Fixed the nonce check

almirbi · almirbi · commit 121ed8b78313 · 2017-06-19T21:26:43.000+02:00
diff --git a/inc/authentication/namespace.php b/inc/authentication/namespace.php
@@ -75,7 +75,7 @@ function attempt_authentication( $user = null ) {
 			array(
 				'status' => WP_Http::FORBIDDEN,
 				'token' => $token_value,
-			),
+			)
 		);
 	}
 
diff --git a/inc/endpoints/class-authorization.php b/inc/endpoints/class-authorization.php
@@ -13,7 +13,6 @@ class Authorization {
 	 */
 	public function register_hooks() {
 		add_action( 'login_form_' . static::LOGIN_ACTION, array( $this, 'handle_request' ) );
-		add_action( 'oauth2_authorize_form', array( $this, 'render_page_fields' ) );
 	}
 
 	public function handle_request() {
@@ -22,7 +21,7 @@ public function handle_request() {
 
 		switch ( $type ) {
 			case 'code':
-				$handler = new Types\Authorization_Code();
+				$handler = new Types\AuthorizationCode();
 				break;
 
 			case 'token':
@@ -42,8 +41,4 @@ public function handle_request() {
 			wp_die( $result->get_error_message() );
 		}
 	}
-
-	public function render_page_fields() {
-		wp_nonce_field( 'json_oauth2_authorize' );
-	}
 }
diff --git a/inc/tokens/class-token.php b/inc/tokens/class-token.php
@@ -29,5 +29,5 @@ public function is_valid() {
 	public function get_meta_key() {
 		return static::get_meta_prefix() . $this->get_key();
 	}
-	public function to_meta_value();
+	public abstract function to_meta_value();
 }
diff --git a/inc/types/class-base.php b/inc/types/class-base.php
@@ -46,7 +46,6 @@ public function handle_authorisation() {
 			return $this->render_form( $client );
 		}
 
-
 		// Check nonce.
 		$nonce = wp_unslash( $_POST['_wpnonce'] );
 		if ( ! wp_verify_nonce( $nonce, $this->get_nonce_action( $client ) ) ) {
@@ -56,8 +55,6 @@ public function handle_authorisation() {
 			);
 		}
 
-
-
 		$submit = wp_unslash( $_POST['wp-submit'] );
 		if ( empty( $submit ) ) {
 			return new WP_Error();
@@ -118,6 +115,7 @@ public function render_form( Client $client ) {
 	 * @param Client $client Client to generate nonce for.
 	 */
 	protected function get_nonce_action( Client $client ) {
-		return sprintf( 'oauth2_authorize:%s', $client->get_post_id() );
+		// return sprintf( 'oauth2_authorize:%s', $client->get_post_id() );
+		return 'json_oauth2_authorize';
 	}
 }
diff --git a/lib/class-wp-rest-oauth2-ui.php b/lib/class-wp-rest-oauth2-ui.php
@@ -28,7 +28,6 @@ class WP_REST_OAuth2_UI {
 	 */
 	public function register_hooks() {
 		add_action( 'login_form_oauth2_authorize', array( $this, 'handle_request' ) );
-		// add_action( 'oauth2_authorize_form', array( $this, 'page_fields' ) );
 	}
 
 	/**
@@ -59,55 +58,6 @@ public function render_page() {
 		$auth_code->handle_authorisation();
 	}
 
-	/**
-	 * Output required hidden fields
-	 *
-	 * Outputs the required hidden fields for the authorization page, including
-	 * nonce field.
-	 */
-	public function page_fields() {
-		wp_nonce_field( sprintf( 'oauth2_authorize:%s', $this->client->get_post_id() ) );
-	}
-
-	/**
-	 * Handle redirecting the user after authorization
-	 *
-	 * @param string $verifier Verification code
-	 * @return null|WP_Error Null on success, error otherwise
-	 */
-	/*public function handle_callback_redirect( $verifier ) {
-		if ( empty( $this->token['callback'] ) || $this->token['callback'] === 'oob' ) {
-			// No callback registered, display verification code to the user
-			login_header( __( 'Access Token', 'rest_oauth1' ) );
-			echo '<p>' . sprintf( __( 'Your verification token is <code>%s</code>', 'rest_oauth1' ), $verifier ) . '</p>';
-			login_footer();
-
-			return null;
-		}
-
-		$callback = $this->token['callback'];
-
-		// Ensure the URL is safe to access
-		$authenticator = new WP_REST_OAuth1();
-		if ( ! $authenticator->check_callback( $callback, $this->token['consumer'] ) ) {
-			return new WP_Error( 'json_oauth1_invalid_callback', __( 'The callback URL is invalid', 'rest_oauth1' ), array( 'status' => 400 ) );
-		}
-
-		$args = array(
-			'oauth_token' => $this->token['key'],
-			'oauth_verifier' => $verifier,
-			'wp_scope' => '*',
-		);
-		$args = apply_filters( 'json_oauth2_callback_args', $args, $this->token );
-		$args = urlencode_deep( $args );
-		$callback = add_query_arg( $args, $callback );
-
-		// Offsite, so skip safety check
-		wp_redirect( $callback );
-
-		return null;
-	}*/
-
 	/**
 	 * Display an error using login page wrapper
 	 *
diff --git a/theme/oauth2-authorize.php b/theme/oauth2-authorize.php
@@ -76,7 +76,7 @@
 	 * Fires inside the lostpassword <form> tags.
 	 */
 	do_action( 'oauth2_authorize_form', $client );
-	wp_nonce_field( 'oauth2_authorize' );
+	wp_nonce_field( 'json_oauth2_authorize' );
 	?>
 
 	<p class="submit">

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ function attempt_authentication( $user = null ) {`
`75`	`75`	`array(`
`76`	`76`	`'status' => WP_Http::FORBIDDEN,`
`77`	`77`	`'token' => $token_value,`
`78`		`- ),`
	`78`	`+ )`
`79`	`79`	`);`
`80`	`80`	`}`
`81`	`81`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,6 @@ class Authorization {`
`13`	`13`	`*/`
`14`	`14`	`public function register_hooks() {`
`15`	`15`	`add_action( 'login_form_' . static::LOGIN_ACTION, array( $this, 'handle_request' ) );`
`16`		`- add_action( 'oauth2_authorize_form', array( $this, 'render_page_fields' ) );`
`17`	`16`	`}`
`18`	`17`
`19`	`18`	`public function handle_request() {`
`@@ -22,7 +21,7 @@ public function handle_request() {`
`22`	`21`
`23`	`22`	`switch ( $type ) {`
`24`	`23`	`case 'code':`
`25`		`- $handler = new Types\Authorization_Code();`
	`24`	`+ $handler = new Types\AuthorizationCode();`
`26`	`25`	`break;`
`27`	`26`
`28`	`27`	`case 'token':`
`@@ -42,8 +41,4 @@ public function handle_request() {`
`42`	`41`	`wp_die( $result->get_error_message() );`
`43`	`42`	`}`
`44`	`43`	`}`
`45`		`-`
`46`		`- public function render_page_fields() {`
`47`		`- wp_nonce_field( 'json_oauth2_authorize' );`
`48`		`- }`
`49`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,5 +29,5 @@ public function is_valid() {`
`29`	`29`	`public function get_meta_key() {`
`30`	`30`	`return static::get_meta_prefix() . $this->get_key();`
`31`	`31`	`}`
`32`		`- public function to_meta_value();`
	`32`	`+ public abstract function to_meta_value();`
`33`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,6 @@ public function handle_authorisation() {`
`46`	`46`	`return $this->render_form( $client );`
`47`	`47`	`}`
`48`	`48`
`49`		`-`
`50`	`49`	`// Check nonce.`
`51`	`50`	`$nonce = wp_unslash( $_POST['_wpnonce'] );`
`52`	`51`	`if ( ! wp_verify_nonce( $nonce, $this->get_nonce_action( $client ) ) ) {`
`@@ -56,8 +55,6 @@ public function handle_authorisation() {`
`56`	`55`	`);`
`57`	`56`	`}`
`58`	`57`
`59`		`-`
`60`		`-`
`61`	`58`	`$submit = wp_unslash( $_POST['wp-submit'] );`
`62`	`59`	`if ( empty( $submit ) ) {`
`63`	`60`	`return new WP_Error();`
`@@ -118,6 +115,7 @@ public function render_form( Client $client ) {`
`118`	`115`	`* @param Client $client Client to generate nonce for.`
`119`	`116`	`*/`
`120`	`117`	`protected function get_nonce_action( Client $client ) {`
`121`		`- return sprintf( 'oauth2_authorize:%s', $client->get_post_id() );`
	`118`	`+ // return sprintf( 'oauth2_authorize:%s', $client->get_post_id() );`
	`119`	`+ return 'json_oauth2_authorize';`
`122`	`120`	`}`
`123`	`121`	`}`