CreaCaptcha

Interceptor

Inspects front-end POST requests and enforces a valid ALTCHA payload for requests whose path matches a configured pattern. See the module-2 design spec for the bypass chain (§6) and the guard decision (§7/§8).

Table of Contents

Constants

EXCLUDED_SCRIPTS  = ['wp-login.php', 'wp-comments-post.php', 'wp-cron.php', 'xmlrpc.php']
Script basenames that are never guarded. The module-1 core-form integrations own these; a second verification here would consume the challenge and make the subsequent hook verification fail as a replay.

Methods

match_path()  : bool
Matches a request path against a list of `*`-wildcard patterns, with `!`-prefixed entries acting as hard exclusions (allow-list semantics).
run()  : void
Runs the interceptor for the current request. Registered on `init` at priority 1. Terminates the request when verification fails.
context()  : array{path: string, method: string, script: string, is_ajax: bool, action: string}
Builds the request context. Adds an `action` field read from $_POST['action'] (preferred) or $_GET['action'] for action-based protection.
fail()  : void
Sends the fail-closed response and terminates the request — see spec §10.
is_ajax_request()  : bool
Best-effort detection of a JSON/AJAX request.
is_guarded()  : bool
Whether the current request is a guarded target. Checks both URL paths (`interceptor_paths`) and action slugs (`interceptor_actions`); a positive match in either list guards the request.
is_rest_request()  : bool
Whether the request path points at the REST API.
should_bypass()  : bool
The bypass chain. Evaluation order = listing order. Action-based protection overrides the `is_admin()` step (and only that step) so named-action endpoints in wp-admin/admin-post.php and admin-ajax.php can be guarded.

Constants

EXCLUDED_SCRIPTS

Script basenames that are never guarded. The module-1 core-form integrations own these; a second verification here would consume the challenge and make the subsequent hook verification fail as a replay.

private mixed EXCLUDED_SCRIPTS = ['wp-login.php', 'wp-comments-post.php', 'wp-cron.php', 'xmlrpc.php']

Methods

match_path()

Matches a request path against a list of `*`-wildcard patterns, with `!`-prefixed entries acting as hard exclusions (allow-list semantics).

public static match_path(string $path, array<int, string> $patterns) : bool

Returns true iff at least one positive pattern matches AND no !-pattern matches. Order in the list is irrelevant — a single !-match short-circuits the whole list to false.

Public and static so the matching can be exercised in isolation; also reused for action-name matching (the algorithm is charset-agnostic).

Parameters
$path : string

Request path or action slug.

$patterns : array<int, string>

Wildcard patterns; !-prefixed = exclude.

Return values
bool
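An added, stand-alone illustration of the allow-list semantics described above. It reimplements the documented contract in plain PHP (this is example code, not the plugin's own `match_path()`); the function name `match_path_example()`, the `*`-to-regex translation and the sample patterns are assumptions.

```php
<?php
// Added example: reimplementation of the documented match_path() contract,
// not the plugin's code. Translation of `*` to a regex is an assumption.
declare(strict_types=1);

/** Turn one `*`-wildcard pattern into an anchored regular expression. */
function wildcard_to_regex(string $pattern): string
{
    $quoted = preg_quote($pattern, '#');            // escapes `*` as `\*`
    return '#^' . str_replace('\*', '.*', $quoted) . '$#';
}

/**
 * True iff at least one positive pattern matches AND no `!`-pattern matches.
 * A single `!` match short-circuits to false, so list order is irrelevant.
 */
function match_path_example(string $subject, array $patterns): bool
{
    $positive_hit = false;
    foreach ($patterns as $pattern) {
        $pattern = trim($pattern);
        if ($pattern === '') {
            continue;
        }
        $exclude = $pattern[0] === '!';
        $regex   = wildcard_to_regex($exclude ? substr($pattern, 1) : $pattern);
        if (preg_match($regex, $subject) !== 1) {
            continue;
        }
        if ($exclude) {
            return false;       // hard exclusion wins regardless of other hits
        }
        $positive_hit = true;   // keep scanning: a later `!` entry may still veto
    }
    return $positive_hit;       // no positive match => not guarded (allow-list)
}

// Constructed sample configuration and expectations.
$patterns = ['/contact/*', '/checkout', '!/contact/webhook*'];
$cases = [
    '/contact/send'           => true,  // positive match, no exclusion
    '/contact/webhook/stripe' => false, // vetoed although /contact/* matches
    '/checkout'               => true,  // exact positive pattern
    '/checkout/confirm'       => false, // no wildcard on /checkout
    '/about'                  => false, // nothing matches: default is unguarded
];
foreach ($cases as $path => $expected) {
    $got = match_path_example($path, $patterns);
    printf("%-26s guarded=%-5s %s\n", $path, var_export($got, true),
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

Because an unmatched path is never guarded, a typo in a positive pattern silently leaves the form unprotected; the table above is the kind of fixture worth keeping beside the configured `interceptor_paths`.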

run()

Runs the interceptor for the current request. Registered on `init` at priority 1. Terminates the request when verification fails.

public run() : void

context()

Builds the request context. Adds an `action` field read from $_POST['action'] (preferred) or $_GET['action'] for action-based protection.

private context() : array{path: string, method: string, script: string, is_ajax: bool, action: string}

Return values
array{path: string, method: string, script: string, is_ajax: bool, action: string}

fail()

Sends the fail-closed response and terminates the request — see spec §10.

private fail(array{path: string, method: string, script: string, is_ajax: bool} $context) : void

Parameters
$context : array{path: string, method: string, script: string, is_ajax: bool}

Request context.

is_ajax_request()

Best-effort detection of a JSON/AJAX request.

private is_ajax_request() : bool

Return values
bool

is_guarded()

Whether the current request is a guarded target. Checks both URL paths (`interceptor_paths`) and action slugs (`interceptor_actions`); a positive match in either list guards the request.

private is_guarded(array{path: string, method: string, script: string, is_ajax: bool, action: string} $context) : bool
Parameters
$context : array{path: string, method: string, script: string, is_ajax: bool, action: string}

Request context.

Return values
bool

is_rest_request()

Whether the request path points at the REST API.

private is_rest_request(string $path) : bool

Parameters
$path : string

Request path.

Return values
bool

should_bypass()

The bypass chain. Evaluation order = listing order. Action-based protection overrides the `is_admin()` step (and only that step) so named-action endpoints in wp-admin/admin-post.php and admin-ajax.php can be guarded.

private should_bypass(array{path: string, method: string, script: string, is_ajax: bool, action: string} $context) : bool
Parameters
$context : array{path: string, method: string, script: string, is_ajax: bool, action: string}

Request context.

Return values
bool

        
On this page

Search results