Changeset 12223 for sites/trunk/common/includes/wporg-sso/wp-plugin.php

Timestamp:

11/08/2022 03:52:54 AM (3 years ago)

Author:

dd32

Message:

Login: SSO: When performing a remote-login (ie. wordpress.org => buddypress.org) use the redirect_to as the SSO login destination instead of relying upon /wp-login.php being accessible at the root.

This opens up support for Multisite Subdirectory installs, such as WordCamp.org.

File:

• sites/trunk/common/includes/wporg-sso/wp-plugin.php (modified) (6 diffs)

sites/trunk/common/includes/wporg-sso/wp-plugin.php

@@ -258 +258 @@
             add_filter( 'register_url', array( $this, 'register_url' ), 20 );
 
+            // Maybe do a Remote SSO login
+            $this->_maybe_perform_remote_login();
+
             if ( preg_match( '!/wp-signup\.php$!', $_SERVER['REQUEST_URI'] ) ) {
                 // Note: wp-signup.php is not a physical file, and so it's matched on it's request uri.
@@ -273 +276 @@
                     // Allow logout on non-dotorg hosts.
                     if ( isset( $_GET['action'] ) && empty( $_POST ) && 'logout' == $_GET['action'] ) {
-                        if ( ! preg_match( '!wordpress\.org$!', $_SERVER['HTTP_HOST'] ) ) {
+                        if ( ! preg_match( '!wordpress\.org$!', $this->host ) ) {
                             return;
                         }
-                    }
-
-                    // Remote SSO login?
-                    if ( isset( $_GET['action'] ) && 'remote-login' === $_GET['action'] && ! empty( $_GET['sso_token'] ) ) {
-                        $this->_maybe_perform_remote_login();
                     }
 
@@ -479 +477 @@
                 $redirect = wp_get_referer();
                 if (
-                    str_starts_with( $redirect, wp_login_url() ) &&
-                    ! str_contains( $redirect, '/wp-admin/' )
+                    str_starts_with( $redirect, wp_login_url() ) ||
+                    str_contains( $redirect, '/wp-admin/' )
                 ) {
                     $redirect = home_url('/');
@@ -524 +522 @@
          */
         protected function _maybe_perform_remote_login() {
+            if ( empty( $_GET['sso_token'] ) ) {
+                return;
+            }
+
             $remote_token = wp_unslash( $_GET['sso_token'] );
             if ( ! is_string( $remote_token ) || 3 !== substr_count( $remote_token, '|' ) ) {
@@ -552 +554 @@
                 if ( isset( $_GET['redirect_to'] ) ) {
                     $this->_safe_redirect( wp_unslash( $_GET['redirect_to'] ) );
+
+                } elseif ( ! str_contains( $this->script, '/wp-login.php' ) ) {
+                    // SSO login, no redirect_url, and on a not-a-login page. Remove sso arg and redirect to self.
+                    $this->_safe_redirect( remove_query_arg( 'sso_token' ) );
+
                 } else {
                     $this->_safe_redirect( home_url( '/' ) );
+
                 }
+                exit;
+            } else {
+                // Invalid auth, remove the query var.
+                $this->_safe_redirect( remove_query_arg( 'sso_token' ) );
                 exit;
             }
@@ -589 +601 @@
                 $sso_token   = $user->ID . '|' . $hash . '|' . $valid_until . '|' . $remember_me;
 
-                $redirect = add_query_arg(
-                    array(
-                        'action'      => 'remote-login',
-                        'sso_token'   => urlencode( $sso_token ),
-                        'redirect_to' => urlencode( $redirect ),
-                    ),
-                    'https://' . $redirect_host . '/wp-login.php' // Assume that wp-login exists and is accessible
-                );
+                $redirect = add_query_arg( 'sso_token', urlencode( $sso_token ), $redirect );
             }