Code Coverage for /home/runner/work/bh-wp-autologin-urls/bh-wp-autologin-urls/src/wp-includes/class-login.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	0.00% covered (danger)	0.00%	0 / 78	0.00% covered (danger)	0.00%	0 / 3	CRAP	0.00% covered (danger)	0.00%	0 / 1
Login	0.00% covered (danger)	0.00%	0 / 78	0.00% covered (danger)	0.00%	0 / 3	380	0.00% covered (danger)	0.00%	0 / 1
__construct	0.00% covered (danger)	0.00%	0 / 4	0.00% covered (danger)	0.00%	0 / 1	2
process	0.00% covered (danger)	0.00%	0 / 60	0.00% covered (danger)	0.00%	0 / 1	156
maybe_redirect	0.00% covered (danger)	0.00%	0 / 14	0.00% covered (danger)	0.00%	0 / 1	42

1	<?php
2	/**
3	* The actual logging in functionality of the plugin.
4	*
5	* Distinct from login UI.
6	*
7	* @link https://BrianHenry.ie
8	* @since 1.0.0
9	*
10	* @package brianhenryie/bh-wp-autologin-urls
11	*/
12
13	namespace BrianHenryIE\WP_Autologin_URLs\WP_Includes;
14
15	use BrianHenryIE\WP_Autologin_URLs\API_Interface;
16	use BrianHenryIE\WP_Autologin_URLs\API\Integrations\User_Finder_Factory;
17	use BrianHenryIE\WP_Autologin_URLs\Settings_Interface;
18	use BrianHenryIE\WP_Autologin_URLs\WooCommerce\Checkout;
19	use Psr\Log\LoggerAwareTrait;
20	use Psr\Log\LoggerInterface;
21	use WP_User;
22
23	/**
24	* The actual logging-in functionality of the plugin.
25	*/
26	class Login {
27
28	use LoggerAwareTrait;
29
30	const MAX_BAD_LOGIN_ATTEMPTS = 5;
31	const MAX_BAD_LOGIN_PERIOD_SECONDS = 60 * 60 * 24; // Aka DAY_IN_SECONDS.
32
33	/**
34	* Not in use?
35	*
36	* @var Settings_Interface
37	*/
38	protected Settings_Interface $settings;
39
40	/**
41	* Core API methods for verifying autologin querystring.
42	*
43	* @var API_Interface
44	*/
45	protected API_Interface $api;
46
47	/**
48	* This plugin can parse URLs for MailPoet, The Newsletter Plugin, and Klaviyo, and AutologinUrls own
49	* querystring parameter. The factory returns valid User_Finders for each.
50	*
51	* @var User_Finder_Factory
52	*/
53	protected User_Finder_Factory $user_finder_factory;
54
55	/**
56	* Initialize the class and set its properties.
57	*
58	* @param API_Interface $api The core plugin functions.
59	* @param Settings_Interface $settings The plugin's settings.
60	* @param LoggerInterface $logger The logger instance.
61	* @param ?User_Finder_Factory $user_finder_factory Factory to return a class that can determine the user from the URL.
62	*
63	* @since 1.0.0
64	*/
65	public function __construct( API_Interface $api, Settings_Interface $settings, LoggerInterface $logger, ?User_Finder_Factory $user_finder_factory = null ) {
66	$this->setLogger( $logger );
67
68	$this->settings = $settings;
69	$this->api = $api;
70
71	$this->user_finder_factory = $user_finder_factory ?? new User_Finder_Factory( $this->api, $this->settings, $this->logger );
72	}
73
74	/**
75	* The primary handler of the plugin, that reads the request querystring and checks it for autologin parameters.
76	*
77	* @hooked determine_current_user
78	*
79	* @param int\|bool $user_id The already determined user ID, or false if none.
80	* @return int\|bool
81	*/
82	public function process( $user_id ) {
83
84	remove_action( 'determine_current_user', array( $this, 'process' ), 30 );
85
86	// If we're logged in already, or there's no querystring to parse, just return.
87	// phpcs:ignore WordPress.Security.NonceVerification.Recommended
88	if ( $user_id \|\| empty( $_GET ) ) {
89	return $user_id;
90	}
91
92	// Check for bots.
93	// Use the null coalescing operator to ensure $user_agent is always a string.
94	// This prevents passing null to strpos, which is deprecated in newer PHP versions.
95	$user_agent = filter_input( INPUT_SERVER, 'HTTP_USER_AGENT' ) ?? '';
96	$bot = false !== strpos( $user_agent, 'bot' );
97	if ( $bot ) {
98	return $user_id;
99	}
100
101	// Maybe use a cookie to only use an autologin URL once every x minutes.
102
103	// Checks does the querystring contain an autologin parameter.
104	$user_finder = $this->user_finder_factory->get_user_finder();
105
106	if ( is_null( $user_finder ) ) {
107	// No querystring was present, this was not an attempt to log in.
108	return $user_id;
109	}
110
111	$user_array = $user_finder->get_wp_user_array();
112
113	if ( isset( $user_array['wp_user'] ) && $user_array['wp_user'] instanceof WP_User ) {
114	$this->logger->debug( "Found `wp_user:{$user_array['wp_user']->ID}`." );
115	$wp_user = $user_array['wp_user'];
116	$user_id = $wp_user->ID;
117	} elseif ( ! empty( $user_array['user_data'] ) ) {
118	// If no WP_User account was found, but other user data was found that could be used for WooCommerce, prepopulate the checkout fields.
119	$this->logger->debug( 'No wp_user found, preloading WooCommerce fields.', $user_array );
120	$prefill_checkout_fields = function () use ( $user_array ) {
121	$woocommerce_checkout = new Checkout( $this->logger );
122	$woocommerce_checkout->prefill_checkout_fields( $user_array['user_data'] );
123	};
124	if ( did_action( 'woocommerce_init' ) ) {
125	$prefill_checkout_fields();
126	} else {
127	add_action( 'woocommerce_init', $prefill_checkout_fields );
128	}
129	return $user_id;
130	} else {
131	$this->logger->debug( 'Could not find wp_user or user data using request URL.' );
132	return $user_id;
133	}
134
135	$ip_address = $this->api->get_ip_address();
136
137	if ( empty( $ip_address ) ) {
138	// This would be empty during cron jobs and WP CLI.
139	return $user_id;
140	}
141
142	// Log each attempt to log in, prevent too many attempts by any one IP.
143	if ( ! $this->api->should_allow_login_attempt( "ip:{$ip_address}" ) ) {
144	return $user_id;
145	}
146
147	// Rate limit too many failed attempts at logging in the one user.
148	if ( ! $this->api->should_allow_login_attempt( "wp_user:{$wp_user->ID}" ) ) {
149	return $user_id;
150	}
151
152	/**
153	* Although cookies will be set in a moment, they won't be available in the `$_COOKIE` array,
154	* and they need to be to log into wp-admin via the autologin URL.
155	*
156	* @see wp-admin/admin.php
157	* @see auth_redirect()
158	* @see wp_parse_auth_cookie()
159	*/
160	add_action(
161	'set_auth_cookie',
162	function ( $auth_cookie ) {
163	global $_COOKIE;
164	$_COOKIE[ AUTH_COOKIE ] = $auth_cookie;
165	$_COOKIE[ SECURE_AUTH_COOKIE ] = $auth_cookie;
166	}
167	);
168
169	add_action(
170	'set_logged_in_cookie',
171	function ( $logged_in_cookie ) {
172	global $_COOKIE;
173	$_COOKIE[ LOGGED_IN_COOKIE ] = $logged_in_cookie;
174	}
175	);
176
177	// @see https://developer.wordpress.org/reference/functions/wp_set_current_user/
178	wp_set_current_user( $wp_user->ID, $wp_user->user_login );
179	wp_set_auth_cookie( $wp_user->ID );
180	add_action(
181	'init',
182	function () use ( $wp_user ) {
183	do_action( 'wp_login', $wp_user->user_login, $wp_user );
184	}
185	);
186
187	$this->logger->info( "User wp_user:{$wp_user->ID} logged in via {$user_array['source']}." );
188
189	$this->maybe_redirect();
190
191	return $user_id;
192	}
193
194	/**
195	* If the request is for wp-login.php, we should redirect to home or to the specified redirect_to url.
196	*/
197	protected function maybe_redirect(): void {
198
199	if ( ! isset( $_SERVER['REQUEST_URI'] ) ) {
200	// Cron, WP CLI.
201	return;
202	}
203
204	$request_uri = esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
205
206	// Check is the requested URL wp-login.php. Otherwise we don't want to redirect.
207	$wp_login_endpoint = str_replace( get_site_url(), '', wp_login_url() );
208	if ( ! stristr( $request_uri, $wp_login_endpoint ) ) {
209	return;
210	}
211
212	// Check we're on wp-login.php?redirect_to=...
213	// We won't have a nonce here if the link is from an email.
214	// phpcs:disable WordPress.Security.NonceVerification.Recommended
215	if ( isset( $_GET['redirect_to'] ) ) {
216
217	$url = filter_var( wp_unslash( $_GET['redirect_to'] ), FILTER_SANITIZE_STRING );
218	if ( false === $url ) {
219	return;
220	}
221	$redirect_to = urldecode( $url );
222
223	} else {
224	// TODO: There's a filter determining what the destination URL should be when logging in a user.
225	$redirect_to = get_site_url();
226	}
227
228	if ( wp_safe_redirect( $redirect_to ) ) {
229	exit();
230	}
231	}
232	}