From ae813f7239b8a381c34a858d18f6561c73b0cbd3 Mon Sep 17 00:00:00 2001
From: David Stone
Date: Wed, 27 May 2026 18:49:30 -0600
Subject: [PATCH] fix: route sso grant attach urls

---
 inc/sso/class-sso.php | 4 ++++
 tests/WP_Ultimo/SSO/SSO_Test.php | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/inc/sso/class-sso.php b/inc/sso/class-sso.php
index 2c9b548a8..cb0c1dbda 100644
--- a/inc/sso/class-sso.php
+++ b/inc/sso/class-sso.php
@@ -488,6 +488,8 @@ public function handle_requests(): void {
 $return_type = wp_is_jsonp_request() ? 'jsonp' : 'redirect';
+ $action = (string) preg_replace('/-grant\/?$/', '', $action);
+
 $action = str_replace($this->get_url_path(), 'sso', $action);
 $action = trim(wu_replace_dashes($action), '/');
@@ -654,6 +656,7 @@ private function generate_sso_token(int $user_id, string $audience): string {
 // HMAC-signed token.
 $hmac = hash_hmac('sha256', $payload, wp_salt('auth'));
+ // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode -- Encodes an HMAC-signed SSO token for URL transport.
 return rtrim(strtr(base64_encode($hmac . '::' . $payload), '+/', '-_'), '=');
 }
@@ -775,6 +778,7 @@ private function validate_sso_token(string $token) {
 $token .= str_repeat('=', 4 - $padding);
 }
+ // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode -- Decodes the URL-safe HMAC-signed SSO token generated above.
 $decoded = base64_decode($token, true);
 if ( ! $decoded || false === strpos($decoded, '::') ) {
diff --git a/tests/WP_Ultimo/SSO/SSO_Test.php b/tests/WP_Ultimo/SSO/SSO_Test.php
index 9371923ae..af3ec9b0b 100644
--- a/tests/WP_Ultimo/SSO/SSO_Test.php
+++ b/tests/WP_Ultimo/SSO/SSO_Test.php
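Review bot: The new `preg_replace('/-grant\/?$/', '', $action)` strips a trailing `-grant` from every action unconditionally, before the SSO path is mapped to `sso` on the following context line, so any unrelated action that happens to end in `-grant` is also rewritten to its base name; if only the SSO grant/attach route is meant, gate the strip on the path, e.g. `if (str_contains($action, $this->get_url_path())) { $action = (string) preg_replace('/-grant\/?$/', '', $action); }`, or fold the path into the pattern. The `(string)` cast also turns the `null` that `preg_replace` returns on a PCRE error into an empty action silently; with this literal pattern that is unlikely, but it means a failure is indistinguishable from "no action" in whatever branch handles that below. Where `$action` is read from and how an empty value is treated are outside the hunk; handle_requests() starts and ends outside it.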
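Review bot: The strict `base64_decode($token, true)` on the line after the new comment returns `false` for the `-` and `_` characters that generate_sso_token emits via `strtr(..., '+/', '-_')`, so the reverse `strtr($token, '-_', '+/')` must already have run before the padding restore visible at the top of this hunk; that code is above the hunk, so confirm it is present, otherwise every token is rejected as malformed. The `! $decoded` check also rejects a decoded `"0"`, which is harmless here because it cannot contain `::`. The remainder of validate_sso_token() is outside the hunk; the HMAC check there should compare with `hash_equals()` against a freshly computed `hash_hmac('sha256', $payload, wp_salt('auth'))` rather than `===`, which I cannot see from here. Style nit on the last context line: `false === strpos($decoded, '::')` reads better as `! str_contains($decoded, '::')`.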
@@ -745,6 +745,21 @@ public function test_handle_requests_returns_early_without_sso_action(): void {
 $this->assertTrue(true);
 }
+ /**
+ * Test handle_requests normalizes sso-grant URLs before dispatching.
+ */
+ public function test_handle_requests_source_normalizes_sso_grant_to_server_action(): void {
+ $source = file_get_contents(
+ dirname(__DIR__, 3) . '/inc/sso/class-sso.php'
+ );
+
+ $this->assertStringContainsString(
+ "preg_replace('/-grant\\/?$/', '', \$action)",
+ $source,
+ 'handle_requests() must normalize sso-grant requests to the sso server action'
+ );
+ }
+
 // ------------------------------------------------------------------
 // Session handler
 // ------------------------------------------------------------------
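Review bot: The new test reads `inc/sso/class-sso.php` and asserts that the literal `preg_replace(...)` call appears in it, so it pins the source text rather than the behaviour: a typo inside the regex would still pass, and an equivalent rewrite using `str_ends_with`/`substr` would fail. Prefer driving `handle_requests()` (or the normalisation step, if it can be factored into a small method) with actions such as `sso-grant` and `sso-grant/` and asserting the dispatched action becomes `sso`; that presumably needs the request fixtures the other tests in this file use, which are outside the hunk. Minor: if `file_get_contents()` returns `false`, `assertStringContainsString` fails with a TypeError instead of a readable message; add `$this->assertNotFalse($source, 'class-sso.php could not be read');` before the string assertion.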