Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor migration token validation and match entire token on endpoints #602

Merged
merged 3 commits into from
Dec 18, 2018
Merged

Refactor migration token validation and match entire token on endpoints #602

merged 3 commits into from
Dec 18, 2018

Conversation

joshcanhelp
Copy link
Contributor

@joshcanhelp joshcanhelp commented Dec 13, 2018
edited
Loading

Changes

This PR makes changes to how the migration token is used for user migration scenarios:

  • Migration tokens will now be compared first char-to-char with what was sent, then by decoding and checking for a jti attribute.
  • No connection updates are attempted when turning the endpoints on/off (this was not working anyways as the connection ID is not stored)
  • New tokens generated when the service is turned on for the first time are not JWTs
  • Admin documentation clarified

Testing

  • This change adds unit test coverage
  • This change has been tested on the latest version of WP

Checklist

  • All existing and new tests complete without errors
  • All code quality tools/guidelines in the Contribution guide have been run/followed
  • All active GitHub CI checks have passed

joshcanhelp
joshcanhelp commented Dec 14, 2018
View reviewed changes
lib/WP_Auth0_Routes.php
@@ -158,7 +158,7 @@ protected function getAuthorizationHeader() {
protected function migration_ws_login() {

// Migration web service is not turned on.
if ( $this->a0_options->get( 'migration_ws' ) == 0 ) {
if ( ! $this->a0_options->get( 'migration_ws' ) ) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More accurate checking for this setting.

@joshcanhelp joshcanhelp force-pushed the improve-migration-ws-validation branch from 72385a1 to 7cb8902 Compare December 14, 2018 00:29
joshcanhelp
joshcanhelp commented Dec 14, 2018
View reviewed changes
lib/WP_Auth0_Routes.php
@@ -173,18 +173,13 @@ protected function migration_ws_login() {
$authorization = $this->getAuthorizationHeader();
$authorization = trim( str_replace( 'Bearer ', '', $authorization ) );

$secret = $this->a0_options->get_client_secret_as_key( true );
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved to $this->valid_token

joshcanhelp
joshcanhelp commented Dec 14, 2018
View reviewed changes
lib/WP_Auth0_Routes.php
@@ -223,7 +218,7 @@ protected function migration_ws_login() {
protected function migration_ws_get_user() {

// Migration web service is not turned on.
if ( $this->a0_options->get( 'migration_ws' ) == 0 ) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More accurate checking for this setting.

joshcanhelp
joshcanhelp commented Dec 14, 2018
View reviewed changes
lib/admin/WP_Auth0_Admin_Advanced.php
@@ -705,63 +706,51 @@ public function basic_validation( $old_options, $input ) {
return $input;
}

public function migration_ws_validation( $old_options, $input ) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rewritten, probably best to review the final file.

@auth0 auth0 deleted a comment from codecov-io Dec 14, 2018
@joshcanhelp joshcanhelp force-pushed the improve-migration-ws-validation branch from 7cb8902 to c31607f Compare December 14, 2018 01:01
joshcanhelp
joshcanhelp commented Dec 14, 2018
View reviewed changes
lib/WP_Auth0_Routes.php
@@ -237,21 +232,15 @@ protected function migration_ws_get_user() {

$authorization = $this->getAuthorizationHeader();
$authorization = trim( str_replace( 'Bearer ', '', $authorization ) );

$secret = $this->a0_options->get_client_secret_as_key( true );
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved to $this->valid_token

@joshcanhelp joshcanhelp added this to the 3.9.0 milestone Dec 14, 2018
@joshcanhelp joshcanhelp force-pushed the improve-migration-ws-validation branch from c31607f to 224c436 Compare December 14, 2018 04:13
@auth0 auth0 deleted a comment from codecov-io Dec 14, 2018
@codecov-io
Copy link

codecov-io commented Dec 14, 2018
edited
Loading

Codecov Report

Merging #602 into master will increase coverage by 0.82%.
The diff coverage is 79.59%.

Impacted file tree graph

@@             Coverage Diff              @@
##             master     #602      +/-   ##
============================================
+ Coverage     33.19%   34.02%   +0.82%     
- Complexity     1313     1317       +4     
============================================
  Files            54       54              
  Lines          4191     4174      -17     
============================================
+ Hits           1391     1420      +29     
+ Misses         2800     2754      -46
Impacted Files Coverage Δ Complexity Δ
lib/admin/WP_Auth0_Admin_Generic.php 44.35% <100%> (ø) 46 <1> (ø) ⬇️
...ib/initial-setup/WP_Auth0_InitialSetup_Consent.php 61.05% <100%> (-2.32%) 26 <0> (ø)
lib/admin/WP_Auth0_Admin_Advanced.php 26.26% <66.66%> (+7.18%) 64 <6> (-1) ⬇️
lib/WP_Auth0_Routes.php 76.55% <88.88%> (+7.98%) 56 <5> (+5) ⬆️
lib/WP_Auth0_Options.php 84.15% <0%> (-1%) 28% <0%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bbce30c...858ab8f. Read the comment docs.

@joshcanhelp joshcanhelp changed the title [WIP] Replace token ID check with full token check; improve validation process Refactor migration token validation and match entire token on endpoints Dec 14, 2018
@joshcanhelp joshcanhelp force-pushed the improve-migration-ws-validation branch from 224c436 to 9651ae4 Compare December 14, 2018 17:06
cocojoe
cocojoe reviewed Dec 17, 2018
View reviewed changes
lib/WP_Auth0_Routes.php
*
* @return bool
*/
private function valid_token( $authorization ) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It possible to end up in some kind of RS256 situation? or it can only ever be HS256?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No. Original token was always created with HS256 but this new version compares char to char so the algorithm doesn't matter any longer.

cocojoe
cocojoe approved these changes Dec 18, 2018
View reviewed changes
Copy link
Member

@cocojoe cocojoe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thought I had already approved this last night 😄

@joshcanhelp joshcanhelp merged commit ab4683a into master Dec 18, 2018
@joshcanhelp joshcanhelp deleted the improve-migration-ws-validation branch December 18, 2018 15:37
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 19, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@cocojoe cocojoe cocojoe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
3.9.0
Development

Successfully merging this pull request may close these issues.
3 participants
@joshcanhelp @codecov-io @cocojoe