Merge pull request #303 from oidc-wp/release-3.8.5

Release 3.8.5

CHANGELOG.md

@@ -1,5 +1,10 @@
 # OpenId Connect Generic Changelog
 
+3.8.5
+* Fix: @timnolte - Fixes missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
+* Fix: @timnolte - Fixes Redirect URL Logic to Handle Sub-directory Installs.
+* Fix: @timnolte - Fixes to provide proper redirect user back for the openid_connect_generic_auth_url shortcode.
+
 3.8.4
 * Fix: @timnolte - Fixed invalid State object access for redirection handling.
 * Improvement: @timnolte - Fixed local wp-env Docker development environment.

README.md

@@ -3,8 +3,8 @@
 **Donate link:** http://www.daggerhart.com/  
 **Tags:** security, login, oauth2, openidconnect, apps, authentication, autologin, sso  
 **Requires at least:** 4.9  
-**Tested up to:** 5.6  
-**Stable tag:** 3.8.4  
+**Tested up to:** 5.7.1  
+**Stable tag:** 3.8.5  
 **Requires PHP:** 7.1  
 **License:** GPLv2 or later  
 **License URI:** http://www.gnu.org/licenses/gpl-2.0.html  
@@ -51,6 +51,12 @@ On the settings page for this plugin (Dashboard > Settings > OpenID Connect Gene
 
 ## Changelog ##
 
+### 3.8.5
+
+* Fix: @timnolte - Fixes missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
+* Fix: @timnolte - Fixes Redirect URL Logic to Handle Sub-directory Installs.
+* Fix: @timnolte - Fixes to provide proper redirect user back for the openid_connect_generic_auth_url shortcode.
+###
 ### 3.8.4 ###
 
 * Fix: @timnolte - Fixed invalid State object access for redirection handling.

includes/openid-connect-generic-client-wrapper.php

@@ -143,16 +143,99 @@ public function alternate_redirect_uri_parse_request( $query ) {
 	}
 
 	/**
-	 * Get the authentication url from the client.
+	 * Get the client login redirect.
 	 *
-	 * @param array<string> $atts The optional attributes array when called via a shortcode.
+	 * @return string
+	 */
+	public function get_redirect_to() {
+		global $wp;
+
+		if ( isset( $GLOBALS['pagenow'] ) && 'wp-login.php' == $GLOBALS['pagenow'] && isset( $_GET['action'] ) && 'logout' === $_GET['action'] ) {
+			return '';
+		}
+
+		// Default redirect to the homepage.
+		$redirect_url = home_url();
+
+		// If using the login form, default redirect to the admin dashboard.
+		if ( isset( $GLOBALS['pagenow'] ) && 'wp-login.php' == $GLOBALS['pagenow'] ) {
+			$redirect_url = admin_url();
+		}
+
+		// Honor Core WordPress & other plugin redirects.
+		if ( isset( $_REQUEST['redirect_to'] ) ) {
+			$redirect_url = esc_url_raw( wp_unslash( $_REQUEST['redirect_to'] ) );
+		}
+
+		// Capture the current URL if set to redirect back to origin page.
+		if ( $this->settings->redirect_user_back ) {
+			if ( ! empty( $wp->request ) ) {
+				if ( ! empty( $wp->did_permalink ) && $wp->did_permalink ) {
+					$redirect_url = home_url( trailingslashit( $wp->request ) );
+				} else {
+					$redirect_url = home_url( add_query_arg( null, null ) );
+				}
+			} else {
+				if ( ! empty( $wp->query_string ) ) {
+					$redirect_url = home_url( '?' . $wp->query_string );
+				}
+			}
+		}
+
+		// This hook is being deprecated with the move away from cookies.
+		$redirect_url = apply_filters_deprecated(
+			'openid-connect-generic-cookie-redirect-url',
+			array( $redirect_url ),
+			'3.8.2',
+			'openid-connect-generic-client-redirect-to'
+		);
+
+		// This is the new hook to use with the transients version of redirection.
+		return apply_filters( 'openid-connect-generic-client-redirect-to', $redirect_url );
+	}
+
+	/**
+	 * Create a single use authentication url
+	 *
+	 * @param array<string> $atts An optional array of override/feature attributes.
 	 *
 	 * @return string
 	 */
 	public function get_authentication_url( $atts = array() ) {
 
-		return $this->client->make_authentication_url( $atts );
+		$atts = shortcode_atts(
+			array(
+				'endpoint_login' => $this->settings->endpoint_login,
+				'scope' => $this->settings->scope,
+				'client_id' => $this->settings->client_id,
+				'redirect_uri' => $this->client->get_redirect_uri(),
+				'redirect_to' => $this->get_redirect_to(),
+			),
+			$atts,
+			'openid_connect_generic_auth_url'
+		);
+
+		// Validate the redirect to value to prevent a redirection attack.
+		if ( ! empty( $atts['redirect_to'] ) ) {
+			$atts['redirect_to'] = wp_validate_redirect( $atts['redirect_to'], home_url() );
+		}
+
+		$separator = '?';
+		if ( stripos( $this->settings->endpoint_login, '?' ) !== false ) {
+			$separator = '&';
+		}
+		$url = sprintf(
+			'%1$s%2$sresponse_type=code&scope=%3$s&client_id=%4$s&state=%5$s&redirect_uri=%6$s',
+			$atts['endpoint_login'],
+			$separator,
+			rawurlencode( $atts['scope'] ),
+			rawurlencode( $atts['client_id'] ),
+			$this->client->new_state( $atts['redirect_to'] ),
+			rawurlencode( $atts['redirect_uri'] )
+		);
 
+		$this->logger->log( apply_filters( 'openid-connect-generic-auth-url', $url ), 'make_authentication_url' );
+		return apply_filters( 'openid-connect-generic-auth-url', $url );
 	}
 
 	/**

includes/openid-connect-generic-client.php

@@ -124,47 +124,21 @@ public function __construct( $client_id, $client_secret, $scope, $endpoint_login
 	}
 
 	/**
-	 * Create a single use authentication url
-	 *
-	 * @param array $atts An optional array of override/feature attributes.
+	 * Provides the configured Redirect URI supplied to the IDP.
 	 *
 	 * @return string
 	 */
-	public function make_authentication_url( $atts = array() ) {
-
-		$atts = shortcode_atts(
-			array(
-				'endpoint_login' => $this->endpoint_login,
-				'scope' => $this->scope,
-				'client_id' => $this->client_id,
-				'redirect_uri' => $this->redirect_uri,
-				'redirect_to' => home_url(), // Default redirect to the homepage.
-			),
-			$atts,
-			'openid_connect_generic_auth_url'
-		);
-
-		// Validate the redirect to value to prevent a redirection attack.
-		if ( ! empty( $atts['redirect_to'] ) ) {
-			$atts['redirect_to'] = wp_validate_redirect( $atts['redirect_to'], home_url() );
-		}
-
-		$separator = '?';
-		if ( stripos( $this->endpoint_login, '?' ) !== false ) {
-			$separator = '&';
-		}
-		$url = sprintf(
-			'%1$s%2$sresponse_type=code&scope=%3$s&client_id=%4$s&state=%5$s&redirect_uri=%6$s',
-			$atts['endpoint_login'],
-			$separator,
-			rawurlencode( $atts['scope'] ),
-			rawurlencode( $atts['client_id'] ),
-			$this->new_state( $atts['redirect_to'] ),
-			rawurlencode( $atts['redirect_uri'] )
-		);
+	public function get_redirect_uri() {
+		return $this->redirect_uri;
+	}
 
-		$this->logger->log( apply_filters( 'openid-connect-generic-auth-url', $url ), 'make_authentication_url' );
-		return apply_filters( 'openid-connect-generic-auth-url', $url );
+	/**
+	 * Provide the configured IDP endpoint login URL.
+	 *
+	 * @return string
+	 */
+	public function get_endpoint_login_url() {
+		return $this->endpoint_login;
 	}
 
 	/**

includes/openid-connect-generic-login-form.php

@@ -78,11 +78,7 @@ public function handle_redirect_login_type_auto() {
 			// phpcs:ignore WordPress.Security.NonceVerification.Missing -- WP Login Form doesn't have a nonce.
 			&& ! isset( $_POST['wp-submit'] ) ) {
 			if ( ! isset( $_GET['login-error'] ) ) {
-				$redirect_to = $this->get_redirect_to();
-				if ( empty( $redirect_to ) ) {
-					return;
-				}
-				wp_redirect( $this->client_wrapper->get_authentication_url( array( 'redirect_to' => $redirect_to ) ) );
+				wp_redirect( $this->client_wrapper->get_authentication_url() );
 				exit;
 			} else {
 				add_action( 'login_footer', array( $this, 'remove_login_form' ), 99 );
@@ -91,48 +87,6 @@ public function handle_redirect_login_type_auto() {
 
 	}
 
-	/**
-	 * Get the client login redirect.
-	 *
-	 * @return string
-	 */
-	public function get_redirect_to() {
-		global $wp;
-
-		if ( isset( $GLOBALS['pagenow'] ) && 'wp-login.php' == $GLOBALS['pagenow'] && isset( $_GET['action'] ) && 'logout' === $_GET['action'] ) {
-			return '';
-		}
-
-		// Default redirect to the homepage.
-		$redirect_url = home_url();
-
-		// If using the login form, default redirect to the admin dashboard.
-		if ( isset( $GLOBALS['pagenow'] ) && 'wp-login.php' == $GLOBALS['pagenow'] ) {
-			$redirect_url = admin_url();
-		}
-
-		// Honor Core WordPress & other plugin redirects.
-		if ( isset( $_REQUEST['redirect_to'] ) ) {
-			$redirect_url = esc_url_raw( wp_unslash( $_REQUEST['redirect_to'] ) );
-		}
-
-		// Record the URL of the redirect_to if set to redirect back to origin page.
-		if ( $this->settings->redirect_user_back ) {
-			$redirect_url = home_url( add_query_arg( $wp->request ) );
-		}
-
-		// This hook is being deprecated with the move away from cookies.
-		$redirect_url = apply_filters_deprecated(
-			'openid-connect-generic-cookie-redirect-url',
-			array( $redirect_url ),
-			'3.8.2',
-			'openid-connect-generic-client-redirect-to'
-		);
-
-		// This is the new hook to use with the transients version of redirection.
-		return apply_filters( 'openid-connect-generic-client-redirect-to', $redirect_url );
-	}
-
 	/**
 	 * Implements filter login_message.
 	 *
@@ -186,7 +140,6 @@ public function make_login_button( $atts = array() ) {
 		$atts = shortcode_atts(
 			array(
 				'button_text' => __( 'Login with OpenID Connect', 'daggerhart-openid-connect-generic' ),
-				'redirect_to' => $this->get_redirect_to(),
 			),
 			$atts,
 			'openid_connect_generic_login_button'