Merge pull request #3 from newfold-labs/legacy-support

Adds legacy support
newfold-labs · Jul 5, 2022 · a67c88f · a67c88f
2 parents eb941bc + f9d641d
commit a67c88f
Show file tree

Hide file tree

Showing 4 changed files with 117 additions and 1 deletion.
diff --git a/bootstrap.php b/bootstrap.php
@@ -8,6 +8,11 @@
 		'plugins_loaded',
 		function () {
 
+			// Unregister actions from the sso.php mu-plugin in case they exist
+			// This ensures that this code always takes priority for SSO handling
+			remove_action( 'wp_ajax_nopriv_sso-check', 'sso_check' );
+			remove_action( 'wp_ajax_sso-check', 'sso_check' );
+
 			register(
 				[
 					'name'     => 'sso',

diff --git a/includes/SSO_AJAX_Handler.php b/includes/SSO_AJAX_Handler.php
@@ -9,7 +9,10 @@ class SSO_AJAX_Handler {
 	 */
 	public function __construct() {
 
-		$actions = [ SSO_Helpers::ACTION => 'login' ];
+		$actions = [
+			SSO_Helpers::ACTION        => 'login',
+			SSO_Helpers_Legacy::ACTION => 'legacyLogin',
+		];
 
 		foreach ( $actions as $action => $methodName ) {
 			add_action( "wp_ajax_{$action}", [ $this, $methodName ] );
@@ -25,4 +28,15 @@ public function login() {
 		SSO_Helpers::handleLogin( filter_input( INPUT_GET, 'token', FILTER_SANITIZE_STRING ) );
 	}
 
+	/**
+	 * Handle legacy SSO login attempts.
+	 */
+	public function legacyLogin() {
+
+		$nonce = filter_input( INPUT_GET, 'nonce', FILTER_SANITIZE_STRING );
+		$salt  = filter_input( INPUT_GET, 'salt', FILTER_SANITIZE_STRING );
+
+		SSO_Helpers_Legacy::handleLegacyLogin( $nonce, $salt );
+	}
+
 }
diff --git a/includes/SSO_Helpers.php b/includes/SSO_Helpers.php
@@ -129,6 +129,8 @@ public static function shouldThrottle() {
 	 */
 	public static function triggerFailure() {
 
+		self::logFailure();
+
 		// Enable legacy action when necessary
 		if ( has_action( 'eig_sso_fail' ) ) {
 			do_action( 'eig_sso_fail' );
@@ -187,6 +189,20 @@ public static function getSuccessUrl() {
 			}
 		}
 
+		if ( $url ) {
+			$params = $_GET;
+
+			unset( $params['bounce'] );
+			unset( $params['nonce'] );
+			unset( $params['redirect'] );
+			unset( $params['salt'] );
+			unset( $params['token'] );
+			unset( $params['user'] );
+
+			// Persist all query params not used for SSO
+			$url .= $params ? '?' . http_build_query( $params ) : '';
+		}
+
 		if ( ! $url ) {
 			$url = apply_filters( 'newfold_sso_success_url_default', admin_url() );
 		}

diff --git a/includes/SSO_Helpers_Legacy.php b/includes/SSO_Helpers_Legacy.php
@@ -0,0 +1,81 @@
+<?php
+
+namespace NewFoldLabs\WP\Module\SSO;
+
+class SSO_Helpers_Legacy extends SSO_Helpers {
+
+	/**
+	 * SSO AJAX action.
+	 */
+	const ACTION = 'sso-check';
+
+	/**
+	 * Handle SSO login.
+	 *
+	 * @param string $token
+	 */
+	public static function handleLegacyLogin( $nonce, $salt ) {
+
+		// Not doing sso
+		if ( ! $nonce || ! $salt ) {
+			wp_safe_redirect( wp_login_url() );
+			exit;
+		}
+
+		// Too many failed attempts
+		if ( self::shouldThrottle() ) {
+			self::triggerFailure();
+			exit;
+		}
+
+		// Find user
+		$user = self::getUser();
+		if ( ! $user ) {
+			self::triggerFailure();
+			exit;
+		}
+
+		// Validate token
+		$token = substr( base64_encode( hash( 'sha256', $nonce . $salt, false ) ), 0, 64 );
+		if ( get_transient( 'sso_token' ) !== $token ) {
+			self::triggerFailure();
+			exit;
+		}
+
+		// Do login
+		self::triggerSuccess( $user );
+	}
+
+	/**
+	 * Get the user to login with.
+	 *
+	 * @return \WP_User|false
+	 */
+	public static function getUser() {
+		$user = false;
+
+		$user_reference = filter_input( INPUT_GET, 'user' );
+
+		if ( $user_reference ) {
+			if ( is_email( $user_reference ) ) {
+				$user = get_user_by( 'email', sanitize_email( $user_reference ) );
+			} else {
+				$user_id = absint( $user_reference );
+				if ( $user_id ) {
+					$user = get_user_by( 'id', $user_id );
+				}
+			}
+		}
+
+		// If user wasn't found, find first admin user
+		if ( ! $user ) {
+			$users = get_users( array( 'role' => 'administrator', 'number' => 1 ) );
+			if ( isset( $users[0] ) && is_a( $users[0], 'WP_User' ) ) {
+				$user = $users[0];
+			}
+		}
+
+		return $user;
+	}
+
+}