Fix logout process #453
Fix logout process #453
Conversation
| $this->a0_options->get( 'domain' ), | ||
| rawurlencode( home_url() ), | ||
| $this->a0_options->get( 'client_id' ), | ||
| $telemetry_headers['Auth0-Client'] |
There was a problem hiding this comment.
I can't find any GH issues created for refactoring this usage. Are you tracking this?
There was a problem hiding this comment.
Yes, it's in Jira
| } else { | ||
| $redirect_url = home_url(); | ||
| } | ||
| wp_redirect( $redirect_url ); | ||
| exit; |
There was a problem hiding this comment.
at this line $is_sso and $is_auto_login were not used and the function is already returning. Would it make sense to define those variables right above the line that uses it? Would that help this code perform better?
There was a problem hiding this comment.
I think that's less clear and $this->a0_options->get() is just returning an array value so I don't think optimization there is helpful.
| exit; | ||
| } | ||
|
|
||
| if ( $auto_login ) { | ||
| // If auto-login is in use, cannot redirect back to login page. |
There was a problem hiding this comment.
"login page" would be the "authorize page" / HLP?
There was a problem hiding this comment.
No, this is the WP login page. Auto-login forwards to /authorize with a connection param so we need to drop folks logging out somewhere else.
lib/WP_Auth0_LoginManager.php
Outdated
| return; | ||
| // No need to checkSession if already logged in. | ||
| // URL parameter `no_sso` is set to skip checkSession. | ||
| if ( is_user_logged_in() || ! empty( $_GET['no_sso'] ) || ! $this->a0_options->get( 'sso' ) ) { |
There was a problem hiding this comment.
is like the negative (!) of the negative (empty) of the negative (no_). Should this be extracted to a variable for readability ?
| include WPA0_PLUGIN_DIR . 'templates/auth0-sso-handler-lock10.php'; | ||
| } | ||
| wp_enqueue_script( 'wpa0_auth0js', $this->a0_options->get( 'auth0js-cdn' ) ); | ||
| ob_start(); |
There was a problem hiding this comment.
what's this? Can't find it in this diff. Also the one ob_get_clean()
There was a problem hiding this comment.
ob_start() is output buffer, ob_get_clean() returns the buffer and clears it out. This is used to "capture" an echo basically
There was a problem hiding this comment.
So you're creating a new buffer and putting in the contents of the 'templates/auth0-sso-handler-lock10.php' file, and returning $previous_html plus the buffer contents?
There was a problem hiding this comment.
Correct. I would rather this be in an external JS file since it's doing something similar to the implicit flow we have as part of the plugin but this is all being removed on the next minor in favor of UL so I don't want to waste time on it.
| @@ -578,8 +588,6 @@ public function auth0_singlelogout_footer() { | |||
|
|
|||
| /** | |||
| * End the PHP session. | |||
| * | |||
| * TODO: Remove, not necessary! | |||
There was a problem hiding this comment.
this method is necessary now or what?
There was a problem hiding this comment.
Should be deprecated, added that comment below 👇
lib/WP_Auth0_LoginManager.php
Outdated
| @@ -664,7 +672,7 @@ protected function die_on_login( $msg = '', $code = 0, $login_link = true ) { | |||
| : __( 'Please see the site administrator', 'wp-auth0' ), | |||
| __( 'error code', 'wp-auth0' ), | |||
| $code ? sanitize_text_field( $code ) : __( 'unknown', 'wp-auth0' ), | |||
| $login_link ? wp_login_url() : wp_logout_url(), | |||
| $login_link ? add_query_arg( 'no_sso', 1, wp_login_url() ) : wp_logout_url(), | |||
There was a problem hiding this comment.
so add_query_arg will return the modified URL?
Remove federated logout for SSO. Fix SLO link empty issue. Minor code quality fixes.
joshcanhelp
force-pushed
the
fix-logout-process
branch
from
3408d7f
to
a598553
Compare
| return; | ||
| // No need to checkSession if already logged in. | ||
| // URL parameter `skip_sso` is set to skip checkSession. | ||
| if ( is_user_logged_in() || isset( $_GET['skip_sso'] ) || ! $this->a0_options->get( 'sso' ) ) { |
There was a problem hiding this comment.
is like the negative (!) of the negative (empty) of the negative (no_). Should this be extracted to a variable for readability ?
I liked your suggestion here so I changed the param name and now just checking if it's there.
end_sessionmethod call (we're not setting any sessions so we should not be deleting any either)get_permalink()is empty on non-postpages)auth0_sso_footer(cannotechoin filters, must return modified data)no_ssocheck for SSO footer on wp-login.php to skip SSO processing if there was a login error (can cause redirect loops)