Fix SLO redirect, SLO on when SSO off, SSO setting not pushed to dashboard #466
Conversation
| @@ -140,7 +141,7 @@ public function render_password_policy( $args = array() ) { | |||
| * @see add_settings_field() | |||
| */ | |||
| public function render_sso( $args = array() ) { | |||
| $this->render_switch( $args['label_for'], $args['opt_name'] ); | |||
| $this->render_switch( $args['label_for'], $args['opt_name'], 'wpa0_singlelogout' ); | |||
There was a problem hiding this comment.
since this method is named after sso. What is this slo line doing? I understand that is displaying a "toggle button" for enabling slo
There was a problem hiding this comment.
What is this slo line doing? I understand that is displaying a "toggle button" for enabling slo
Seems like you're answering your own question here ... can you rephrase?
| webAuth.checkSession( { 'responseType' : 'token', 'redirectUri' : window.location.href }, function ( err ) { | ||
| if ( err && err.error ==='login_required' ) { | ||
| window.location = '<?php echo esc_url( wp_logout_url( get_permalink() ) . '&SLO=1' ); ?>'; | ||
| var sloOptions = { 'responseType' : 'token id_token', 'redirectUri' : '<?php echo home_url() ?>' }; |
There was a problem hiding this comment.
Would it be better if this options are obtained through a method, like the one you already have ...Lock10_Options#get_sso_options()?
There was a problem hiding this comment.
That method exists to check settings and decide what is passed to checkSession. In this case, we're just checking whether someone is logged in or not, which does not depend on site options. Using that method would be overly complicated, IMHO.
| var sloOptions = { 'responseType' : 'token id_token', 'redirectUri' : '<?php echo home_url() ?>' }; | ||
| webAuth.checkSession( sloOptions, function ( err ) { | ||
| if ( err && err.error && 'login_required' === err.error ) { | ||
| window.location = '<?php echo $logout_url ?>'; |
There was a problem hiding this comment.
if an error happens, you show the log out page. But if the session is still valid? Should you do anything with the new received tokens?
There was a problem hiding this comment.
But if the session is still valid? Should you do anything with the new received tokens?
No. We're checking for an Auth0 session and, if one is not found, they get logged out. This only runs if someone is logged in so if this SLO check finds a session, they already have a WP session and nothing should change.
| $error .= '<a href="https://auth0.com/docs/sso/single-sign-on#1">HERE</a>.'; | ||
| $this->add_validation_error( $error ); | ||
|
|
||
| $is_sso = ! empty( $input['sso'] ); |
There was a problem hiding this comment.
the line above sets a 0 if the value is not available. Is that 0 being treated as "empty" on this line? or would it make sense to just define this line above the one below and use $is_sso as conditional for the ? if clause above.
There was a problem hiding this comment.
I don't want to change how the validation actually works (see the original) since it does work. I'm just forcing a boolean to check more clearly in this method.
| * @param array $input - new option values being saved. | ||
| * | ||
| * @return array | ||
| */ | ||
| public function sso_validation( $old_options, $input ) { | ||
| $input['sso'] = ( isset( $input['sso'] ) ? $input['sso'] : 0 ); |
There was a problem hiding this comment.
maybe it would be nice if this method doesn't modify the "original values" passed as parameters and instead, creates a copy of them or just new vars for the values it's going to use. e.g. don't overwrite $input['sso']
There was a problem hiding this comment.
Not an option, this is how forms are validated in WP. Overwriting the $input array is necessary to validate what's being saved (security with sanitization and reliability with making sure we expect the correct values later)
| if ( $app_token ) { | ||
| $update_result = WP_Auth0_Api_Client::update_client( $input['domain'], $app_token, $input['client_id'], true ); | ||
| if ( $update_result ) { | ||
| $app_update_failed = false; |
There was a problem hiding this comment.
supposing update_client returns a boolean value, there's no need to have this if
$app_update_failed = ! $update_result |
|
||
| if ( ! $is_sso ) { | ||
| // SLO does not function without SSO. | ||
| unset( $input['singlelogout'] ); |
There was a problem hiding this comment.
I'd flip this 2 if clauses since that would simplify the now second condition
if ( ! $is_sso ) {
//
}
else if ( $old_options['sso'] !== $input['sso'] ) {
//
}Also. Wouldn't this "unset" already "be set" if the "old config sso" is equal to the "new config sso" ? If that's the case, you can return way earlier in the method. Like:
if ($old_options['sso'] === $input['sso']){
return $input;
}if (! $is_sso) {
// unset..
} else {
//all that other stuff
}
return $input;Anyway, a few notes:
- I don't like multiple exit paths. The way you have this code today is mostly how I'd do it. But if that is adding a lot of indentation, conditions, etc; I'd rather exit early.
- I don't like modifying the original parameters. However, if you're doing so (e.g. the
unsetcall) there's no need to "return the modded version" as the changes are already contained on the variable passed as parameter in the method call. (Correct me if I'm wrong). - Following on the above, the method only modifies the
$inputvariable on the! $is_ssoclause. The rest of the logic doesn't touch that var. So what's the point on returning the$inputobject anyway?
There was a problem hiding this comment.
I agree with the exit process changing and I like the early return, that's a standard I follow elsewhere.
I don't like modifying the original parameters.
Mentioned above but that's how this middleware works. It's a "functional" model, like a filter in other places.
So what's the point on returning the $input object anyway?
If I return nothing then the input is blank and all the values are deleted. Has to return the values that should be saved (or handed to the next validation middleware)
joshcanhelp
force-pushed
the
fix-slo-sso-templates
branch
from
0906727
to
9aa938b
Compare
The SLO functionality (loads a
checkSessioncall on front-end pages if the user is logged in) was using an incorrectredirectUrivalue and also redirected to a malformed logout link (prompted the user to logout instead of doing it automatically). Also:codecheck in SSOcheckSessioncallresponseTypehandling