Prevent fatal error when AUTH_KEY/SECURE_AUTH_KEY are undefined

mrcasual · mrcasual · commit 20873bbee2f7 · 2026-03-06T06:43:14.000-05:00
diff --git a/gravityforms-zero-spam.php b/gravityforms-zero-spam.php
@@ -3,7 +3,7 @@
  * Plugin Name:       Gravity Forms Zero Spam
  * Plugin URI:        https://www.gravitykit.com?utm_source=plugin&utm_campaign=zero-spam&utm_content=pluginuri
  * Description:       Enhance Gravity Forms to include effective anti-spam measures—without using a CAPTCHA.
- * Version:           1.7.0
+ * Version:           1.7.1
  * Author:            GravityKit
  * Author URI:        https://www.gravitykit.com?utm_source=plugin&utm_campaign=zero-spam&utm_content=authoruri
  * Requires PHP:      7.4
diff --git a/includes/class-gf-zero-spam-token.php b/includes/class-gf-zero-spam-token.php
@@ -152,7 +152,24 @@ public static function validate( string $token, int $expected_form_id ): array {
 	 * @return string The derived HMAC secret.
 	 */
 	public static function get_site_secret( int $salt_version ): string {
-		return hash_hmac( 'sha256', $salt_version . '|' . AUTH_KEY, SECURE_AUTH_KEY );
+		$auth_key        = defined( 'AUTH_KEY' ) ? AUTH_KEY : '';
+		$secure_auth_key = defined( 'SECURE_AUTH_KEY' ) ? SECURE_AUTH_KEY : '';
+
+		// Fall back to a DB-stored secret if wp-config.php salts are missing.
+		if ( '' === $auth_key && '' === $secure_auth_key ) {
+			$fallback = get_option( 'gf_zero_spam_fallback_secret' );
+
+			if ( ! $fallback ) {
+				$fallback = wp_generate_password( 64, true, true );
+
+				update_option( 'gf_zero_spam_fallback_secret', $fallback, false );
+			}
+
+			$auth_key        = $fallback;
+			$secure_auth_key = $fallback;
+		}
+
+		return hash_hmac( 'sha256', $salt_version . '|' . $auth_key, $secure_auth_key );
 	}
 
 	/**
diff --git a/readme.txt b/readme.txt
@@ -3,7 +3,7 @@ Contributors: gravityview
 Tags: gravity forms, spam, captcha, honeypot, anti-spam
 Requires at least: 4.7
 Tested up to: 6.9.1
-Stable tag: 1.7.0
+Stable tag: 1.7.1
 Requires PHP: 7.4
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -110,6 +110,10 @@ You can enable a spam summary report email. This email will be sent to the email
 
 == Changelog ==
 
+= 1.7.1 on March 6, 2026 =
+
+* Fixed: Fatal error on sites where `AUTH_KEY` or `SECURE_AUTH_KEY` constants are not defined in `wp-config.php`
+
 = 1.7.0 on March 5, 2026 =
 
 * Added: Stronger spam prevention using signed, time-limited tokens
