CI-6000: Expose Refresh Token in Authenticated REST API requests

jasonbahl · jasonbahl · commit fc107b8aebc9 · 2019-02-19T15:14:22.000-07:00
---

Code review update. . .only expose for SSL requests _or_ for GRAPHQL_DEBUG requests
diff --git a/src/ManageTokens.php b/src/ManageTokens.php
@@ -293,6 +293,20 @@ public static function use_custom_user_expiration( $expiration ) {
 	 */
 	public static function add_tokens_to_graphql_response_headers( $headers ) {
 
+		$should_return_tokens = false;
+
+		/**
+		 * If the request _is_ SSL, or GRAPHQL_DEBUG is defined, return the tokens
+		 * otherwise do not return them.
+		 */
+		if ( is_ssl() || defined( 'GRAPHQL_DEBUG' ) && true !== GRAPHQL_DEBUG ) {
+			$should_return_tokens = true;
+		}
+
+		if ( ! $should_return_tokens ) {
+			return $headers;
+		}
+
 		/**
 		 * If there's a Refresh-Authorization token in the request headers, validate it
 		 */
@@ -344,6 +358,20 @@ public static function add_tokens_to_graphql_response_headers( $headers ) {
 	 */
 	public static function add_auth_headers_to_rest_response( \WP_HTTP_Response $response, $handler, $request ) {
 
+		$should_return_tokens = false;
+
+		/**
+		 * If the request _is_ SSL, or GRAPHQL_DEBUG is defined, return the tokens
+		 * otherwise do not return them.
+		 */
+		if ( is_ssl() || defined( 'GRAPHQL_DEBUG' ) && true !== GRAPHQL_DEBUG ) {
+			$should_return_tokens = true;
+		}
+
+		if ( ! $should_return_tokens ) {
+			return $response;
+		}
+
 		/**
 		 * Note: The Access-Control-Expose-Headers aren't directly filterable
 		 * for REST API responses, so this overrides them altogether.
