Begin work on OAuth 2

Author: rmccue

inc/authentication/namespace.php

@@ -0,0 +1,84 @@
+<?php
+
+namespace WP\OAuth2\Authentication;
+
+use WP_Http;
+use WP\OAuth2\Tokens;
+
+/**
+ * Get the authorization header
+ *
+ * On certain systems and configurations, the Authorization header will be
+ * stripped out by the server or PHP. Typically this is then used to
+ * generate `PHP_AUTH_USER`/`PHP_AUTH_PASS` but not passed on. We use
+ * `getallheaders` here to try and grab it out instead.
+ *
+ * @return string|null Authorization header if set, null otherwise
+ */
+function get_authorization_header() {
+	if ( ! empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
+		return wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] );
+	}
+
+	if ( function_exists( 'getallheaders' ) ) {
+		$headers = getallheaders();
+
+		// Check for the authoization header case-insensitively
+		foreach ( $headers as $key => $value ) {
+			if ( strtolower( $key ) === 'authorization' ) {
+				return $value;
+			}
+		}
+	}
+
+	return null;
+}
+
+function get_provided_token() {
+	$header = get_authorization_header();
+	if ( empty( $header ) || ! is_string( $header ) ) {
+		return null;
+	}
+
+	// Attempt to parse as a Bearer header.
+	$is_valid = preg_match( '/Bearer ([a-zA-Z0-9=.~\-\+\/]+)/', trim( $header ), $matches );
+	if ( ! $is_valid ) {
+		return null;
+	}
+
+	return $matches[1];
+}
+
+/**
+ * Try to authenticate if possible.
+ *
+ * @param WP_User|null $user Existing authenticated user.
+ */
+function attempt_authentication( $user = null ) {
+	if ( ! empty( $user ) ) {
+		return $user;
+	}
+
+	// Were we given an token?
+	$token_value = get_provided_token();
+	if ( empty( $token_value ) ) {
+		// No data provided, pass.
+		return $user;
+	}
+
+	// Attempt to find the token.
+	$token = Tokens\get_by_id( $token_value );
+	if ( empty( $token ) ) {
+		return new WP_Error(
+			'oauth2.authentication.attempt_authentication.invalid_token',
+			__( 'Supplied token is invalid.', 'oauth2' ),
+			array(
+				'status' => WP_Http::FORBIDDEN,
+				'token' => $token_value,
+			),
+		);
+	}
+
+	// Token found, authenticate as the user.
+	return $token->get_user_id();
+}

inc/class-client.php

@@ -0,0 +1,193 @@
+<?php
+
+namespace WP\OAuth2;
+
+use WP_Error;
+use WP_Post;
+
+class Client {
+	const POST_TYPE            = 'oauth2_client';
+	const CLIENT_ID_KEY        = '_oauth2_client_id';
+	const CLIENT_SECRET_KEY    = '_oauth2_client_secret';
+	const TYPE_KEY             = '_oauth2_client_type';
+	const REDIRECT_URI_KEY     = '_oauth2_redirect_uri';
+	const AUTH_CODE_KEY_PREFIX = '_oauth2_authcode_';
+	const AUTH_CODE_LENGTH     = 12;
+	const CLIENT_ID_LENGTH     = 12;
+	const CLIENT_SECRET_LENGTH = 48;
+	const AUTH_CODE_AGE        = 600; // 10 * MINUTE_IN_SECONDS
+
+	protected $post;
+
+	/**
+	 * Constructor.
+	 */
+	protected function __construct( WP_Post $post ) {
+		$this->post = $post;
+	}
+
+	/**
+	 * Get the client's ID.
+	 *
+	 * @return string Client ID.
+	 */
+	public function get_id() {
+		$result = get_post_meta( $this->get_post_id(), static::CLIENT_ID_KEY, false );
+		if ( empty( $result ) ) {
+			return null;
+		}
+
+		return $result[0];
+	}
+
+	/**
+	 * Get the client's post ID.
+	 *
+	 * For internal (WordPress) use only. For external use, use get_key()
+	 *
+	 * @return int Client ID.
+	 */
+	public function get_post_id() {
+		return $this->post->ID;
+	}
+
+	/**
+	 * Get the client's name.
+	 *
+	 * @return string HTML string.
+	 */
+	public function get_name() {
+		return get_the_title( $this->get_post_id() );
+	}
+
+	/**
+	 * Get the client's type.
+	 *
+	 * @return string|null Type ID if available, null otherwise.
+	 */
+	public function get_type() {
+		$result = get_post_meta( $this->get_post_id(), static::TYPE_KEY, false );
+		if ( empty( $result ) ) {
+			return null;
+		}
+
+		return $result[0];
+	}
+
+	/**
+	 * Get registered URIs for the client.
+	 *
+	 * @return string[] List of valid redirect URIs.
+	 */
+	public function get_redirect_uris() {
+		return get_post_meta( $this->get_post_id(), static::REDIRECT_URI_KEY, false );
+	}
+
+	/**
+	 * Check if a redirect URI is valid for the client.
+	 *
+	 * @param string $url Supplied redirect URI to check.
+	 * @return boolean True if the URI is valid, false otherwise.
+	 */
+	public function check_redirect_uri( $uri ) {
+		return false;
+	}
+
+	public function generate_authorization_code( WP_User $user ) {
+		$code = wp_generate_password( static::AUTH_CODE_LENGTH, false );
+		$meta_key = static::AUTH_CODE_KEY_PREFIX . $code;
+		$data = array(
+			'user'       => $user->ID,
+			'expiration' => static::AUTH_CODE_AGE,
+		);
+		$result = add_post_meta( $this->get_post_id(), wp_slash( $meta_key ), wp_slash( $data ), true );
+		if ( ! $result ) {
+			return new WP_Error();
+		}
+
+		return $code;
+	}
+
+	/**
+	 * Issue token for a user.
+	 *
+	 * @param WP_User $user
+	 */
+	public function issue_token( WP_User $user ) {
+		return Tokens\Access_Token::create( $this, $user );
+	}
+
+	/**
+	 * Get a client by ID.
+	 *
+	 * @param int $id Client/post ID.
+	 * @return static|null Client instance on success, null if invalid/not found.
+	 */
+	public static function get_by_id( $id ) {
+		$post = get_post( $id );
+		if ( ! $post ) {
+			return null;
+		}
+
+		return new static( $post );
+	}
+
+	/**
+	 * Create a new client.
+	 *
+	 * @param array $data {
+	 * }
+	 * @return static|WP_Error Client instance on success, error otherwise.
+	 */
+	public static function create( $data ) {
+		$post_data = array(
+			'post_type'    => static::POST_TYPE,
+			'post_title'   => $data['name'],
+			'post_content' => $data['description'],
+			'post_author'  => $data['author'],
+			'post_status'  => 'draft',
+		);
+
+		$post_id = wp_insert_post( wp_slash( $post_data ), true );
+		if ( is_wp_error( $post_id ) ) {
+			return $post_id;
+		}
+
+		// Generate ID and secret.
+		$meta = array(
+			static::CLIENT_ID_KEY     => wp_generate_password( static::CLIENT_ID_LENGTH, false ),
+			static::CLIENT_SECRET_KEY => wp_generate_password( static::CLIENT_SECRET_LENGTH, false ),
+		);
+
+		foreach ( $meta as $key => $value ) {
+			$result = update_post_meta( $post_id, wp_slash( $key ), wp_slash( $value ) );
+			if ( ! $result ) {
+				// Failed, rollback.
+				return new WP_Error( 'oauth2.client.create.failed_meta', __( 'Could not save meta value.', 'oauth2' ) );
+			}
+		}
+
+		return new static( $post );
+	}
+
+	/**
+	 * Register the underlying post type.
+	 */
+	public static function register_type() {
+		register_post_type( static::POST_TYPE, array(
+			'public'          => false,
+			'hierarchical'    => true,
+			'capability_type' => array(
+				'client',
+				'clients',
+			),
+			'supports'        => array(
+				'title',
+				'editor',
+				'revisions',
+				'author',
+				'thumbnail',
+			),
+		));
+	}
+}

inc/class-scopes.php

@@ -0,0 +1,15 @@
+<?php
+
+namespace WP\OAuth2;
+
+class Scopes {
+	protected $capabilities;
+
+	public function __construct() {
+		$this->capabilities = array();
+	}
+
+	public function register( $id, $capabilities ) {
+		$this->scopes[ $id ] = $capabilities;
+	}
+}

inc/endpoints/class-authorization.php

@@ -0,0 +1,45 @@
+<?php
+
+namespace WP\OAuth2\Endpoints;
+
+use WP\OAuth2\Client;
+use WP\OAuth2\Types;
+
+class Authorization {
+	const LOGIN_ACTION = 'oauth2_authorize';
+
+	/**
+	 * Register required actions and filters
+	 */
+	public function register_hooks() {
+		add_action( 'login_form_' . static::LOGIN_ACTION, array( $this, 'handle_request' ) );
+		add_action( 'oauth2_authorize_form', array( $this, 'render_page_fields' ) );
+	}
+
+	public function handle_request() {
+		// If the form hasn't been submitted, show it.
+		$type = wp_unslash( $_GET['response_type'] );
+
+		switch ( $type ) {
+			case 'code':
+				$handler = new Types\Authorization_Code();
+				break;
+
+			case 'token':
+				$handler = new Types\Implicit();
+				break;
+
+			default:
+				return new WP_Error(
+					'oauth2.endpoints.authorization.handle_request.invalid_type',
+					__( 'Invalid response type specified.', 'oauth2' )
+				);
+		}
+
+		$result = $handler->handle_authorisation();
+		if ( is_wp_error( $result ) ) {
+			// TODO: Handle it.
+			wp_die( $result->get_error_message() );
+		}
+	}
+}