Merge pull request #329 from alleyinteractive/feature/LEDE-1453/reaut…

…h-banner Display a message to users with an invalid auth token
alleyinteractive · Apr 28, 2021 · 94640a1 · 94640a1
2 parents c3440f8 + b88e2bc
commit 94640a1
Show file tree

Hide file tree

Showing 2 changed files with 115 additions and 3 deletions.
diff --git a/inc/integrations/class-application-passwords-auth.php b/inc/integrations/class-application-passwords-auth.php
@@ -8,6 +8,7 @@
 namespace WP_Irving\Integrations;
 
 use WP_Irving\Singleton;
+use WP_Application_Passwords;
 
 // phpcs:ignoreFile WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___COOKIE
 /**
@@ -31,6 +32,13 @@ class Application_Passwords_Auth {
 	 */
 	const APP_ID_COOKIE_NAME = 'authorizationAppID';
 
+	/**
+	 * Cookie name for the flag which should trigger a new token to be created.
+	 *
+	 * @var string
+	 */
+	const RESET_TOKEN_FLAG_COOKIE_NAME = 'irvingResetToken';
+
 	/**
 	 * Cookie domain for authorization cookies.
 	 *
@@ -50,7 +58,11 @@ public function setup() {
 		// Set or unset the cookie upon init.
 		add_action( 'init', [ $this, 'handle_cookie' ] );
 
+		// Ensure auth errors fail silently, as to not break the Irving frontend.
 		add_filter( 'rest_authentication_errors', [ $this, 'handle_authentication_errors' ], 99 );
+
+		// Add a shortcut to the Tools menu for refreshing the token.
+		add_action( 'admin_menu', [ $this, 'add_tools_link' ] );
 	}
 
 	/**
@@ -84,11 +96,37 @@ public function handle_cookie() {
 			wp_parse_url( home_url(), PHP_URL_HOST )
 		);
 
+		$this->possibly_clear_all_auth();
 		$this->possibly_set_cookie();
 		$this->possibly_remove_cookie();
 		$this->possibly_remove_bearer_cookie();
 	}
 
+	/**
+	 * Reset all cookies and tokens if we have a reset flag.
+	 */
+	public function possibly_clear_all_auth() {
+		if (
+			! isset( $_COOKIE[ self::RESET_TOKEN_FLAG_COOKIE_NAME ] ) // phpcs:ignore
+			&& ! isset( $_GET['refresh-irving-token'] )
+		) {
+			return;
+		}
+
+		$this->remove_cookie();
+		$this->delete_all_application_passwords();
+
+		add_action(
+			'admin_notices',
+			function() {
+				printf(
+					'<div class="notice notice-success is-dismissible"><p>%1$s</p></div>',
+					esc_html__( 'Your login session has been renewed.', 'wp-irving' )
+				);
+			}
+		);
+	}
+
 	/**
 	 * Get a clean token and set the cookie.
 	 *
@@ -167,7 +205,7 @@ public function possibly_remove_cookie(): bool {
 		// Get active application passwords.
 		$passwords = \get_user_meta(
 			get_current_user_id(),
-			\WP_Application_Passwords::USERMETA_KEY_APPLICATION_PASSWORDS,
+			WP_Application_Passwords::USERMETA_KEY_APPLICATION_PASSWORDS,
 			true
 		);
 
@@ -213,6 +251,14 @@ public function remove_cookie() {
 			'/',
 			$this->cookie_domain
 		);
+
+		setcookie(
+			self::RESET_TOKEN_FLAG_COOKIE_NAME,
+			null,
+			-1,
+			'/',
+			$this->cookie_domain
+		);
 	}
 
 	/**
@@ -237,7 +283,7 @@ public function possibly_remove_bearer_cookie() {
 	 */
 	public function delete_all_application_passwords() {
 		$user_id = get_current_user_id();
-		\WP_Application_Passwords::delete_all_application_passwords( $user_id );
+		WP_Application_Passwords::delete_all_application_passwords( $user_id );
 	}
 
 	/**
@@ -250,7 +296,7 @@ public function create_application_password() : array {
 		$app_name = get_bloginfo( 'name' ) . ' Irving App, user ' . $user_id;
 
 		// Set the new request with the new key and secret.
-		$app_pass_data = \WP_Application_Passwords::create_new_application_password(
+		$app_pass_data = WP_Application_Passwords::create_new_application_password(
 			$user_id,
 			[
 				'name'   => $app_name,
@@ -267,4 +313,19 @@ public function create_application_password() : array {
 			'app_id'   => $app_pass_data[1]['app_id'] ?? '',
 		];
 	}
+
+	/**
+	 * Add an admin bar shortcut to refresh the token.
+	 */
+	public function add_tools_link() {
+		add_submenu_page(
+			'tools.php',
+			__( 'Generate New Authentication Token', 'wp-irving' ),
+			__( 'Generate New Authentication Token', 'wp-irving' ),
+			'edit_posts',
+			add_query_arg( 'refresh-irving-token', true, admin_url() ),
+			null,
+			10
+		);
+	}
 }
diff --git a/inc/templates/admin-bar.php b/inc/templates/admin-bar.php
@@ -48,6 +48,57 @@ function setup_admin_bar(
 
 	// Only show the admin bar if logged in.
 	if ( ! is_user_logged_in() ) {
+
+		// Get and validate headers.
+		$headers = [];
+		if ( function_exists( 'getallheaders' ) ) {
+			$headers = getallheaders();
+		}
+
+		if ( ! isset( $headers['Authorization'] ) ) {
+			return $data;
+		}
+
+		array_unshift(
+			$data['page'],
+			new Component(
+				'irving/wp-admin-bar',
+				[
+					'config'   => [
+						'cookie_domain' => apply_filters(
+							'wp_irving_jwt_token_cookie_domain',
+							wp_parse_url( home_url(), PHP_URL_HOST )
+						),
+					],
+					'children' => [
+						[
+							'name'     => 'irving/container',
+							'config'   => [
+								'style' => [
+									'text-align' => 'center',
+									'padding'    => '1rem',
+								],
+							],
+							'children' => [
+								[
+									'name'   => 'irving/text',
+									'config' => [
+										'content' => sprintf(
+											'%1$s<a href="%3$s">%2$s</a>',
+											esc_html__( 'Looks like your session has expired. ', 'wp-irving' ),
+											esc_html__( 'Click here to generate a new token.', 'wp-irving' ),
+											admin_url()
+										),
+										'html'    => true,
+									],
+								],
+							],
+						],
+					],
+				]
+			)
+		);
+
 		return $data;
 	}