wp-config-patch.sh

#!/bin/bash
set -e

WP_CONFIG="/var/www/html/wp-config.php"

# Wait for WordPress core to exist (in case first-run init populates it)
if [ ! -f "$WP_CONFIG" ]; then
  sleep 2
fi

# Already patched?
if grep -q "Force WordPress to use SQLite drop-in early" "$WP_CONFIG"; then
  exit 0
fi

PLUGIN_VER=$(unzip -p /tmp/sqlite.zip sqlite-database-integration/readme.txt 2>/dev/null | grep -m1 '^Stable tag:' | awk '{print $3}')
[[ -z "$PLUGIN_VER" ]] && PLUGIN_VER="2.2.14"

# PHP block to inject (no debug echos)
PATCH_BLOCK=$(cat <<'PHPBLOCK'
// --- Force WordPress to use SQLite drop-in early + normalize proxy envs ---
/**
 * 1) Normalize HTTP_HOST: remove any :port (especially :7860 used internally)
 * 2) Determine canonical $site (prefer SITE_URL env; otherwise build from host & scheme)
 * 3) Force SERVER_PORT to 80 (or 443 for https) so WP doesn't add container port
 * 4) Define WP_HOME/WP_SITEURL early (before wp-settings.php)
 */

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = 443;
    $_SERVER['HTTP_HOST'] = preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST'] ?? '');
}

if (isset($_SERVER['HTTP_CF_VISITOR'])) {
    $visitor = json_decode($_SERVER['HTTP_CF_VISITOR']);
    if ($visitor && $visitor->scheme === 'https') {
        $_SERVER['HTTPS'] = 'on';
    }
}

define('COOKIE_DOMAIN', '');
define('COOKIEPATH', '/');
define('SITECOOKIEPATH', '/');
define('ADMIN_COOKIE_PATH', '/');
define('PLUGINS_COOKIE_PATH', '/');

if (isset($_SERVER['HTTP_HOST'])) {
    // Remove explicit :<port> from host header (common when container listens on nonstandard port)
    $_SERVER['HTTP_HOST'] = preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST']);
}

// Prefer SITE_URL env if provided (set in HF Space secrets)
// If not provided, build from detected scheme + host (host was normalized above)
$site_env = getenv('SITE_URL') ?: '';
if ($site_env) {
    $site = rtrim($site_env, '/');
} else {
    $scheme = (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https')
              || (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https' : 'http';
    $host = $_SERVER['HTTP_HOST'] ?? '127.0.0.1';
    $site = $scheme . '://' . $host;
}

// Ensure server port matches scheme (so WP won't append container port)
if (stripos($site, 'https://') === 0) {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = 443;
    if (!defined('FORCE_SSL_ADMIN')) define('FORCE_SSL_ADMIN', true);
} else {
    $_SERVER['HTTPS'] = 'off';
    $_SERVER['SERVER_PORT'] = $_SERVER['SERVER_PORT'] ?? 80;
    if (!defined('FORCE_SSL_ADMIN')) define('FORCE_SSL_ADMIN', false);
}

// Always set WP_HOME and WP_SITEURL early (no port)
if (!defined('WP_HOME')) define('WP_HOME', $site);
if (!defined('WP_SITEURL')) define('WP_SITEURL', $site);

// Standard SQLite / plugin constants
if (!defined('WP_CONTENT_DIR')) define('WP_CONTENT_DIR', __DIR__ . '/wp-content');
if (!defined('WP_CONTENT_URL')) define('WP_CONTENT_URL', '/wp-content');
if (!defined('ABSPATH')) define('ABSPATH', __DIR__ . '/');
if (file_exists(WP_CONTENT_DIR . '/db.php')) @define('DB_ENGINE', 'sqlite');
if (!defined('SQLITE_DB_DROPIN_VERSION')) define('SQLITE_DB_DROPIN_VERSION', '${PLUGIN_VER}');
PHPBLOCK
)

# Inject before wp-settings.php line
awk -v block="$PATCH_BLOCK" '
/require_once ABSPATH . '\''wp-settings.php'\'';/ {
  print block "\n" $0;
  next;
}
{ print }
' "$WP_CONFIG" > "${WP_CONFIG}.patched" && mv "${WP_CONFIG}.patched" "$WP_CONFIG"

# Add hardening and defaults if missing
grep -q "AUTOMATIC_UPDATER_DISABLED" "$WP_CONFIG" || cat <<'EXTRA' >> "$WP_CONFIG"

 // === Extra hardening and SQLite defaults ===
 if (!defined('AUTOMATIC_UPDATER_DISABLED')) define('AUTOMATIC_UPDATER_DISABLED', true);
 if (!defined('WP_AUTO_UPDATE_CORE')) define('WP_AUTO_UPDATE_CORE', false);
 if (!defined('DISALLOW_FILE_EDIT')) define('DISALLOW_FILE_EDIT', true);
 if (!defined('FS_METHOD')) define('FS_METHOD', 'direct');
EXTRA

exit 0