Add back JTI checking and tests

lib/WP_Auth0_Routes.php

@@ -170,15 +170,15 @@ protected function migration_ws_login() {
 			}
 		}
 
-		$authorization   = trim( str_replace( 'Bearer ', '', $this->getAuthorizationHeader() ) );
-		$migration_token = $this->a0_options->get( 'migration_token' );
+		$authorization = $this->getAuthorizationHeader();
+		$authorization = trim( str_replace( 'Bearer ', '', $authorization ) );
 
 		try {
 			if ( empty( $authorization ) ) {
 				throw new Exception( __( 'Unauthorized: missing authorization header', 'wp-auth0' ), 401 );
 			}
 
-			if ( $authorization !== $migration_token ) {
+			if ( ! $this->valid_token( $authorization ) ) {
 				throw new Exception( __( 'Invalid token', 'wp-auth0' ), 401 );
 			}
 
@@ -230,17 +230,16 @@ protected function migration_ws_get_user() {
 			}
 		}
 
-		$authorization   = trim( str_replace( 'Bearer ', '', $this->getAuthorizationHeader() ) );
-		$migration_token = $this->a0_options->get( 'migration_token' );
-
-		$user = null;
+		$authorization = $this->getAuthorizationHeader();
+		$authorization = trim( str_replace( 'Bearer ', '', $authorization ) );
+		$user          = null;
 
 		try {
 			if ( empty( $authorization ) ) {
 				throw new Exception( __( 'Unauthorized: missing authorization header', 'wp-auth0' ), 401 );
 			}
 
-			if ( $authorization !== $migration_token ) {
+			if ( ! $this->valid_token( $authorization ) ) {
 				throw new Exception( __( 'Invalid token', 'wp-auth0' ), 401 );
 			}
 
@@ -307,6 +306,32 @@ private function error_return_array( $code ) {
 					'status' => 403,
 					'error'  => __( 'Forbidden', 'wp-auth0' ),
 				);
+				break;
+		}
+	}
+
+	/**
+	 * Check if a token or token JTI is the same as what is stored.
+	 *
+	 * @param string $authorization - Incoming migration token;
+	 *
+	 * @return bool
+	 */
+	private function valid_token( $authorization ) {
+		$token = $this->a0_options->get( 'migration_token' );
+		if ( $token === $authorization ) {
+			return true;
+		}
+		$client_secret = $this->a0_options->get( 'client_secret' );
+		if ( $this->a0_options->get( 'client_secret_base64_encoded' ) ) {
+			$client_secret = JWT::urlsafeB64Decode( $client_secret );
+		}
+
+		try {
+			$decoded = JWT::decode( $token, $client_secret, array( 'HS256' ) );
+			return isset( $decoded->jti ) && $decoded->jti === $this->a0_options->get( 'migration_token_id' );
+		} catch ( Exception $e ) {
+			return false;
 		}
 	}
 }

lib/admin/WP_Auth0_Admin.php

@@ -145,22 +145,7 @@ public function create_account_message() {
 		);
 	}
 
-	/**
-	 * Output the settings page with a generic settings saved message if none is present.
-	 */
 	public function render_settings_page() {
-		$notifications      = get_settings_errors();
-		$message            = __( 'Settings saved.', 'wp-auth0' );
-		$add_settings_saved = true;
-		foreach ( $notifications as $notification ) {
-			if ( $message === $notification['message'] ) {
-				$add_settings_saved = false;
-				break;
-			}
-		}
-		if ( $add_settings_saved ) {
-			add_settings_error( 'wp_auth0_settings', 'wp_auth0_settings', $message, 'updated' );
-		}
 		include WPA0_PLUGIN_DIR . 'templates/settings.php';
 	}
 }

lib/admin/WP_Auth0_Admin_Advanced.php

@@ -93,7 +93,7 @@ public function init() {
 				'function' => 'render_auto_provisioning',
 			),
 			array(
-				'name'     => __( 'User Migration', 'wp-auth0' ),
+				'name'     => __( 'User Migration Endpoints', 'wp-auth0' ),
 				'opt'      => 'migration_ws',
 				'id'       => 'wpa0_migration_ws',
 				'function' => 'render_migration_ws',
@@ -375,9 +375,10 @@ public function render_migration_ws( $args = array() ) {
 
 		if ( $value ) {
 			$this->render_field_description(
-				__( 'Users migration is enabled. ', 'wp-auth0' ) .
-				__( 'If you disable this setting, it must be re-enabled manually in the ', 'wp-auth0' ) .
-				$this->get_dashboard_link()
+				__( 'User migration endpoints activated. ', 'wp-auth0' ) .
+				__( 'See below for the token to use. ', 'wp-auth0' ) .
+				__( 'The custom database scripts need to be configured manually as described ', 'wp-auth0' ) .
+				$this->get_docs_link( 'users/migrations/automatic' )
 			);
 			$this->render_field_description( 'Security token:' );
 			if ( $this->options->has_constant_val( 'migration_token' ) ) {
@@ -389,9 +390,9 @@ public function render_migration_ws( $args = array() ) {
 			);
 		} else {
 			$this->render_field_description(
-				__( 'Users migration is disabled. ', 'wp-auth0' ) .
-				__( 'Enabling this exposes migration webservices but the Connection must be updated manually. ', 'wp-auth0' ) .
-				$this->get_docs_link( 'users/migrations/automatic', __( 'More information here', 'wp-auth0' ) )
+				__( 'User migration endpoints deactivated. ', 'wp-auth0' ) .
+				__( 'Custom database connections can be deactivated in the ', 'wp-auth0' ) .
+				$this->get_dashboard_link( 'connections/database' )
 			);
 		}
 	}
@@ -715,41 +716,34 @@ public function basic_validation( $old_options, $input ) {
 	 * @return array
 	 */
 	public function migration_ws_validation( array $old_options, array $input ) {
-		$input['migration_ws'] = isset( $input['migration_ws'] ) ? $input['migration_ws'] : 0;
+		$input['migration_ws'] = (int) ! empty( $input['migration_ws'] );
 
-		// No longer using the token ID for validation.
-		$input['migration_token_id'] = null;
-
-		// No change to migration endpoints, keep old token data.
-		if ( $old_options['migration_ws'] === $input['migration_ws'] ) {
-			$input['migration_token'] = $old_options['migration_token'];
-			return $input;
-		}
-
-		// Migration endpoints turned off; warn admin of implications.
+		// Migration endpoints or turned off, nothing to do.
 		if ( empty( $input['migration_ws'] ) ) {
-			$input['migration_token'] = null;
-
-			$error  = __( 'User migration endpoints deactivated. ', 'wp-auth0' );
-			$error .= __( 'Custom database connections can be deactivated in the ', 'wp-auth0' );
-			$error .= $this->get_dashboard_link( 'connections/database' );
-			$this->add_validation_error( $error, 'updated' );
 			return $input;
 		}
 
+		$input['migration_token_id'] = null;
+		$this->router->setup_rewrites();
+		flush_rewrite_rules();
+
 		// If we don't have a token yet, generate one.
 		if ( empty( $input['migration_token'] ) ) {
-			$input['migration_token'] = base64_encode( openssl_random_pseudo_bytes( 64 ) );
+			$input['migration_token'] = JWT::urlsafeB64Encode( openssl_random_pseudo_bytes( 64 ) );
+			return $input;
 		}
 
-		$error  = __( 'User migration endpoints activated. ', 'wp-auth0' );
-		$error .= __( 'The custom database scripts needs to be configured manually as described ', 'wp-auth0' );
-		$error .= $this->get_docs_link( 'users/migrations/automatic' ) . '. ';
-		$error .= __( 'Please see Advanced > Users Migration below for the token to use.', 'wp-auth0' );
-		$this->add_validation_error( $error, 'updated' );
-
-		$this->router->setup_rewrites();
-		flush_rewrite_rules();
+		// If we do have a token, try to decode and store the JTI.
+		$secret = $input['client_secret'];
+		if ( ! empty( $input['client_secret_b64_encoded'] ) ) {
+			$secret = base64_decode( $input['client_secret'] );
+		}
+		try {
+			$token_decoded               = JWT::decode( $input['migration_token'], $secret, array( 'HS256' ) );
+			$input['migration_token_id'] = isset( $token_decoded->jti ) ? $token_decoded->jti : null;
+		} catch ( Exception $e ) {
+			// If the JWT cannot be decoded then we use the token as-is without storing the JTI.
+		}
 
 		return $input;
 	}

lib/admin/WP_Auth0_Admin_Generic.php

@@ -89,7 +89,12 @@ public function input_validator( $input, $old_options = null ) {
 	 * @param string $type - Notice type, "error" by default or "updated".
 	 */
 	protected function add_validation_error( $error, $type = 'error' ) {
-		add_settings_error( $this->_option_name, $this->_option_name, $error, $type );
+		add_settings_error(
+			$this->_option_name,
+			$this->_option_name,
+			$error,
+			$type
+		);
 	}
 
 	protected function rule_validation( $old_options, $input, $key, $rule_name, $rule_script ) {
@@ -227,7 +232,7 @@ protected function render_radio_buttons( array $buttons, $id, $input_name, $curr
 	 * @param string $text - description text to display
 	 */
 	protected function render_field_description( $text ) {
-		$period = ! in_array( $text[ strlen( $text ) - 1 ], array( '.', ':', '>' ) ) ? '.' : '';
+		$period = ! in_array( $text[ strlen( $text ) - 1 ], array( '.', ':' ) ) ? '.' : '';
 		printf( '<div class="subelement"><span class="description">%s%s</span></div>', $text, $period );
 	}