Merge pull request #186 from dshanske/newspec

Tries to Adopt some of the New IndieAuth Changes

Author: dshanske

composer.json

@@ -17,7 +17,7 @@
     "installer-name": "indieauth"
   },
   "require": {
-    "php": ">=5.4.0",
+    "php": ">=5.6.0",
     "composer/installers": "~1.0"
   },
   "require-dev": {

includes/class-indieauth-admin.php

@@ -11,9 +11,6 @@ public function __construct() {
 		add_action( 'init', array( $this, 'settings' ) );
 		add_action( 'login_form_authdiag', array( $this, 'login_form_authdiag' ) );
 		add_action( 'admin_menu', array( $this, 'admin_menu' ) );
-		add_filter( 'wp_pre_insert_user_data', array( $this, 'unique_user_url' ), 10, 3 );
-		add_filter( 'manage_users_columns', array( $this, 'add_user_url_column' ) );
-		add_filter( 'manage_users_custom_column', array( $this, 'user_url_column' ), 10, 3 );
 		add_filter( 'site_status_tests', array( $this, 'add_indieauth_tests' ) );
 	}
 
@@ -26,10 +23,6 @@ public function add_indieauth_tests( $tests ) {
 			'label' => __( 'SSL Test', 'indieauth' ),
 			'test'  => array( $this, 'site_health_https_test' ),
 		);
-		$tests['direct']['indieauth_users']  = array(
-			'label' => __( 'Unique User URL Test', 'indieauth' ),
-			'test'  => array( $this, 'site_health_users_test' ),
-		);
 		return $tests;
 	}
 
@@ -63,34 +56,6 @@ public function site_health_https_test() {
 		return $result;
 	}
 
-	public function site_health_users_test() {
-		$result = array(
-			'label'       => __( 'Unique User URLs Check Passed', 'indieauth' ),
-			'status'      => 'good',
-			'badge'       => array(
-				'label' => __( 'IndieAuth', 'indieauth' ),
-				'color' => 'green',
-			),
-			'description' => sprintf(
-				'<p>%s</p>',
-				__( 'You are using HTTPS and IndieAuth will be secure', 'indieauth' )
-			),
-			'actions'     => '',
-			'test'        => 'indieauth_headers',
-		);
-
-		if ( $this->check_dupe_user_urls() ) {
-			$result['status']      = 'critical';
-			$result['label']       = __( 'Unique User URLs Test Failed', 'indieauth' );
-			$result['description'] = sprintf(
-				'<p>%s</p>',
-				__( 'Multiple user accounts have the same URL set. This is not permitted as this value is used by IndieAuth for login. Please resolve', 'indieauth' )
-			);
-			$result['actions']     = __( 'Under IndieAuth, your URL is your identity. Two accounts cannot have the same website URL in their user profile as this might allow one user to gain the credentials of another', 'indieauth' );
-		}
-		return $result;
-	}
-
 	public function site_health_header_test() {
 		$result = array(
 			'label'       => __( 'Authorization Header Passed', 'indieauth' ),
@@ -120,63 +85,6 @@ public function site_health_header_test() {
 		return $result;
 	}
 
-	public function user_url_column( $val, $column_id, $user_id ) {
-		if ( 'user_url' === $column_id ) {
-			$user = get_user_by( 'id', $user_id );
-			if ( ! wp_http_validate_url( $user->user_url ) ) {
-				return __( 'None', 'indieauth' );
-			}
-			$url = esc_url( $user->user_url );
-			return sprintf( '<a href="%1s">%1$s</a>', $url );
-		}
-		return $val;
-	}
-
-	public function add_user_url_column( $column ) {
-		$column['user_url'] = __( 'Website', 'indieauth' );
-		return $column;
-	}
-
-	/**
-	 * Ensure all user URL fields are unique
-	 *
-	 */
-	public function unique_user_url( $data, $update, $id ) {
-		if ( empty( $data['user_url'] ) ) {
-			return $data;
-		}
-		$data['user_url'] = normalize_url( $data['user_url'] );
-		$users            = get_users(
-			array(
-				'search'         => '*' . wp_parse_url( $data['user_url'], PHP_URL_HOST ) . '*',
-				'search_columns' => array( 'user_url' ),
-				'fields'         => array( 'ID', 'user_url' ),
-			)
-		);
-
-		$url = normalize_url( $data['user_url'], true );
-		foreach ( $users as $user ) {
-			if ( ( normalize_url( $user->user_url, true ) === $url ) && $user->ID !== $id ) {
-				$data['user_url'] = '';
-			}
-		}
-		return $data;
-	}
-
-	public function check_dupe_user_urls() {
-		$urls = get_users(
-			array(
-				'fields' => array( 'user_url' ),
-			)
-		);
-		$urls = array_filter( wp_list_pluck( $urls, 'user_url' ) );
-		$urls = array_map( 'normalize_url', $urls );
-		if ( count( array_unique( $urls ) ) === count( $urls ) ) {
-			return false;
-		}
-		return true;
-	}
-
 	public function login_form_authdiag() {
 		$return = '';
 		if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {

includes/class-indieauth-authorization-endpoint.php

@@ -26,36 +26,81 @@ public function register_routes() {
 					'methods'             => WP_REST_Server::READABLE,
 					'callback'            => array( $this, 'request' ),
 					'args'                => array(
-						'response_type' => array(),
-						'client_id'     => array(
+						/* Code is currently the only type as of IndieAuth 1.1 and a response_type is now required, but not requiring it here yet.
+						 * Indicates to the authorization server that an authorization code should be returned as the response.
+						 */
+						'response_type'         => array(
+							'default' => 'code',
+						),
+						// The Client URL.
+						'client_id'             => array(
 							'validate_callback' => 'rest_is_valid_url',
 							'sanitize_callback' => 'esc_url_raw',
+							'required'          => true,
 						),
-						'redirect_uri'  => array(
+						// The redirect URL indicating where the user should be redirected to after approving the request.
+						'redirect_uri'          => array(
 							'validate_callback' => 'rest_is_valid_url',
 							'sanitize_callback' => 'esc_url_raw',
+							'required'          => true,
 						),
-						'me'            => array(
+						/* A parameter set by the client which will be included when the user is redirected back to the client.
+						 * This is used to prevent CSRF attacks. The authorization server MUST return the unmodified state value back to the client.
+						 */
+						'state'                 => array(
+							'required' => true,
+						),
+						/* Code Challenge.
+						 * IndieAuth 1.1 requires PKCE, but for now these parameters will remain optional to give time for other implementers.
+						 */
+						'code_challenge'        => array(),
+						/* The hashing method used to calculate the code challenge, e.g. "S256"
+						 */
+						'code_challenge_method' => array(),
+
+						/* A space-separated list of scopes the client is requesting, e.g. "profile", or "profile create".
+						 * If the client omits this value, the authorization server MUST NOT issue an access token for this authorization code.
+						 * Only the user's profile URL may be returned without any scope requested. See Profile Information for details about
+						 * which scopes to request to return user profile information. Optional.
+						 */
+						'scope'                 => array(),
+						/* The Profile URL the user entered. Optional.
+						 */
+						'me'                    => array(
 							'validate_callback' => 'rest_is_valid_url',
 							'sanitize_callback' => 'esc_url_raw',
 						),
-						'state'         => array(),
 					),
 					'permission_callback' => '__return_true',
 				),
 				array(
 					'methods'             => WP_REST_Server::CREATABLE,
 					'callback'            => array( $this, 'verify' ),
 					'args'                => array(
-						'code'         => array(),
-						'client_id'    => array(
+						/* grant_type=authorization_code is the only one supported right now. This remains optional as not required in
+						 * the original IndieAuth spec, but will eventually be mandatory.
+						 */
+						'grant_type'    => array(
+							'default' => 'authorization_code',
+						),
+						/* The authorization code received from the authorization endpoint in the redirect.
+						 */
+						'code'          => array(),
+						/* The client's URL, which MUST match the client_id used in the authentication request.
+						*/
+						'client_id'     => array(
 							'validate_callback' => 'rest_is_valid_url',
 							'sanitize_callback' => 'esc_url_raw',
 						),
-						'redirect_uri' => array(
+						/* The client's redirect URL, which MUST match the initial authentication request.
+						 */
+						'redirect_uri'  => array(
 							'validate_callback' => 'rest_is_valid_url',
 							'sanitize_callback' => 'esc_url_raw',
 						),
+						/* The original plaintext random string generated before starting the authorization request.
+						 */
+						'code_verifier' => array(),
 					),
 					'permission_callback' => '__return_true',
 				),
@@ -82,7 +127,8 @@ public static function scopes( $scope = 'all' ) {
 			'channels' => __( 'Allows the application to manage channels', 'indieauth' ),
 			'save'     => __( 'Allows the application to save content for later retrieval', 'indieauth' ),
 			// Profile
-			'profile'  => __( 'Returns a complete profile to the application. Without this only a display name, avatar, and url will be returned', 'indieauth' ),
+			'profile'  => __( 'Allows access to the users default profile information which includes name, photo, and url', 'indieauth' ),
+			'email'    => __( 'Allows access to the users email address', 'indieauth' ),
 		);
 		if ( 'all' === $scope ) {
 			return $scopes;
@@ -91,15 +137,28 @@ public static function scopes( $scope = 'all' ) {
 		return apply_filters( 'indieauth_scope_description', $description, $scope );
 	}
 
+	/*
+	 * Output a list of checkboxes to select scopes.
+	 *
+	 * @param array $scopes Scopes to Output.
+	 */
+	public static function scope_list( $scopes ) {
+		if ( ! empty( $scopes ) ) {
+			foreach ( $scopes as $s ) {
+				printf( '<li><input type="checkbox" name="scope[]" value="%1$s" %2$s /><strong>%1$s</strong> - %3$s</li>', $s, checked( true, true, false ), self::scopes( $s ) );
+			}
+		}
+	}
+
 	public function request( $request ) {
 		$params = $request->get_params();
-		if ( ! isset( $params['response_type'] ) ) {
-			$params['response_type'] = 'id';
+		if ( ! isset( $params['response_type'] ) || 'id' === $params['response_type'] ) {
+			$params['response_type'] = 'code';
 		}
-		if ( 'code' !== $params['response_type'] && 'id' !== $params['response_type'] ) {
+		if ( 'code' !== $params['response_type'] ) {
 			return new WP_OAuth_Response( 'unsupported_response_type', __( 'Unsupported Response Type', 'indieauth' ), 400 );
 		}
-		$required = array( 'redirect_uri', 'client_id', 'state', 'me' );
+		$required = array( 'redirect_uri', 'client_id', 'state' );
 		foreach ( $required as $require ) {
 			if ( ! isset( $params[ $require ] ) ) {
 				// translators: Name of missing parameter
@@ -113,18 +172,22 @@ public function request( $request ) {
 				'_wpnonce'              => wp_create_nonce( 'wp_rest' ),
 				'response_type'         => $params['response_type'],
 				'client_id'             => $params['client_id'],
-				'me'                    => $params['me'],
+				'me'                    => isset( $params['me'] ) ? $params['me'] : null,
 				'state'                 => $params['state'],
 				'code_challenge'        => isset( $params['code_challenge'] ) ? $params['code_challenge'] : null,
 				'code_challenge_method' => isset( $params['code_challenge_method'] ) ? $params['code_challenge_method'] : null,
 			)
 		);
 
 		if ( 'code' === $params['response_type'] ) {
-			$args['scope'] = isset( $params['scope'] ) ? $params['scope'] : 'create update';
+			$args['scope'] = isset( $params['scope'] ) ? $params['scope'] : '';
 			if ( ! preg_match( '@^([\x21\x23-\x5B\x5D-\x7E]+( [\x21\x23-\x5B\x5D-\x7E]+)*)?$@', $args['scope'] ) ) {
 				return new WP_OAuth_Response( 'invalid_grant', __( 'Invalid scope request', 'indieauth' ), 400 );
 			}
+			$scopes = explode( ' ', $args['scope'] );
+			if ( in_array( 'email', $scopes, true ) && ! in_array( 'profile', $scopes, true ) ) {
+				return new WP_OAuth_Response( 'invalid_grant', __( 'Cannot request email scope without profile scope', 'indieauth' ), 400 );
+			}
 		}
 		$url = add_query_params_to_url( $args, $url );
 
@@ -147,14 +210,18 @@ public function delete_code( $code, $user_id = null ) {
 	}
 
 	public function verify( $request ) {
-		$params   = $request->get_params();
-		$required = array( 'redirect_uri', 'client_id', 'code' );
+		$params = $request->get_params();
+
+		$required = array( 'redirect_uri', 'client_id', 'code', 'grant_type' );
 		foreach ( $required as $require ) {
 			if ( ! isset( $params[ $require ] ) ) {
 				// translators: Name of missing parameter
 				return new WP_OAuth_Response( 'parameter_absent', sprintf( __( 'Missing Parameter: %1$s', 'indieauth' ), $require ), 400 );
 			}
 		}
+		if ( 'authorization_code' !== $params['grant_type'] ) {
+			return new WP_OAuth_Response( 'invalid_grant', __( 'Endpoint only accepts authorization_code grant_type', 'indieauth' ), 400 );
+		}
 		$params = wp_array_slice_assoc( $params, array( 'client_id', 'redirect_uri' ) );
 		$code   = $request->get_param( 'code' );
 		$token  = $this->get_code( $code );
@@ -185,7 +252,7 @@ public function verify( $request ) {
 		if ( array() === array_diff_assoc( $params, $token ) ) {
 			$this->delete_code( $code, $token['user'] );
 
-			$return = array( 'me' => get_url_from_user( $user->ID ) );
+			$return = array( 'me' => $token['me'] );
 
 			if ( isset( $token['scope'] ) ) {
 				$return['scope'] = $token['scope'];
@@ -218,7 +285,7 @@ public function authorize() {
 		$client_icon = $info->get_icon();
 		$redirect_uri  = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : null;
 		$scope         = isset( $_GET['scope'] ) ? wp_unslash( $_GET['scope'] ) : null;
-		$scopes        = explode( ' ', $scope );
+		$scopes        = array_filter( explode( ' ', $scope ) );
 		$state         = isset( $_GET['state'] ) ? $_GET['state'] : null;
 		$me            = isset( $_GET['me'] ) ? wp_unslash( $_GET['me'] ) : null;
 		$response_type = isset( $_GET['response_type'] ) ? wp_unslash( $_GET['response_type'] ) : null;
@@ -238,34 +305,45 @@ public function authorize() {
 			)
 		);
 		$url    = add_query_params_to_url( $args, wp_login_url() );
-		if ( 'code' === $_GET['response_type'] ) {
-			include plugin_dir_path( __DIR__ ) . 'templates/indieauth-authorize-form.php';
-		} elseif ( 'id' === $_GET['response_type'] ) {
+		if ( empty( $scopes ) || empty( array_diff( $scopes, array( 'profile', 'email' ) ) ) ) {
 			include plugin_dir_path( __DIR__ ) . 'templates/indieauth-authenticate-form.php';
+		} else {
+			include plugin_dir_path( __DIR__ ) . 'templates/indieauth-authorize-form.php';
 		}
+
 		include plugin_dir_path( __DIR__ ) . 'templates/indieauth-auth-footer.php';
 	}
 
 	public function confirmed() {
 		$current_user = wp_get_current_user();
+		$user         = $current_user->ID;
 		// phpcs:disable
 		$client_id     = wp_unslash( $_POST['client_id'] ); // WPCS: CSRF OK
 		$redirect_uri  = isset( $_POST['redirect_uri'] ) ? wp_unslash( $_POST['redirect_uri'] ) : null;
 		$scope         = isset( $_POST['scope'] ) ? $_POST['scope'] : array();
 		$code_challenge  = isset( $_POST['code_challenge'] ) ? wp_unslash( $_POST['code_challenge'] ) : null;
 		$code_challenge_method  = isset( $_POST['code_challenge_method'] ) ? wp_unslash( $_POST['code_challenge_method'] ) : null;
+
+		// Do not allow the post scope as deprecated. For compatibility, instead update the offering to the more limited but functionally identical create/update.
 		$search = array_search( 'post', $scope, true );
 		if ( is_numeric( $search ) ) {
 			unset( $scope[ $search ] );
 			$scope = array_unique( array_merge( $scope, array( 'create', 'update' ) ) );
 		}
+
 		$scope = implode( ' ', $scope );
 
 		$state         = isset( $_POST['state'] ) ? $_POST['state'] : null;
-		$me            = isset( $_POST['me'] ) ? wp_unslash( $_POST['me'] ) : null;
+		
+		// In IndieAuth 1.1, me parameter is optional. Me should actually be derived only from the logged in user not from this parameter.
+		// In other implementations, there may be multiple identities permitted for a single user, but this is not currently practical on a 
+		// WordPress site, so we will just ignore the optional me parameter and always return our own.
+		$me = get_url_from_user( $user );
+
+
 		$response_type = isset( $_POST['response_type'] ) ? wp_unslash( $_POST['response_type'] ) : null;
 		/// phpcs:enable
-		$token = compact( 'response_type', 'client_id', 'redirect_uri', 'scope', 'me', 'code_challenge', 'code_challenge_method' );
+		$token = compact( 'response_type', 'client_id', 'redirect_uri', 'scope', 'me', 'code_challenge', 'code_challenge_method', 'user' );
 		$token = array_filter( $token );
 		$code  = self::set_code( $current_user->ID, $token );
 		$url   = add_query_params_to_url(

includes/class-indieauth-authorize.php

@@ -273,10 +273,10 @@ public function get_token_from_bearer_header( $header ) {
 	 * @return string|null Token on success, null on failure.
 	 */
 	public function get_token_from_request() {
-		if ( empty( $_POST['access_token'] ) ) {
+		if ( empty( $_POST['access_token'] ) ) { // phpcs:ignore
 			return null;
 		}
-		$token = $_POST['access_token'];
+		$token = $_POST['access_token']; // phpcs:ignore
 
 		if ( is_string( $token ) ) {
 			return $token;

includes/class-indieauth-local-authorize.php

@@ -35,6 +35,7 @@ public function verify_access_token( $token ) {
 			return $return;
 		}
 		$return['last_accessed'] = time();
+		$return['last_ip']       = $_SERVER['REMOTE_ADDR'];
 		$tokens->update( $token, $return );
 		return $return;
 	}