Merge pull request #136 from dshanske/header

Add nag notice and new script for checking headers

Author: dshanske

includes/class-indieauth-admin.php

@@ -9,10 +9,42 @@ public function __construct() {
 		// initialize admin settings
 		add_action( 'admin_init', array( $this, 'admin_init' ) );
 		add_action( 'init', array( $this, 'settings' ) );
-
+		add_action( 'login_form_authdiag', array( $this, 'login_form_authdiag' ) );
 		add_action( 'admin_menu', array( $this, 'admin_menu' ) );
 	}
 
+	public function login_form_authdiag() {
+		$return = '';
+		if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
+			if ( ! empty( $_SERVER['HTTP_AUTHORIZATION'] ) && 'Bearer abc123' === $_SERVER['HTTP_AUTHORIZATION'] ) {
+				$return = '<div class="notice notice-success"><p>' . esc_html__( 'Authorization Header Found. You should be able to use all clients.', 'indieauth' ) . '</p></div>';
+				update_option( 'indieauth_header_check', 1 );
+			} elseif ( ! empty( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) && 'Bearer abc123' === $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) {
+				$return = '<div class="notice-success"><p>' . esc_html__( 'Alternate Header Found. You should be able to use all clients.', 'indieauth' ) . '</p></div>';
+				update_option( 'indieauth_header_check', 1 );
+			}
+			if ( empty( $return ) ) {
+				ob_start();
+				include plugin_dir_path( __DIR__ ) . 'templates/authdiagfail.php';
+				$return = ob_get_contents();
+				ob_end_clean();
+			}
+			if ( 'application/json' === $_SERVER['HTTP_ACCEPT'] ) {
+				header( 'Content-Type: application/json' );
+				$return = wp_json_encode( array( 'message' => $return ) );
+			}
+			echo $return;
+			exit;
+		}
+		$args = array(
+			'action' => 'authdiag',
+		);
+		$url  = add_query_params_to_url( $args, wp_login_url() );
+		include plugin_dir_path( __DIR__ ) . 'templates/authdiagtest.php';
+		exit;
+	}
+
+
 	public function settings() {
 		register_setting(
 			'indieauth',
@@ -74,6 +106,28 @@ public function admin_menu() {
 	 * Load settings page
 	 */
 	public function settings_page() {
+		$response = wp_remote_post(
+			add_query_params_to_url(
+				array(
+					'action' => 'authdiag',
+				),
+				wp_login_url()
+			),
+			array(
+				'method'  => 'POST',
+				'headers' => array(
+					'Authorization' => 'Bearer abc123',
+					'Accept'        => 'application/json',
+				),
+			)
+		);
+		if ( ! is_wp_error( $response ) ) {
+			$json = json_decode( wp_remote_retrieve_body( $response ) );
+			set_query_var( 'authdiag_message', $json->message );
+		} else {
+			set_query_var( 'authdiag_message', 'Fail' );
+		}
+
 		load_template( plugin_dir_path( __DIR__ ) . '/templates/indieauth-settings.php' );
 	}
 
@@ -85,7 +139,7 @@ public function add_help_tab() {
 				'title'   => __( 'Overview', 'indieauth' ),
 				'content' =>
 					'<p>' . __( 'IndieAuth is a way for doing Web sign-in, where you use your own homepage to sign in to other places.', 'indieauth' ) . '</p>' .
-					'<p>' . __( 'IndieAuth was build on ideas and technology from existing proven technologies like OAuth and OpenID but aims at making it easier for users as well as developers. It also decentralises much of the process so completely separate implementations and services can be used for each part.', 'indieauth' ) . '</p>',
+					'<p>' . __( 'IndieAuth was built on ideas and technology from existing proven technologies like OAuth and OpenID but aims at making it easier for users as well as developers. It also decentralises much of the process so completely separate implementations and services can be used for each part.', 'indieauth' ) . '</p>',
 			)
 		);
 

includes/class-indieauth-authorization-endpoint.php

@@ -11,6 +11,7 @@ class IndieAuth_Authorization_Endpoint {
 	public function __construct() {
 		add_action( 'rest_api_init', array( $this, 'register_routes' ) );
 		add_action( 'login_form_indieauth', array( $this, 'login_form_indieauth' ) );
+
 		$this->tokens = new Token_User( '_indieauth_code_' );
 	}
 

includes/class-indieauth-authorize.php

@@ -162,22 +162,24 @@ public static function verify_authorization_code( $post_args ) {
 	 * @return string|null Authorization header if set, null otherwise
 	 */
 	public function get_authorization_header() {
+		$auth = null;
 		if ( ! empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
-			return wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] );
-		}
-
-		// When Apache speaks via FastCGI with PHP, then the authorization header is often available as REDIRECT_HTTP_AUTHORIZATION.
-		if ( ! empty( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
-			return wp_unslash( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] );
-		}
-		$headers = getallheaders();
-		// Check for the authorization header case-insensitively
-		foreach ( $headers as $key => $value ) {
-			if ( strtolower( $key ) === 'authorization' ) {
-				return $value;
+			$auth = wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] );
+		} elseif ( ! empty( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
+			// When Apache speaks via FastCGI with PHP, then the authorization header is often available as REDIRECT_HTTP_AUTHORIZATION.
+			$auth = wp_unslash( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] );
+		} else {
+			$headers = getallheaders();
+			// Check for the authorization header case-insensitively
+			foreach ( $headers as $key => $value ) {
+				if ( strtolower( $key ) === 'authorization' ) {
+					$auth = wp_unslash( $value );
+					break;
+				}
 			}
 		}
-		return null;
+
+		return $auth;
 	}
 
 	/**

includes/class-indieauth-token-endpoint.php

@@ -78,10 +78,22 @@ public function get_token( $token, $hash = true ) {
 	}
 
 	public function get( $request ) {
-		$params       = $request->get_params();
-		$access_token = $this->get_token_from_bearer_header( $request->get_header( 'Authorization' ) );
+		$params = $request->get_params();
+		$header = $request->get_header( 'Authorization' );
+		if ( ! $header && ! empty( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
+			$header = wp_unslash( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] );
+		}
+		$access_token = $this->get_token_from_bearer_header( $header );
 		if ( ! $access_token ) {
-			return new WP_OAuth_Response( 'parameter_absent', __( 'Bearer Token Not Supplied', 'indieauth' ), 400 );
+			return new WP_OAuth_Response(
+				'parameter_absent',
+				__(
+					'Bearer Token Not Supplied or Server Misconfigured to Not Pass Token. Run diagnostic script in WordPress Admin 
+				IndieAuth Settings Page',
+					'indieauth'
+				),
+				400
+			);
 		}
 		$token = $this->get_token( $access_token );
 		if ( ! $token ) {
@@ -164,7 +176,23 @@ public function request( $params ) {
 			}
 			if ( $token ) {
 				// Return only the standard keys in the response
-				return( wp_array_slice_assoc( $token, array( 'access_token', 'token_type', 'scope', 'me', 'profile' ) ) );
+				return new WP_REST_Response(
+					wp_array_slice_assoc(
+						$token,
+						array(
+							'access_token',
+							'token_type',
+							'scope',
+							'me',
+							'profile',
+						)
+					),
+					200, // Status Code
+					array(
+						'Cache-Control' => 'no-store',
+						'Pragma'        => 'no-cache',
+					)
+				);
 			}
 		} else {
 			return new WP_OAuth_Response( 'invalid_grant', __( 'This authorization code was issued with no scope, so it cannot be used to obtain an access token', 'indieauth' ), 400 );

indieauth.php

@@ -3,7 +3,7 @@
  * Plugin Name: IndieAuth
  * Plugin URI: https://github.com/indieweb/wordpress-indieauth/
  * Description: IndieAuth is a way to allow users to use their own domain to sign into other websites and services
- * Version: 3.3.1
+ * Version: 3.3.2
  * Author: IndieWebCamp WordPress Outreach Club
  * Author URI: https://indieweb.org/WordPress_Outreach_Club
  * License: MIT
@@ -53,6 +53,17 @@ public function __construct() {
 		if ( WP_DEBUG ) {
 			require_once plugin_dir_path( __FILE__ ) . 'includes/class-indieauth-debug.php';
 		}
+
+		add_action( 'admin_notices', array( $this, 'admin_notices' ) );
+	}
+
+	public function admin_notices() {
+		if ( ! get_option( 'indieauth_header_check', 0 ) ) {
+			echo '<p class="notice notice-warning">';
+			_e( 'In order to ensure IndieAuth tokens will work please perform this check:', 'indieauth' );
+			printf( ' <a href="%1s">%2$s</a>', add_query_arg( 'action', 'authdiag', wp_login_url() ), __( 'Check Script', 'indieauth' ) );
+			echo '</p>';
+		}
 	}
 
 	public function pre_user_url( $user_url ) {