41 changes: 41 additions & 0 deletions inc/sso/class-sso.php
Expand Up @@ -298,12 +298,12 @@
* Registration is deferred to plugins_loaded so we can check whether
* GlotPress is actually active before adding the hook.
*/
add_action('plugins_loaded', function (): void {

Check warning on line 301 in inc/sso/class-sso.php

GitHub Actions / Code Quality Checks

Only one argument is allowed per line in a multi-line function call

Check warning on line 301 in inc/sso/class-sso.php

GitHub Actions / Code Quality Checks

Opening parenthesis of a multi-line function call must be the last content on the line

if (defined('GP_VERSION')) {
add_action('gp_head', [$this, 'enqueue_script']);
}
});

Check warning on line 306 in inc/sso/class-sso.php

GitHub Actions / Code Quality Checks

Closing parenthesis of a multi-line function call must be on a line by itself

/**
* Allow plugin developers to add additional hooks, if needed.
Expand Down Expand Up @@ -491,11 +491,11 @@

printf(
'wu.sso(%s, %d);',
wp_json_encode([

Check warning on line 494 in inc/sso/class-sso.php

GitHub Actions / Code Quality Checks

Opening parenthesis of a multi-line function call must be the last content on the line
'code' => 200,
'verify' => 'login-required',
'return_url' => $this->input('return_url', ''),
]),

Check warning on line 498 in inc/sso/class-sso.php

GitHub Actions / Code Quality Checks

Closing parenthesis of a multi-line function call must be on a line by itself
200
);

Expand Down Expand Up @@ -529,11 +529,11 @@

printf(
'wu.sso(%s, %d);',
wp_json_encode([

Check warning on line 532 in inc/sso/class-sso.php

GitHub Actions / Code Quality Checks

Opening parenthesis of a multi-line function call must be the last content on the line
'code' => 200,
'verify' => $verification_code,
'return_url' => $return_url,
]),

Check warning on line 536 in inc/sso/class-sso.php

GitHub Actions / Code Quality Checks

Closing parenthesis of a multi-line function call must be on a line by itself
200
);

Expand All @@ -553,8 +553,8 @@
*
* @since 2.0.11
*
* @param string $redirect_to The default redirect URL.

Check warning on line 556 in inc/sso/class-sso.php

GitHub Actions / Code Quality Checks

Expected 2 spaces after parameter type; 1 found
* @param string $requested_redirect_to The redirect URL requested by user.

Check warning on line 557 in inc/sso/class-sso.php

GitHub Actions / Code Quality Checks

Expected 2 spaces after parameter type; 1 found
* @param WP_User $user The user who logged in.
* @return string The redirect URL.
*/
Expand Down Expand Up @@ -593,7 +593,7 @@
$expiry = time() + 300;
$jti = wp_generate_uuid4();

$payload = wp_json_encode([

Check warning on line 596 in inc/sso/class-sso.php

GitHub Actions / Code Quality Checks

Opening parenthesis of a multi-line function call must be the last content on the line
'user_id' => $user_id,
'exp' => $expiry,
'aud' => $audience_host,
Expand Down Expand Up @@ -1063,6 +1063,26 @@
*/
public function convert_bearer_into_auth_cookies(): void {

/*
* Bail out early when $current_blog has not been fully populated yet.
*
* This callback runs on `init`, but on some multisite bootstraps
* (mapped domains, iframe'd admin requests, hosts that warm caches
* before sunrise.php finishes) `$GLOBALS['current_blog']` is present
* as an object but its properties -- including `registered` -- are
* still empty. `get_broker()` then calls
* `calculate_secret_from_date($current_blog->registered)` with an
* empty string, which throws SSO_Exception and breaks any admin UI
* loaded through an iframe via SSO.
*
* Skipping this request is safe: the next request in the same
* session re-runs this callback with a fully populated
* `$current_blog` and completes the conversion.
*/
if (empty($GLOBALS['current_blog']) || empty($GLOBALS['current_blog']->registered)) {
return;
}

$broker = $this->get_broker();

if (is_user_logged_in() && $broker && $broker->isAttached()) {
Expand Down Expand Up @@ -1336,6 +1356,27 @@
*/
public function calculate_secret_from_date($date) {

/*
* Fall back to the main site's registration date when $date is
* empty.
*
* This guards against the same multisite bootstrap race that
* `convert_bearer_into_auth_cookies()` skips: a caller can still
* reach this method with an empty $date (for example, custom code
* that builds an SSO secret from `$current_blog->registered` before
* sunrise.php finishes populating it). Throwing SSO_Exception here
* breaks the parent request, which on iframe'd admin pages renders
* the whole panel blank.
*
* Using the main site's registration date as a fallback keeps the
* secret stable across requests for the same network and avoids
* cascading failures during early boot.
*/
if (empty($date)) {
$main_site = function_exists('get_site') ? get_site(function_exists('get_main_site_id') ? get_main_site_id() : 1) : null;
$date = ($main_site && ! empty($main_site->registered)) ? $main_site->registered : '2024-01-01 00:00:00';
}

$tz = new \DateTimeZone('GMT');

try {
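Review bot: The new fallback in `calculate_secret_from_date()` ends in the literal `'2024-01-01 00:00:00'`, so when both `$date` and the main site's `registered` are empty the SSO secret is derived from a value that is public in the source and identical on every install. How much that weakens the secret depends on what else is mixed in further down, which is outside this hunk, but a secret derivation should fail closed rather than substitute a constant. A secret built from the main site's date will also differ from the one built from the subsite's own `registered` value on a later request, so anything signed during the race will presumably fail verification afterwards. I would drop the constant and let the existing empty-date failure path handle that case, `$date = ($main_site && ! empty($main_site->registered)) ? $main_site->registered : $date;`, and add a comment noting that the fallback secret is network-wide rather than per-site. The guard added to `convert_bearer_into_auth_cookies()` already skips the request in the racy case, which is the safer pattern to follow here.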