Add apiBaseUrl as a configurable option to Settings

[xecdev]

Add apiBaseUrl as a configurable option to Settings and set the default value to "https://paybutton.org".

Test Plan:

• Open Settings tab
• Scroll down and verify the new API Base URL option

Summary by CodeRabbit

• New Features
  • Adds an Admin setting to configure the API Base URL with a URL input and default https://paybutton.org.
  • Custom API Base URL is saved and applied site-wide (login, paywall, checkout flows).
  • Front-end receives the configured API Base URL for client-side requests.
  • Configuration JSON embedded in pages now preserves slashes for accurate payloads.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a configurable API base URL option stored in WP options, exposed in admin settings, localized to frontend JS and shortcodes, serialized with unescaped slashes, and passed into PayButton.render as api-base-url for frontend API requests.

Changes

Cohort / File(s)	Summary
Admin Settings includes/class-paybutton-admin.php, templates/admin/settings.php	Add paybutton_api_base_url admin field (type=url); sanitize with esc_url_raw, default to https://paybutton.org, persist via update_option; enqueue script version bumped for admin asset.
Public PHP → Frontend Data includes/class-paybutton-public.php	Localize apiBaseUrl into PaywallAjax, include apiBaseUrl in shortcode/WooCommerce config arrays, and use wp_json_encode/wp_localize_script with JSON_UNESCAPED_SLASHES for payloads.
Frontend JS assets/js/paybutton-paywall-cashtab-login.js, assets/js/paywalled-content.js	Pass api-base-url into PayButton.render options (sourced from PaywallAjax.apiBaseUrl or configData.apiBaseUrl).
WooCommerce Integration includes/woocommerce/class-wc-gateway-paybutton.php	Include apiBaseUrl in PayButton config for thank-you/payment pages (from get_option('paybutton_api_base_url', 'https://paybutton.org')) and serialize config with JSON_UNESCAPED_SLASHES.

Sequence Diagram(s)

sequenceDiagram
  participant Admin as Admin UI
  participant WP as WordPress (options/db)
  participant Enqueue as PHP enqueue/localize
  participant Browser as Browser JS
  participant PayButton as PayButton.render
  participant API as External PayButton API

  Admin->>WP: POST paybutton_api_base_url (esc_url_raw → update_option)
  WP->>Enqueue: get_option('paybutton_api_base_url', default)
  Enqueue->>Browser: localize PaywallAjax (include apiBaseUrl) / emit data-config
  Browser->>PayButton: PayButton.render({... 'api-base-url': apiBaseUrl ...})
  PayButton->>API: HTTP requests to provided api-base-url

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Secure “Login via Cashtab” Flow (Server-Verified Login Tokens) #90 — Modifies assets/js/paybutton-paywall-cashtab-login.js PayButton.render usage; touches the same call site as this change.
• Secure “Content Unlocking” Flow (Server-Verified Login Tokens) #93 — Updates frontend render options and token/login handling in assets/js/*, overlapping with the apiBaseUrl option addition.

Suggested labels

enhancement (UI/UX/feature)

Suggested reviewers

• Klakurka

Poem

🐰
I tuck a URL in admin's nest,
PHP cleans it, JS does the rest,
PayButton hops, the requests take flight,
Cookies crunch beneath moonlight,
A rabbit cheers — the API's dressed!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 77.78% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add apiBaseUrl as a configurable option to Settings' directly and clearly describes the main change—adding a new configurable API base URL option to the plugin settings.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/add-apiBaseUrl-option

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@includes/class-paybutton-admin.php`:
- Around line 128-132: Access to $_POST['paybutton_api_base_url'] must be
guarded and validated: first check isset($_POST['paybutton_api_base_url'])
before using wp_unslash/esc_url_raw, then assign $api_base_url = esc_url_raw(
wp_unslash( $_POST['paybutton_api_base_url'] ) ) and only call
update_option('paybutton_api_base_url', $api_base_url) if $api_base_url is
non-empty (esc_url_raw returns '' for invalid URLs); if empty, do not overwrite
the saved option and surface an error/notice (similar to how
paybutton_public_key is validated) so malformed or missing input isn’t silently
saved.

[coderabbitai]

🧹 Nitpick comments (2)

includes/class-paybutton-public.php (2)

241-242: No sanitization on the apiBaseUrl value before embedding in the config array.

While this value is admin-controlled via get_option and the final output is escaped by esc_attr(wp_json_encode(...)) on line 277, consider applying esc_url to ensure only well-formed URLs are passed through, consistent with WordPress best practices for URL options.

🛡️ Suggested hardening

- 'apiBaseUrl'  => get_option( 'paybutton_api_base_url', 'https://paybutton.org' )
+ 'apiBaseUrl'  => esc_url( get_option( 'paybutton_api_base_url', 'https://paybutton.org' ) )

Apply the same treatment on line 129:

- 'apiBaseUrl'       => get_option( 'paybutton_api_base_url', 'https://paybutton.org' ),
+ 'apiBaseUrl'       => esc_url( get_option( 'paybutton_api_base_url', 'https://paybutton.org' ) ),

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@includes/class-paybutton-public.php` around lines 241 - 242, The apiBaseUrl
value retrieved with get_option in the config array (the 'apiBaseUrl' =>
get_option(...) entry in class-paybutton-public.php) is not sanitized; update
the assignment to pass the option through esc_url (e.g., esc_url( get_option(
'paybutton_api_base_url', 'https://paybutton.org' ) )) before embedding in the
config so only well-formed URLs are used, and apply the same esc_url wrapping to
the earlier occurrence noted around the get_option call near the other usage
(referenced at the earlier api option on line 129).

---

129-129: The default URL string 'https://paybutton.org' is duplicated across multiple files.

This default appears in class-paybutton-public.php (lines 129, 242), class-paybutton-admin.php (lines 132, 306), and class-wc-gateway-paybutton.php (line 186). Consider extracting it into a class constant or shared helper to keep the default in one place.

♻️ Example: centralize the default

Define a constant in a shared location:

const PAYBUTTON_DEFAULT_API_BASE_URL = 'https://paybutton.org';

Then reference it everywhere:

- 'apiBaseUrl' => get_option( 'paybutton_api_base_url', 'https://paybutton.org' ),
+ 'apiBaseUrl' => get_option( 'paybutton_api_base_url', PAYBUTTON_DEFAULT_API_BASE_URL ),

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@includes/class-paybutton-public.php` at line 129, Extract the duplicated
default URL into a single constant (e.g., PAYBUTTON_DEFAULT_API_BASE_URL) in a
central location (such as the main plugin class or a shared bootstrap/config
class) and replace the hardcoded string occurrences with that constant; update
the usages where the default is provided (the 'apiBaseUrl' default in
class-paybutton-public.php, the similar defaults in class-paybutton-admin.php,
and class-wc-gateway-paybutton.php) to reference the new constant so the default
is maintained in one place.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@includes/class-paybutton-public.php`:
- Around line 241-242: The apiBaseUrl value retrieved with get_option in the
config array (the 'apiBaseUrl' => get_option(...) entry in
class-paybutton-public.php) is not sanitized; update the assignment to pass the
option through esc_url (e.g., esc_url( get_option( 'paybutton_api_base_url',
'https://paybutton.org' ) )) before embedding in the config so only well-formed
URLs are used, and apply the same esc_url wrapping to the earlier occurrence
noted around the get_option call near the other usage (referenced at the earlier
api option on line 129).
- Line 129: Extract the duplicated default URL into a single constant (e.g.,
PAYBUTTON_DEFAULT_API_BASE_URL) in a central location (such as the main plugin
class or a shared bootstrap/config class) and replace the hardcoded string
occurrences with that constant; update the usages where the default is provided
(the 'apiBaseUrl' default in class-paybutton-public.php, the similar defaults in
class-paybutton-admin.php, and class-wc-gateway-paybutton.php) to reference the
new constant so the default is maintained in one place.

[coderabbitai]

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@includes/class-paybutton-admin.php`:
- Around line 128-135: No code changes needed: the handling of the POSTed
paybutton_api_base_url is already correct — it uses isset with wp_unslash,
sanitizes via esc_url_raw, falls back to 'https://paybutton.org' when empty, and
persists via update_option('paybutton_api_base_url'), so leave the logic as-is
and approve the change.