Merge branch 'develop' into update/composer-dependencies

.phpcs.ruleset.xml

@@ -24,6 +24,12 @@
 			https://github.com/PHPCompatibility/PHPCompatibilityWP -->
 	<rule ref="PHPCompatibilityWP"/>
 
+	<!-- Use the VIP Go ruleset. -->
+	<rule ref="WordPress-VIP-Go" />
+
+	<!-- Use the WordPress.com VIP ruleset. -->
+	<rule ref="WordPressVIPMinimum" />
+
 	<!-- For help in understanding this testVersion:
 		https://github.com/PHPCompatibility/PHPCompatibility#sniffing-your-code-for-compatibility-with-specific-php-versions -->
 	<config name="testVersion" value="5.3-"/>

composer.json

@@ -17,6 +17,7 @@
     "slowprog/composer-copy-file": "0.2.1",
     "wp-coding-standards/wpcs": "*",
     "xwp/wp-dev-lib": "^1.6.5"
+    "automattic/vipwpcs": "^2.0"
   },
   "scripts": {
     "phpcs": [

wp-includes/rest-api/auth/class-wp-rest-key-pair.php

@@ -96,14 +96,14 @@ public function register_routes() {
 			'callback'            => array( $this, 'generate_key_pair' ),
 			'permission_callback' => '__return_true',
 			'args'                => array(
-				'name'    => array(
+				'name'               => array(
 					'description'       => esc_html__( 'The name of the key-pair.', 'jwt-auth' ),
 					'type'              => 'string',
 					'required'          => true,
 					'sanitize_callback' => 'sanitize_text_field',
 					'validate_callback' => 'rest_validate_request_arg',
 				),
-				'user_id' => array(
+				'user_id'            => array(
 					'description'       => esc_html__( 'The ID of the user.', 'jwt-auth' ),
 					'type'              => 'integer',
 					'required'          => true,
@@ -120,7 +120,7 @@ public function register_routes() {
 			'callback'            => array( $this, 'delete_all_key_pairs' ),
 			'permission_callback' => '__return_true',
 			'args'                => array(
-				'user_id' => array(
+				'user_id'            => array(
 					'description'       => esc_html__( 'The ID of the user.', 'jwt-auth' ),
 					'type'              => 'integer',
 					'required'          => true,
@@ -136,14 +136,14 @@ public function register_routes() {
 			'callback'            => array( $this, 'delete_key_pair' ),
 			'permission_callback' => '__return_true',
 			'args'                => array(
-				'user_id' => array(
+				'user_id'            => array(
 					'description'       => esc_html__( 'The ID of the user.', 'jwt-auth' ),
 					'type'              => 'integer',
 					'required'          => true,
 					'sanitize_callback' => 'absint',
 					'validate_callback' => 'rest_validate_request_arg',
 				),
-				'api_key' => array(
+				'api_key'            => array(
 					'description'       => esc_html__( 'The API key being revoked.', 'jwt-auth' ),
 					'type'              => 'string',
 					'required'          => true,
@@ -359,11 +359,14 @@ public function authenticate( $user, WP_REST_Request $request ) {
 
 		$found    = false;
 		$keypairs = $this->get_user_key_pairs( $get_user->ID );
+
+		// Update the "Last IP" which accessed the keypair. This may not work
+		// in some environments due to caching.
 		foreach ( $keypairs as $_key => $item ) {
 			if ( isset( $item['api_key'] ) && $item['api_key'] === $key ) {
 				$keypairs[ $_key ]['last_used'] = time();
 
-				$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null;
+				$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; // phpcs:ignore WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__
 				if ( $ip ) {
 					$keypairs[ $_key ]['last_ip'] = $ip;
 				}
@@ -708,6 +711,7 @@ public function template_new_key_pair() {
 	 * @since 0.1
 	 */
 	public function template_new_token_key_pair() {
+		// phpcs:disable WordPressVIPMinimum.Security.Mustache.OutputNotation
 		?>
 		<script type="text/html" id="tmpl-new-token-key-pair">
 			<div class="new-key-pair notification-dialog-wrap" data-api_key="{{ data.api_key }}"  data-name="{{ data.name }}">
@@ -764,6 +768,7 @@ public function template_new_token_key_pair() {
 			</div>
 		</script>
 		<?php
+		// phpcs:enable WordPressVIPMinimum.Security.Mustache.OutputNotation
 	}
 
 	/**

wp-includes/rest-api/auth/class-wp-rest-token.php

@@ -109,13 +109,13 @@ public function register_routes() {
 			'callback'            => array( $this, 'generate_token' ),
 			'permission_callback' => '__return_true',
 			'args'                => array(
-				'api_key'    => array(
+				'api_key'            => array(
 					'description'       => __( 'The API key of the user; requires also setting the api_secret.', 'jwt-auth' ),
 					'type'              => 'string',
 					'sanitize_callback' => 'sanitize_text_field',
 					'validate_callback' => 'rest_validate_request_arg',
 				),
-				'api_secret' => array(
+				'api_secret'         => array(
 					'description'       => __( 'The API secret of the user; requires also setting the api_key.', 'jwt-auth' ),
 					'type'              => 'string',
 					'sanitize_callback' => 'sanitize_text_field',
@@ -346,7 +346,7 @@ public function authenticate_refresh_token( $user, WP_REST_Request $request ) {
 			if ( isset( $item['api_key'] ) && $item['api_key'] === $token->data->user->api_key ) {
 				$keypairs[ $_key ]['last_used'] = time();
 
-				$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null;
+				$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; // phpcs:ignore WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__
 				if ( $ip ) {
 					$keypairs[ $_key ]['last_ip'] = $ip;
 				}