Press7-395 validate and show invalid usernames during sso

includes/SSO_Helpers.php

@@ -17,19 +17,19 @@ class SSO_Helpers {
 	/**
 	 * Generate an SSO token for a user.
 	 *
-	 * @param int $user_id
+	 * @param int $user_id user id
 	 *
 	 * @return string
 	 */
 	public static function generateToken( $user_id ) {
 		return base64_encode(
 			implode(
 				':',
-				[
+				array(
 					$user_id,
 					time(),
-					wp_generate_password( 64, true, true )
-				]
+					wp_generate_password( 64, true, true ),
+				)
 			)
 		);
 	}
@@ -126,8 +126,10 @@ public static function shouldThrottle() {
 
 	/**
 	 * Trigger an SSO failure.
+	 *
+	 * @param string $error_type type of error
 	 */
-	public static function triggerFailure() {
+	public static function triggerFailure( $error_type = '' ) {
 
 		self::logFailure();
 
@@ -138,9 +140,19 @@ public static function triggerFailure() {
 
 		do_action( 'newfold_sso_fail' );
 
-		wp_safe_redirect( wp_login_url() );
+		if ( empty( $error_type ) ) {
+			wp_safe_redirect( wp_login_url() );
+		} else {
+			wp_safe_redirect(
+				add_query_arg(
+					array(
+						'error' => $error_type,
+					),
+					wp_login_url()
+				)
+			);
+		}
 		exit;
-
 	}
 
 	/**
@@ -168,7 +180,6 @@ public static function triggerSuccess( \WP_User $user ) {
 
 		wp_safe_redirect( $redirect );
 		exit;
-
 	}
 
 	/**
@@ -206,7 +217,6 @@ public static function getSuccessUrl() {
 					$url = add_query_arg( $key, $value, $url );
 				}
 			}
-
 		}
 
 		if ( ! $url ) {
@@ -248,8 +258,13 @@ public static function handleLogin( $token ) {
 			exit;
 		}
 
-		self::triggerSuccess( self::getUserFromToken( $token ) );
-
+		$user = self::getUserFromToken( $token );
+		if ( $user ) {
+			if ( preg_match( "/['\"\\\\]/", $user->user_login ) ) {
+				self::triggerFailure( 'invalid_username' );
+				exit;
+			}
+		}
+		self::triggerSuccess( $user );
 	}
-
 }

includes/SSO_Helpers_Legacy.php

@@ -38,6 +38,13 @@ public static function handleLegacyLogin( $nonce, $salt ) {
 			exit;
 		}
 
+		if ( $user ) {
+			if ( preg_match( "/['\"\\\\<]/", $user->user_login ) ) {
+				self::triggerFailure( 'invalid_username' );
+				exit;
+			}
+		}
+
 		// Validate token
 		$token        = substr( base64_encode( hash( 'sha256', $nonce . $salt, false ) ), 0, 64 );
 		$stored_token = get_transient( 'sso_token' );

sso.php

@@ -15,7 +15,7 @@ function () {
 
 add_action(
 	'cli_init',
-	function() {
+	function () {
 		WP_CLI::add_command(
 			'newfold sso',
 			'NewFoldLabs\WP\Module\SSO\SSO_CLI',
@@ -28,13 +28,33 @@ function() {
 	}
 );
 
-\add_action( 'init',
-	function() {
-		\load_plugin_textdomain(
+add_action(
+	'init',
+	function () {
+		load_plugin_textdomain(
 			'wp-module-sso',
 			false,
 			NFD_SSO_DIR . '/languages'
 		);
-	}, 
-	100 
+	},
+	100
+);
+
+add_action(
+	'login_message',
+	function () {
+		$error = sanitize_key( $_GET['error'] ?? '' );
+		if ( ! empty( $error ) ) {
+			$message = '';
+			switch ( $error ) {
+				case 'invalid_username':
+					$message = __( 'SSO failed: username cannot contain invalid characters.', 'wp-module-sso' );
+					break;
+				default:
+					$message = __( 'An unknown error occurred. Please try again.', 'wp-module-sso' );
+					break;
+			}
+			return "<div class='login-error' style='color: red; font-weight: bold;'>{$message}</div>";
+		}
+	}
 );