Code Coverage for /Users/jasonbahl/Sites/wordpress/wp-graphql-jwt-authentication/src/Auth.php

	Code Coverage
	Classes and Traits			Functions and Methods				Lines
Total	0.00% covered (danger)	0.00%	0 / 1	57.89% covered (warning)	57.89%	11 / 19	CRAP	76.99% covered (warning)	76.99%	87 / 113
WPGraphQL\JWT_Authentication\Auth	0.00% covered (danger)	0.00%	0 / 1	61.90% covered (warning)	61.90%	13 / 21	140.70	76.99% covered (warning)	76.99%	87 / 113
get_secret_key				100.00% covered (success)	100.00%	1 / 1	3	100.00% covered (success)	100.00%	2 / 2
login_and_get_token				0.00% covered (danger)	0.00%	0 / 1	4.13	80.00% covered (warning)	80.00%	8 / 10
get_token_issued				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	3 / 3
get_token_expiration				100.00% covered (success)	100.00%	1 / 1	3	100.00% covered (success)	100.00%	4 / 4
get_signed_token				0.00% covered (danger)	0.00%	0 / 1	5.01	92.31% covered (success)	92.31%	12 / 13
get_user_jwt_secret				0.00% covered (danger)	0.00%	0 / 1	7.39	80.00% covered (warning)	80.00%	8 / 10
issue_new_user_secret				100.00% covered (success)	100.00%	1 / 1	3	100.00% covered (success)	100.00%	5 / 5
is_jwt_secret_revoked				100.00% covered (success)	100.00%	1 / 1	3	100.00% covered (success)	100.00%	2 / 2
get_token				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	1 / 1
get_refresh_token				100.00% covered (success)	100.00%	1 / 1	3		n/a	0 / 0
anonymousFunction:305#1277				100.00% covered (success)	100.00%	1 / 1	3	100.00% covered (success)	100.00%	6 / 6
is_refresh_token				0.00% covered (danger)	0.00%	0 / 1	6	0.00% covered (danger)	0.00%	0 / 1
authenticate_user				0.00% covered (danger)	0.00%	0 / 1	5.02	60.00% covered (warning)	60.00%	3 / 5
filter_determine_current_user				100.00% covered (success)	100.00%	1 / 1	4	100.00% covered (success)	100.00%	5 / 5
revoke_user_secret				0.00% covered (danger)	0.00%	0 / 1	20	0.00% covered (danger)	0.00%	0 / 7
unrevoke_user_secret				0.00% covered (danger)	0.00%	0 / 1	12	0.00% covered (danger)	0.00%	0 / 6
set_status				100.00% covered (success)	100.00%	1 / 1	1		n/a	0 / 0
anonymousFunction:485#2020				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	2 / 2
validate_token				0.00% covered (danger)	0.00%	0 / 1	12.24	78.26% covered (warning)	78.26%	18 / 23
get_auth_header				100.00% covered (success)	100.00%	1 / 1	5	100.00% covered (success)	100.00%	4 / 4
get_refresh_header				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	2 / 2

1	<?php
2
3	namespace WPGraphQL\JWT_Authentication;
4
5	use Firebase\JWT\JWT;
6	use GraphQL\Error\UserError;
7	use WPGraphQL\Data\DataSource;
8
9	class Auth {
10
11	protected static $issued;
12	protected static $expiration;
13	protected static $is_refresh_token = false;
14
15	/**
16	* This returns the secret key, using the defined constant if defined, and passing it through a filter to
17	* allow for the config to be able to be set via another method other than a defined constant, such as an
18	* admin UI that allows the key to be updated/changed/revoked at any time without touching server files
19	*
20	* @return mixed\|null\|string
21	* @since 0.0.1
22	*/
23	public static function get_secret_key() {
24
25	// Use the defined secret key, if it exists
26	$secret_key = defined( 'GRAPHQL_JWT_AUTH_SECRET_KEY' ) && ! empty( GRAPHQL_JWT_AUTH_SECRET_KEY ) ? GRAPHQL_JWT_AUTH_SECRET_KEY : 'graphql-jwt-auth';
27	return apply_filters( 'graphql_jwt_auth_secret_key', $secret_key );
28
29	}
30
31	/**
32	* Get the user and password in the request body and generate a JWT
33	*
34	* @param string $username
35	* @param string $password
36	*
37	* @return mixed
38	* @throws \Exception
39	* @since 0.0.1
40	*/
41	public static function login_and_get_token( $username, $password ) {
42
43	/**
44	* First thing, check the secret key if not exist return a error
45	*/
46	if ( empty( self::get_secret_key() ) ) {
47	throw new UserError( __( 'JWT Auth is not configured correctly. Please contact a site administrator.', 'wp-graphql-jwt-authentication' ) );
48	}
49
50	/**
51	* Authenticate the user and get the Authenticated user object in response
52	*/
53	$user = self::authenticate_user( $username, $password );
54
55	/**
56	* Set the current user to the authenticated user
57	*/
58	if ( empty( $user->data->ID ) ) {
59	throw new UserError( __( 'The user could not be found', 'wp-graphql-jwt-authentication' ) );
60	}
61
62	/**
63	* Set the current user as the authenticated user
64	*/
65	wp_set_current_user( $user->data->ID );
66
67	/**
68	* The token is signed, now create the object with basic user data to send to the client
69	*/
70	$response = [
71	'authToken' => self::get_signed_token( $user ),
72	'refreshToken' => self::get_refresh_token( $user ),
73	'user' => DataSource::resolve_user( $user->data->ID ),
74	];
75
76	/**
77	* Let the user modify the data before send it back
78	*/
79	return ! empty( $response ) ? $response : [];
80	}
81
82	/**
83	* Get the issued time for the token
84	*
85	* @return int
86	*/
87	public static function get_token_issued() {
88	if ( ! isset( self::$issued ) ) {
89	self::$issued = time();
90	}
91
92	return self::$issued;
93	}
94
95	/**
96	* Returns the expiration for the token
97	*
98	* @return mixed\|string\|null
99	*/
100	public static function get_token_expiration() {
101
102	if ( ! isset( self::$expiration ) ) {
103
104	/**
105	* Set the expiration time, default is 300 seconds.
106	*/
107	$expiration = self::get_token_issued() + 300;
108
109	/**
110	* Determine the expiration value. Default is 7 days, but is filterable to be configured as needed
111	*
112	* @param string $expiration The timestamp for when the token should expire
113	*/
114	self::$expiration = apply_filters( 'graphql_jwt_auth_expire', $expiration );
115
116	}
117
118	return ! empty( self::$expiration ) ? self::$expiration : null;
119
120	}
121
122	/**
123	* @param $user
124	*
125	* @return null\|string
126	*/
127	protected static function get_signed_token( \WP_User $user, $cap_check = true ) {
128
129	/**
130	* Only allow the currently signed in user access to a JWT token
131	*/
132	if ( true === $cap_check && wp_get_current_user()->ID !== $user->ID \|\| 0 === $user->ID ) {
133	return new \WP_Error( 'graphql-jwt-no-permissions', __( 'Only the user requesting a token can get a token issued for them', 'wp-graphql-jwt-authentication' ) );
134	}
135
136	/**
137	* Determine the "not before" value for use in the token
138	*
139	* @param string $issued The timestamp of the authentication, used in the token
140	* @param \WP_User $user The authenticated user
141	*/
142	$not_before = apply_filters( 'graphql_jwt_auth_not_before', self::get_token_issued(), $user );
143
144
145	/**
146	* Configure the token array, which will be encoded
147	*/
148	$token = [
149	'iss' => get_bloginfo( 'url' ),
150	'iat' => self::get_token_issued(),
151	'nbf' => $not_before,
152	'exp' => self::get_token_expiration(),
153	'data' => [
154	'user' => [
155	'id' => $user->data->ID,
156	],
157	],
158	];
159
160	/**
161	* Filter the token, allowing for individual systems to configure the token as needed
162	*
163	* @param array $token The token array that will be encoded
164	* @param \WP_User $token The authenticated user
165	*/
166	$token = apply_filters( 'graphql_jwt_auth_token_before_sign', $token, $user );
167
168	/**
169	* Encode the token
170	*/
171	JWT::$leeway = 60;
172	$token = JWT::encode( $token, self::get_secret_key() );
173
174	/**
175	* Filter the token before returning it, allowing for individual systems to override what's returned.
176	*
177	* For example, if the user should not be granted a token for whatever reason, a filter could have the token return null.
178	*
179	* @param string $token The signed JWT token that will be returned
180	* @param int $user_id The User the JWT is associated with
181	*/
182	$token = apply_filters( 'graphql_jwt_auth_signed_token', $token, $user->ID );
183
184	/**
185	* Return the token
186	*/
187	return ! empty( $token ) ? $token : null;
188
189	}
190
191	/**
192	* Given a User ID, returns the user's JWT secret
193	*
194	* @param int $user_id
195	*
196	* @return mixed\|string
197	*/
198	public static function get_user_jwt_secret( $user_id ) {
199
200	/**
201	* If the secret has been revoked, throw an error
202	*/
203	if ( true === Auth::is_jwt_secret_revoked( $user_id ) ) {
204	return new \WP_Error( 'graphql-jwt-revoked-secret', __( 'The JWT Auth secret cannot be returned', 'wp-graphql-jwt-authentication' ) );
205	}
206
207	/**
208	* Filter the capability that is tied to editing/viewing user JWT Auth info
209	*
210	* @param string 'edit_users'
211	* @param int $user_id
212	*/
213	$capability = apply_filters( 'graphql_jwt_auth_edit_users_capability', 'edit_users', $user_id );
214
215	/**
216	* If the request is not from the current_user and the current_user doesn't have the proper capabilities, don't return the secret
217	*/
218	$is_current_user = ( $user_id === wp_get_current_user()->ID ) ? true : false;
219	if ( ! $is_current_user && ! current_user_can( $capability ) ) {
220	return new \WP_Error( 'graphql-jwt-improper-capabilities', __( 'The JWT Auth secret for this user cannot be returned', 'wp-graphql-jwt-authentication' ) );
221	}
222
223	/**
224	* Get the stored secret
225	*/
226	$secret = get_user_meta( $user_id, 'graphql_jwt_auth_secret', true );
227
228	/**
229	* If there is no stored secret, or it's not a string
230	*/
231	if ( empty( $secret ) \|\| ! is_string( $secret ) ) {
232	Auth::issue_new_user_secret( $user_id );
233	}
234
235	/**
236	* Return the $secret
237	*
238	* @param string $secret The GraphQL JWT Auth Secret associated with the user
239	* @param int $user_id The ID of the user the secret is associated with
240	*/
241	return apply_filters( 'graphql_jwt_auth_user_secret', $secret, $user_id );
242	}
243
244	/**
245	* Given a User ID, issue a new JWT Auth Secret
246	*
247	* @param int $user_id The ID of the user the secret is being issued for
248	*
249	* @return string $secret The JWT User secret for the user.
250	*/
251	public static function issue_new_user_secret( $user_id ) {
252
253	/**
254	* Get the current user secret
255	*/
256	$secret = null;
257
258	/**
259	* If the JWT Secret is not revoked for the user, generate a new one
260	*/
261	if ( ! Auth::is_jwt_secret_revoked( $user_id ) ) {
262
263	/**
264	* Generate a new one and store it
265	*/
266	$secret = uniqid( 'graphql_jwt_' );
267	update_user_meta( $user_id, 'graphql_jwt_auth_secret', $secret );
268
269	}
270
271	return ! is_wp_error( $secret ) ? $secret : null;
272	}
273
274	/**
275	* Given a User, returns whether their JWT secret has been revoked or not.
276	*
277	* @param int $user_id
278	*
279	* @return bool
280	*/
281	public static function is_jwt_secret_revoked( $user_id ) {
282	$revoked = (bool) get_user_meta( $user_id, 'graphql_jwt_auth_secret_revoked', true );
283
284	return isset( $revoked ) && true === $revoked ? true : false;
285	}
286
287	/**
288	* Public method for getting an Auth token for a given user
289	*
290	* @param \WP_USer $user The user to get the token for
291	*
292	* @return null\|string
293	*/
294	public static function get_token( $user, $cap_check = true ) {
295	return self::get_signed_token( $user, $cap_check );
296	}
297
298	public static function get_refresh_token( $user, $cap_check = true ) {
299
300	/**
301	* Filter the token signature for refresh tokens, adding the user_secret to the signature and making the
302	* expiration long lived so that the token can be used for a long time without the client having to store a new
303	* one.
304	*/
305	add_filter( 'graphql_jwt_auth_token_before_sign', function( $token, \WP_User $user ) {
306	$secret = Auth::get_user_jwt_secret( $user->ID );
307	if ( ! empty( $secret ) && ! is_wp_error( $secret ) ) {
308
309	/**
310	* Set the expiration date as a year from now to make the refresh token long lived, allowing the
311	* token to be valid without changing as long as it has not been revoked or otherwise invalidated,
312	* such as a refreshed user secret.
313	*/
314	$token['exp'] = apply_filters( 'graphql_jwt_auth_refresh_token_expiration', ( self::get_token_issued() + ( DAY_IN_SECONDS * 365 ) ) );
315	$token['data']['user']['user_secret'] = $secret;
316	}
317
318	return $token;
319	}, 10, 2 );
320
321	return self::get_signed_token( $user, $cap_check );
322	}
323
324	public static function is_refresh_token() {
325	return true === self::$is_refresh_token ? true : false;
326	}
327
328	/**
329	* Takes a username and password and authenticates the user and returns the authenticated user object
330	*
331	* @param string $username The username for the user to login
332	* @param string $password The password for the user to login
333	*
334	* @return null\|\WP_Error\|\WP_User
335	*/
336	protected static function authenticate_user( $username, $password ) {
337
338	/**
339	* Try to authenticate the user with the passed credentials
340	*/
341	$user = wp_authenticate( sanitize_user( $username ), trim( $password ) );
342
343	/**
344	* If the authentication fails return a error
345	*/
346	if ( is_wp_error( $user ) ) {
347	$error_code = ! empty( $user->get_error_code() ) ? $user->get_error_code() : 'invalid login';
348	throw new UserError( esc_html( $error_code ) );
349	}
350
351	return ! empty( $user ) ? $user : null;
352
353	}
354
355	/**
356	* This is our Middleware to try to authenticate the user according to the
357	* token send.
358	*
359	* @param (int\|bool) $user Logged User ID
360	*
361	* @return mixed\|false\|\WP_User
362	*/
363	public static function filter_determine_current_user( $user ) {
364
365	/**
366	* Validate the token, which will check the Headers to see if Authentication headers were sent
367	*
368	* @since 0.0.1
369	*/
370	$token = Auth::validate_token();
371
372	/**
373	* If no token was generated, return the existing value for the $user
374	*/
375	if ( empty( $token ) ) {
376
377	/**
378	* Return the user that was passed in to the filter
379	*/
380	return $user;
381
382	/**
383	* If there is a token
384	*/
385	} else {
386
387	/**
388	* Get the current user from the token
389	*/
390	$user = ! empty( $token ) && ! empty( $token->data->user->id ) ? $token->data->user->id : $user;
391
392	}
393
394	/**
395	* Everything is ok, return the user ID stored in the token
396	*/
397	return $user;
398	}
399
400	/**
401	* Given a user ID, if the ID is for a valid user and the current user has proper capabilities, this revokes
402	* the JWT Secret from the user.
403	*
404	* @param int $user_id
405	*
406	* @return mixed\|boolean\|\WP_Error
407	*/
408	public static function revoke_user_secret( int $user_id ) {
409
410	/**
411	* Filter the capability that is tied to editing/viewing user JWT Auth info
412	*
413	* @param string 'edit_users'
414	* @param int $user_id
415	*/
416	$capability = apply_filters( 'graphql_jwt_auth_edit_users_capability', 'edit_users', $user_id );
417
418	/**
419	* If the current user can edit users, or the current user is the user being edited
420	*/
421	if (
422	0 !== get_user_by( 'id', $user_id )->ID &&
423	(
424	current_user_can( $capability ) \|\|
425	$user_id === wp_get_current_user()->ID
426	)
427	) {
428
429	/**
430	* Set the user meta as true, marking the secret as revoked
431	*/
432	update_user_meta( $user_id, 'graphql_jwt_auth_secret_revoked', 1 );
433
434	return true;
435
436	} else {
437
438	return new \WP_Error( 'graphql-jwt-auth-cannot-revoke-secret', __( 'The JWT Auth Secret cannot be revoked for this user', 'wp-graphql-jwt-authentication' ) );
439
440	}
441
442	}
443
444	/**
445	* Given a user ID, if the ID is for a valid user and the current user has proper capabilities, this unrevokes
446	* the JWT Secret from the user.
447	*
448	* @param int $user_id
449	*
450	* @return mixed\|boolean\|\WP_Error
451	*/
452	public static function unrevoke_user_secret( int $user_id ) {
453
454	/**
455	* Filter the capability that is tied to editing/viewing user JWT Auth info
456	*
457	* @param string 'edit_users'
458	* @param int $user_id
459	*/
460	$capability = apply_filters( 'graphql_jwt_auth_edit_users_capability', 'edit_users', $user_id );
461
462	/**
463	* If the user_id is a valid user, and the current user can edit_users
464	*/
465	if ( 0 !== get_user_by( 'id', $user_id )->ID && current_user_can( $capability ) ) {
466
467	/**
468	* Issue a new user secret, invalidating any that may have previously been in place, and mark the
469	* revoked meta key as false, showing that the secret has not been revoked
470	*/
471	Auth::issue_new_user_secret( $user_id );
472	update_user_meta( $user_id, 'graphql_jwt_auth_secret_revoked', 0 );
473
474	return true;
475
476	} else {
477
478	return new \WP_Error( 'graphql-jwt-auth-cannot-unrevoke-secret', __( 'The JWT Auth Secret cannot be unrevoked for this user', 'wp-graphql-jwt-authentication' ) );
479
480	}
481
482	}
483
484	protected static function set_status( $status_code ) {
485	add_filter( 'graphql_response_status_code', function() use ( $status_code ) {
486	return $status_code;
487	});
488	}
489
490	/**
491	* Main validation function, this function try to get the Authentication
492	* headers and decoded.
493	*
494	* @param string $token The encoded JWT Token
495	*
496	* @throws \Exception
497	* @return mixed\|boolean\|string
498	*/
499	public static function validate_token( $token = null, $refresh = false ) {
500
501	self::$is_refresh_token = ( true === $refresh ) ? true : false;
502
503	/**
504	* If a token isn't passed to the method, check the Authorization Headers to see if a token was
505	* passed in the headers
506	*
507	* @since 0.0.1
508	*/
509	if ( empty( $token ) ) {
510
511	/**
512	* Get the Auth header
513	*/
514	$auth_header = self::get_auth_header();
515
516	/**
517	* If there's no $auth, return an error
518	*
519	* @since 0.0.1
520	*/
521	if ( empty( $auth_header ) ) {
522	return false;
523	} else {
524	/**
525	* The HTTP_AUTHORIZATION is present verify the format
526	* if the format is wrong return the user.
527	*/
528	list( $token ) = sscanf( $auth_header, 'Bearer %s' );
529	}
530
531	}
532
533	/**
534	* If there's no secret key, throw an error as there needs to be a secret key for Auth to work properly
535	*/
536	if ( ! self::get_secret_key() ) {
537	throw new \Exception( __( 'JWT is not configured properly', 'wp-graphql-jwt-authentication' ) );
538	}
539
540	/**
541	* Try to decode the token
542	*/
543	try {
544
545	/**
546	* Decode the Token
547	*/
548	JWT::$leeway = 60;
549
550	$secret = self::get_secret_key();
551	$token = ! empty( $token ) ? JWT::decode( $token, $secret, [ 'HS256' ] ) : null;
552
553	/**
554	* The Token is decoded now validate the iss
555	*/
556	if ( get_bloginfo( 'url' ) !== $token->iss ) {
557	throw new \Exception( __( 'The iss do not match with this server', 'wp-graphql-jwt-authentication' ) );
558	}
559
560	/**
561	* So far so good, validate the user id in the token
562	*/
563	if ( ! isset( $token->data->user->id ) ) {
564	throw new \Exception( __( 'User ID not found in the token', 'wp-graphql-jwt-authentication' ) );
565	}
566
567	/**
568	* If there is a user_secret in the token (refresh tokens) make sure it matches what
569	*/
570	if ( isset( $token->data->user->user_secret ) ) {
571
572	if ( Auth::is_jwt_secret_revoked( $token->data->user->id ) ) {
573	throw new \Exception( __( 'The User Secret does not match or has been revoked for this user', 'wp-graphql-jwt-authentication' ) );
574	}
575	}
576
577	/**
578	* If any exceptions are caught
579	*/
580	} catch ( \Exception $error ) {
581	self::set_status( 403 );
582	return new \WP_Error( 'invalid_token', __( 'The JWT Token is invalid', 'wp-graphql-jwt-authentication' ) );
583	}
584
585	self::$is_refresh_token = false;
586
587	return $token;
588
589	}
590
591	/**
592	* Get the value of the Authorization header from the $_SERVER super global
593	*
594	* @return mixed\|string
595	*/
596	public static function get_auth_header() {
597
598	/**
599	* Looking for the HTTP_AUTHORIZATION header, if not present just
600	* return the user.
601	*/
602	$auth_header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? $_SERVER['HTTP_AUTHORIZATION'] : false;
603
604	/**
605	* Double check for different auth header string (server dependent)
606	*/
607	$redirect_auth_header = isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : false;
608
609	/**
610	* If the $auth header is set, use it. Otherwise attempt to use the $redirect_auth header
611	*/
612	$auth_header = isset( $auth_header ) ? $auth_header : ( isset( $redirect_auth_header ) ? $redirect_auth_header : null );
613
614	/**
615	* Return the auth header, pass through a filter
616	*
617	* @param string $auth_header The header used to authenticate a user's HTTP request
618	*/
619	return apply_filters( 'graphql_jwt_auth_get_auth_header', $auth_header );
620
621	}
622
623	public static function get_refresh_header() {
624
625	/**
626	* Check to see if the incoming request has a "Refresh-Authorization" header
627	*/
628	$refresh_header = isset( $_SERVER['HTTP_REFRESH_AUTHORIZATION'] ) ? $_SERVER['HTTP_REFRESH_AUTHORIZATION'] : false;
629
630	return apply_filters( 'graphql_jwt_auth_get_refresh_header', $refresh_header );
631
632	}
633
634	}