I created a plugin updater based on this guide: [https://rudrastyh.com/wordpress/self-hosted-plugin-update.html])
Everything works great, but I have 1 issue I am running into that I am having a hard time figuring out. Essentially the .zip file for my plugin requires authorization headers to download the .zip properly, unfortunately this is required by my job, so the .zip is not publicly accessible.
**Whats the issue?** WP’s built in updater only accepts a URL to the .zip file (**$res->package** value described below), it doesn’t allow me to inject those required headers. So my solution to this problem was I would request the .zip in a wp\_get() call, place that .zip in the plugin directory so I can get a URL to the .zip, this works, but this causes the .zip file to hang around in the directory, even after the update is successful, and this is a problem because that makes the .zip publicly accessible if someone knew the URL
**Relevant code**
WP Hooks called in the update process:
// Hooking class functions into WP hooks as callback functions
add_filter( ‘plugins_api’, [$this, ‘info’], 20, 3 );
add_filter( ‘site_transient_update_plugins’, [$this, ‘update’]);
add_action( ‘upgrader_process_complete’, [$this, ‘purge’], 10, 2 );
My update function that includes the relevant .zip download logic, just a note that the value **$res->package** is the value that takes in the URL for the .zip to be downloaded
public function update( $transient ) {
// If transient-< checked is true, return transient
if (empty($transient->checked)) {
return $transient;
}
// Get plugin info by requesting it from info.json file
$remote = $this->request();
// Conditional checks to see if we need to update
if (
$remote
&& version_compare( $this->version, $remote->version, ‘<‘ )
&& version_compare( $remote->requires, get_bloginfo( ‘version’ ), ‘<=’ )
&& version_compare( $remote->requires_php, PHP_VERSION, ‘<‘ )
)
{
// Lets update
$res = new stdClass(); // New result object
$res->slug = $this->plugin_slug;
$res->plugin = $this->plugin_basename;
$res->new_version = $remote->version;
$res->tested = $remote->tested;
$plugin_filename = $this->plugin_slug . ‘.zip’;
$zip_file = wp_remote_get(
$this->zip_url,
[
‘timeout’ => 10, // Request times out after 10 seconds if no response from server
‘headers’ => [
‘Content-Type’ => ‘application/zip’,
‘Content-Disposition’ => ‘attachment; filename=”‘ . $plugin_filename . ‘”‘,
‘Access-Client-Id’ => $this->client_id,
‘Access-Client-Secret’ => $this->client_secret
]
]
);
// Check if the request was successful
if (is_wp_error($zip_file)) {
$error_message = $zip_file ->get_error_message();
echo “Error: $error_message”;
} else {
$response_code = wp_remote_retrieve_response_code($zip_file );
if ($response_code === 200) {
$save_path = $this->save_path . ‘/’ . $plugin_filename;
$file_saved = file_put_contents($save_path, $zip_file [‘body’]);
} else {
echo “Request failed with response code: $response_code”;
}
}
$base_url = site_url();
$plugin_path = “/wp-content/plugins/” . $this->plugin_slug .”/” . $plugin_filename;
$res->package = $base_url . $plugin_path; // Package up the downloaded .zip
// Update transient
$transient->response[ $res->plugin ] = $res;
}
return $transient;
}
**My question:** Has anyone had to deal with a similar situation? I am struggling with figuring out how to put this sensitive .zip somewhere where it can be leveraged by **$res->package**
One solution I thought would work was to place the wp\_get() logic in a separate .php file that returns the .zip, I could then supply a URL to that file to get the .zip but WordPress was throwing errors that indicated this wouldnt work
If anyone has any thoughts or ideas I am all ears, feel like I am running out of potential solutions to this problem, thank you!
[ad_2]
Can’t you just delete the zip when the update has finished with something like ?