Removing state checking, fixed in #406

auth0 · Mar 3, 2018 · 000c621 · 000c621
1 parent 9bf927b
commit 000c621
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 62 deletions.
diff --git a/WP_Auth0.php b/WP_Auth0.php
@@ -13,7 +13,6 @@
 define( 'AUTH0_DB_VERSION', 17 );
 define( 'WPA0_VERSION', '3.5.2' );
 define( 'WPA0_CACHE_GROUP', 'wp_auth0' );
-define( 'WPA0_UUID_COOKIE', 'auth0_uuid' );
 
 /**
  * Main plugin class
@@ -520,18 +519,5 @@ function get_auth0_curatedBlogName() {
 	}
 }
 
-if ( ! function_exists( 'get_auth0_uniqid' ) ) {
-	/**
-	 * Generate a pseudo-random ID (not cryptographically secure)
-	 *
-	 * @see https://stackoverflow.com/a/1846229/728480
-	 *
-	 * @return string
-	 */
-	function get_auth0_uniqid() {
-		return md5( uniqid( rand(), true ) );
-	}
-}
-
 $a0_plugin = new WP_Auth0();
-$a0_plugin->init();
+$a0_plugin->init();
diff --git a/lib/WP_Auth0_Api_Client.php b/lib/WP_Auth0_Api_Client.php
@@ -1091,6 +1091,7 @@ public static function JWKfetch($domain) {
 		if ($cache_expiration !== 0) {
 			set_transient( 'WP_Auth0_JWKS_cache', $secret, $cache_expiration * MINUTE_IN_SECONDS );
 		}
+
 	}
 
   return $secret;

diff --git a/lib/WP_Auth0_Lock10_Options.php b/lib/WP_Auth0_Lock10_Options.php
@@ -105,9 +105,7 @@ public function get_state_obj( $redirect_to = null ) {
       $interim_login = false;
     }
 
-	  $uniq_id = get_auth0_uniqid();
-	  setcookie( WPA0_UUID_COOKIE, $uniq_id, time() + MINUTE_IN_SECONDS );
-	  $stateObj = array( "interim" => $interim_login, "uuid" =>$uniq_id );
+    $stateObj = array( "interim" => $interim_login, "uuid" =>uniqid() );
     if ( !empty( $redirect_to ) ) {
       $stateObj["redirect_to"] = addslashes( $redirect_to );
     }

diff --git a/lib/WP_Auth0_Lock_Options.php b/lib/WP_Auth0_Lock_Options.php
@@ -103,9 +103,7 @@ public function get_state_obj( $redirect_to = null ) {
 		} else {
 			$interim_login = false;
 		}
-		$uniq_id = get_auth0_uniqid();
-		setcookie( WPA0_UUID_COOKIE, $uniq_id, time() + MINUTE_IN_SECONDS );
-		$stateObj = array( "interim" => $interim_login, "uuid" =>$uniq_id );
+    $stateObj = array( "interim" => $interim_login, "uuid" =>uniqid() );
 		if ( !empty( $redirect_to ) ) {
 			$stateObj["redirect_to"] = addslashes( $redirect_to );
 		}

diff --git a/lib/WP_Auth0_LoginManager.php b/lib/WP_Auth0_LoginManager.php
@@ -96,11 +96,9 @@ public function login_auto() {
 		$base_url = add_query_arg( 'redirect_uri', $this->a0_options->get_wp_auth0_url(), $base_url );
 
 		// Build state param
-		$uniq_id = get_auth0_uniqid();
-		setcookie( WPA0_UUID_COOKIE, $uniq_id, time() + MINUTE_IN_SECONDS );
 		$state_arr = array(
 			'interim' => false,
-			'uuid' => $uniq_id,
+			'nonce' => uniqid(),
 			'redirect_to' => ! empty( $_GET['redirect_to'] ) && filter_var( $_GET['redirect_to'], FILTER_VALIDATE_URL )
 				? esc_url( $_GET['redirect_to'] )
 				: $this->a0_options->get( 'default_login_redirection' )
@@ -178,15 +176,6 @@ public function init_auth0() {
       $this->die_on_login( $_GET[ 'error_description' ], $_GET[ 'error' ] );
     }
 
-    // Check for valid state UUID
-    $state_decoded = json_decode( base64_decode( $_REQUEST[ 'state' ] ), TRUE );
-    if (
-      isset( $state_decoded[ 'uuid' ] ) &&
-      ( empty( $_COOKIE[ WPA0_UUID_COOKIE ] ) || $state_decoded[ 'uuid' ] !== $_COOKIE[ WPA0_UUID_COOKIE ] )
-    ) {
-      $this->die_on_login( __( 'Invalid state', 'wp-auth0' ) );
-     }
-
     try {
       if ( $this->query_vars( 'auth0' ) === 'implicit' ) {
         $this->implicit_login();
@@ -211,7 +200,9 @@ public function init_auth0() {
   public function redirect_login() {
 
     $code = $this->query_vars( 'code' );
-    $state_decoded = json_decode( base64_decode( $this->query_vars( 'state' ) ), TRUE );
+    $state = $this->query_vars( 'state' );
+
+    $stateFromGet = json_decode( base64_decode( $state ) );
 
     $response = WP_Auth0_Api_Client::get_token(
       $this->a0_options->get( 'domain' ),
@@ -258,12 +249,12 @@ public function redirect_login() {
 
       $userinfo = json_decode( $response['body'] );
       if ( $this->login_user( $userinfo, $data->id_token, $data->access_token ) ) {
-        if ( null !== $state_decoded && isset( $state_decoded->interim ) && $state_decoded->interim ) {
+        if ( ! empty( $stateFromGet->interim ) ) {
           include WPA0_PLUGIN_DIR . 'templates/login-interim.php';
           exit();
         } else {
-          if ( null !== $state_decoded && isset( $state_decoded->redirect_to ) ) {
-            $redirectURL = $state_decoded->redirect_to;
+          if ( ! empty( $stateFromGet->redirect_to ) && wp_login_url() !== $stateFromGet->redirect_to ) {
+            $redirectURL = $stateFromGet->redirect_to;
           } else {
             $redirectURL = $this->a0_options->get( 'default_login_redirection' );
           }
@@ -533,31 +524,31 @@ protected function query_vars( $key ) {
     return null;
   }
 
-	/**
-	 * Die during login process with a message
-	 *
-	 * @param string $msg - translated error message to display
-	 * @param string|int $code - error code, if given
-	 * @param bool $login_link - TRUE for login link, FALSE for logout link
-	 */
-	protected function die_on_login( $msg = '', $code = 0, $login_link = TRUE ) {
-
-		wp_die( sprintf(
-			'%s: %s [%s: %s]<br><br><a href="%s">%s</a>',
-			$login_link
-				? __( 'There was a problem with your log in', 'wp-auth0' )
-				: __( 'You have logged in successfully, but there is a problem accessing this site', 'wp-auth0' ),
-			! empty( $msg )
-				? sanitize_text_field( $msg )
-				: __( 'Please see the site administrator', 'wp-auth0' ),
-			__( 'error code', 'wp-auth0' ),
-			sanitize_text_field( $code ),
-			$login_link ? wp_login_url() : wp_logout_url(),
-			$login_link
-				? __( '← Login', 'wp-auth0' )
-				: __( '← Logout', 'wp-auth0' )
-		) );
-	}
+  /**
+   * Die during login process with a message
+   *
+   * @param string $msg - translated error message to display
+   * @param string|int $code - error code, if given
+   * @param bool $login_link - TRUE for login link, FALSE for logout link
+   */
+  protected function die_on_login( $msg = '', $code = 0, $login_link = TRUE ) {
+
+    wp_die( sprintf(
+      '%s: %s [%s: %s]<br><br><a href="%s">%s</a>',
+      $login_link
+        ? __( 'There was a problem with your log in', 'wp-auth0' )
+        : __( 'You have logged in successfully, but there is a problem accessing this site', 'wp-auth0' ),
+      ! empty( $msg )
+        ? sanitize_text_field( $msg )
+        : __( 'Please see the site administrator', 'wp-auth0' ),
+      __( 'error code', 'wp-auth0' ),
+      $code ? sanitize_text_field( $code ) : __( 'unknown', 'wp-auth0' ),
+      $login_link ? wp_login_url() : wp_logout_url(),
+      $login_link
+        ? __( '← Login', 'wp-auth0' )
+        : __( '← Logout', 'wp-auth0' )
+    ) );
+  }
 
 	/**
 	 * DEPRECATED 3.5.0
-Original file line number
+Diff line change
@@ Expand Up / @@ -1091,6 +1091,7 @@ public static function JWKfetch($domain) { @@
     		if ($cache_expiration !== 0) {
     			set_transient( 'WP_Auth0_JWKS_cache', $secret, $cache_expiration * MINUTE_IN_SECONDS );
     		}
     	}
       return $secret;
@@ Expand Down @@