Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add/protect blocked send email #8117

Merged
merged 13 commits into from
Nov 13, 2017
Merged

Add/protect blocked send email #8117

merged 13 commits into from
Nov 13, 2017

Conversation

roccotripaldi
Copy link
Member

@roccotripaldi roccotripaldi commented Nov 4, 2017
edited
Loading

Todo:
Jetpack side

  • New UI form to send email to the user
  • add to protect class to verify token that we get from .com and check that it is still valid.
  • Only allow user to login with a specific email. Even though the user uses the right email

.COM side

  • new POST API endpoint to send out the email
  • new GET API endpoint to verify the email in the key and redirect the user to the jetpack side
  • new GET API endpoint that jetpack side uses to check if the api key is still valid
  • new email template
  • new token generation class

Testing instructions / p2 post on it's way...

@roccotripaldi roccotripaldi requested a review from a team as a code owner November 4, 2017 19:33
@roccotripaldi
Jetpack Protect: blocked login page
7f9582c 
- adds a better UI on the blocked login page
- allows folks to temporarily unblock themselves with a magic link
@roccotripaldi roccotripaldi force-pushed the add/protect-blocked-send-email branch from dbddbd1 to 7f9582c Compare November 6, 2017 11:46
@jeherve jeherve added [Feature] Protect Also known as Brute Force Attack Protection [Pri] Normal [Status] Needs Review To request a review from fellow Jetpack developers. Label will be renamed soon. [Type] Feature Request labels Nov 6, 2017
gititon
gititon reviewed Nov 9, 2017
View reviewed changes
modules/protect.php Outdated
@@ -541,7 +541,7 @@ function block_with_math() {
* Kill a login attempt
*/
function kill_login() {
$ip = jetpack_protect_get_ip();
$ip = jetpack_protect_get_ip();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the spacing off here?

gititon
gititon reviewed Nov 9, 2017
View reviewed changes
modules/protect.php Outdated
array ( 'response' => 403 )
);
require_once dirname( __FILE__ ) . '/protect/blocked-login-page.php';
$blocked_login_page = Jetpack_Protect_Blocked_Login_Page::instance( $ip );
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Spacing appears off.

gititon
gititon suggested changes Nov 9, 2017
View reviewed changes
Copy link
Contributor

@gititon gititon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There appear to be indentation issues throughout, but otherwise it looks good. Smeelay!

gititon
gititon reviewed Nov 10, 2017
View reviewed changes
modules/protect/blocked-login-page.php Outdated

public function add_args_to_lostpassword_redirect_url( $url ) {
if ( $this->valid_blocked_user_id ) {
$url = ( empty( $url ) ) ? wp_login_url() : $url;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

paren around empty unnecessary

gititon
gititon reviewed Nov 10, 2017
View reviewed changes
modules/protect/blocked-login-page.php
return false;
}

if ( $this->valid_blocked_user_id ) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe put this case first?

gititon
gititon reviewed Nov 10, 2017
View reviewed changes
modules/protect/blocked-login-page.php
$user = get_user_by( 'email', trim( $email ) );

if ( ! $user ) {
return new WP_Error( 'invalid_user', __( 'Oops, could not find a user with that email address.', 'jetpack' ) );
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could this somehow be used by a hacker who is already ip blocked to test for valid email addresses/accounts on the site/domain?

gititon
gititon reviewed Nov 10, 2017
View reviewed changes
modules/protect/blocked-login-page.php Outdated
$code = wp_remote_retrieve_response_code( $response );
$result = json_decode( wp_remote_retrieve_body( $response ) );

if ( 429 === $code ) {
Copy link
Contributor

@gititon gititon Nov 10, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider a constant like HTTP_STATUS_TOO_MANY_REQUESTS rather than a "magic number"

gititon
gititon reviewed Nov 10, 2017
View reviewed changes
modules/protect/blocked-login-page.php Outdated


function get_html_blocked_login_message() {
//
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you mean to remove this comment?

gititon
gititon reviewed Nov 10, 2017
View reviewed changes
modules/protect/blocked-login-page.php Outdated
<?php printf(
__( '<p><span style="float:left; display:block; margin-right:10px;">%1$s</span>Your IP (%2$s) has been flagged for potential security violations. <a href="%3$s">Learn More</a></p>', 'jetpack' ),
$icon,
str_replace( 'http://', '', esc_url( 'http://' . $this->ip_address ) ),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not determine this value before ob_start like you do for $icon?

@roccotripaldi roccotripaldi merged commit 1bd1e8e into master Nov 13, 2017
@matticbot matticbot removed the [Status] Needs Review To request a review from fellow Jetpack developers. Label will be renamed soon. label Nov 13, 2017
@jeherve jeherve deleted the add/protect-blocked-send-email branch November 13, 2017 21:37
@jeherve jeherve added [Status] Needs Changelog [Status] Needs Testing We need to add this change to the testing call for this month's release labels Nov 13, 2017
@oskosk oskosk added this to the 5.6 milestone Nov 22, 2017
@jeherve jeherve added [Status] Has Changelog and removed [Status] Needs Changelog [Status] Needs Testing We need to add this change to the testing call for this month's release labels Nov 24, 2017
jeherve added a commit that referenced this pull request Nov 24, 2017
@jeherve
Changelog: add #8117
202a91e
oskosk pushed a commit that referenced this pull request Nov 28, 2017
@jeherve @oskosk
Changelog 5.6: running changelog. (#8192)
7844644 
* Changelog 5.6: create base for changelog.

* Update changelog with 5.5.1 info.

* Changelog: add #7930 and #8238

* Changelog: add #8076

* Changelog: add #8100

* Changelog: add #8117

* Changelog: add #8141

* Changelog: add #8143

* Changelog: add #8147

* Changelog: add #8149

* Changelog: add #8153

* Changelog: add #8173

* Changelog: add #8184

* Changelog: add #8196

* Changelog: add #8199

* Changelog: add #8093

* Changelog: add #8171

* Changelog: add #8182

* Changelog: add #8202, #8222

* Changelog: add #8228

* Changelog: add #8240

* Changelog: add #8251

* remove AL card change
@richardmtl richardmtl mentioned this pull request Dec 6, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gititon gititon gititon approved these changes

@samhotchkiss samhotchkiss Awaiting requested review from samhotchkiss

@dereksmart dereksmart Awaiting requested review from dereksmart

@kraftbj kraftbj Awaiting requested review from kraftbj

@jeherve jeherve Awaiting requested review from jeherve

Assignees
No one assigned
Labels
[Feature] Protect Also known as Brute Force Attack Protection [Pri] Normal [Type] Feature Request
Projects
None yet
Milestone
5.6
Development

Successfully merging this pull request may close these issues.
6 participants
@roccotripaldi @gititon @jeherve @oskosk @matticbot @enejb