diff --git a/.phpcs.ruleset.xml b/.phpcs.ruleset.xml
index 87a70d8..599af99 100644
--- a/.phpcs.ruleset.xml
+++ b/.phpcs.ruleset.xml
@@ -24,6 +24,12 @@ https://github.com/PHPCompatibility/PHPCompatibilityWP -->
+
+
+
+
+
+
diff --git a/composer.json b/composer.json
index 58b5c19..7c6aab7 100644
--- a/composer.json
+++ b/composer.json
@@ -17,6 +17,7 @@
 "slowprog/composer-copy-file": "0.2.1",
 "wp-coding-standards/wpcs": "*",
 "xwp/wp-dev-lib": "^1.6.5"
+ "automattic/vipwpcs": "^2.0"
 },
 "scripts": {
 "phpcs": [
diff --git a/wp-includes/rest-api/auth/class-wp-rest-key-pair.php b/wp-includes/rest-api/auth/class-wp-rest-key-pair.php
index aa7f4a6..f2338b6 100644
--- a/wp-includes/rest-api/auth/class-wp-rest-key-pair.php
+++ b/wp-includes/rest-api/auth/class-wp-rest-key-pair.php
@@ -96,14 +96,14 @@ public function register_routes() {
 'callback' => array( $this, 'generate_key_pair' ),
 'permission_callback' => '__return_true',
 'args' => array(
- 'name' => array(
+ 'name' => array(
 'description' => esc_html__( 'The name of the key-pair.', 'jwt-auth' ),
 'type' => 'string',
 'required' => true,
 'sanitize_callback' => 'sanitize_text_field',
 'validate_callback' => 'rest_validate_request_arg',
 ),
- 'user_id' => array(
+ 'user_id' => array(
 'description' => esc_html__( 'The ID of the user.', 'jwt-auth' ),
 'type' => 'integer',
 'required' => true,
@@ -120,7 +120,7 @@ public function register_routes() {
 'callback' => array( $this, 'delete_all_key_pairs' ),
 'permission_callback' => '__return_true',
 'args' => array(
- 'user_id' => array(
+ 'user_id' => array(
 'description' => esc_html__( 'The ID of the user.', 'jwt-auth' ),
 'type' => 'integer',
 'required' => true,
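Review bot: The added `"automattic/vipwpcs": "^2.0"` follows `"xwp/wp-dev-lib": "^1.6.5"`, which carries no trailing comma, so the patched composer.json is no longer valid JSON and Composer will refuse to read it. Either change the preceding line to `"xwp/wp-dev-lib": "^1.6.5",` or insert the new entry in sorted position (`automattic/…` sorts before `slowprog/…`) as `"automattic/vipwpcs": "^2.0",`, which also keeps the list alphabetical. The key of the enclosing section is outside the hunk; since the package only backs the new sniffs in `.phpcs.ruleset.xml`, it belongs under `require-dev`, and composer.lock should be regenerated in the same change if the project commits one.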
@@ -136,14 +136,14 @@ public function register_routes() {
 'callback' => array( $this, 'delete_key_pair' ),
 'permission_callback' => '__return_true',
 'args' => array(
- 'user_id' => array(
+ 'user_id' => array(
 'description' => esc_html__( 'The ID of the user.', 'jwt-auth' ),
 'type' => 'integer',
 'required' => true,
 'sanitize_callback' => 'absint',
 'validate_callback' => 'rest_validate_request_arg',
 ),
- 'api_key' => array(
+ 'api_key' => array(
 'description' => esc_html__( 'The API key being revoked.', 'jwt-auth' ),
 'type' => 'string',
 'required' => true,
@@ -359,11 +359,14 @@ public function authenticate( $user, WP_REST_Request $request ) {
 $found = false;
 $keypairs = $this->get_user_key_pairs( $get_user->ID );
+
+ // Update the "Last IP" which accessed the keypair. This may not work
+ // in some environments due to caching.
 foreach ( $keypairs as $_key => $item ) {
 if ( isset( $item['api_key'] ) && $item['api_key'] === $key ) {
 $keypairs[ $_key ]['last_used'] = time();
- $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null;
+ $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; // phpcs:ignore WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__
 if ( $ip ) {
 $keypairs[ $_key ]['last_ip'] = $ip;
 }
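Review bot: The new comment above the `foreach` does not say what "may not work ... due to caching" means, while the `phpcs:ignore` on the `$ip` line suppresses two VIP sniffs with quite different rationales, so the next reader cannot tell whether either suppression is justified. `$_SERVER['REMOTE_ADDR']` is the address of the immediate TCP peer: it is not client-settable the way forwarded-for headers are, but behind a reverse proxy or CDN it records the proxy rather than the client, and reading it on a request path can also keep the response out of a full-page cache — which is what the `cache_constraints` sniff is about. Replace the comment with something like `// Record the peer address that used this key-pair. REMOTE_ADDR is the direct TCP peer (the proxy/CDN address when one sits in front of PHP), and reading it can make the response uncacheable — hence the VIP sniff suppressions below.`. The identical suppression is added in the `@@ -346` hunk of `authenticate_refresh_token()` further down, whose file header is not visible on this page; the same comment applies there. Both enclosing functions continue outside their hunks.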
@@ -708,6 +711,7 @@ public function template_new_key_pair() {
 * @since 0.1
 */
 public function template_new_token_key_pair() {
+ // phpcs:disable WordPressVIPMinimum.Security.Mustache.OutputNotation
 ?> array( $this, 'generate_token' ), 'permission_callback' => '__return_true', 'args' => array(
- 'api_key' => array(
+ 'api_key' => array(
 'description' => __( 'The API key of the user; requires also setting the api_secret.', 'jwt-auth' ),
 'type' => 'string',
 'sanitize_callback' => 'sanitize_text_field',
 'validate_callback' => 'rest_validate_request_arg',
 ),
- 'api_secret' => array(
+ 'api_secret' => array(
 'description' => __( 'The API secret of the user; requires also setting the api_key.', 'jwt-auth' ),
 'type' => 'string',
 'sanitize_callback' => 'sanitize_text_field',
@@ -346,7 +346,7 @@ public function authenticate_refresh_token( $user, WP_REST_Request $request ) {
 if ( isset( $item['api_key'] ) && $item['api_key'] === $token->data->user->api_key ) {
 $keypairs[ $_key ]['last_used'] = time();
- $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null;
+ $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : null; // phpcs:ignore WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__
 if ( $ip ) {
 $keypairs[ $_key ]['last_ip'] = $ip;
 }
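Review bot: `// phpcs:disable WordPressVIPMinimum.Security.Mustache.OutputNotation` at the top of `template_new_token_key_pair()` has no matching `phpcs:enable` in the visible hunk; a `phpcs:disable` stays in force until it is re-enabled or the file ends, so every later line of the file — not just this template — is exempt from the triple-mustache check. Add `// phpcs:enable WordPressVIPMinimum.Security.Mustache.OutputNotation` at the point where the function returns from the template to PHP, or use a per-line `// phpcs:ignore` on the specific `{{{ }}}` lines instead. The sniff exists because triple-mustache output is inserted unescaped, so the suppression should also state which fields are rendered that way and why they are safe in that context; the template body is outside the hunk on this page, so that cannot be confirmed here. The function's body continues past the hunk.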