4 changes: 4 additions & 0 deletions inc/sso/class-sso.php
Expand Up @@ -488,6 +488,8 @@ public function handle_requests(): void {

$return_type = wp_is_jsonp_request() ? 'jsonp' : 'redirect';

$action = (string) preg_replace('/-grant\/?$/', '', $action);

$action = str_replace($this->get_url_path(), 'sso', $action);

$action = trim(wu_replace_dashes($action), '/');
Expand Down Expand Up @@ -654,6 +656,7 @@ private function generate_sso_token(int $user_id, string $audience): string {
// HMAC-signed token.
$hmac = hash_hmac('sha256', $payload, wp_salt('auth'));

// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode -- Encodes an HMAC-signed SSO token for URL transport.
return rtrim(strtr(base64_encode($hmac . '::' . $payload), '+/', '-_'), '=');
}

Expand Down Expand Up @@ -775,6 +778,7 @@ private function validate_sso_token(string $token) {
$token .= str_repeat('=', 4 - $padding);
}

// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode -- Decodes the URL-safe HMAC-signed SSO token generated above.
$decoded = base64_decode($token, true);

if ( ! $decoded || false === strpos($decoded, '::') ) {
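Review bot: The new `preg_replace` line in handle_requests strips a `-grant` suffix without saying why, and the `(string)` cast silently turns a `null` return from a PCRE failure into an empty action rather than surfacing it. Add a short why-comment above it, e.g. `// Treat /sso-grant and /sso-grant/ as the sso server action so the grant flow is dispatched there.`, which matches the intent the new test in SSO_Test.php asserts. Note that `$` without the `D` modifier also matches before a trailing newline, so `sso-grant\n` would be normalized as well; if `$action` comes from the request path that is probably harmless, but `/-grant\/?$/D` pins the intended match. handle_requests begins and continues outside the hunk, so where `$action` originates and what is later dispatched on it is not visible here.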
15 changes: 15 additions & 0 deletions tests/WP_Ultimo/SSO/SSO_Test.php
Expand Up @@ -640,7 +640,7 @@
* when sso_verify is 'invalid', preventing redirect loops.
*/
public function test_handle_broker_source_sets_denied_cookie_on_invalid_verify(): void {
$source = file_get_contents(
dirname(__DIR__, 3) . '/inc/sso/class-sso.php'
);

Expand All @@ -658,7 +658,7 @@
* so that later code (handle_auth_redirect, enqueue_script) sees it immediately.
*/
public function test_handle_broker_source_sets_cookie_superglobal_on_invalid_verify(): void {
$source = file_get_contents(
dirname(__DIR__, 3) . '/inc/sso/class-sso.php'
);

Expand All @@ -675,7 +675,7 @@
* instead of leaving the user on the /sso 404 page.
*/
public function test_handle_broker_source_redirects_to_return_url_on_invalid_verify(): void {
$source = file_get_contents(
dirname(__DIR__, 3) . '/inc/sso/class-sso.php'
);

Expand All @@ -698,7 +698,7 @@
* causes an infinite redirect loop.
*/
public function test_handle_broker_source_returns_jsonp_error_for_unattached_broker(): void {
$source = file_get_contents(
dirname(__DIR__, 3) . '/inc/sso/class-sso.php'
);

Expand All @@ -717,7 +717,7 @@
* redirect -> sso_verify=invalid -> redirect -> repeat.
*/
public function test_sso_js_does_not_contain_incognito_redirect(): void {
$source = file_get_contents(
dirname(__DIR__, 3) . '/assets/js/sso.js'
);

Expand Down Expand Up @@ -745,6 +745,21 @@
$this->assertTrue(true);
}

/**
* Test handle_requests normalizes sso-grant URLs before dispatching.
*/
public function test_handle_requests_source_normalizes_sso_grant_to_server_action(): void {
$source = file_get_contents(
dirname(__DIR__, 3) . '/inc/sso/class-sso.php'
);

$this->assertStringContainsString(
"preg_replace('/-grant\\/?$/', '', \$action)",
$source,
'handle_requests() must normalize sso-grant requests to the sso server action'
);
}

// ------------------------------------------------------------------
// Session handler
// ------------------------------------------------------------------
Expand Down Expand Up @@ -888,7 +903,7 @@
* call before the printf to guard against regressions.
*/
public function test_handle_server_source_sets_javascript_content_type_for_jsonp(): void {
$source = file_get_contents(
dirname(__DIR__, 3) . '/inc/sso/class-sso.php'
);

Expand All @@ -912,7 +927,7 @@
* 4. handle_main_site_logged_in_user JSONP success response
*/
public function test_handle_broker_source_sets_javascript_content_type_for_jsonp(): void {
$source = file_get_contents(
dirname(__DIR__, 3) . '/inc/sso/class-sso.php'
);

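Review bot: The new test_handle_requests_source_normalizes_sso_grant_to_server_action asserts on the literal source text of class-sso.php, so it breaks on any reformatting of that line and would still pass if the regex itself were wrong; it does not show that `sso-grant` actually normalizes to `sso`. Alongside the string check, pin the behavior with `$this->assertSame('sso', preg_replace('/-grant\/?$/', '', 'sso-grant'));`, `$this->assertSame('sso', preg_replace('/-grant\/?$/', '', 'sso-grant/'));` and `$this->assertSame('sso', preg_replace('/-grant\/?$/', '', 'sso'));`, so the trailing-slash and no-suffix cases are covered. The Code Quality annotation on `file_get_contents` is the same one the existing source-reading tests already carry; since the argument is a local fixture path rather than a remote URL, a `// phpcs:ignore` line with a stated reason, in the style the class-sso.php hunks use for base64, would silence it honestly instead of leaving the warning on every run.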