Creating a new client grant on install and adding the app_type for th…

…e client created; DB version upgrade to 16 and resulting changes needed (client grant and app_type update); notice and flag for failed client grant addition; set app_token_audience and check for client grant flag when saving a new app token; helper functions for converting client_id to a key

WP_Auth0.php

@@ -10,8 +10,9 @@
 define( 'WPA0_PLUGIN_DIR', trailingslashit( plugin_dir_path( __FILE__ ) ) );
 define( 'WPA0_PLUGIN_URL', trailingslashit( plugin_dir_url( __FILE__ ) ) );
 define( 'WPA0_LANG', 'wp-auth0' ); // deprecated; do not use for translations
-define( 'AUTH0_DB_VERSION', 15 );
+define( 'AUTH0_DB_VERSION', 16 );
 define( 'WPA0_VERSION', '3.4.0' );
+define( 'WPA0_CACHE_GROUP', 'wp_auth0' );
 
 /**
  * Main plugin class
@@ -22,6 +23,7 @@ class WP_Auth0 {
 	protected $a0_options;
 	protected $social_amplificator;
 	protected $router;
+	protected $basename;
 
 	/**
 	 * Initialize the plugin and its modules setting all the hooks
@@ -30,6 +32,8 @@ public function init() {
 
 		spl_autoload_register( array( $this, 'autoloader' ) );
 
+		$this->basename = plugin_basename( __FILE__ );
+
 		$ip_checker = new WP_Auth0_Ip_Check();
 		$ip_checker->init();
 
@@ -63,8 +67,7 @@ public function init() {
 
 		add_filter( 'query_vars', array( $this, 'a0_register_query_vars' ) );
 
-		$plugin = plugin_basename( __FILE__ );
-		add_filter( "plugin_action_links_$plugin", array( $this, 'wp_add_plugin_settings_link' ) );
+		add_filter( 'plugin_action_links_' . $this->basename, array( $this, 'wp_add_plugin_settings_link' ) );
 
 		if ( isset( $_GET['message'] ) ) {
 			add_action( 'wp_footer', array( $this, 'a0_render_message' ) );
@@ -117,9 +120,7 @@ public function init() {
 
 		$this->check_signup_status();
 
-		if ( wp_doing_ajax() ) {
-			WP_Auth0_Email_Verification::init();
-		}
+		WP_Auth0_Email_Verification::init();
 	}
 
 	/**
@@ -173,7 +174,7 @@ function my_custom_avatar( $avatar, $id_or_email, $size, $default, $alt ) {
 
 	function on_activate_redirect( $plugin ) {
 
-		if ( !defined( 'WP_CLI' ) && $plugin == plugin_basename( __FILE__ ) ) {
+		if ( !defined( 'WP_CLI' ) && $plugin == $this->basename ) {
 
 			$this->router->setup_rewrites();
 			flush_rewrite_rules();

lib/WP_Auth0_Api_Client.php

@@ -47,8 +47,12 @@ public static function get_connect_info( $opt = '' ) {
 				'client_id' => $a0_options->get( 'client_id' ),
 				'client_secret' => $a0_options->get( 'client_secret' ),
 				'connection' => $a0_options->get( 'db_connection_name' ),
-				'audience' => self::get_endpoint( 'api/v2/' ),
+				'audience' => $a0_options->get( 'auth0_app_token_audience' ),
 			);
+
+			if ( empty( self::$connect_info[ 'audience' ] ) ) {
+				self::$connect_info[ 'audience' ] = self::get_endpoint( 'api/v2/' );
+			}
 		}
 
 		if ( empty( $opt ) ) {
@@ -533,6 +537,42 @@ public static function delete_rule( $domain, $app_token, $id ) {
 		return json_decode( $response['body'] );
 	}
 
+	/**
+	 * Create a client grant for the management API
+	 *
+	 * @param $app_token
+	 * @param $client_id
+	 *
+	 * @return array|bool|mixed|object
+	 */
+	public static function create_client_grant( $app_token, $client_id ) {
+
+		$data = array(
+			'client_id' => $client_id,
+			'audience' => self::get_connect_info( 'audience' ),
+			'scope' => self::ConsentRequiredScopes()
+		);
+
+		$response = wp_remote_post( self::get_endpoint( 'api/v2/client-grants' ), array(
+			'headers' => self::get_headers( $app_token ),
+			'body' => json_encode( $data ),
+		) );
+
+		if ( $response instanceof WP_Error ) {
+			WP_Auth0_ErrorManager::insert_auth0_error( __METHOD__, $response );
+			error_log( $response->get_error_message() );
+			return false;
+		}
+
+		if ( $response['response']['code'] != 201 ) {
+			WP_Auth0_ErrorManager::insert_auth0_error(  __METHOD__, $response['body'] );
+			error_log( $response['body'] );
+			return false;
+		}
+
+		return json_decode( $response['body'] );
+	}
+
 	public static function create_connection( $domain, $app_token, $payload ) {
 		$endpoint = "https://$domain/api/v2/connections";
 

lib/WP_Auth0_DBManager.php

@@ -14,7 +14,9 @@ public function init() {
 		if ($this->current_db_version === 0) {
 			$this->current_db_version = (int)get_site_option( 'auth0_db_version', 0 );
 		}
+
 		add_action( 'plugins_loaded', array( $this, 'check_update' ) );
+		add_action( 'admin_notices', array( $this, 'notice_failed_client_grant' ) );
 	}
 
 	public function check_update() {
@@ -23,10 +25,23 @@ public function check_update() {
 		}
 	}
 
-	public function install_db() {
+	public function install_db( $version_to_install = null, $app_token = '' ) {
+
+		wp_cache_set( 'doing_db_update', TRUE, WPA0_CACHE_GROUP );
 
 		$options = WP_Auth0_Options::Instance();
 
+		if ( empty( $app_token ) ) {
+			$app_token = $options->get( 'auth0_app_token' );
+		}
+
+		$connection_id = $options->get( 'db_connection_id' );
+		$migration_token = $options->get( 'migration_token' );
+		$client_id = $options->get( 'client_id' );
+		$client_secret = $options->get( 'client_secret' );
+		$domain = $options->get( 'domain' );
+		$sso = $options->get( 'sso' );
+
 		if ($this->current_db_version === 0) {
 			$options->set('auth0_table', false);
 		} elseif($options->get('auth0_table') === null) {
@@ -38,16 +53,13 @@ public function install_db() {
 		if ( $this->current_db_version <= 7 ) {
 			if ( $options->get( 'db_connection_enabled' ) ) {
 
-				$app_token = $options->get( 'auth0_app_token' );
-				$connection_id = $options->get( 'db_connection_id' );
-				$migration_token = $options->get( "migration_token" );
-
 				$operations = new WP_Auth0_Api_Operations( $options );
+
 				if ( !empty( $app_token ) &&
 					!empty( $connection_id ) &&
 					!empty( $migration_token ) ) {
 
-					$response = $operations->update_wordpress_connection(
+					$operations->update_wordpress_connection(
 						$app_token,
 						$connection_id,
 						$options->get( 'password_policy' ),
@@ -92,56 +104,159 @@ public function install_db() {
 
 		if ( $this->current_db_version < 12 ) {
 
-      if ( strpos( $cdn_url, '10.' ) === false ) {
-        $options->set('use_lock_10', false);
-      } else {
-        $options->set('use_lock_10', true);
-      }
+			if ( strpos( $cdn_url, '10.' ) === false ) {
+				$options->set('use_lock_10', false);
+			} else {
+				$options->set('use_lock_10', true);
+			}
 
-    }
+		}
 
-    if ( $this->current_db_version < 13 ) {
-      $ips = $options->get('migration_ips');
-      $oldips = '138.91.154.99,54.221.228.15,54.183.64.135,54.67.77.38,54.67.15.170,54.183.204.205,54.173.21.107,54.85.173.28';
+		if ( $this->current_db_version < 13 ) {
+			$ips = $options->get('migration_ips');
+			$oldips = '138.91.154.99,54.221.228.15,54.183.64.135,54.67.77.38,54.67.15.170,54.183.204.205,54.173.21.107,54.85.173.28';
 
-      $ipCheck = new WP_Auth0_Ip_Check($options);
+			$ipCheck = new WP_Auth0_Ip_Check($options);
 
-      if ( $ips === $oldips ) {
-        $options->set('migration_ips', $ipCheck->get_ip_by_region('us'));
-      }
-    }
+			if ( $ips === $oldips ) {
+				$options->set('migration_ips', $ipCheck->get_ip_by_region('us'));
+			}
+		}
 
-	if ( $this->current_db_version < 14 && is_null($options->get('client_secret_b64_encoded' ))) {
-		if ( $options->get('client_id' )) {
-			$options->set('client_secret_b64_encoded', true);
-		} else {
-			$options->set('client_secret_b64_encoded', false);
+		if ( $this->current_db_version < 14 && is_null($options->get('client_secret_b64_encoded' ))) {
+			if ( $options->get('client_id' )) {
+				$options->set('client_secret_b64_encoded', true);
+			} else {
+				$options->set('client_secret_b64_encoded', false);
+			}
 		}
-	}
 
-	if ( $this->current_db_version < 15 ) {
-		$options->set('use_lock_10', true);
-		$options->set('cdn_url', '//cdn.auth0.com/js/lock/11.0.0/lock.min.js');
-		$options->set('auth0js-cdn', '//cdn.auth0.com/js/auth0/9.0.0/auth0.min.js');
-		$options->set('cache_expiration', 1440);
+		// 3.4.0
 
-		// Update Client
-		$client_id = $options->get( 'client_id' );
-		$domain = $options->get( 'domain' );
-		if (!empty($client_id) && !empty($domain)) {
-			$app_token = $options->get( 'auth0_app_token' );
-			$sso = $options->get( 'sso' );
-			$payload = array(
-				"cross_origin_auth" => true,
-				"cross_origin_loc" => site_url('index.php?auth0fallback=1','https'),
-				"web_origins" => ( home_url() === site_url() ? array( home_url() ) : array( home_url(), site_url() ) )
-			);
-			$updateClient = WP_Auth0_Api_Client::update_client($domain, $app_token, $client_id, $sso, $payload);
-			$options->set('client_signing_algorithm', 'HS256');
+		if ( $this->current_db_version < 15 || 15 === $version_to_install  ) {
+
+			$options->set('use_lock_10', true);
+			$options->set('cdn_url', '//cdn.auth0.com/js/lock/11.0.0/lock.min.js');
+			$options->set('auth0js-cdn', '//cdn.auth0.com/js/auth0/9.0.0/auth0.min.js');
+			$options->set('cache_expiration', 1440);
+
+			// Update Client
+			if (!empty($client_id) && !empty($domain)) {
+				$payload = array(
+					"cross_origin_auth" => true,
+					"cross_origin_loc" => site_url('index.php?auth0fallback=1','https'),
+					"web_origins" => ( home_url() === site_url() ? array( home_url() ) : array( home_url(), site_url() ) )
+				);
+				WP_Auth0_Api_Client::update_client($domain, $app_token, $client_id, $sso, $payload);
+				$options->set('client_signing_algorithm', 'HS256');
+			}
 		}
-	}
+
+
+		// 3.4.1
+		if ( ( $this->current_db_version < 16 && 0 !== $this->current_db_version ) || 16 === $version_to_install ) {
+			$client_grant_created = FALSE;
+
+			// Need a valid app token to update audience and client grant
+			if ( ! empty( $app_token ) ) {
+
+				$decoded_token = null;
+				$token_parts = explode( '.', $app_token );
+
+				try {
+					$header = json_decode( JWT::urlsafeB64Decode( $token_parts[0] ) );
+					$decoded_token = JWT::decode(
+						$app_token,
+						$options->convert_client_secret_to_key( $client_secret, FALSE, 'RS256' === $header->alg, $domain ),
+						array( $header->alg )
+					);
+				} catch ( Exception $e ) {
+					WP_Auth0_ErrorManager::insert_auth0_error( __METHOD__, $e->getMessage() );
+				}
+
+				if ( $decoded_token ) {
+
+					if ( ! empty( $decoded_token->aud ) ) {
+						$options->set( 'auth0_app_token_audience', $decoded_token->aud );
+					}
+
+					$payload = array(
+						'app_type' => 'regular_web',
+						'callbacks' => array(
+							site_url( 'index.php?auth0=1' ),
+							wp_login_url()
+						)
+					);
+
+					// Update the WP-created client
+					$client_updated = WP_Auth0_Api_Client::update_client( $domain, $app_token, $client_id, $sso, $payload );
+
+					// Create the client grant to the management API for the WP app client
+					if ( $client_updated ) {
+						$client_grant_created = WP_Auth0_Api_Client::create_client_grant( $app_token, $client_id );
+					}
+				}
+			}
+
+			if ( $client_grant_created ) {
+				delete_option( 'wp_auth0_client_grant_failed' );
+			} else {
+				WP_Auth0_ErrorManager::insert_auth0_error( __METHOD__, sprintf(
+					__( 'Unable to automatically create client grant. Please go to your Auth0 Dashboard '
+					    . 'and authorize your client %s for management API scopes %s.',
+						'wp-auth0' ),
+					$options->get( 'client_id' ),
+					implode( ', ', WP_Auth0_Api_Client::ConsentRequiredScopes() )
+				) );
+				update_option( 'wp_auth0_client_grant_failed', 1 );
+			}
+		}
+
 		$this->current_db_version = AUTH0_DB_VERSION;
 		update_option( 'auth0_db_version', AUTH0_DB_VERSION );
+
+		wp_cache_set( 'doing_db_update', FALSE, WPA0_CACHE_GROUP );
+	}
+
+	public function notice_failed_client_grant() {
+
+		if ( get_option( 'wp_auth0_client_grant_failed' ) && current_user_can( 'update_plugins' ) ) {
+
+			$token = WP_Auth0_Api_Client::get_token(
+				WP_Auth0_Api_Client::get_connect_info( 'domain' ),
+				WP_Auth0_Api_Client::get_connect_info( 'client_id' ),
+				WP_Auth0_Api_Client::get_connect_info('client_secret' ),
+				'client_credentials',
+				array(
+					'audience' => WP_Auth0_Api_Client::get_connect_info( 'audience' )
+				)
+			);
+
+			if ( 200 === $token[ 'response' ][ 'code' ] ) {
+				delete_option( 'wp_auth0_client_grant_failed' );
+			} else {
+				?>
+				<div class="notice notice-error">
+					<p><strong><?php _e( 'IMPORTANT!', 'wp-auth0' ) ?></strong></p>
+					<p><?php
+						printf(
+							__( 'WP-Auth0 has upgraded to %s but could not complete the upgrade in your Auth0 dashboard.', 'wp-auth0' ),
+							WPA0_VERSION
+						); ?>
+						<?php _e( 'This can be fixed one of 2 ways:', 'wp-auth0' ) ?></p>
+					<p><strong>1.</strong>
+						<a href="https://auth0.com/docs/api/management/v2/tokens#get-a-token-manually" target="_blank"><?php
+							_e( 'Create a new Management API token', 'wp-auth0' ) ?></a>
+						<?php _e( 'and save it in the Auth0 > Settings > Basic tab > API Token field.', 'wp-auth0' ) ?>
+						<?php _e( 'This will run the update process again.', 'wp-auth0' ) ?></p>
+					<p><strong>2.</strong> <a href="https://auth0.com/docs/cms/wordpress/configuration" target="_blank"><?php
+							_e( 'Follow the configuration steps here', 'wp-auth0' ) ?></a>
+						<?php _e( 'to manually complete the setup.', 'wp-auth0' ) ?></p>
+					<p><?php _e( 'This banner will disappear once the process is complete.', 'wp-auth0' ) ?></p>
+				</div>
+				<?php
+			}
+		}
 	}
 
 	protected function migrate_users_data() {

lib/WP_Auth0_LoginManager.php

@@ -529,15 +529,15 @@ protected function query_vars( $key ) {
     if ( isset( $_REQUEST[$key] ) ) return $_REQUEST[$key];
     return null;
   }
-  
-  /**
-   * DEPRECATED 3.4.1
-   *
-   * @param $userinfo
-   * @param $id_token
-   */
-  private function dieWithVerifyEmail( $userinfo, $id_token = '' ) {
-    trigger_error( __( 'Method dieWithVerifyEmail is deprecated.', 'wp-auth0' ), E_USER_DEPRECATED);
-    WP_Auth0_Email_Verification::render_die( $userinfo );
-  }
+
+	/**
+	 * DEPRECATED 3.4.1
+	 *
+	 * @param $userinfo
+	 * @param $id_token
+	 */
+	private function dieWithVerifyEmail( $userinfo, $id_token = '' ) {
+		trigger_error( __( 'Method dieWithVerifyEmail is deprecated.', 'wp-auth0' ), E_USER_DEPRECATED);
+		WP_Auth0_Email_Verification::render_die( $userinfo );
+	}
 }