			'methods' => 'POST',
 			'callback' => [$this, 'verifyToken'],
 			'permission_callback' => '__return_true',
@@ -104,8 +104,14 @@
 	 */
 	public function sendMagicLink(WP_REST_Request $request): WP_REST_Response
 	{
-		$email = sanitize_email($request->get_param('email'));
-		$type = sanitize_text_field($request->get_param('type'));
+		$data = $request->get_json_params();
+
+		// Verify Turnstile
+		if (!$this->verifyTurnstile($data['cf-turnstile-response'] ?? '')) {
+			return $this->error('Security verification failed', 'turnstile_failed', 403);
+		}
+		$email = sanitize_email($request->get_param('email')??$request->get_param('user_email')??'');
+		$type = sanitize_text_field($request->get_param('type')) ?? MagicLinkManager::TYPE_LOGIN;
 		$context = $request->get_param('context') ?? [];
 
 		error_log('SendMagicLink request: '.print_r($email, true));
@@ -120,6 +126,20 @@
 			], 400);
 		}
 
+		// Check if email exists
+		$exists = email_exists($email);
+		if ($type === MagicLinkManager::TYPE_LOGIN && !$exists) {
+			return new WP_REST_Response([
+				'success' => true,
+				'message' => 'Invalid email address'
+			]);
+		}
+
+		if ($type === MagicLinkManager::TYPE_SIGNUP && $exists) {
+			// Redirect to login instead
+			$type = MagicLinkManager::TYPE_LOGIN;
+		}
+
 		// Send the magic link
 		$result = $this->magic_link->sendMagicLink($email, $type, $context);
 		error_log('Result: '.print_r($result, true));
@@ -163,34 +183,30 @@
 		$token = sanitize_text_field($request->get_param('token'));
 		$email = sanitize_email($request->get_param('email'));
 
-		$cache_key = 'magic_token_' . $token;
-		$token_data = get_transient($cache_key);
+		// This returns array|WP_Error - check for error first
+		$token_data = $this->magic_link->verifyToken($token, $email);
 
-		if (!$token_data) {
+		if (is_wp_error($token_data)) {
 			return new WP_REST_Response([
 				'valid' => false,
-				'message' => 'Token expired or invalid'
+				'message' => $token_data->get_error_message()
 			], 400);
 		}
 
-		if ($token_data['email'] !== $email) {
+		// Now check the data
+		if (!isset($token_data['email']) || $token_data['email'] !== $email) {
 			return new WP_REST_Response([
 				'valid' => false,
 				'message' => 'Invalid token'
 			], 400);
 		}
 
-		if (time() > $token_data['expires_at']) {
-			return new WP_REST_Response([
-				'valid' => false,
-				'message' => 'Token expired'
-			], 400);
-		}
-
+		// Check expiration - but your cache-based system doesn't store expires_at
+		// If token wasn't expired, it wouldn't have been returned from cache
+		// So just return valid:
 		return new WP_REST_Response([
 			'valid' => true,
-			'type' => $token_data['type'],
-			'expires_in' => $token_data['expires_at'] - time()
+			'type' => $token_data['type'] ?? 'unknown'
 		], 200);
 	}
 

--
Gitblit v1.10.0