
Changeset 12428


Timestamp:
02/27/2023 05:44:29 AM (3 years ago)
Author:
dd32
Message:

WordPress.org SSO: Pass the WordPress Session token through the remote-login bounce (for non-.wordpress.org domains), so that the session on either side of the request will match.

File:
1 edited

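--- a/sites/trunk/common/includes/wporg-sso/wp-plugin.php
+++ b/sites/trunk/common/includes/wporg-sso/wp-plugin.php
@@ -92,5 +92,5 @@
 
                     // Updated TOS interceptor.
-                    add_filter( 'send_auth_cookies', [ $this, 'maybe_block_auth_cookies' ], 100, 4 );
+                    add_filter( 'send_auth_cookies', [ $this, 'maybe_block_auth_cookies' ], 100, 5 );
                 }
             }
@@ -585,5 +585,5 @@
             if ( $remote_token && $remote_token['valid'] && $remote_token['user'] ) {
                 wp_set_current_user( $remote_token['user']->ID );
-                wp_set_auth_cookie( $remote_token['user']->ID, (bool) $remote_token['remember_me'] );
+                wp_set_auth_cookie( $remote_token['user']->ID, (bool) $remote_token['remember_me'], true, $remote_token['session_token'] );
             }
 
@@ -704,9 +704,10 @@
              * This is only useful for login tokens, but causes no harm for loggout tokens.
              */
-            $auth_cookie_parts = wp_parse_auth_cookie( '', 'secure_auth' );
+            $auth_cookie_parts = wp_parse_auth_cookie( '', 'logged_in' );
             $remember_me       = ! empty( $_POST['rememberme'] ) || ( $auth_cookie_parts && $auth_cookie_parts['expiration'] >= ( time() + ( 2 * DAY_IN_SECONDS ) ) );
-
-            $hash        = $this->_generate_remote_token_hash( $user, $valid_until, $remember_me );
-            $sso_token   = $user->ID . '|' . $hash . '|' . $valid_until . '|' . $remember_me;
+            $session_token     = wp_get_session_token();
+
+            $hash        = $this->_generate_remote_token_hash( $user, $valid_until, $remember_me, $session_token );
+            $sso_token   = $user->ID . '|' . $hash . '|' . $valid_until . '|' . $remember_me . '|' . $session_token;
 
             return $sso_token;
@@ -716,9 +717,9 @@
          * Generate a hash for remote-login for non-wordpress.org domains
          */
-        protected function _generate_remote_token_hash( $user, $valid_until, $remember_me = false ) {
+        protected function _generate_remote_token_hash( $user, $valid_until, $remember_me = false, $session_token = '' ) {
             // re-use the same frag that Auth cookies use to invalidate sessions.
             $pass_frag = substr( $user->user_pass, 8, 4 );
-            $key       = wp_hash( $user->user_login . '|' . $pass_frag . '|' . $valid_until, 'wporg_sso' );
-            $hash      = hash_hmac( 'sha256', $user->user_login . '|' . $valid_until . '|' . (int) $remember_me, $key );
+            $key       = wp_hash( $user->user_login . '|' . $pass_frag . '|' . $valid_until . '|' . $session_token, 'wporg_sso' );
+            $hash      = hash_hmac( 'sha256', $user->user_login . '|' . $valid_until . '|' . (int) $remember_me . '|' . $session_token, $key );
 
             return $hash;
@@ -731,10 +732,10 @@
          * @return array If the token was valid.
          */
-        protected function _validate_remote_token( $token ) {
-            if ( ! is_string( $token ) || 3 !== substr_count( $token, '|' ) ) {
+        protected function _validate_remote_token( $sso_token ) {
+            if ( ! is_string( $sso_token ) || 4 !== substr_count( $sso_token, '|' ) ) {
                 wp_die( 'Invalid token.' );
             }
 
-            list( $user_id, $sso_hash, $valid_until, $remember_me ) = explode( '|', $token, 4 );
+            list( $user_id, $sso_hash, $valid_until, $remember_me, $session_token ) = explode( '|', $sso_token, 4 );
 
             $expiration_valid = (
@@ -753,4 +754,5 @@
             }
 
+            // Validate that the remote login token is valid.
             $valid = ( $expiration_valid && $valid_hash );
 
@@ -758,5 +760,6 @@
                 'valid',
                 'user',
-                'remember_me'
+                'remember_me',
+                'session_token'
             );
         }
@@ -777,5 +780,5 @@
          * to the updated policy interstitial if required.
          */
-        public function maybe_block_auth_cookies( $send_cookies, $expire, $expiration, $user_id ) {
+        public function maybe_block_auth_cookies( $send_cookies, $expire, $expiration, $user_id, $token = '' ) {
             if (
                 $user_id &&
@@ -785,5 +788,5 @@
 
                 // Set a cookie so that we can keep the user in a auth'd (but not) state.
-                $token_cookie = wp_generate_auth_cookie( $user_id, time() + HOUR_IN_SECONDS, 'tos_token' );
+                $token_cookie = wp_generate_auth_cookie( $user_id, time() + HOUR_IN_SECONDS, 'tos_token', $token );
                 $remember_me  = ( 0 !== $expire );
 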
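Review bot: The explode limit on the new `list(...)` line in `_validate_remote_token` is still 4 while the token now carries five `|`-separated fields, so `$session_token` is never assigned (undefined array key 4 on PHP 8) and `$remember_me` receives the combined `"<remember_me>|<session_token>"` tail; the line should read `list( $user_id, $sso_hash, $valid_until, $remember_me, $session_token ) = explode( '|', $sso_token, 5 );` to match the `4 !== substr_count(...)` guard directly above it. Since the hash recomputed for `$valid_hash` (outside this hunk) presumably now includes the session token, the practical effect is that every bounce fails validation rather than being accepted with the wrong session, but the limit still has to be corrected for the feature to work; `_validate_remote_token` continues past the hunk. Separately, `maybe_block_auth_cookies` is now registered with 5 accepted args and names the fifth `$token`; if core's `send_auth_cookies` filter passes `$scheme` as its fifth argument and `$token` as the sixth (as the 6.2 signature does), the handler would hand the scheme string to `wp_generate_auth_cookie()` as the session token, so the registration should be confirmed and, if so, bumped to 6 with a `$scheme` parameter inserted before `$token`.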