switch to GET method when taking user consent

Currently bshaffer oauth library has a bug when POST is used on AuthorizeEndpoint along with nonce (optional parameter) which fails to set the nonce in id_token
Automattic · Sep 21, 2022 · ebd4033 · ebd4033
1 parent 48515e6
commit ebd4033
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/Http/Handlers/AuthorizeHandler.php b/src/Http/Handlers/AuthorizeHandler.php
@@ -36,7 +36,7 @@ public function handle( Request $request, Response $response ): Response {
 
  $user = wp_get_current_user();
  if ( $this->consent_storage->needs_consent( $user->ID ) ) {
- if ( ! isset( $_POST['authorize'] ) || 'Authorize' !== $_POST['authorize'] ) {
+ if ( ! isset( $_REQUEST['authorize'] ) || 'Authorize' !== $_REQUEST['authorize'] ) {
  $response->send();
  exit;
  }

diff --git a/templates/authenticate/form.php b/templates/authenticate/form.php
@@ -1,6 +1,6 @@
 <?php /** @var stdClass $data */ ?>
 
-<form method="post" action="<?php echo esc_url( $data->form_url ); ?>">
+<form method="GET" action="<?php echo esc_url( $data->form_url ); ?>">
  <?php wp_nonce_field( 'wp_rest' ); /* The nonce will give the REST call the userdata. */ ?>
  <?php foreach ( $data->form_fields as $key => $value ) : ?>
  <input type="hidden" name="<?php echo esc_attr( $key ); ?>" value="<?php echo esc_attr( $value ); ?>"/>