Code Coverage

| | Lines | Functions and Methods | CRAP | Classes and Traits |
|---|---|---|---|---|
| Total | 0.00% (0 / 21) | 0.00% (0 / 3) | | 0.00% (0 / 1) |
| `Autologin_URLs` | 0.00% (0 / 21) | 0.00% (0 / 3) | 132 | 0.00% (0 / 1) |
| `__construct` | 0.00% (0 / 2) | 0.00% (0 / 1) | 2 | |
| `is_querystring_valid` | 0.00% (0 / 1) | 0.00% (0 / 1) | 2 | |
| `get_wp_user_array` | 0.00% (0 / 18) | 0.00% (0 / 1) | 90 | |
1 | <?php |
2 | |
3 | namespace BrianHenryIE\WP_Autologin_URLs\API\Integrations; |
4 | |
5 | use BrianHenryIE\WP_Autologin_URLs\API_Interface; |
6 | use BrianHenryIE\WP_Autologin_URLs\API\User_Finder_Interface; |
7 | use Psr\Log\LoggerAwareInterface; |
8 | use Psr\Log\LoggerAwareTrait; |
9 | use Psr\Log\LoggerInterface; |
10 | use WP_User; |
11 | |
12 | /** |
13 | * The $_GET data is coming from links clicked outside WordPress; it will not have a nonce. |
14 | * |
15 | * phpcs:disable WordPress.Security.NonceVerification.Recommended |
16 | */ |
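class Autologin_URLs implements User_Finder_Interface, LoggerAwareInterface {
	use LoggerAwareTrait;

	/**
	 * Name of the querystring parameter that carries the `{user_id}~{password}` autologin code.
	 */
	const QUERYSTRING_PARAMETER_NAME = 'autologin';

	/**
	 * Used to check the password part of the autologin code against the user id part.
	 */
	protected API_Interface $api;

	/**
	 * @param API_Interface   $api    Provides verify_autologin_password().
	 * @param LoggerInterface $logger PSR logger, stored through LoggerAwareTrait::setLogger().
	 */
	public function __construct( API_Interface $api, LoggerInterface $logger ) {
		$this->setLogger( $logger );
		$this->api = $api;
	}

	/**
	 * Determine if the querystring parameter needed for this integration is present.
	 *
	 * This only checks that the parameter exists. Its format and the password are
	 * checked in get_wp_user_array().
	 */
	public function is_querystring_valid(): bool {
		return isset( $_GET[ self::QUERYSTRING_PARAMETER_NAME ] );
	}

	/**
	 * Find the user identified by the autologin querystring. Should run before wp_set_current_user
	 * so it is run before other code expects a user to be set, i.e. run it on
	 * plugins_loaded and not init.
	 *
	 * The expected format is `{user_id}~{password}`: a decimal user id, a tilde, and an
	 * alphanumeric password. `wp_user` is only set when the API accepts the password for
	 * that user id and the user still exists; in every other case it stays null.
	 *
	 * @hooked plugins_loaded
	 *
	 * @see https://codex.wordpress.org/Plugin_API/Action_Reference
	 * @see _wp_get_current_user()
	 *
	 * @return array{source:string, wp_user:WP_User|null, user_data?:array<string,string>}
	 */
	public function get_wp_user_array(): array {

		$result = array(
			'source'    => 'Autologin URL',
			'wp_user'   => null,
			'user_data' => array(),
		);

		// This input is not coming from a WordPress page so cannot have a nonce.
		// phpcs:disable WordPress.Security.NonceVerification.Recommended

		if ( ! isset( $_GET[ self::QUERYSTRING_PARAMETER_NAME ] ) ) {
			return $result;
		}

		// The value carries a credential: do not pass it, or $password, to $this->logger.
		$autologin_querystring = sanitize_text_field( wp_unslash( $_GET[ self::QUERYSTRING_PARAMETER_NAME ] ) );

		// A value without "~" yields a single element. Reject it here rather than letting
		// list() read a missing index and raise a PHP warning on request-controlled input.
		$parts = explode( '~', $autologin_querystring, 2 );
		if ( 2 !== count( $parts ) ) {
			return $result;
		}

		list( $user_id, $password ) = $parts;

		// ctype_digit() accepts only the canonical decimal form. is_numeric() would also let
		// through values such as "1.9", "1e3" or " 12", which intval() then maps to a user id
		// that is not literally the one written in the URL.
		if ( empty( $user_id ) || empty( $password ) || ! ctype_digit( $user_id ) || ! ctype_alnum( $password ) ) {
			return $result;
		}

		$user_id = intval( $user_id );

		// NOTE(review): verify_autologin_password() is declared on API_Interface and is not
		// visible here; expiry and constant-time comparison are assumed to be handled there — confirm.
		if ( $this->api->verify_autologin_password( $user_id, $password ) ) {

			$wp_user = get_user_by( 'id', $user_id );
			if ( $wp_user instanceof WP_User ) {
				// e.g. The user account may have been deleted since the link was created.
				$result['wp_user'] = $wp_user;
			}
		}

		// Label only: it is applied whenever `magic` is present, including when verification
		// failed and `wp_user` is still null. Callers must decide on `wp_user`, not `source`.
		if ( isset( $_GET['magic'] ) ) {
			$result['source'] = 'Magic Email';
		}

		return $result;
	}
}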