Security Overview
OneTap Login for WooCommerce implements multiple layers of security to protect your site and users. This guide covers all security measures and best practices.
Security Philosophy
Defense in Depth
OneTap Login employs multiple security layers:
Layer 1: Google Authentication
↓
Layer 2: JWT Token Validation
↓
Layer 3: CSRF Protection
↓
Layer 4: Rate Limiting
↓
Layer 5: Role Restrictions
↓
Layer 6: 2FA Detection
↓
Layer 7: Input Sanitization
↓
User Authenticated
Each layer provides independent protection.
Security Measures Summary
| Measure | Protection | Location |
|---|---|---|
| JWT Validation | Token authenticity | Server-side |
| CSRF Protection | Cross-site forgery | WordPress nonces |
| Rate Limiting | Brute force | 10 req/5 min/IP |
| Role Security | Privilege escalation | Forbidden roles |
| 2FA Detection | Weak authentication | Plugin integration |
| HTTPS Required | Data interception | Transport layer |
| Input Sanitization | Injection attacks | All inputs |
| Output Escaping | XSS attacks | All outputs |
| Webhook Signatures | Payload tampering | HMAC-SHA256 |
| Session Security | Session hijacking | WordPress sessions |
1. JWT Token Validation
What It Does
Every Google sign-in includes a JWT (JSON Web Token) that OneTap validates:
User signs in with Google
↓
Google returns JWT token
↓
OneTap verifies the token's signature against Google's published public keys and checks its claims
↓
Valid → Proceed with login
↓
Invalid → Reject and log
Validation Checks
| Check | Purpose |
|---|---|
| Signature | Token not tampered |
| Issuer (iss) | From Google |
| Audience (aud) | For your Client ID |
| Expiration (exp) | Not expired |
| Issued At (iat) | Not too old |
| Email verified | Google verified email |
Implementation
// Simplified validation flow (Google API PHP client)
$client = new Google\Client(['client_id' => $client_id]);
// verifyIdToken() checks the signature against Google's public keys, the issuer,
// the expiry and the audience; it returns false when any of those checks fail
$payload = $client->verifyIdToken($token);
if (!$payload) {
    // Invalid token - reject
    throw new Exception('Invalid token');
}
if ($payload['aud'] !== $client_id) {
    // Wrong audience - reject (defence in depth; verifyIdToken already checks this)
    throw new Exception('Invalid audience');
}
if (($payload['email_verified'] ?? false) !== true) {
    // Email not verified, or claim missing - reject
    throw new Exception('Email not verified');
}
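The checks in the table above, written out as an added example (this is not the plugin's own code). It assumes signature verification has already been done, for instance by `verifyIdToken()`, and works on the decoded claims only; the client ID, the clock value and the sample payloads are constructed for illustration. It goes a little beyond the table by also requiring a non-empty `sub` claim, since that stable Google account identifier, not the email address, is what account linking should key on.

```php
<?php
declare(strict_types=1);
// Added example, not OneTap's code: claim checks on a decoded Google ID token.
// Signature verification is assumed to have happened already.

const GOOGLE_ISSUERS = ['https://accounts.google.com', 'accounts.google.com'];

/**
 * Return the names of the claims that fail; an empty array means the token is acceptable.
 *
 * @param array<string,mixed> $payload  decoded JWT claims
 * @param string $clientId  our OAuth client ID (expected aud)
 * @param int    $now       current Unix time (injected so the checks are testable)
 * @param int    $maxAge    reject tokens issued more than this many seconds ago
 * @param int    $skew      tolerated clock skew in seconds
 * @return string[]
 */
function onetap_check_id_token_claims(array $payload, string $clientId, int $now, int $maxAge = 300, int $skew = 60): array
{
    $errors = [];

    // iss: only Google may have issued the token
    if (!in_array($payload['iss'] ?? null, GOOGLE_ISSUERS, true)) {
        $errors[] = 'iss';
    }

    // aud: the token must be minted for *our* client ID, not for any Google app.
    // The claim may legitimately be a string or an array of strings.
    $aud   = $payload['aud'] ?? null;
    $audOk = is_string($aud) ? hash_equals($clientId, $aud)
           : (is_array($aud) && in_array($clientId, $aud, true));
    if (!$audOk) {
        $errors[] = 'aud';
    }

    // exp: must still be in the future, allowing a little clock skew
    $exp = $payload['exp'] ?? null;
    if (!is_int($exp) || $exp + $skew <= $now) {
        $errors[] = 'exp';
    }

    // iat: not in the future, and not older than $maxAge (an old but unexpired token smells of replay)
    $iat = $payload['iat'] ?? null;
    if (!is_int($iat) || $iat - $skew > $now || $now - $iat > $maxAge) {
        $errors[] = 'iat';
    }

    // sub: the stable Google account identifier used for account linking
    if (!isset($payload['sub']) || !is_string($payload['sub']) || $payload['sub'] === '') {
        $errors[] = 'sub';
    }

    // email_verified must be boolean true; the string "true" is not accepted
    if (($payload['email_verified'] ?? false) !== true) {
        $errors[] = 'email_verified';
    }

    return $errors;
}

// Constructed sample claims (assumed client ID and clock)
$clientId = '1234567890-example.apps.googleusercontent.com';
$now      = 1700000000;

$good = [
    'iss'            => 'https://accounts.google.com',
    'aud'            => $clientId,
    'sub'            => '110169484474386276334',
    'email'          => 'alice@example.com',
    'email_verified' => true,
    'iat'            => $now - 30,
    'exp'            => $now + 3570,
];
// Case 1: a token Google would return for our app
print_r(onetap_check_id_token_claims($good, $clientId, $now));

// Case 2: same token minted for another app, with email_verified as the string "true"
// (array union keeps the left-hand values for duplicate keys)
$bad = ['aud' => 'other-app.apps.googleusercontent.com', 'email_verified' => 'true'] + $good;
print_r(onetap_check_id_token_claims($bad, $clientId, $now));

// Case 3: valid signature and audience, but issued ten minutes ago
$stale = ['iat' => $now - 600] + $good;
print_r(onetap_check_id_token_claims($stale, $clientId, $now));
```

Passing `$now` in rather than calling `time()` inside the function is what makes the expiry and freshness checks testable; the `$maxAge` of five minutes is an assumption and should match how long your own login flow can legitimately take between Google's response and the callback.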
Learn more about JWT Validation →
2. CSRF Protection
What It Does
Prevents Cross-Site Request Forgery attacks:
Attacker's site cannot:
├── Trigger Google sign-in on your behalf
├── Intercept callback
└── Hijack authentication
Implementation
- WordPress nonces in forms
- State parameter in OAuth flow
- Origin validation on callbacks
// Nonce verification - the nonce must be present, and is read unslashed
if (!isset($_POST['_wpnonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'onetap_action')) {
    wp_die('Security check failed');
}
// State parameter validation - $stored_state was saved server-side for this browser
// when the flow started; reject a missing state and compare in constant time
if (empty($_GET['state']) || !hash_equals($stored_state, (string) $_GET['state'])) {
    wp_die('Invalid state');
}
// The stored state is single-use: discard it here so it cannot be replayed
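The state-parameter check above needs a server-side record of the state; one way to avoid storing anything is a self-verifying state, shown here as an added example that is not the plugin's implementation. The state carries a random nonce and an expiry, signed with a server secret, and is bound to the browser that started the flow by a cookie holding the same nonce. The secret, the cookie name and the clock values are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not OneTap's code: a signed, browser-bound OAuth "state" value.

function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/** Returns the decoded string, or false when the input is not valid base64url. */
function b64url_decode(string $enc)
{
    return base64_decode(strtr($enc, '-_', '+/'), true);
}

/**
 * Build a state value of the form base64url(nonce|expiry).hmac
 * Returns [state, nonce]; the nonce goes into a short-lived cookie.
 */
function onetap_make_state(string $secret, int $now, int $ttl = 300): array
{
    $nonce = bin2hex(random_bytes(16));
    $body  = b64url_encode($nonce . '|' . ($now + $ttl));
    $mac   = hash_hmac('sha256', $body, $secret);
    return [$body . '.' . $mac, $nonce];
}

/**
 * Verify the state Google sends back, against the nonce cookie of this browser.
 * Every failure path returns plain false; the caller learns nothing about which check failed.
 */
function onetap_verify_state(string $state, string $cookieNonce, string $secret, int $now): bool
{
    $parts = explode('.', $state);
    if (count($parts) !== 2) {
        return false;
    }
    [$body, $mac] = $parts;

    // Check the signature first, in constant time, so nothing unsigned is ever parsed
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $mac)) {
        return false;
    }

    $decoded = b64url_decode($body);
    if ($decoded === false || substr_count($decoded, '|') !== 1) {
        return false;
    }
    [$nonce, $expires] = explode('|', $decoded);

    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false;   // expired state
    }
    // Bind to the browser that started the flow: the cookie must carry the same nonce
    return $cookieNonce !== '' && hash_equals($nonce, $cookieNonce);
}

// Constructed walk-through
$secret = 'assumed-server-secret-for-demo-only';   // assumption: a long random value from your config
$now    = 1700000000;

[$state, $nonce] = onetap_make_state($secret, $now);
// In the real flow you would now set the cookie and redirect to Google with &state=$state:
// setcookie('onetap_state', $nonce, ['expires' => $now + 300, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Callback: the browser returns ?state=... together with its cookie
var_dump(onetap_verify_state($state, $nonce, $secret, $now + 10));        // genuine callback
var_dump(onetap_verify_state($state, '', $secret, $now + 10));            // CSRF: victim followed an attacker's link, has no cookie
var_dump(onetap_verify_state($state, 'other-nonce', $secret, $now + 10)); // state produced in a different browser
var_dump(onetap_verify_state($state, $nonce, $secret, $now + 600));       // expired state
var_dump(onetap_verify_state($state . 'x', $nonce, $secret, $now + 10));  // tampered signature
```

The cookie is what defeats CSRF here: an attacker can obtain a perfectly valid state from their own sign-in, but the victim's browser does not hold the matching nonce. A plain `$_GET['state'] === $stored_state` comparison would pass that attack if the stored value were global rather than per browser.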
3. Rate Limiting
What It Does
Prevents abuse and brute force attempts:
| Limit | Value |
|---|---|
| Requests | 10 |
| Time window | 5 minutes |
| Per | IP address |
Behavior
Request 1-10: ✅ Allowed
Request 11+: ❌ Blocked (429 error)
Wait 5 minutes: Reset counter
Why It Matters
- Prevents credential stuffing
- Stops automated attacks
- Protects server resources
- Compliant with Google's ToS
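The limiter described above, with the page's numbers, as an added example (not the plugin's own code). The store is an in-memory array so the script runs stand-alone; inside WordPress the same logic would use a transient or the object cache keyed by the same bucket key. The client-IP helper and the trusted-proxy address are assumptions, added because the "per IP address" part of the limit is only as good as the address you key on.

```php
<?php
declare(strict_types=1);
// Added example, not OneTap's code: fixed-window rate limit, 10 requests per 5 minutes per IP.

const ONETAP_RL_LIMIT  = 10;
const ONETAP_RL_WINDOW = 300;   // seconds

/**
 * Decide whether a request from $ip may proceed.
 * Returns [allowed, remaining, retryAfterSeconds]. $store is passed by reference
 * so the caller owns persistence (array here; transient or object cache in WordPress).
 */
function onetap_rate_limit(array &$store, string $ip, int $now): array
{
    // Hash the key so a hostile IP string cannot collide with other cache keys
    $key    = 'onetap_rl_' . hash('sha256', $ip);
    $bucket = $store[$key] ?? null;

    if ($bucket === null || $now >= $bucket['reset']) {
        // First request, or the previous window has elapsed: open a fresh window
        $bucket = ['count' => 0, 'reset' => $now + ONETAP_RL_WINDOW];
    }

    if ($bucket['count'] >= ONETAP_RL_LIMIT) {
        // Blocked requests do not extend the window; the counter clears at 'reset' regardless
        $store[$key] = $bucket;
        return [false, 0, $bucket['reset'] - $now];
    }

    $bucket['count']++;
    $store[$key] = $bucket;
    return [true, ONETAP_RL_LIMIT - $bucket['count'], $bucket['reset'] - $now];
}

/**
 * Pick the address to limit on. X-Forwarded-For is attacker-controlled unless the
 * request really came through a proxy you operate, so it is honoured only when
 * REMOTE_ADDR is a trusted proxy, and then the right-most untrusted hop is used
 * (the left-most entry is whatever the client chose to send).
 */
function onetap_client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!in_array($remote, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trustedProxies, true) && filter_var($hops[$i], FILTER_VALIDATE_IP)) {
            return $hops[$i];
        }
    }
    return $remote;
}

// Constructed walk-through: a client behind our (assumed) load balancer 10.0.0.2 spoofs a
// leading XFF entry; the limiter still keys on the hop that actually reached the proxy.
$ip = onetap_client_ip(
    ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7'],
    ['10.0.0.2']
);

$store = [];
$now   = 1700000000;
for ($i = 1; $i <= 12; $i++) {
    [$ok, $left, $retry] = onetap_rate_limit($store, $ip, $now + $i);
    printf("request %2d from %s: %s (remaining %d, retry-after %ds)\n",
        $i, $ip, $ok ? 'allowed' : 'blocked 429', $left, $retry);
}
// A request just after the window closes starts a new one
[$ok] = onetap_rate_limit($store, $ip, $now + ONETAP_RL_WINDOW + 2);
printf("after the window: %s\n", $ok ? 'allowed' : 'blocked');
```

When the result is `false`, answer with HTTP 429 and a `Retry-After` header carrying the third element. Note that a fixed window lets a client make up to 20 requests across a window boundary in a short burst; if that matters for your site, a sliding window over the same counters is the usual refinement.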
Learn more about Rate Limiting →
4. Role Security
Forbidden Roles
These roles cannot be assigned via Google sign-in:
| Role | Reason |
|---|---|
| Administrator | Full site control |
| Editor | Content management |
| Shop Manager | Store management |
Allowed Roles
Safe roles for new registrations:
| Role | Default | Capabilities |
|---|---|---|
| Subscriber | No | Read only |
| Contributor | No | Write drafts |
| Author | No | Publish own |
| Customer | Yes (WC) | Shop + orders |
Why Restrictions Exist
Prevents privilege escalation:
Attacker cannot:
├── Register as admin via Google
├── Gain store management
└── Escalate from customer
Learn more about Role Security →
5. Two-Factor Authentication Detection
Supported 2FA Plugins
| Plugin | Detection |
|---|---|
| Two Factor | ✅ |
| Wordfence 2FA | ✅ |
| WP 2FA | ✅ |
| iThemes Security | ✅ |
| Google Authenticator | ✅ |
| miniOrange 2FA | ✅ |
Flow
Google auth successful
↓
Check if user has 2FA
↓
Yes → Redirect to 2FA prompt
↓
No → Login complete
Learn more about 2FA Detection →
6. HTTPS Requirement
Why Required
Google OAuth requires HTTPS:
- Token transmitted securely
- No man-in-the-middle attacks
- Google enforces for production
Exception
Localhost development allowed:
- http://localhost works - for testing only
- Production must use HTTPS
7. Input Sanitization
All Inputs Sanitized
// Email sanitization
$email = sanitize_email($google_email);
// Text sanitization
$name = sanitize_text_field($google_name);
// URL sanitization - esc_url_raw() only cleans the string; it does not stop an open
// redirect, so the target is also restricted to this site with a safe fallback
$redirect = wp_validate_redirect(esc_url_raw($redirect_url), home_url('/'));
SQL Injection Prevention
// Prepared statements - the string prepare() returns is what gets executed
$user = $wpdb->get_row(
    $wpdb->prepare(
        "SELECT * FROM {$wpdb->users} WHERE user_email = %s",
        $email
    )
);
// For this particular lookup, get_user_by('email', $email) does the same safely
8. Output Escaping
All Outputs Escaped
// HTML escaping
echo esc_html($user_name);
// Attribute escaping
echo '<input value="' . esc_attr($value) . '">';
// URL escaping
echo '<a href="' . esc_url($url) . '">';
// JavaScript context - the JSON_HEX_* flags make sure a value containing </script>
// or quotes cannot break out of the script block
echo 'var data = ' . wp_json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) . ';';
9. Webhook Signatures (PRO)
HMAC-SHA256 Signatures
Webhooks include signature header:
X-OneTap-Signature: sha256=abc123...
Verification
// Verify over the raw request body, never over re-encoded JSON
$payload  = file_get_contents('php://input');
$received = $_SERVER['HTTP_X_ONETAP_SIGNATURE'] ?? '';
$expected = hash_hmac('sha256', $payload, $secret);
// hash_equals() compares in constant time, so the check does not leak how many bytes matched
if (!hash_equals('sha256=' . $expected, $received)) {
    // Invalid or missing signature - reject
    http_response_code(401);
    exit;
}
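Both sides of the signature scheme above, as an added example that is not the plugin's own code: HMAC-SHA256 over the raw body with a shared secret, sent as `sha256=<hex>`. The secret and the sample payload are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not OneTap's code: signing and verifying X-OneTap-Signature.

/** Sender side: the header value for a raw JSON body. */
function onetap_sign_webhook(string $rawBody, string $secret): string
{
    return 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
}

/**
 * Receiver side. Verifies over the *raw* body: re-encoding a decoded JSON object
 * would change whitespace or key order and break the MAC.
 * Returns true only for a well-formed header whose digest matches.
 */
function onetap_verify_webhook(string $rawBody, ?string $header, string $secret): bool
{
    if ($header === null || strncmp($header, 'sha256=', 7) !== 0) {
        return false;   // header missing, or a scheme we do not speak
    }
    $received = strtolower(substr($header, 7));
    if (strlen($received) !== 64 || !ctype_xdigit($received)) {
        return false;   // not a SHA-256 hex digest; reject before comparing
    }
    $expected = hash_hmac('sha256', $rawBody, $secret);
    // Constant-time comparison: no timing side channel on how many bytes matched
    return hash_equals($expected, $received);
}

// Constructed sample delivery (assumed secret and payload)
$secret = 'assumed-webhook-secret';
$body   = json_encode(['event' => 'user.registered', 'email' => 'alice@example.com', 'id' => 42]);
$header = onetap_sign_webhook($body, $secret);

// Genuine delivery
var_dump(onetap_verify_webhook($body, $header, $secret));
// Body altered in transit, same header
var_dump(onetap_verify_webhook(str_replace('alice', 'mallory', $body), $header, $secret));
// Header missing, wrong scheme, or truncated digest
var_dump(onetap_verify_webhook($body, null, $secret));
var_dump(onetap_verify_webhook($body, 'sha1=' . substr($header, 7), $secret));
var_dump(onetap_verify_webhook($body, substr($header, 0, 20), $secret));

// In a real endpoint the two inputs come from the request (not executed here):
// $body   = file_get_contents('php://input');
// $header = $_SERVER['HTTP_X_ONETAP_SIGNATURE'] ?? null;
```

One caveat the header format itself does not address: a signature proves the body came from the holder of the secret, not that it is fresh, so a captured valid delivery could be replayed. If that matters for your endpoint, include a timestamp in the signed data and reject deliveries older than a few minutes.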
Learn more about Webhook Signatures →
10. Session Security
WordPress Sessions
OneTap uses WordPress's session management:
- Secure flag on the auth cookies when the site is served over HTTPS (is_ssl())
- HttpOnly flag, so page scripts cannot read the auth cookies
- Same-site behaviour: WordPress core does not set the attribute itself, so browsers apply their default (Lax); set it at the web server if you need Strict
- Proper expiration: 2 days by default, 14 days with "Remember me"
After Login
// Session regeneration - wp_set_auth_cookie() creates a fresh session token through
// WP_Session_Tokens (WordPress stores it under the 'session_tokens' user meta itself)
// and sets the auth cookies with HttpOnly, and Secure when is_ssl() is true
wp_set_auth_cookie($user_id, $remember);
// Do not write the 'session_tokens' meta directly; overwriting it invalidates the
// token WordPress just issued. Leave session storage to WP_Session_Tokens.
Security Audit Checklist
Before Launch
- HTTPS configured
- Client ID/Secret secure
- Forbidden roles enforced
- Rate limiting active
- Error messages generic
- Debug mode disabled
- Logs not public
Regular Checks
- Review admin users
- Check authentication logs
- Update plugin regularly
- Monitor for anomalies
- Test authentication flow
Data Protection
What OneTap Stores
| Data | Storage | Purpose |
|---|---|---|
| Google ID | User meta | Account linking |
| Email | WordPress user | Account identification |
| Name | WordPress user | Display name |
| Avatar URL | Not stored | Real-time from Google |
What OneTap Doesn't Store
- Google access tokens (temporary only)
- Passwords (not applicable)
- Sensitive Google data
- Payment information
GDPR Considerations
Data Processing
- Email: Legitimate interest (login functionality)
- Name: Contract performance
- Google ID: Technical necessity
Data Subject Rights
- Export: Included in WordPress export
- Erasure: Deleted with user account
- Access: Visible in user profile
Privacy Policy
Add to your privacy policy:
- Google sign-in is used
- What data is collected
- How it's processed
- Link to Google's policy
Security Best Practices
For Site Owners
- Keep updated: Always run latest version
- Use HTTPS: Never allow HTTP in production
- Restrict roles: Use minimal necessary roles
- Monitor logs: Check for anomalies
- Enable 2FA: For admin accounts
- Secure credentials: Never expose secrets
For Developers
- Sanitize inputs: Always validate
- Escape outputs: Prevent XSS
- Use nonces: For all forms
- Validate tokens: Every request
- Log security events: For audit
- Follow OWASP: Best practices
Reporting Security Issues
If you discover a security vulnerability:
- Do not disclose publicly
- Email: security@onetapwoo.com
- Include detailed description
- Allow time for fix
- Coordinated disclosure
Next Steps
- JWT Validation - Token verification details
- Rate Limiting - Abuse prevention
- Role Security - Privilege restrictions
- 2FA Detection - Two-factor integration
- Webhook Signatures - Payload verification