Merge pull request #41 from WP-API/add-phpunit-and-cs

Add PHPUnit and coding standards checks

Author: rmccue

.travis.yml

@@ -0,0 +1,9 @@
+language: php
+php:
+  - '7.1'
+install:
+  - composer install
+  - bash tests/install-tests.sh wordpress_test root '' 127.0.0.1 latest
+script:
+  - vendor/bin/phpcs --standard=vendor/humanmade/coding-standards .
+  - phpunit

composer.json

@@ -1,12 +1,15 @@
 {
-  "name": "wp-api/oauth2",
-  "description": "OAuth 2 Server for WordPress",
-  "type": "wordpress-plugin",
-  "license": "GPL2+",
-  "authors": [
-    {
-      "name": "WP-API Team",
-      "homepage": "http://wp-api.org/"
-    }
-  ]
+	"name": "wp-api/oauth2",
+	"description": "OAuth 2 Server for WordPress",
+	"type": "wordpress-plugin",
+	"license": "GPL2+",
+	"authors": [
+		{
+			"name": "WP-API Team",
+			"homepage": "http://wp-api.org/"
+		}
+	],
+	"require-dev": {
+		"humanmade/coding-standards": "dev-master"
+	}
 }

inc/admin/class-listtable.php

@@ -17,12 +17,6 @@ public function prepare_items() {
 		$args = [
 			'post_type'   => Client::POST_TYPE,
 			'post_status' => 'any',
-//			'meta_query'  => [
-//				[
-//					'key'   => 'type',
-//					'value' => 'oauth2',
-//				],
-//			],
 			'paged'       => $paged,
 		];
 
@@ -32,7 +26,7 @@ public function prepare_items() {
 		$pagination_args = [
 			'total_items' => $query->found_posts,
 			'total_pages' => $query->max_num_pages,
-			'per_page'    => $query->get( 'posts_per_page' )
+			'per_page'    => $query->get( 'posts_per_page' ),
 		];
 		$this->set_pagination_args( $pagination_args );
 	}
@@ -62,10 +56,10 @@ public function get_columns() {
 	public function column_cb( $item ) {
 		?>
 		<label class="screen-reader-text"
-		       for="cb-select-<?php echo esc_attr( $item->ID ) ?>"><?php esc_html_e( 'Select consumer', 'oauth2' ); ?></label>
+			   for="cb-select-<?php echo esc_attr( $item->ID ) ?>"><?php esc_html_e( 'Select consumer', 'oauth2' ); ?></label>
 
 		<input id="cb-select-<?php echo esc_attr( $item->ID ) ?>" type="checkbox"
-		       name="consumers[]" value="<?php echo esc_attr( $item->ID ) ?>"/>
+			   name="consumers[]" value="<?php echo esc_attr( $item->ID ) ?>"/>
 
 		<?php
 	}

inc/admin/namespace.php

@@ -110,7 +110,7 @@ function render() {
 			<?php
 			esc_html_e( 'Registered Applications', 'oauth2' );
 
-			if ( current_user_can( 'create_users' ) ): ?>
+			if ( current_user_can( 'create_users' ) ) : ?>
 				<a href="<?php echo esc_url( get_url( 'action=add' ) ) ?>"
 				   class="add-new-h2"><?php echo esc_html_x( 'Add New', 'application', 'oauth2' ); ?></a>
 				<?php
@@ -270,8 +270,16 @@ function render_edit_page() {
 
 	// Handle form submission
 	$messages = [];
-	if ( ! empty( $_POST['submit'] ) ) {
+	$form_data = [];
+	if ( ! empty( $_POST['_wpnonce'] ) ) {
+		if ( empty( $consumer ) ) {
+			check_admin_referer( 'rest-oauth2-add' );
+		} else {
+			check_admin_referer( 'rest-oauth2-edit-' . $consumer->get_post_id() );
+		}
+
 		$messages = handle_edit_submit( $consumer );
+		$form_data = wp_unslash( $_POST );
 	}
 	if ( ! empty( $_GET['did_action'] ) ) {
 		switch ( $_GET['did_action'] ) {
@@ -291,9 +299,9 @@ function render_edit_page() {
 
 	$data = [];
 
-	if ( empty( $consumer ) || ! empty( $_POST['_wpnonce'] ) ) {
+	if ( empty( $consumer ) || ! empty( $form_data ) ) {
 		foreach ( [ 'name', 'description', 'callback', 'type' ] as $key ) {
-			$data[ $key ] = empty( $_POST[ $key ] ) ? '' : wp_unslash( $_POST[ $key ] );
+			$data[ $key ] = empty( $form_data[ $key ] ) ? '' : $form_data[ $key ];
 		}
 	} else {
 		$data['name']        = $consumer->get_name();

inc/admin/profile/namespace.php

@@ -28,7 +28,7 @@ function render_profile_section( WP_User $user ) {
 	$tokens = Access_Token::get_for_user( $user );
 	?>
 	<h2><?php _e( 'Authorized Applications', 'oauth2' ) ?></h2>
-	<?php if ( ! empty( $tokens ) ): ?>
+	<?php if ( ! empty( $tokens ) ) : ?>
 		<table class="widefat">
 			<thead>
 			<tr>
@@ -44,7 +44,7 @@ function render_profile_section( WP_User $user ) {
 			?>
 			</tbody>
 		</table>
-	<?php else: ?>
+	<?php else : ?>
 		<p class="description"><?php esc_html_e( 'No applications authorized.', 'oauth2' ) ?></p>
 	<?php endif ?>
 	<?php
@@ -85,7 +85,7 @@ function render_token_row( WP_User $user, Access_Token $token ) {
 		sprintf(
 			'<button class="button" name="oauth2_revoke" title="%s" value="%s">%s</button>',
 			$button_title,
-			esc_attr( $token->get_key() ),
+			wp_create_nonce( 'oauth2_revoke:' . $token->get_key() ) . ':' . esc_attr( $token->get_key() ),
 			esc_html__( 'Revoke', 'oauth2' )
 		),
 	];
@@ -138,7 +138,18 @@ function handle_revocation( $user_id ) {
 		return;
 	}
 
-	$key = wp_unslash( $_POST['oauth2_revoke'] );
+	$data = wp_unslash( $_POST['oauth2_revoke'] ); // WPCS: CSRF OK
+	if ( strpos( $data, ':' ) === null ) {
+		return;
+	}
+
+	// Split out nonce and check it.
+	list( $nonce, $key ) = explode( ':', $data, 2 );
+	if ( ! wp_verify_nonce( $nonce, 'oauth2_revoke:' . $key ) ) {
+		wp_nonce_ays( 'oauth2_revoke' );
+		die();
+	}
+
 	$token = Access_Token::get_by_id( $key );
 	if ( empty( $token ) ) {
 		var_dump( $key, $token );

inc/namespace.php

@@ -0,0 +1,133 @@
+<?php
+
+namespace WP\OAuth2;
+
+use WP\OAuth2\Types\Type;
+use WP_REST_Response;
+
+function bootstrap() {
+	// Core authentication hooks.
+	add_action( 'init', __NAMESPACE__ . '\\Client::register_type' );
+	add_filter( 'determine_current_user', __NAMESPACE__ . '\\Authentication\\attempt_authentication', 11 );
+
+	// REST API integration.
+	add_filter( 'rest_authentication_errors', __NAMESPACE__ . '\\Authentication\\maybe_report_errors' );
+	add_filter( 'rest_index', __NAMESPACE__ . '\\register_in_index' );
+	add_action( 'rest_api_init', __NAMESPACE__ . '\\Endpoints\\register' );
+
+	// Internal default hooks.
+	add_filter( 'oauth2.grant_types', __NAMESPACE__ . '\\register_grant_types', 0 );
+
+	// Admin-related.
+	add_action( 'init', __NAMESPACE__ . '\\rest_oauth2_load_authorize_page' );
+	add_action( 'admin_menu', __NAMESPACE__ . '\\Admin\\register' );
+	Admin\Profile\bootstrap();
+}
+
+/**
+ * Register the authorization page
+ *
+ * Alas, login_init is too late to register pages, as the action is already
+ * sanitized before this.
+ */
+function rest_oauth2_load_authorize_page() {
+	$authorizer = new Endpoints\Authorization();
+	$authorizer->register_hooks();
+}
+
+/**
+ * Get valid grant types.
+ *
+ * @return Type[] Map of grant type to handler object.
+ */
+function get_grant_types() {
+	/**
+	 * Filter valid grant types.
+	 *
+	 * Default supported grant types are added in register_grant_types().
+	 * Note that additional grant types must follow the extension policy in the
+	 * OAuth 2 specification.
+	 *
+	 * @param Type[] $grant_types Map of grant type to handler object.
+	 */
+	$grant_types = apply_filters( 'oauth2.grant_types', [] );
+	foreach ( $grant_types as $type => $handler ) {
+		if ( ! $handler instanceof Type ) {
+			/* translators: 1: Grant type name, 2: Grant type interface */
+			$message = __( 'Skipping invalid grant type "%1$s". Required interface "%1$s" not implemented.', 'oauth2' );
+			_doing_it_wrong( __FUNCTION__, sprintf( $message, $type, 'WP\\OAuth2\\Types\\Type' ), '0.1.0' );
+			unset( $grant_types[ $type ] );
+		}
+	}
+
+	return $grant_types;
+}
+
+/**
+ * Register default grant types.
+ *
+ * Callback for the oauth2.grant_types hook.
+ *
+ * @param array $types Existing grant types.
+ * @return array Grant types with additional types registered.
+ */
+function register_grant_types( $types ) {
+	$types['authorization_code'] = new Types\Authorization_Code();
+	$types['implicit'] = new Types\Implicit();
+
+	return $types;
+}
+
+/**
+ * Register the OAuth 2 authentication scheme in the API index.
+ *
+ * @param WP_REST_Response $response Index response object.
+ * @return WP_REST_Response Update index repsonse object.
+ */
+function register_in_index( WP_REST_Response $response ) {
+	$data = $response->get_data();
+
+	$data['authentication']['oauth2'] = [
+		'endpoints' => [
+			'authorization' => get_authorization_url(),
+			'token' => get_token_url(),
+		],
+		'grant_types' => array_keys( get_grant_types() ),
+	];
+
+	$response->set_data( $data );
+	return $response;
+}
+
+/**
+ * Get the authorization endpoint URL.
+ *
+ * @return string URL for the OAuth 2 authorization endpoint.
+ */
+function get_authorization_url() {
+	$url = wp_login_url();
+	$url = add_query_arg( 'action', 'oauth2_authorize', $url );
+
+	/**
+	 * Filter the authorization URL.
+	 *
+	 * @param string $url URL for the OAuth 2 authorization endpoint.
+	 */
+	return apply_filters( 'oauth2.get_authorization_url', $url );
+}
+
+/**
+ * Get the token endpoint URL.
+ *
+ * @return string URL for the OAuth 2 token endpoint.
+ */
+function get_token_url() {
+	$url = rest_url( 'oauth2/access_token' );
+
+	/**
+	 * Filter the token URL.
+	 *
+	 * @param string $url URL for the OAuth 2 token endpoint.
+	 */
+	return apply_filters( 'oauth2.get_token_url', $url );
+}

inc/types/class-authorization-code.php

@@ -5,7 +5,7 @@
 use WP_Error;
 use WP\OAuth2\Client;
 
-class AuthorizationCode extends Base {
+class Authorization_Code extends Base {
 	/**
 	 * Get response_type code for authorisation page.
 	 *

inc/types/class-base.php

@@ -69,8 +69,8 @@ public function handle_authorisation() {
 		}
 
 		// Check nonce.
-		$nonce = wp_unslash( $_POST['_wpnonce'] );
-		if ( ! wp_verify_nonce( $nonce, $this->get_nonce_action( $client ) ) ) {
+		$nonce_action = $this->get_nonce_action( $client );
+		if ( ! wp_verify_nonce( wp_unslash( $_POST['_wpnonce'] ), $none_action ) ) {
 			return new WP_Error(
 				'oauth2.types.authorization_code.handle_authorisation.invalid_nonce',
 				__( 'Invalid nonce.', 'oauth2' )

phpunit.xml.dist

@@ -0,0 +1,23 @@
+<phpunit
+	bootstrap="tests/bootstrap.php"
+	backupGlobals="false"
+	colors="true"
+	convertErrorsToExceptions="true"
+	convertNoticesToExceptions="true"
+	convertWarningsToExceptions="true"
+	>
+	<testsuites>
+		<testsuite>
+			<directory prefix="class-" suffix=".php">tests</directory>
+		</testsuite>
+	</testsuites>
+	<filter>
+		<blacklist>
+			<directory suffix=".php">.</directory>
+		</blacklist>
+		<whitelist>
+			<directory suffix=".php">./inc</directory>
+			<file>./plugin.php</file>
+		</whitelist>
+	</filter>
+</phpunit>