Release 3.6.0

CHANGELOG.md

@@ -1,5 +1,102 @@
 # Change Log
 
+## [3.6.0](https://github.com/auth0/wp-auth0/tree/3.6.0) (2018-06-05)
+[Full Changelog](https://github.com/auth0/wp-auth0/compare/3.5.2...3.6.0)
+
+
+
+**NOTES**
+
+- Passwordless was reconfigured completely to use the combined Lock library (currently hard-coded to 11.5). All current settings will be migrated to the new configuration so your login process should not change. Lock initiation has also been refactored to improve maintainability and adhere to WordPress standards. 
+- The Setup Wizard has been adjusted to more clearly explain the process and options available. This only affects new installations using the Setup Wizard for configuration.
+- The settings page has been rearranged and improved overall. New settings descriptions have also been added along with links to documentation, where appropriate.
+- State validation was added to both login flows; nonce validation was added to sites using Implicit flow. 
+- OIDC compliant Applications should now function as expected (though this setting is not yet activated by default on installation). OpenID Connect login is now possible by turning off the Client Credentials grant for your WordPress Application. 
+- Dashboard widgets have been removed. This can easily be added back as a plugin, if needed. Please [contact support](https://support.auth0.com/) if you need assistance with this. 
+- A number of new hooks have been added, please see our [docs page on extension](https://auth0.com/docs/cms/wordpress/extending) for a complete inventory with examples. This includes the ability to support refresh tokens. 
+- Federated logout has been removed. 
+
+
+**Closed issues**
+
+- Expose a configurable toggle that allows Users to state if federated logout should be used [\#471](https://github.com/auth0/wp-auth0/issues/471)
+- Updating to 3.5.2 - Fatal error: Uncaught Error: Cannot use object of type stdClass as array in /app/wp-content/plugins/auth0/lib/WP_Auth0_DBManager.php on line 225 [\#464](https://github.com/auth0/wp-auth0/issues/464)
+- Autoloader performance issue [\#461](https://github.com/auth0/wp-auth0/issues/461)
+- Bad request does not raise error [\#432](https://github.com/auth0/wp-auth0/issues/432)
+- Widget URL changes don't save when you are using passwordless [\#430](https://github.com/auth0/wp-auth0/issues/430)
+- Deprecate `oauth/ro` endpoint [\#410](https://github.com/auth0/wp-auth0/issues/410)
+- Handling errors [\#403](https://github.com/auth0/wp-auth0/issues/403)
+- Fallback /api/v2/users/{id} to /userinfo [\#401](https://github.com/auth0/wp-auth0/issues/401)
+- CORS errors [\#400](https://github.com/auth0/wp-auth0/issues/400)
+- Provide Resend verification email only for DB connections [\#345](https://github.com/auth0/wp-auth0/issues/345)
+- SSO disabled, Single Logout enabled causes users to get logged out automatically a few seconds after logging in [\#336](https://github.com/auth0/wp-auth0/issues/336)
+- French translation  : html characters [\#309](https://github.com/auth0/wp-auth0/issues/309)
+- "Invalid authorization code": Access token is requested twice in a row, breaking the login flow [\#305](https://github.com/auth0/wp-auth0/issues/305)
+- Make state work after SSO login [\#302](https://github.com/auth0/wp-auth0/issues/302)
+- Is there a way to use Refresh Tokens and Wordpress? [\#296](https://github.com/auth0/wp-auth0/issues/296)
+- Only decode the payload before user profile fetch in login manager [\#283](https://github.com/auth0/wp-auth0/issues/283)
+- redirect callback errors [\#280](https://github.com/auth0/wp-auth0/issues/280)
+- Linked Users won't be able to login using implicit flow and pipeline 2 [\#272](https://github.com/auth0/wp-auth0/issues/272)
+- Normalize use of shortcode and widget [\#260](https://github.com/auth0/wp-auth0/issues/260)
+- Wrong z-index on modal error message in manual setup [\#252](https://github.com/auth0/wp-auth0/issues/252)
+- Logout does not work when Wordpress is locked down (private site) [\#39](https://github.com/auth0/wp-auth0/issues/39)
+
+**Added**
+
+- Adding refresh token support; adjusting default scope [\#456](https://github.com/auth0/wp-auth0/pull/456) ([joshcanhelp](https://github.com/joshcanhelp))
+- Add code quality tools, improved composer.json [\#454](https://github.com/auth0/wp-auth0/pull/454) ([joshcanhelp](https://github.com/joshcanhelp))
+- Add /userinfo fallback during login [\#423](https://github.com/auth0/wp-auth0/pull/423) ([joshcanhelp](https://github.com/joshcanhelp))
+- State handling during login process for both types [\#406](https://github.com/auth0/wp-auth0/pull/406) ([joshcanhelp](https://github.com/joshcanhelp))
+
+**Changed**
+
+- Change token exchange redirect URL to match what was sent for auth code [\#463](https://github.com/auth0/wp-auth0/pull/463) ([joshcanhelp](https://github.com/joshcanhelp))
+- Hide the signup tab if registrations are turned off [\#460](https://github.com/auth0/wp-auth0/pull/460) ([joshcanhelp](https://github.com/joshcanhelp))
+- New class for state handling; set cookie for implicit nonce [\#458](https://github.com/auth0/wp-auth0/pull/458) ([joshcanhelp](https://github.com/joshcanhelp))
+- Change auto-login action [\#449](https://github.com/auth0/wp-auth0/pull/449) ([joshcanhelp](https://github.com/joshcanhelp))
+- Require telemetry for API calls [\#441](https://github.com/auth0/wp-auth0/pull/441) ([joshcanhelp](https://github.com/joshcanhelp))
+- Change Appearance tab settings output [\#439](https://github.com/auth0/wp-auth0/pull/439) ([joshcanhelp](https://github.com/joshcanhelp))
+- Change Feature settings output [\#436](https://github.com/auth0/wp-auth0/pull/436) ([joshcanhelp](https://github.com/joshcanhelp))
+- Change Basic settings field display; better admin UX [\#433](https://github.com/auth0/wp-auth0/pull/433) ([joshcanhelp](https://github.com/joshcanhelp))
+- Change how Advanced admin settings fields are output [\#429](https://github.com/auth0/wp-auth0/pull/429) ([joshcanhelp](https://github.com/joshcanhelp))
+- Setting titles and option names [\#427](https://github.com/auth0/wp-auth0/pull/427) ([joshcanhelp](https://github.com/joshcanhelp))
+- Clean up admin notices [\#421](https://github.com/auth0/wp-auth0/pull/421) ([joshcanhelp](https://github.com/joshcanhelp))
+- Change asset enqueuing [\#419](https://github.com/auth0/wp-auth0/pull/419) ([joshcanhelp](https://github.com/joshcanhelp))
+- Improve WP_Auth0_Options [\#418](https://github.com/auth0/wp-auth0/pull/418) ([joshcanhelp](https://github.com/joshcanhelp))
+
+**Deprecated**
+
+- Deprecate 2 lookup methods [\#446](https://github.com/auth0/wp-auth0/pull/446) ([joshcanhelp](https://github.com/joshcanhelp))
+- Deprecating wp-admin settings-related methods + classes [\#445](https://github.com/auth0/wp-auth0/pull/445) ([joshcanhelp](https://github.com/joshcanhelp))
+- Deprecating unused Lock Options classes and methods [\#444](https://github.com/auth0/wp-auth0/pull/444) ([joshcanhelp](https://github.com/joshcanhelp))
+- Deprecating admin_enqueue functions [\#443](https://github.com/auth0/wp-auth0/pull/443) ([joshcanhelp](https://github.com/joshcanhelp))
+- Deprecate oauth/ro endpoint [\#413](https://github.com/auth0/wp-auth0/pull/413) ([joshcanhelp](https://github.com/joshcanhelp))
+
+**Removed**
+
+- Remove wp-admin click tracking [\#451](https://github.com/auth0/wp-auth0/pull/451) ([joshcanhelp](https://github.com/joshcanhelp))
+- Remove dashboard widgets [\#428](https://github.com/auth0/wp-auth0/pull/428) ([joshcanhelp](https://github.com/joshcanhelp))
+- Remove and migrate Passwordless setting [\#425](https://github.com/auth0/wp-auth0/pull/425) ([joshcanhelp](https://github.com/joshcanhelp))
+- Remove api_audience settings field [\#422](https://github.com/auth0/wp-auth0/pull/422) ([joshcanhelp](https://github.com/joshcanhelp))
+- Removing dashboard widgets [\#397](https://github.com/auth0/wp-auth0/pull/397) ([joshcanhelp](https://github.com/joshcanhelp))
+
+**Fixed**
+
+- Correcting input field height on settings pages for IE [\#472](https://github.com/auth0/wp-auth0/pull/472) ([joshcanhelp](https://github.com/joshcanhelp))
+- Save sub or user_id if not provided; remove extemporaneous ID token attributes [\#469](https://github.com/auth0/wp-auth0/pull/469) ([joshcanhelp](https://github.com/joshcanhelp))
+- Improve Setup Wizard [\#468](https://github.com/auth0/wp-auth0/pull/468) ([joshcanhelp](https://github.com/joshcanhelp))
+- Fix install and DB update errors [\#467](https://github.com/auth0/wp-auth0/pull/467) ([joshcanhelp](https://github.com/joshcanhelp))
+- Fix SLO redirect, SLO on when SSO off, SSO setting not pushed to dashboard [\#466](https://github.com/auth0/wp-auth0/pull/466) ([joshcanhelp](https://github.com/joshcanhelp))
+- Fixed auto-loader to skip non-WP-Auth0 classes [\#465](https://github.com/auth0/wp-auth0/pull/465) ([joshcanhelp](https://github.com/joshcanhelp))
+- Fix empty path notice on initial setup [\#457](https://github.com/auth0/wp-auth0/pull/457) ([joshcanhelp](https://github.com/joshcanhelp))
+- Fix logout process [\#453](https://github.com/auth0/wp-auth0/pull/453) ([joshcanhelp](https://github.com/joshcanhelp))
+- Fix help tab text and settings tab UX [\#452](https://github.com/auth0/wp-auth0/pull/452) ([joshcanhelp](https://github.com/joshcanhelp))
+- Only show email verification resend for DB connections [\#447](https://github.com/auth0/wp-auth0/pull/447) ([joshcanhelp](https://github.com/joshcanhelp))
+- Fix Passwordless handling; update Lock instantiation [\#434](https://github.com/auth0/wp-auth0/pull/434) ([joshcanhelp](https://github.com/joshcanhelp))
+- Fix Implicit login handling [\#426](https://github.com/auth0/wp-auth0/pull/426) ([joshcanhelp](https://github.com/joshcanhelp))
+- Admin settings refactor - WP_Auth0_Admin_Generic [\#416](https://github.com/auth0/wp-auth0/pull/416) ([joshcanhelp](https://github.com/joshcanhelp))
+- Fix Login Process Error Handling [\#409](https://github.com/auth0/wp-auth0/pull/409) ([joshcanhelp](https://github.com/joshcanhelp))
+
 ## [3.5.2](https://github.com/auth0/wp-auth0/tree/3.5.2) (2018-02-22)
 [Full Changelog](https://github.com/auth0/wp-auth0/compare/3.5.1...3.5.2)
 
@@ -42,7 +139,7 @@
 ## [3.5.0](https://github.com/auth0/wp-auth0/tree/3.5.0) (2018-01-25)
 [Full Changelog](https://github.com/auth0/wp-auth0/compare/3.4.0...3.5.0)
 
-**Please note:** This is a major update that requires changes to your Auth0 Dashboard to be completed. You can save a new [API token](https://auth0.com/docs/api/management/v2/tokens#get-a-token-manually) in your Basic settings in wp-admin before upgrading and the changes will be made automatically during the update. Otherwise, after upgrading, please review your [Client Advanced Settings](https://auth0.com/docs/cms/wordpress/configuration#client-setup), specifically your Grant Types, and [authorize your Client for the Management API](https://auth0.com/docs/cms/wordpress/configuration#authorize-the-client-for-the-management-api). 
+**Please note:** This is a major update that requires changes to your Auth0 Dashboard to be completed. You can save a new [API token](https://auth0.com/docs/api/management/v2/tokens#get-a-token-manually) in your Basic settings in wp-admin before upgrading and the changes will be made automatically during the update. Otherwise, after upgrading, please review your [Application Advanced Settings](https://auth0.com/docs/cms/wordpress/configuration#application-setup), specifically your Grant Types, and [authorize your Client for the Management API](https://auth0.com/docs/cms/wordpress/configuration#authorize-the-client-for-the-management-api). 
 
 **Changed**
 - updating CDN URLs for Lock and Auth.js [\#365](https://github.com/auth0/wp-auth0/pull/365) ([joshcanhelp](https://github.com/joshcanhelp))

README.md

@@ -12,22 +12,48 @@ Single Sign On for Enterprises + Social Login + User/Passwords. For all your Wor
 
 Please see the [Installation docs](https://auth0.com/docs/cms/wordpress/installation) for detailed instructions.
 
-## Extending the plugin
+## API authentication
 
-[Please see the Extending page on auth0.com/docs](https://auth0.com/docs/cms/wordpress/extending)
+Please see the [JWT Authentication docs](https://auth0.com/docs/cms/wordpress/jwt-authentication) for more information. 
 
-We're happy to review and approve new filters and actions that help you integrate even further in this plugin. Please
- see the Contributing section at the bottom of this page.
+## Extending the plugin
 
-## API authentication
+Please see the [Extending docs](https://auth0.com/docs/cms/wordpress/extending) for information on existing hooks.
 
-Please see the [JWT Authentication docs](https://auth0.com/docs/cms/wordpress/jwt-authentication) for more information.
+We're happy to review and approve new filters and actions that help you integrate even further in this plugin. Please see the **Contributing** section below for more information.
 
 ## Contributing
 
-Thank you in advance!
+**Thank you in advance!**
+
+* All PRs must use the `dev` branch as a base
+* Change the least amount of code to achieve the goal; PRs with lots of whitespace changes and abstraction combined with a feature add or bug fix are difficult to review and may be rejected
+* Use the latest version of WordPress and turn `WP_DEBUG` on
+* If other plugins are installed during testing that might affect behavior, please list those in the PR description
+* Make sure to test against the lowest PHP version supported (see `Requires PHP:` [here](readme.txt#L5)) 
 
-All PR should be done towards the `dev` branch.
+### How to install and configure WordPress for testing
+
+We try to cover as many use cases as possible and one way to do that is with a "headless" WordPress install (core WordPress files in a separate directory). Here's a quick and easy way to set that up on the command line:
+
+```bash
+mkdir wp-doc-root; cd wp-doc-root; mkdir wp;
+mkdir wp-content; mkdir wp-content/themes; mkdir wp-content/plugins;
+
+git clone https://github.com/WordPress/WordPress.git wp;
+# Clones the latest, released version or WordPress (takes a while)
+
+cp ./wp/wp-config-sample.php ./wp-config.php;
+# Add MySQL DB info and set "WP_DEBUG" to TRUE` in ./wp-config.php
+
+cp ./wp/index.php ./index.php; 
+# Replace "/wp-blog-header.php" with "/wp/wp-blog-header.php" in copied ./index.php
+
+git clone https://github.com/joshcanhelp/auth0-wp-test.git ./wp-content/themes/auth0-wp-test
+# Optional, clones the testing theme to assist with development
+```
+
+The main requirement for testing, though, is using the latest version of WordPress with our minimum supported PHP version. 
 
 ### How to build the initial setup assets?
 
@@ -43,28 +69,14 @@ To watch and auto-compile it while working:
 $ stylus -w -o initial-setup.css initial-setup/main.styl
 ```
 
-## Screenshots
-
-![](https://raw.githubusercontent.com/auth0/wp-auth0/master/screenshot-1.png)
-
-![](https://raw.githubusercontent.com/auth0/wp-auth0/master/screenshot-2.png)
-
-![](https://raw.githubusercontent.com/auth0/wp-auth0/master/screenshot-3.png)
-
-![](https://raw.githubusercontent.com/auth0/wp-auth0/master/screenshot-4.png)
-
-![](https://raw.githubusercontent.com/auth0/wp-auth0/master/screenshot-5.png)
-
-![](https://raw.githubusercontent.com/auth0/wp-auth0/master/screenshot-6.png)
-
 ## Issue Reporting
 
-If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
+If you find a bug or if you have a feature request, please report them in the [Issues tab](https://github.com/auth0/wp-auth0/issues). Please do not report security vulnerabilities in a public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
 
 ## Author
 
-* [Auth0](auth0.com)
+* [Auth0](https://auth0.com)
 
 ## License
 
-This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info.
+This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info.