Ensure password change revokes all tokens

valendesigns · valendesigns · commit 16493c1a3b06 · 2019-03-07T21:44:03.000-08:00
diff --git a/tests/wp-admin/includes/class-test-wp-key-pair-list-table.php b/tests/wp-admin/includes/class-test-wp-key-pair-list-table.php
@@ -16,11 +16,18 @@
 class Test_WP_Key_Pair_List_Table extends WP_UnitTestCase {
 
 	/**
+	 * List Table.
+	 *
 	 * @var WP_Key_Pair_List_Table
 	 */
 	protected $table;
 
-	function setUp() {
+	/**
+	 * Setup.
+	 *
+	 * @inheritdoc
+	 */
+	public function setUp() {
 		parent::setUp();
 		$this->table = new WP_Key_Pair_List_Table( array( 'screen' => 'profile' ) );
 	}
diff --git a/tests/wp-includes/rest-api/auth/class-test-wp-rest-key-pair.php b/tests/wp-includes/rest-api/auth/class-test-wp-rest-key-pair.php
@@ -151,6 +151,85 @@ public function test_show_user_profile() {
 		$this->assertTrue( wp_script_is( 'key-pair-js', 'enqueued' ) );
 	}
 
+	/**
+	 * Test after_password_reset().
+	 *
+	 * @covers ::after_password_reset()
+	 * @since 0.1
+	 */
+	public function test_after_password_reset() {
+		$user_data = array(
+			'role'       => 'editor',
+			'user_login' => 'testeditor',
+			'user_pass'  => 'testpassword',
+		);
+
+		$user_id = $this->factory->user->create( $user_data );
+
+		$this->assertEquals( array(), $this->key_pair->get_user_key_pairs( $user_id ) );
+
+		$keypairs = array(
+			array(
+				'api_key'    => 12345,
+				'api_secret' => 54321,
+			),
+		);
+		update_user_meta( $user_id, WP_REST_Key_Pair::_USERMETA_KEY_, $keypairs );
+		$this->assertEquals( $keypairs, $this->key_pair->get_user_key_pairs( $user_id ) );
+
+		$this->key_pair->after_password_reset( get_user_by( 'ID', $user_id ) );
+		$this->assertEquals( $keypairs, $this->key_pair->get_user_key_pairs( $user_id ) );
+
+		reset_password( get_user_by( 'ID', $user_id ), 'testpassword1' );
+		$this->assertEquals( array(), $this->key_pair->get_user_key_pairs( $user_id ) );
+	}
+
+	/**
+	 * Test profile_update().
+	 *
+	 * @covers ::profile_update()
+	 * @since 0.1
+	 */
+	public function test_profile_update() {
+		global $wp_current_filter;
+
+		$tmp = $wp_current_filter;
+
+		$user_data = array(
+			'role'       => 'editor',
+			'user_login' => 'testeditor',
+			'user_pass'  => 'testpassword',
+		);
+
+		$user_id = $this->factory->user->create( $user_data );
+
+		$this->assertEquals( array(), $this->key_pair->get_user_key_pairs( $user_id ) );
+
+		$keypairs = array(
+			array(
+				'api_key'    => 12345,
+				'api_secret' => 54321,
+			),
+		);
+		update_user_meta( $user_id, WP_REST_Key_Pair::_USERMETA_KEY_, $keypairs );
+		$this->assertEquals( $keypairs, $this->key_pair->get_user_key_pairs( $user_id ) );
+
+		$this->key_pair->profile_update( $user_id );
+		$this->assertEquals( $keypairs, $this->key_pair->get_user_key_pairs( $user_id ) );
+
+		$wp_current_filter = array(
+			'profile_update',
+		);
+		$this->key_pair->profile_update( $user_id );
+		$this->assertEquals( $keypairs, $this->key_pair->get_user_key_pairs( $user_id ) );
+
+		$_POST['pass1'] = 'changed';
+		$this->key_pair->profile_update( $user_id );
+		$this->assertEquals( array(), $this->key_pair->get_user_key_pairs( $user_id ) );
+
+		$wp_current_filter = $tmp;
+	}
+
 	/**
 	 * Test require_token().
 	 *
diff --git a/wp-includes/rest-api/auth/class-wp-rest-key-pair.php b/wp-includes/rest-api/auth/class-wp-rest-key-pair.php
@@ -56,6 +56,8 @@ public function init() {
 		add_action( 'rest_api_init', array( $this, 'register_routes' ), 99 );
 		add_action( 'show_user_profile', array( $this, 'show_user_profile' ) );
 		add_action( 'edit_user_profile', array( $this, 'show_user_profile' ) );
+		add_action( 'after_password_reset', array( $this, 'after_password_reset' ) );
+		add_action( 'profile_update', array( $this, 'profile_update' ) );
 
 		add_filter( 'rest_authentication_require_token', array( $this, 'require_token' ), 10, 3 );
 		add_filter( 'rest_authentication_user', array( $this, 'authenticate' ), 10, 2 );
@@ -258,6 +260,40 @@ public function show_user_profile( WP_User $user ) {
 		$this->template_key_pair_row();
 	}
 
+	/**
+	 * Fires after the user's password is reset.
+	 *
+	 * @param WP_User $user The user.
+	 */
+	public function after_password_reset( WP_User $user ) {
+		if ( 'after_password_reset' !== current_filter() ) {
+			return;
+		}
+
+		$keypairs = $this->get_user_key_pairs( $user->ID );
+		if ( ! empty( $keypairs ) ) {
+			$this->set_user_key_pairs( $user->ID, array() );
+		}
+	}
+
+	/**
+	 * Fires after the user's password is reset.
+	 *
+	 * @param int $user_id The user ID.
+	 */
+	public function profile_update( $user_id ) {
+		if ( 'profile_update' !== current_filter() ) {
+			return;
+		}
+
+		if ( isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) { // phpcs:ignore
+			$keypairs = $this->get_user_key_pairs( $user_id );
+			if ( ! empty( $keypairs ) ) {
+				$this->set_user_key_pairs( $user_id, array() );
+			}
+		}
+	}
+
 	/**
 	 * Filters `rest_authentication_require_token` to exclude the key-pair endpoint,
 	 *
