Bad request does not raise error

[Schwankenson]

I found out the reason for the strange Wordpress user from the ticket: https://support.auth0.com/tickets/37419 - The non interactive client I used had no permissions selected.

The bug in the Wordpress Plugin is, that it did not show me an error message. Here is what I found out:

In file lib/WP_Auth0_LoginManager.php the request "WP_Auth0_Api_Client::get_user(...)" in line 252 returns an error:

object(stdClass)#6943 (4) { ["statusCode"]=> int(400) ["error"]=> string(11) "Bad Request" ["message"]=> string(37) "Bad HTTP authentication header format" ["errorCode"]=> string(6) "Bearer" }

After the request, there is the line: "if ( $response instanceof WP_Error ) {", but the error is not detected as instance of WP_Error, so it is not raised. So the Plugin just continues to login the user. Because the Wordpress User does not exist, it tries to create one, with dummy data added in "lib/WP_Auth0_Users.php". line 9, because userinfo is empty because of the bad request.

[joshcanhelp]

Thanks for the issue report here, @Schwankenson!

We've been working on the next version of the plugin and one of the big things we concentrated on was error handling. In this particular case, we'll catch if the client is not configured properly and fallback to the /userinfo endpoint with the access token:

https://github.com/auth0/wp-auth0/blob/dev/lib/WP_Auth0_LoginManager.php#L254

I'll leave this open and close when it's ready for release (and of April/early May).

[joshcanhelp]

Fixed with #409 and merged into dev