New class for state handling; set cookie for implicit nonce #458
Conversation
lib/WP_Auth0_Nonce_Handler.php
Outdated
| @@ -1,134 +1,24 @@ | |||
| <?php | |||
|
|
|||
| final class WP_Auth0_Nonce_Handler { | |||
There was a problem hiding this comment.
Move to parent class
lib/WP_Auth0_Random_Storage.php
Outdated
| @@ -0,0 +1,121 @@ | |||
| <?php | |||
|
|
|||
| class WP_Auth0_Random_Storage { | |||
There was a problem hiding this comment.
This was previously the WP_Auth0_Nonce_Handler. I added a more generic cookie name and removed the verify method so extending classes can implement it themselves.
joshcanhelp
force-pushed
the
change-state-and-nonce-handling
branch
4 times, most recently
from
0f63a3f
to
9cee822
Compare
| if ( $this->query_vars( 'error' ) || $this->query_vars( 'error_description' ) ) { | ||
| $error_msg = sanitize_text_field( rawurldecode( $_REQUEST[ 'error_description' ] ) ); | ||
| $error_code = sanitize_text_field( rawurldecode( $_REQUEST[ 'error' ] ) ); | ||
| if ( ! empty( $_REQUEST['error'] ) || ! empty( $_REQUEST['error_description'] ) ) { |
There was a problem hiding this comment.
query_vars was causing problems in the state retrieval so I changed that here as well.
| @@ -228,8 +217,7 @@ public function redirect_login() { | |||
|
|
|||
| // Look for clues as to what went wrong. | |||
| $e_message = ! empty( $data->error_description ) ? $data->error_description : __( 'Unknown error', 'wp-auth0' ); | |||
| $e_code = ! empty( $data->error ) ? $data->error : $exchange_resp_code; | |||
| throw new WP_Auth0_LoginFlowValidationException( $e_message, $e_code ); | |||
| throw new WP_Auth0_LoginFlowValidationException( $e_message, $exchange_resp_code ); | |||
There was a problem hiding this comment.
Didn't like the string error code ... found during debugging
| @@ -608,30 +595,30 @@ public static function get_userinfo_scope( $context = '' ) { | |||
| * @return array | |||
| */ | |||
| public static function get_authorize_params( $connection = null, $redirect_to = null ) { | |||
There was a problem hiding this comment.
Mainly whitespace changes in this method
joshcanhelp
force-pushed
the
change-state-and-nonce-handling
branch
2 times, most recently
from
f52c688
to
2bf199a
Compare
lib/WP_Auth0_LoginManager.php
Outdated
| $auth_params = self::get_authorize_params( $connection ); | ||
|
|
||
| $auth_url = 'https://' . $this->a0_options->get( 'domain' ) . '/authorize'; | ||
| $auth_url = add_query_arg( array_map( 'rawurlencode', $auth_params ), $auth_url ); | ||
|
|
||
| setcookie( WPA0_STATE_COOKIE_NAME, $auth_params['state'], time() + WP_Auth0_Nonce_Handler::COOKIE_EXPIRES, '/' ); | ||
| WP_Auth0_State_Handler::get_instance()->setStateCookie( $auth_params['state'] ); |
There was a problem hiding this comment.
I guess this line doesn't check for isset (state) because state is ALWAYS sent, right?
There was a problem hiding this comment.
Correct. That array comes from the get_authorize_params() method in this same class and is always generated.
| @@ -326,7 +314,7 @@ public function implicit_login() { | |||
|
|
|||
| // Validate the nonce if one was included in the request if using auto-login. | |||
| $nonce = isset( $decoded_token->nonce ) ? $decoded_token->nonce : null; | |||
| if ( ! WP_Auth0_Nonce_Handler::getInstance()->validate( $nonce ) ) { | |||
| if ( ! WP_Auth0_Nonce_Handler::get_instance()->validate( $nonce ) ) { | |||
There was a problem hiding this comment.
are you following the same method naming convention everywhere? Asking since I see a misxture for class names, i.e. WP_Auth0_LoginFlowValidationException
There was a problem hiding this comment.
For new methods, I'm following the WP standard, which is snake-case. There was no naming convention, really, up until now.
| /** | ||
| * Contains WP_Auth0_Nonce_Handler. |
There was a problem hiding this comment.
I'm seeing 2 docs for this class definition. Should they be merged?
There was a problem hiding this comment.
It's a file and a class comment. Duplicative but part of the code quality scan.
lib/WP_Auth0_Nonce_Handler.php
Outdated
| * @var WP_Auth0_Nonce_Handler|null | ||
| */ | ||
| protected static $_instance = null; |
There was a problem hiding this comment.
No need to make it protected.
There was a problem hiding this comment.
I actually think that I do in this case. The classes that extend WP_Auth0_Random_Storage use late static binding to call the child class from the parent (static when you see that). A private property here would affect how that functions. If I switch these to private, I get:
Fatal error: Access level to WP_Auth0_Nonce_Handler::$_instance must be protected (as in class WP_Auth0_Random_Storage) or weaker in /Users/josh-cunningham/Sites/wp-auth0-v1/wp-content/plugins/auth0/lib/WP_Auth0_Nonce_Handler.php on line 12
... and they cant be public so there we are.
There was a problem hiding this comment.
you already have a getInstance method (the singleton getter) on the super class. Use that from the child ones.
There was a problem hiding this comment.
Yes, I do have that and do use that but the child classes need to have an _instance property for that to work.
lib/WP_Auth0_State_Handler.php
Outdated
| * | ||
| * @var WP_Auth0_State_Handler|null | ||
| */ | ||
| protected static $_instance = null; |
There was a problem hiding this comment.
No need to make it protected.
lib/WP_Auth0_State_Handler.php
Outdated
| final class WP_Auth0_State_Handler extends WP_Auth0_Random_Storage { | ||
|
|
||
| /** | ||
| * Cookie name used to store nonce |
There was a problem hiding this comment.
nonce is correct in this case. This nonce is added to a state object
lib/WP_Auth0_State_Handler.php
Outdated
| const UNIQID_COOKIE_NAME = 'auth0_state_uniqid'; | ||
|
|
||
| /** | ||
| * Cookie name used to store nonce |
lib/WP_Auth0_Nonce_Handler.php
Outdated
| * @var string | ||
| */ | ||
| const UNIQID_COOKIE_NAME = 'auth0_nonce_uniqid'; |
There was a problem hiding this comment.
shouldn't this be called NONE_COOKIE_NAME or even COOKIE_NAME? Since it's already inside the nonce handler class
There was a problem hiding this comment.
Synonymous as used. The uniqid is used as a nonce in the Nonce class.
lib/WP_Auth0_State_Handler.php
Outdated
| * | ||
| * @var string | ||
| */ | ||
| const STATE_COOKIE_NAME = 'auth0_state'; |
There was a problem hiding this comment.
wait, what's the difference between this one and the uniqid one?
There was a problem hiding this comment.
State is state, nonce is the salt in state.
lib/WP_Auth0_State_Handler.php
Outdated
| * | ||
| * @return bool | ||
| */ | ||
| public function validate() { |
There was a problem hiding this comment.
see my long comment over class inheritance and protected methods.
joshcanhelp
force-pushed
the
change-state-and-nonce-handling
branch
3 times, most recently
from
0112dd4
to
02dc5b5
Compare
| if ( $this->query_vars( 'error' ) || $this->query_vars( 'error_description' ) ) { | ||
| $error_msg = sanitize_text_field( rawurldecode( $_REQUEST[ 'error_description' ] ) ); | ||
| $error_code = sanitize_text_field( rawurldecode( $_REQUEST[ 'error' ] ) ); | ||
| if ( ! empty( $_REQUEST['error'] ) || ! empty( $_REQUEST['error_description'] ) ) { |
There was a problem hiding this comment.
would an error_description by itself be valid? I guess only when error is present. So 2nd clause could be removed.
| $this->die_on_login( $error_msg, $error_code ); | ||
| } | ||
|
|
||
| // Check for valid state nonce, set in WP_Auth0_Lock10_Options::get_state_obj(). | ||
| // See https://auth0.com/docs/protocols/oauth2/oauth-state for more info. | ||
| if ( ! $this->validate_state() ) { | ||
| $state_returned = isset( $_REQUEST['state'] ) ? rawurldecode( $_REQUEST['state'] ) : null; | ||
| if ( ! $state_returned || ! WP_Auth0_State_Handler::get_instance()->validate( $state_returned ) ) { |
There was a problem hiding this comment.
! $state_returned is already covered inside the verify method
lib/WP_Auth0_Nonce_Handler.php
Outdated
| } else { | ||
| // No cookie, need to create one. | ||
| $this->_uniqid = $this->generate_nonce(); |
There was a problem hiding this comment.
don't you need to set the generated value to $_COOKIE?
lib/WP_Auth0_Nonce_Handler.php
Outdated
| * @return bool | ||
| */ | ||
| public function set_cookie() { |
There was a problem hiding this comment.
shouldn't this be called internally after generating a new nonce? (private). It doesn't receive any param so I don't see the point of it being public at all
joshcanhelp
force-pushed
the
change-state-and-nonce-handling
branch
3 times, most recently
from
9912d9d
to
81f15f4
Compare
joshcanhelp
force-pushed
the
change-state-and-nonce-handling
branch
from
81f15f4
to
d13201d
Compare
WP_Auth0_Random_Storageclass.noncecookie for implicit logins during Lock initnoncecookie for implicit auto-logins before redirect