Add support for subdomains and different scheme URLs for redirect #512

Merged
merged 2 commits into from
Aug 3, 2018
55 changes: 41 additions & 14 deletions lib/admin/WP_Auth0_Admin_Advanced.php
Expand Up @@ -769,27 +769,54 @@ public function link_accounts_validation( $old_options, $input ) {
return $this->rule_validation( $old_options, $input, 'link_auth0_users', WP_Auth0_RulesLib::$link_accounts['name'] . '-' . get_auth0_curatedBlogName(), $link_script );
}

/**
* Validate the URL used to redirect users after a successful login.
*
* @param array $old_options - Previously-saved options.
* @param array $input - Options to save.
*
* @return array
*/
public function loginredirection_validation( $old_options, $input ) {
$new_redirect_url = strtolower( $input['default_login_redirection'] );
$old_redirect_url = strtolower( $old_options['default_login_redirection'] );

// No change so no validation needed.
if ( $new_redirect_url === $old_redirect_url ) {
return $input;
}

$home_url = home_url();

if ( empty( $input['default_login_redirection'] ) ) {
// Set the default redirection URL to be the homepage.
if ( empty( $new_redirect_url ) ) {
$input['default_login_redirection'] = $home_url;
} else {
if ( strpos( $input['default_login_redirection'], $home_url ) !== 0 ) {
if ( strpos( $input['default_login_redirection'], 'http' ) === 0 ) {
$input['default_login_redirection'] = $home_url;
$error = __( "The 'Login redirect URL' cannot point to a foreign page.", 'wp-auth0' );
$this->add_validation_error( $error );
}
}
return $input;
}

if ( strpos( $input['default_login_redirection'], 'action=logout' ) !== false ) {
$input['default_login_redirection'] = $home_url;
$home_url_host = wp_parse_url( $home_url, PHP_URL_HOST );
$redirect_url_host = wp_parse_url( $new_redirect_url, PHP_URL_HOST );

$error = __( "The 'Login redirect URL' cannot point to the logout page. ", 'wp-auth0' );
$this->add_validation_error( $error );
}
// Same host name so it's safe to redirect.
if ( $redirect_url_host === $home_url_host ) {
return $input;
}

// The redirect can be a subdomain of the home_url or vice versa.
$min_host = min( strlen( $redirect_url_host ), strlen( $home_url_host ) );
if ( substr( $redirect_url_host, -$min_host ) === substr( $home_url_host, -$min_host ) ) {
return $input;
}

// If we get here, the redirect URL is a page outside of the WordPress install.
$error = __( 'Advanced > "Login Redirection URL" cannot point to another site.', 'wp-auth0' );
$this->add_validation_error( $error );

// Either revert to the previous (validated) value or set as the homepage.
$input['default_login_redirection'] = ! empty( $old_options['default_login_redirection'] ) ?
$old_options['default_login_redirection'] :
$home_url;

return $input;
}

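Review bot: The subdomain test `substr( $redirect_url_host, -$min_host ) === substr( $home_url_host, -$min_host )` is a bare suffix comparison with no label boundary, so with a home host of `example.com` a redirect to `https://evilexample.com/` is accepted as a "subdomain" and the foreign-site rejection below it is never reached. Prefixing both hosts with a dot before comparing restores the boundary while keeping the intended parent/child matching in both directions; note that the "vice versa" direction inherently accepts any ancestor of the home host, which may be wider than intended. Also worth a comment: `wp_parse_url()` returns null for the host of a relative or scheme-less value, which the strict comparison and the fallback then reject as another site, so a relative path can no longer be saved. The hunk covers the whole of `loginredirection_validation`, but the surrounding class continues outside it.
```php
// The redirect can be a subdomain of the home_url or vice versa, but only on a
// label boundary so "evilexample.com" is not treated as a subdomain of "example.com".
$dotted_redirect_host = '.' . $redirect_url_host;
$dotted_home_host     = '.' . $home_url_host;
$min_host             = min( strlen( $dotted_redirect_host ), strlen( $dotted_home_host ) );
if ( substr( $dotted_redirect_host, -$min_host ) === substr( $dotted_home_host, -$min_host ) ) {
    return $input;
}
// … unchanged: foreign-site error and revert to previous value or homepage …
```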
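--- /dev/null
+++ b/tests/testAdvancedOptionsValidation.php
@@ -0,0 +1,75 @@
+<?php
+/**
+* Contains Class TestAdvancedOptionsValidation.
+*
+* @package WP-Auth0
+* @since 3.7.0
+*/
+
+use PHPUnit\Framework\TestCase;
+
+/**
+* Class TestAdvancedOptionsValidation.
+* Tests that Advanced settings are validated properly.
+*/
+class TestAdvancedOptionsValidation extends TestCase {
+
+use setUpTestDb;
+
+/**
+* Test validation for the login redirection URL.
+*/
+public function testLoginRedirectValidation() {
+$opts = new WP_Auth0_Options();
+$router = new WP_Auth0_Routes( $opts );
+$admin = new WP_Auth0_Admin_Advanced( $opts, $router );
+$home_url = home_url();
+$home_url_host = wp_parse_url( $home_url )['host'];
+$home_url_scheme = wp_parse_url( $home_url )['scheme'];
+$invalid_url = 'https://auth0.com';
+
+// Test that no validation happens if the new value is the same as the old value.
+$input = [ 'default_login_redirection' => $invalid_url ];
+$old_input = [ 'default_login_redirection' => $invalid_url ];
+$valid_input = $admin->loginredirection_validation( $old_input, $input );
+$this->assertEquals( $invalid_url, $valid_input['default_login_redirection'] );
+
+// Test that the default is set when the input is empty.
+$input = [ 'default_login_redirection' => '' ];
+$old_input = [ 'default_login_redirection' => $home_url . '/path' ];
+$valid_input = $admin->loginredirection_validation( $old_input, $input );
+$this->assertEquals( $home_url, $valid_input['default_login_redirection'] );
+
+// Test that the defaults is set if URL is another site.
+$input = [ 'default_login_redirection' => $invalid_url ];
+$old_input = [ 'default_login_redirection' => $home_url . '/path' ];
+$valid_input = $admin->loginredirection_validation( $old_input, $input );
+$this->assertEquals( $old_input['default_login_redirection'], $valid_input['default_login_redirection'] );
+$old_input = [ 'default_login_redirection' => '' ];
+$valid_input = $admin->loginredirection_validation( $old_input, $input );
+$this->assertEquals( $home_url, $valid_input['default_login_redirection'] );
+
+// Test that a URL with the same host as home_url will be saved.
+$input = [ 'default_login_redirection' => $home_url . '/path' ];
+$valid_input = $admin->loginredirection_validation( $old_input, $input );
+$this->assertEquals( $input['default_login_redirection'], $valid_input['default_login_redirection'] );
+
+// Test that a URL with a different scheme will be saved.
+$test_scheme = 'http' === $home_url_scheme ? 'https' : 'http';
+$input = [ 'default_login_redirection' => $test_scheme . '://' . $home_url_host . '/path' ];
+$valid_input = $admin->loginredirection_validation( $old_input, $input );
+$this->assertEquals( $input['default_login_redirection'], $valid_input['default_login_redirection'] );
+
+// Test that a subdomain of a main site can be used.
+$input = [ 'default_login_redirection' => $home_url_scheme . '://www.auth0.' . $home_url_host ];
+$valid_input = $admin->loginredirection_validation( $old_input, $input );
+$this->assertEquals( $input['default_login_redirection'], $valid_input['default_login_redirection'] );
+
+// Test that a main site of a subdomain can be used.
+$input = [ 'default_login_redirection' => $home_url ];
+update_option( 'home_url', $home_url_scheme . '://www.auth0.' . $home_url_host );
+$valid_input = $admin->loginredirection_validation( $old_input, $input );
+$this->assertEquals( $input['default_login_redirection'], $valid_input['default_login_redirection'] );
+update_option( 'home_url', $home_url );
+}
+}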
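Review bot: The final case, `update_option( 'home_url', ... )` before calling the validator, does not appear to change what `home_url()` returns — as far as I recall WordPress reads the `home` option, so unless the test bootstrap maps `home_url` specially, `$home_url` is being validated against itself and the "main site of a subdomain" branch is never actually exercised; `update_option( 'home', ... )` or a filter on `home_url` would drive it. There is also no negative case for a host that merely ends with the home host, e.g. `$input = [ 'default_login_redirection' => $home_url_scheme . '://evil' . $home_url_host ];` asserting the value is reverted, which is the boundary the validator most needs pinned. Several unrelated assertions share one test method; one method per behaviour or a data provider would make a failure attributable to a single case.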