Initial public release.

Author: jamesmorrison

.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = tab
+
+[{*.json,*.yml,.babelrc,.bowerrc,.browserslistrc,.postcssrc}]
+indent_style = space
+indent_size = 2
+
+[*.txt,wp-config-sample.php]
+end_of_line = crlf

.gitignore

@@ -0,0 +1 @@
+/vendor

CHANGELOG.md

@@ -0,0 +1,6 @@
+# Changelog
+
+All notable changes to this project will be documented in this file, per [the Keep a Changelog standard](http://keepachangelog.com/), and will adhere to [Semantic Versioning](http://semver.org/).
+
+## [0.1.0] - 2023-02-27
+- Initial private release! 🎉

CREDITS.md

@@ -0,0 +1,18 @@
+# Credits
+
+The following acknowledges the Maintainers for this repository, those who have Contributed to this repository (via bug reports, code, design, ideas, project management, translation, testing, etc.), and any Libraries utilized.
+
+## Maintainers
+
+The following individuals are responsible for curating the list of issues, responding to pull requests, and ensuring regular releases happen:
+
+[James Morrison (@jamesmorrison)](https://github.com/jamesmorrison)
+
+## Contributors
+
+Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.
+
+## Libraries
+
+The following software libraries are utilized in this repository:
+- N/A

LICENSE.md

@@ -0,0 +1,51 @@
+# Cloudflare Access SSO for WordPress
+
+Cloudflare Access SSO (Single Sign On) is a plugin to facilitate auto-login to WordPress. The plugin relies on authorisation by Cloudflare, so it's important that you follow this setup guide carefully to ensure your site remains secure. For further guidance, refer to [Cloudflare Documentation: Add Site to Cloudflare](https://developers.cloudflare.com/fundamentals/get-started/setup/add-site/).
+
+> Note: If you don't currently use Cloudflare and don't plan to, this plugin probably isn't suitable for your site.
+
+### Cloudflare Access Setup
+
+In order to use Cloudflare Access for SSO, you must create an application that covers `wp-login.php` on the site you wish to protect. No other URLs are required to be protected for this to function, but for better security you may wish to include others. Note that (as of 27th February, 2023) it is not possible to define more than one path in a single application; for now multiple applications are required if you additionally wish to protect `/wp-admin`.
+
+Follow this guide to create a [Cloudflare Access Application: Self Hosted Applications](https://developers.cloudflare.com/cloudflare-one/applications/configure-apps/self-hosted-apps/)
+
+### Plugin Configuration
+
+Two constants are required to be set in `wp-config.php` (note: a settings page will be added in a future release):
+
+`CF_ACCESS_TEAM_NAME` The Cloudflare Access Team Name
+To get the Team Name:
+- Open the Zero Trust Dashboard (see above)
+- Navigate to "Settings" in the left sidebar menu, then click "General Settings"
+- Edit the Team domain - the editable component is the Team Name (ignore `.cloudflareaccess.com` that follows)
+	- e.g. if the value once saved is `mysite.cloudflareaccess.com`, the Team Name is `mysite`.
+
+Example for `wp-config.php`: `define( 'CF_ACCESS_TEAM_NAME', 'mysite' );`
+
+`CF_ACCESS_AUD` The Application Audience (AUD) Tag for the Cloudflare Access application
+To get the Application Audience (AUD) Tag
+- Open the Zero Trust Dashboard (see above)
+- Navigate to Access => Applications
+- Select the Application, then click "Configure" in the overlaid modal
+- On the application page, navigate to the "Overview" tab
+- Copy the "Application Audience (AUD) Tag" value
+
+Example for `wp-config.php`: `define( 'CF_ACCESS_AUD', '12345-67890-12345-67890-12345-67890' );`
+
+> Note: If you have multiple Cloudflare Access Applications, ensure the AUD covers `wp-login.php` - if it doesn't, SSO will not function correctly.
+
+Optionally, two additional constants can also be set:
+
+`CF_ACCESS_ATTEMPTS` The number of attempts to login via Cloudflare Access.
+
+Default: (int) `3` if not set.
+
+`CF_ACCESS_LEEWAY` The number of seconds leeway allowed in the authorisation headers.
+
+Default (int) `60` if not set.
+
+> **Note:** Where the application is not configured correctly (authorisation header is not set, or the team name / AUD are incorrect), SSO is silently disabled. You can check the cookies section of inspector tools to confirm whether the cookie has been set.
+
+### Disclaimer
+This plugin is not affiliated with nor developed by Cloudflare. All trademarks, service marks and company names are the property of their respective owners.

README.md

@@ -0,0 +1,12 @@
+# Security Policy
+
+## Supported Versions
+
+- The latest version released (irrespective of the release date)
+- Any release in the past three months
+
+## Reporting a Vulnerability
+
+To report a suspected security vulnerability, please email **[plugins@morrison.uk](mailto:plugins@morrison.uk)** with a description of the issue, the steps taken to reproduce the issue, the affected version(s) and if known, potential migitation options for the issue.
+
+You will receive a response within 48 hours. If the issue is confirmed, a patch will be released as soon as possible depending on complexity but typically within a few days. Your discretion whilst this issue is investigated is appreciated.

SECURITY.md

@@ -0,0 +1,81 @@
+<?php
+/**
+ * Coudflare Access SSO
+ *
+ * @package   CloudflareAccessSSO
+ * @link      https://github.com/jamesmorrison/cloudflare-access-sso
+ * @author    James Morrison
+ * @copyright James Morrison 2023
+ * @license   GPL v2 or later
+ *
+ * Plugin Name:  Cloudflare Access SSO
+ * Description:  Facilitates automatic login to WordPress when domain is protected with Cloudflare Access
+ * Version:      0.1.0
+ * Plugin URI:   https://github.com/jamesmorrison/cloudflare-access-sso
+ * Author:       James Morrison
+ * Author URI:   https://jamesmorrison.uk/
+ * Text Domain:  cloudflare-access-sso
+ * Domain Path:  /languages/
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ **/
+
+// Security check
+defined( 'ABSPATH' ) || exit;
+
+// The Cloudflare Team Name is required.
+if ( ! defined( 'CF_ACCESS_TEAM_NAME' ) ) {
+	error_log( 'Cloudflare Access SSO Error: CF_ACCESS_TEAM_NAME is not defined.' ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
+	return;
+}
+
+// The Cloudflare Application ID is required.
+if ( ! defined( 'CF_ACCESS_AUD' ) ) {
+	error_log( 'Cloudflare Access SSO Error: CF_ACCESS_AUD is not defined.' ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
+	return;
+}
+
+// Default to not enforcing SSO (which redirects wp-login => wp-admin)
+if ( ! defined( 'CF_ACCESS_ENFORCE_SSO' ) ) {
+	define( 'CF_ACCESS_ENFORCE_SSO', false );
+}
+
+// Default to 3 attempts to complete authentication
+if ( ! defined( 'CF_ACCESS_ATTEMPTS' ) ) {
+	define( 'CF_ACCESS_ATTEMPTS', 3 );
+}
+
+// Default to 60 second leeway
+if ( ! defined( 'CF_ACCESS_LEEWAY' ) ) {
+	define( 'CF_ACCESS_LEEWAY', 60 );
+}
+
+
+// Useful global constants.
+define( 'CLOUDFLARE_ACCESS_SSO_PLUGIN_VERSION', '0.1.0' );
+define( 'CLOUDFLARE_ACCESS_SSO_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
+define( 'CLOUDFLARE_ACCESS_SSO_PLUGIN_PATH', plugin_dir_path( __FILE__ ) );
+define( 'CLOUDFLARE_ACCESS_SSO_PLUGIN_INC', CLOUDFLARE_ACCESS_SSO_PLUGIN_PATH . 'includes/' );
+
+// Require Composer autoloader if it exists.
+if ( file_exists( CLOUDFLARE_ACCESS_SSO_PLUGIN_PATH . 'vendor/autoload.php' ) ) {
+	require_once CLOUDFLARE_ACCESS_SSO_PLUGIN_PATH . 'vendor/autoload.php';
+}
+
+// Include files.
+require_once CLOUDFLARE_ACCESS_SSO_PLUGIN_INC . '/core.php';
+
+// Activation/Deactivation.
+register_activation_hook( __FILE__, '\CloudflareAccessSSO\Core\activate' );
+register_deactivation_hook( __FILE__, '\CloudflareAccessSSO\Core\deactivate' );
+
+// Bootstrap.
+CloudflareAccessSSO\Core\setup();

cloudflare-access-sso.php

@@ -0,0 +1,30 @@
+{
+  "name": "jamesmorrison/cloudflare-access-sso",
+  "description": "Facilitates SSO login to WordPress via Cloudflare Access.",
+  "version": "0.1.0",
+  "type": "wordpress-plugin",
+  "homepage": "https://james.morrison.uk/plugins/cloudflare-access-sso/",
+  "readme": "./readme.md",
+  "license": "GPL-2.0-or-later",
+  "authors": [
+    {
+      "name": "James Morrison",
+      "homepage": "https://james.morrison.uk",
+      "role": "Developer"
+    }
+  ],
+  "support": {
+    "source": "https://github.com/jamesmorrison/cloudflare-access-sso",
+    "issues": "https://github.com/jamesmorrison/cloudflare-access-sso/issues",
+    "docs": "https://github.com/jamesmorrison/cloudflare-access-sso/#readme"
+  },
+  "require": {
+    "php": ">=8.0",
+    "firebase/php-jwt": "^6.4"
+  },
+  "autoload": {
+    "psr-4": {
+      "CloudflareAccessSSO\\": "includes/classes/"
+    }
+  }
+}