public function checkLoginToken(MWP_Event_PublicRequest $event)
{
$request = $event->getRequest();
if (empty($request->query['auto_login']) || empty($request->query['signature']) || empty($request->query['message_id']) || !array_key_exists('mwp_goto', $request->query)) {
return;
}
if (!$this->configuration->getPublicKey()) {
// Site is not connected to a master instance.
return;
}
$username = empty($request->query['username']) ? null : $request->query['username'];
if ($username === null) {
$users = $this->context->getUsers(array('role' => 'administrator', 'number' => 1, 'orderby' => 'ID'));
if (empty($users[0]->user_login)) {
throw new MWP_Worker_Exception(MWP_Worker_Exception::AUTO_LOGIN_USERNAME_REQUIRED, "We could not find an administrator user to use. Please contact support.");
}
$username = $users[0]->user_login;
}
$where = isset($request->query['mwp_goto']) ? $request->query['mwp_goto'] : '';
$signature = base64_decode($request->query['signature']);
$messageId = $request->query['message_id'];
try {
$this->nonceManager->useNonce($messageId);
} catch (MWP_Security_Exception_NonceFormatInvalid $e) {
$this->context->wpDie(__("The automatic login token is invalid. Please try again, or, if this keeps happening, contact support.", 'worker'), '', 200);
} catch (MWP_Security_Exception_NonceExpired $e) {
$this->context->wpDie(__("The automatic login token has expired. Please try again, or, if this keeps happening, contact support.", 'worker'), '', 200);
} catch (MWP_Security_Exception_NonceAlreadyUsed $e) {
$this->context->wpDie(__("The automatic login token was already used. Please try again, or, if this keeps happening, contact support.", 'worker'), '', 200);
}
if ($secureKey = $this->configuration->getSecureKey()) {
// Legacy support, to be removed.
$verify = md5($where . $messageId . $secureKey) === $signature;
} else {
$verify = $this->signer->verify($where . $messageId, $signature, $this->configuration->getPublicKey());
}
if (!$verify) {
$this->context->wpDie(__("The automatic login token is invalid. Please check if this website is properly connected with your dashboard, or, if this keeps happening, contact support.", 'worker'), '', 200);
}
$user = $this->context->getUserByUsername($username);
if ($user === null) {
$this->context->wpDie(sprintf(__("User <strong>%s</strong> could not be found.", 'worker'), htmlspecialchars($username)), '', 200);
}
$this->context->setCurrentUser($user);
$this->attachSessionTokenListener();
$this->context->setAuthCookie($user);
$adminUri = rtrim($this->context->getAdminUrl(''), '/') . '/' . $where;
$redirectUri = $this->modifyUriParameters($adminUri, $request->query, array('signature', 'username', 'auto_login', 'message_id', 'mwp_goto', 'mwpredirect'));
$this->context->setCookie($this->getCookieName(), '1');
$event->setResponse(new MWP_Http_RedirectResponse($redirectUri, 302, array('P3P' => 'CP="CAO PSA OUR"')));
}
public function checkLoginToken(MWP_Event_PublicRequest $event)
{
$request = $event->getRequest();
if ($request->getMethod() !== 'GET') {
return;
}
if (!$this->configuration->getPublicKey()) {
// Site is not connected to a master instance.
return;
}
if (empty($request->query['auto_login']) || empty($request->query['signature']) || empty($request->query['message_id']) || !array_key_exists('mwp_goto', $request->query)) {
return;
}
// Some sites will redirect from HTTP to HTTPS or from non-www to www URL too late; so handle that case here.
$siteUrl = $this->context->getSiteUrl();
$isWww = substr($request->server['HTTP_HOST'], 0, 4) === 'www.';
$isHttps = $this->context->isSsl();
$shouldWww = preg_match('{^https?://www\\.}', $siteUrl);
$shouldHttps = $this->context->isSslAdmin();
$alreadyRedirected = !empty($request->query['auto_login_fixed']);
if ((!$isHttps !== $shouldHttps || !$isWww !== $shouldWww) && !$alreadyRedirected) {
$prefix = sprintf('%s://%s', $shouldHttps ? 'https' : 'http', $shouldWww ? 'www.' : '');
// Replace the scheme and the www. prefix and remove the request URI.
$redirectUri = $prefix . preg_replace('{^https?://(?:www\\.)?([^/]+).*$}', '$1', $siteUrl);
// Attach the current request URI to a fixed site URL.
$redirectUri = $redirectUri . $request->server['REQUEST_URI'];
// Prevent infinite loop with the added parameter.
$redirectUri = $this->modifyUriParameters($redirectUri, array('auto_login_fixed' => 'yes'));
$event->setResponse(new MWP_Http_RedirectResponse($redirectUri, 302, array('P3P' => 'CP="CAO PSA OUR"')));
return;
}
$username = empty($request->query['username']) ? null : $request->query['username'];
if ($username === null) {
$users = $this->context->getUsers(array('role' => 'administrator', 'number' => 1, 'orderby' => 'ID'));
if (empty($users[0]->user_login)) {
throw new MWP_Worker_Exception(MWP_Worker_Exception::AUTO_LOGIN_USERNAME_REQUIRED, "We could not find an administrator user to use. Please contact support.");
}
$username = $users[0]->user_login;
}
$where = isset($request->query['mwp_goto']) ? $request->query['mwp_goto'] : '';
$signature = base64_decode($request->query['signature']);
$messageId = $request->query['message_id'];
try {
$this->nonceManager->useNonce($messageId);
} catch (MWP_Security_Exception_NonceFormatInvalid $e) {
$this->context->wpDie(__("The automatic login token is invalid. Please try again, or, if this keeps happening, contact support.", 'worker'), '', 200);
} catch (MWP_Security_Exception_NonceExpired $e) {
$this->context->wpDie(__("The automatic login token has expired. Please try again, or, if this keeps happening, contact support.", 'worker'), '', 200);
} catch (MWP_Security_Exception_NonceAlreadyUsed $e) {
$this->context->wpDie(__("The automatic login token was already used. Please try again, or, if this keeps happening, contact support.", 'worker'), '', 200);
}
if ($secureKey = $this->configuration->getSecureKey()) {
// Legacy support, to be removed.
$verify = md5($where . $messageId . $secureKey) === $signature;
} else {
$verify = $this->signer->verify($where . $messageId, $signature, $this->configuration->getPublicKey());
}
if (!$verify) {
$this->context->wpDie(__("The automatic login token is invalid. Please check if this website is properly connected with your dashboard, or, if this keeps happening, contact support.", 'worker'), '', 200);
}
$user = $this->context->getUserByUsername($username);
if ($user === null) {
$this->context->wpDie(sprintf(__("User <strong>%s</strong> could not be found.", 'worker'), htmlspecialchars($username)), '', 200);
}
$this->context->setCurrentUser($user);
$this->attachSessionTokenListener();
$this->context->setAuthCookie($user);
$adminUri = rtrim($this->context->getAdminUrl(''), '/') . '/' . $where;
$redirectUri = $this->modifyUriParameters($adminUri, $request->query, array('signature', 'username', 'auto_login', 'message_id', 'mwp_goto', 'mwpredirect', 'auto_login_fixed'));
$this->context->setCookie($this->getCookieName(), '1');
$event->setResponse(new MWP_Http_RedirectResponse($redirectUri, 302, array('P3P' => 'CP="CAO PSA OUR"')));
}
