Code Coverage for /Users/jasonbahl/Sites/wordpress/wp-graphql-jwt-authentication/src/ManageTokens.php

	Code Coverage
	Classes and Traits			Functions and Methods				Lines
Total	0.00% covered (danger)	0.00%	0 / 1	50.00% covered (danger)	50.00%	6 / 12	CRAP	84.44% covered (warning)	84.44%	76 / 90
WPGraphQL\JWT_Authentication\ManageTokens	0.00% covered (danger)	0.00%	0 / 1	50.00% covered (danger)	50.00%	6 / 12	59.41	84.44% covered (warning)	84.44%	76 / 90
init				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	15 / 15
add_user_fields				100.00% covered (success)	100.00%	1 / 1	11	100.00% covered (success)	100.00%	3 / 3
anonymousFunction:69#230				0.00% covered (danger)	0.00%	0 / 1	4.13	80.00% covered (warning)	80.00%	4 / 5
anonymousFunction:90#371				0.00% covered (danger)	0.00%	0 / 1	4.13	80.00% covered (warning)	80.00%	4 / 5
anonymousFunction:111#512				0.00% covered (danger)	0.00%	0 / 1	3.07	80.00% covered (warning)	80.00%	4 / 5
anonymousFunction:135#647				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	3 / 3
anonymousFunction:144#741				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	3 / 3
add_user_mutation_input_fields				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	7 / 7
update_jwt_fields_during_mutation				0.00% covered (danger)	0.00%	0 / 1	42	0.00% covered (danger)	0.00%	0 / 9
prevent_token_from_returning_if_revoked				0.00% covered (danger)	0.00%	0 / 1	2.06	75.00% covered (warning)	75.00%	3 / 4
use_custom_user_expiration				0.00% covered (danger)	0.00%	0 / 1	5.07	85.71% covered (warning)	85.71%	6 / 7
add_tokens_to_graphql_response_headers				100.00% covered (success)	100.00%	1 / 1	9	100.00% covered (success)	100.00%	11 / 11

1	<?php
2	namespace WPGraphQL\JWT_Authentication;
3
4	use GraphQL\Error\UserError;
5	use WPGraphQL\Types;
6
7	class ManageTokens {
8
9	/**
10	* Initialize the funcionality for managing tokens
11	*/
12	public static function init() {
13
14	/**
15	* Filter the User type to have a jwtUserSecret and jwtAuthToken field
16	*/
17	add_filter( 'graphql_user_fields', [
18	'\WPGraphQL\JWT_Authentication\ManageTokens',
19	'add_user_fields'
20	] );
21
22	/**
23	* Add fields to the input for user mutations
24	*/
25	add_filter( 'graphql_user_mutation_input_fields', [
26	'\WPGraphQL\JWT_Authentication\ManageTokens',
27	'add_user_mutation_input_fields'
28	] );
29
30	add_action( 'graphql_user_object_mutation_update_additional_data', [
31	'\WPGraphQL\JWT_Authentication\ManageTokens',
32	'update_jwt_fields_during_mutation'
33	], 10, 3 );
34
35	/**
36	* Filter the signed token, preventing it from returning if the user has had their JWT Secret revoked
37	*/
38	add_filter( 'graphql_jwt_auth_signed_token', [
39	'\WPGraphQL\JWT_Authentication\ManageTokens',
40	'prevent_token_from_returning_if_revoked'
41	], 10, 2 );
42
43	/**
44	* Filter the expiration to use the user's expiration if a custom expiration has been set.
45	*/
46	add_filter( 'graphql_jwt_auth_expire', [
47	'\WPGraphQL\JWT_Authentication\ManageTokens',
48	'use_custom_user_expiration'
49	] );
50
51	add_filter( 'graphql_response_headers_to_send', [
52	'\WPGraphQL\JWT_Authentication\ManageTokens',
53	'add_tokens_to_graphql_response_headers'
54	] );
55	}
56
57	/**
58	* Filters the User type in the GraphQL Schema to provide fields for querying for user's jwtAuthToken and jwtUserSecret
59	*
60	* @param array $fields The fields for the User type in the GraphQL Schema
61	*
62	* @return array $fields
63	*/
64	public static function add_user_fields( $fields ) {
65
66	$fields['jwtAuthToken'] = [
67	'type' => Types::string(),
68	'description' => __( 'A JWT token that can be used in future requests for authentication/authorization', 'wp-graphql-jwt-authentication' ),
69	'resolve' => function( \WP_User $user ) {
70
71	/**
72	* Get the token for the user
73	*/
74	$token = Auth::get_token( $user );
75
76	/**
77	* If the token cannot be returned, throw an error
78	*/
79	if ( empty( $token ) \|\| is_wp_error( $token ) ) {
80	throw new UserError( __( 'The JWT token could not be returned', 'wp-graphql-jwt-authentication' ) );
81	}
82
83	return ! empty( $token ) ? $token : null;
84	},
85	];
86
87	$fields['jwtRefreshToken'] = [
88	'type' => Types::string(),
89	'description' => __( 'A JWT token that can be used in future requests to get a refreshed jwtAuthToken. If the refresh token used in a request is revoked or otherwise invalid, a valid Auth token will NOT be issued in the response headers.', 'wp-graphql-jwt-authentication' ),
90	'resolve' => function( \WP_User $user ) {
91
92	/**
93	* Get the token for the user
94	*/
95	$token = Auth::get_refresh_token( $user );
96
97	/**
98	* If the token cannot be returned, throw an error
99	*/
100	if ( empty( $token ) \|\| is_wp_error( $token ) ) {
101	throw new UserError( __( 'The JWT token could not be returned', 'wp-graphql-jwt-authentication' ) );
102	}
103
104	return ! empty( $token ) ? $token : null;
105	},
106	];
107
108	$fields['jwtUserSecret'] = [
109	'type' => Types::string(),
110	'description' => __( 'A unique secret tied to the users JWT token that can be revoked or refreshed. Revoking the secret prevents JWT tokens from being issued to the user. Refreshing the token invalidates previously issued tokens, but allows new tokens to be issued.', 'wp-graphql' ),
111	'resolve' => function( \WP_User $user ) {
112
113	/**
114	* Get the user's JWT Secret
115	*/
116	$secret = Auth::get_user_jwt_secret( $user->ID );
117
118	/**
119	* If the secret cannot be returned, throw an error
120	*/
121	if ( is_wp_error( $secret ) ) {
122	throw new UserError( __( 'The user secret could not be returned', 'wp-graphql-jwt-authentication' ) );
123	}
124
125	/**
126	* Return the secret
127	*/
128	return ! empty( $secret ) ? $secret : null;
129	}
130	];
131
132	$fields['jwtAuthExpiration'] = [
133	'type' => Types::string(),
134	'description' => __( 'The expiration for the JWT Token for the user. If not set custom for the user, it will use the default sitewide expiration setting', 'wp-graphql-jwt-authentication' ),
135	'resolve' => function( \WP_User $user ) {
136	$expiration = Auth::get_token_expiration();
137	return ! empty( $expiration ) ? $expiration : null;
138	}
139	];
140
141	$fields['isJwtAuthSecretRevoked'] = [
142	'type' => Types::non_null( Types::boolean() ),
143	'description' => __( 'Whether the JWT User secret has been revoked. If the secret has been revoked, auth tokens will not be issued until an admin, or user with proper capabilities re-issues a secret for the user.', 'wp-graphql-jwt-authentication' ),
144	'resolve' => function( \WP_User $user ) {
145	$revoked = Auth::is_jwt_secret_revoked( $user->ID );
146	return true == $revoked ? true : false;
147	}
148	];
149
150
151
152	return $fields;
153
154	}
155
156	/**
157	* Given an array of fields, this returns an array with the new fields added
158	* @param array $fields The input fields for user mutations
159	*
160	* @return array
161	*/
162	public static function add_user_mutation_input_fields( array $fields ) {
163
164	$fields['revokeJwtUserSecret'] = [
165	'type' => Types::boolean(),
166	'description' => __( 'If true, this will revoke the users JWT secret. If false, this will unrevoke the JWT secret AND issue a new one. To revoke, the user must have proper capabilities to edit users JWT secrets.', 'wp-graphql-jwt-authentication' ),
167	];
168
169	$fields['refreshJwtUserSecret'] = [
170	'type' => Types::boolean(),
171	'description' => __( 'If true, this will refresh the users JWT secret.' ),
172	];
173
174	return $fields;
175	}
176
177	/**
178	* @param int $user_id The ID of the user being mutated
179	* @param array $input The input args of the GraphQL mutation request
180	* @param string $mutation_name The name of the mutation
181	*/
182	public static function update_jwt_fields_during_mutation( $user_id, array $input, $mutation_name ) {
183
184	/**
185	* If there was input to revokeJwtUserSecret, check the value for true or false, and
186	* revoke or unRevoke the token accordingly
187	*/
188	if ( isset( $input['revokeJwtUserSecret'] ) ) {
189	if ( true === $input['revokeJwtUserSecret'] ) {
190	Auth::revoke_user_secret( $user_id );
191	} elseif ( false === $input['revokeJwtUserSecret'] ) {
192	Auth::unrevoke_user_secret( $user_id );
193	}
194	}
195
196	/**
197	* If refreshJwtUserSecret is true.
198	*/
199	if ( isset( $input['refreshJwtUserSecret'] ) ) {
200	if ( true === $input['refreshJwtUserSecret'] ) {
201	Auth::issue_new_user_secret( $user_id );
202	}
203	}
204
205	}
206
207	/**
208	* This filters the token to prevent it from being issued if it has been revoked.
209	*
210	* @param string $token
211	* @param int $user_id
212	*
213	* @return string $token
214	*/
215	public static function prevent_token_from_returning_if_revoked( $token, $user_id ) {
216
217	/**
218	* Check to see if the user's auth secret has been revoked.
219	*/
220	$revoked = Auth::is_jwt_secret_revoked( $user_id );
221
222	/**
223	* If the token has been revoked, prevent it from being returned
224	*/
225	if ( true === $revoked ) {
226	throw new UserError( __( 'The JWT token cannot be issued for this user', 'wp-graphql-jwt-authentication' ) );
227	}
228
229	return $token;
230
231	}
232
233
234	public static function use_custom_user_expiration( $expiration ) {
235
236	$user = wp_get_current_user();
237
238	/**
239	* If there is no current user set or the current user's secret has been revoked, return null
240	*/
241	if ( 0 === $user->ID \|\| Auth::is_jwt_secret_revoked( $user->ID ) ) {
242	return null;
243	}
244
245	/**
246	* If the user has custom expiration configured, use it
247	*/
248	$user_expiration = get_user_meta( $user->ID, 'graphql_jwt_custom_expiration', true );
249	if ( ! empty( $user_expiration ) && is_string( $user_expiration ) ) {
250	$expiration = $user_expiration;
251	}
252
253	return $expiration;
254
255	}
256
257	public static function add_tokens_to_graphql_response_headers( $headers ) {
258
259	/**
260	* If there's a Refresh-Authorization token in the request headers, validate it
261	*/
262	$validate_refresh_header = Auth::validate_token( Auth::get_refresh_header(), true );
263
264	/**
265	* If the refresh token in the request headers is valid, return a JWT Auth token that can be used for future requests
266	*/
267	if ( ! is_wp_error( $validate_refresh_header ) && ! empty( $validate_refresh_header->data->user->id ) ) {
268
269	/**
270	* Get an auth token and refresh token to return
271	*/
272	$auth_token = Auth::get_token( new \WP_User( $validate_refresh_header->data->user->id ), false );
273
274	/**
275	* If the tokens can be generated (not revoked, etc), return them
276	*/
277	if ( ! empty( $auth_token ) && ! is_wp_error( $auth_token ) ) {
278	$headers['X-JWT-Auth'] = $auth_token;
279	}
280
281	}
282
283	$validate_auth_header = Auth::validate_token( null, false );
284
285	if ( ! is_wp_error( $validate_auth_header ) && ! empty( $validate_auth_header->data->user->id ) ) {
286
287	$refresh_token = Auth::get_refresh_token( new \WP_User( $validate_auth_header->data->user->id ), false );
288
289	if ( ! empty( $refresh_token ) && ! is_wp_error( $refresh_token ) ) {
290	$headers['X-JWT-Refresh'] = $refresh_token;
291	}
292
293	}
294
295	return $headers;
296
297	}
298
299	}