fix for faulty user authentication in bb-presence#4918

Open
g000m wants to merge 1 commit into buddyboss:release from g000m:fix/bb-presence-auth
Conversation

@g000m g000m commented Mar 20, 2026

Jira Issue:

no Jira issue

Summary

BB_Presence::bb_cookie_support() parses the WordPress auth cookie but only extracts the username and looks it up in the database. It never validates the HMAC signature, expiration, or session token. This allows any unauthenticated request with a forged cookie containing a valid username to pass the presence endpoint's authentication check.

Reproduction

curl -kX POST "https://example.com/wp-json/buddyboss/v1/members/presence" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --cookie "wordpress_logged_in=admin%7C1%7Cfake%7Cfake" \
    -d '{"ids":[1,2]}'

This returns a 200 with the online/offline status of the requested user IDs, despite the cookie having a completely invalid HMAC, an expired timestamp (1), and a fake session token. The only requirement is that admin (or whatever username is used) exists on the site.

Fix

Replace the manual cookie parsing and username lookup with wp_validate_auth_cookie().

welcome bot commented Mar 20, 2026

Thanks for your pull request. It looks like this may be your first contribution to the BuddyBoss Platform open source project. Please note that this project and all contributions to it are public and bounded by the GPL v2.0 license, and that a record of the contribution (including all personal information you submit with it, including your full name and email address) is maintained indefinitely and may be redistributed with this project. If you are not okay with these terms, please close this pull request. Alternatively, you can let us know about your concerns by adding a comment to this pull request.

@g000m g000m marked this pull request as ready for review March 20, 2026 04:18
Copilot AI review requested due to automatic review settings March 20, 2026 04:18
Copilot AI left a comment

Pull request overview

This PR hardens BuddyBoss Presence “pre-user” authentication by replacing manual WordPress auth cookie parsing with WordPress core cookie validation, preventing forged cookies from bypassing auth on the presence REST endpoint.

Changes:

  • Replace username-only cookie parsing + DB lookup with wp_validate_auth_cookie() to enforce HMAC/expiry/token validation.
  • Ensure required WordPress pluggable functions and cookie constants are loaded when running at MU level.

if ( $cookie_elements && isset( $cookie_elements['username'] ) ) {
global $wpdb;
$scheme = apply_filters( 'auth_redirect_scheme', '' );
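Review bot: the scheme handed to wp_validate_auth_cookie() here comes from the auth_redirect_scheme filter, whose default is an empty string; with an empty scheme WordPress core falls back to the auth cookie (secure_auth over TLS), which is set on the /wp-admin and plugins cookie paths and is therefore not sent with requests to /wp-json/, so every REST caller would look anonymous. Pass the scheme explicitly, e.g. `$user_id = wp_validate_auth_cookie( '', 'logged_in' );`, and check the return value for false before using it as a user ID. `global $wpdb;` also looks left over from the removed username lookup; drop it if nothing below still references it.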
Copilot AI Mar 20, 2026

wp_validate_auth_cookie() expects a cookie scheme of auth, secure_auth, or logged_in. Passing the value from the auth_redirect_scheme filter (often http/https or empty) can cause WordPress to validate the wrong cookie (auth cookie scoped to /wp-admin) and fail to authenticate normal front-end/REST requests that only send the wordpress_logged_in_* cookie. Consider validating explicitly with the logged_in scheme (or otherwise selecting the appropriate scheme for this endpoint) so logged-in sessions are correctly recognized while still enforcing HMAC/expiration/token checks.

Suggested change:
- $scheme = apply_filters( 'auth_redirect_scheme', '' );
+ $scheme = 'logged_in';

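As an added example (not BuddyBoss Platform code and not the PR's diff), the cookie-handling pattern the PR description attacks, placed next to the hardened form the Copilot review asks for with an explicit logged_in scheme. It assumes WordPress core is loaded so that wp_parse_auth_cookie(), wp_validate_auth_cookie(), get_user_by() and the LOGGED_IN_COOKIE constant exist; the function names and the forged $_COOKIE value are constructed for illustration.

```php
<?php
// Added example, not BuddyBoss Platform code. Assumes WordPress core is
// loaded (including pluggable.php), so wp_parse_auth_cookie(),
// wp_validate_auth_cookie(), get_user_by() and LOGGED_IN_COOKIE exist.
// Function names are hypothetical.

/**
 * BEFORE (vulnerable pattern): trust the username field of the cookie.
 *
 * wp_parse_auth_cookie() only splits "username|expiration|token|hmac" into
 * an array; it performs no signature, expiry or session-token check. Any
 * cookie whose first field is an existing login therefore resolves to that
 * user.
 */
function bb_presence_user_from_cookie_unsafe() {
	$cookie_elements = wp_parse_auth_cookie( '', 'logged_in' );
	if ( ! $cookie_elements || empty( $cookie_elements['username'] ) ) {
		return 0;
	}
	$user = get_user_by( 'login', $cookie_elements['username'] );
	return $user ? (int) $user->ID : 0;
}

/**
 * AFTER (hardened): let core validate HMAC, expiration and session token.
 *
 * The scheme is 'logged_in' on purpose: wordpress_logged_in_* is set on
 * COOKIEPATH and so reaches /wp-json/, whereas the 'auth' / 'secure_auth'
 * cookies are scoped to /wp-admin and the plugins path and would make every
 * REST request look anonymous. wp_validate_auth_cookie() returns the user
 * ID on success and false otherwise, so the false case is mapped to 0.
 */
function bb_presence_user_from_cookie_safe() {
	$user_id = wp_validate_auth_cookie( '', 'logged_in' );
	return $user_id ? (int) $user_id : 0;
}

// Constructed forged cookie with the same shape as the PR's reproduction:
// a real login, expiration "1" (long in the past), fake token, fake HMAC.
$_COOKIE[ LOGGED_IN_COOKIE ] = 'admin|1|fake|fake';

var_dump( bb_presence_user_from_cookie_unsafe() );
var_dump( bb_presence_user_from_cookie_safe() );
```

With the forged cookie in place, the unsafe function resolves to whichever account is named admin, while the safe function rejects the cookie: wp_validate_auth_cookie() compares the expiration against the current time before it computes the HMAC, so a stale timestamp fails first and a valid timestamp with a bad signature fails at the hash comparison. If this code has to run from an MU plugin, as the PR notes, pluggable.php is not yet loaded at that point; require ABSPATH . WPINC . '/pluggable.php' first so wp_validate_auth_cookie() is defined.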
