-
Notifications
You must be signed in to change notification settings - Fork 14
/
utility.php
376 lines (305 loc) · 11.7 KB
/
utility.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
<?php
/**
* Amazon Login - Login for WordPress
*
* @category Amazon
* @package Amazon_Login
* @copyright Copyright (c) 2015 Amazon.com
* @license http://opensource.org/licenses/Apache-2.0 Apache License, Version 2.0
*/
/**
* Utilities for Login With Amazon.
*/
class LoginWithAmazonUtility {
public static $CSRF_AUTHENTICATOR_KEY = '_amazon_login_csrf_authenticator';
public static $I18N_DOMAIN = 'loginwithamazon';
private static $META_KEY_AMAZON = '_login_with_amazon';
private static $META_KEY_BOTH = '_login_with_amazon_and_native';
private static $login_error_msg = "";
private static $login_error_add = "";
/**
* @return bool
*/
public static function shouldProcessAmazonLogin() {
$get = isset($_GET['amazonLogin']) && $_GET['amazonLogin'] === '1';
$post = isset($_POST['amazonLogin']) && $_POST['amazonLogin'] === '1';
return $get || $post;
}
/**
* @return bool
*/
public static function shouldReregister() {
$get = isset($_GET['loginwithamazon_reregister']) && $_GET['loginwithamazon_reregister'] === '1';
$post = isset($_POST['loginwithamazon_reregister']) && $_POST['loginwithamazon_reregister'] === '1';
return $get || $post;
}
/**
* @return null|WP_Post
*/
public static function getAcessToken() {
$get = (isset($_GET['access_token'])) ? $_GET['access_token'] : null;
$post = (isset($_POST['access_token'])) ? $_POST['access_token'] : null;
return ($get) ?: $post;
}
/**
* @return null|WP_Post
*/
public static function getCsrfToken() {
$get = (isset($_GET['state'])) ? $_GET['state'] : null;
$post = (isset($_POST['state'])) ? $_POST['state'] : null;
return ($get) ?: $post;
}
/**
* Generates an HMAC key for the CSRF tokens
*
* @param string $authenticator The authenticator retrieved from the current session
* @return string
*/
public static function hmac($authenticator) {
return hash_hmac('sha256', $authenticator, wp_salt('NONCE_SALT'));
}
/**
* Checks an existing HMAC token against the authenticator in the current session
*
* @param string $token The token that needs validated
* @return bool
*/
public static function verifyCsrfToken($token) {
if ( isset($_SESSION[LoginWithAmazonUtility::$CSRF_AUTHENTICATOR_KEY]) ) {
$true_token = self::hmac( $_SESSION[LoginWithAmazonUtility::$CSRF_AUTHENTICATOR_KEY] );
return strcmp($token, $true_token) === 0;
}
return false;
}
/**
* Get user email address from Amazon access token.
*
* @param $accessToken string Access Token from Amazon Login widget
* @return string|bool Email Address or False
*/
public static function getEmailFromAccessToken($accessToken) {
$result = self::json_curl_wrapper('https://api.amazon.com/auth/o2/tokeninfo?access_token=' . urlencode($accessToken));
if (!isset($result['aud']) || $result['aud'] != get_option('loginwithamazon_client_id')) {
return false;
}
$result = self::json_curl_wrapper('https://api.amazon.com/user/profile', array('Authorization: bearer ' . $accessToken));
if (isset($result['email'])) {
return $result['email'];
}
return false;
}
/**
* Wrapper for JSON CURL requests.
*
* @param $url string URL to request.
* @param $headerArray array CURL request header contents.
*
* @return array JSON Decoded Results
*/
public static function json_curl_wrapper($url, $headerArray = array()) {
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_HTTPHEADER, $headerArray);
$result = curl_exec($curl);
curl_close($curl);
return json_decode($result, true);
}
/**
* Determine if user can login with Amazon
*
* @param WP_User $user WordPress user object
* @return boolean
*/
public static function isAmazonUser($user) {
if (!$user) {
return false;
}
$amazon_user_meta = get_user_meta($user->ID, self::$META_KEY_AMAZON, true);
return filter_var($amazon_user_meta, FILTER_VALIDATE_BOOLEAN);
}
/**
* Determine if user can login with either Amazon or natively
*
* @param WP_User $user WordPress user object
* @return boolean
*/
public static function isAmazonAndNativeUser($user) {
if (!$user) {
return false;
}
$amazon_and_native_user_meta = get_user_meta($user->ID, self::$META_KEY_BOTH, true);
return filter_var($amazon_and_native_user_meta, FILTER_VALIDATE_BOOLEAN);
}
/**
* Determine if user can ONLY login with Amazon
*
* @param WP_User $user WordPress user object
* @return boolean
*/
public static function isAmazonOnlyUser($user) {
return self::isAmazonUser($user) && !self::isAmazonAndNativeUser($user);
}
/**
* Login by email address.
*
* @param WP_User $user A WordPress user object
* @return void
*/
public static function createSessionFromUser($user) {
wp_set_auth_cookie( $user->ID, false, true );
wp_set_auth_cookie( $user->ID, false, false );
wp_set_current_user( $user->ID, $user->user_login );
do_action( 'wp_login', $user->user_login, $user );
wp_redirect( admin_url() );
exit;
}
/**
* Find a WordPress user via their email address
*
* @param $email
* @return false|WP_User
*/
public static function findUserByEmail($email) {
return get_user_by( 'email', $email );
}
/**
* Login or create account by email address.
*
* @param string $email Email Address
* @return WP_User|WP_Error
*/
public static function findOrCreateUserByEmail($email) {
$user = self::findUserByEmail($email);
if ($user) {
if (self::isAmazonUser($user)) {
return $user;
} else {
// Add fields to the form and manipulate the UI
add_action( 'login_form', array('LoginWithAmazonUtility', 'addReregisterFieldsToForm') );
wp_enqueue_script('loginwithamazon_reregister', LOGINWITHAMAZON__PLUGIN_URL . 'reregister.js', array('jquery'));
if (self::shouldReregister() ) {
$pwd = ( isset($_POST['pwd']) ) ? $_POST['pwd'] : null;
$auth_user = wp_authenticate($user->user_login, $pwd);
if ( is_wp_error($auth_user) ) {
// Could not authenticate with the given password
self::changeLoginError(null);
$msg = "Sorry, that password is not correct. Please re-enter your password to " .
"enable <em>Login with Amazon</em>";
return new WP_Error( 'login', __( $msg, self::$I18N_DOMAIN ) );
} else {
// Success. Set db reference fields and return the authorized user
add_user_meta($user->ID, self::$META_KEY_AMAZON, true);
add_user_meta($user->ID, self::$META_KEY_BOTH, true);
return $auth_user;
}
} else {
// User is native, tell ask for password to connect their account to Amazon
$msg = "It looks you're already registered directly with this website. Enter your password below " .
"to enable <em>Login with Amazon.</em>";
return new WP_Error( 'login', __( $msg, self::$I18N_DOMAIN ) );
}
}
}
$password = wp_generate_password();
$user_id = wp_create_user($email, $password, $email);
$user = get_user_by( 'id', $user_id );
// Set metadata to mark it as an Amazon account
add_user_meta($user->ID, self::$META_KEY_AMAZON, true);
// Generate a random, invalid password to prevent native logins
self::setInvalidPasswordForUser($user);
return $user;
}
/**
* Change the login form error and call the filter so that it will display
*
* @param string $message
*/
public static function changeLoginError($message) {
self::$login_error_msg = $message;
add_filter( 'login_errors', array('LoginWithAmazonUtility', 'changeErrorOnLoginForm'), 10, 0 );
}
/**
* Used by the `login_errors` filter to change the error
*
* @return string
*/
public static function changeErrorOnLoginForm() {
return self::$login_error_msg;
}
/**
* Set a login form message and call the filter so that it will display
*
* @param string $message
*/
public static function addLoginError($message) {
self::$login_error_add = $message;
add_filter( 'login_message', array('LoginWithAmazonUtility', 'displayErrorOnLoginForm'), 10, 0 );
}
/**
* Used by the `login_message` filter to display a message on the login form
*
* @return string
*/
public static function displayErrorOnLoginForm() {
$msg = self::$login_error_add;
return "<p id=\"login_error\">$msg</p>";
}
/**
* Used by the `registration_errors` filter. Adds an error when a user tries to
* natively register an account that was already created with Amazon.
*
* @param $errors
* @param $sanitized_user_login
* @param $user_email
* @return mixed
*/
public static function registrationErrors($errors, $sanitized_user_login, $user_email) {
$user = self::findUserByEmail($user_email);
if ( self::isAmazonOnlyUser($user) ) {
$url = "https://www.amazon.com/gp/css/account/forgot-password/email.html";
$msg = "<br><h2>Login with Amazon</h2>" .
"<br>It appears you've already registered with your Amazon account. " .
"<a href=\"".wp_lostpassword_url()."\">Reset your WordPress pasword</a> to gain access." .
"<br><br>You may also continue using the <em>Login with Amazon</em> button below to gain access. " .
"If you are having trouble logging in with your Amazon account, you may " .
"<a href=\"$url\" target=\"_blank\">recover your Amazon account here.</a>";
$errors->add( "login", __($msg, self::$I18N_DOMAIN) );
}
return $errors;
}
/**
* Set a custom password after registration.
*
* @param WP_User $user WordPress user object
* @return WP_User
*/
public static function setInvalidPasswordForUser($user) {
if ( self::isAmazonOnlyUser($user) ) {
global $wpdb;
$pass = 'LOGINWITHAMAZON00000000000000000';
$wpdb->update(
'wp_users',
array('user_pass' => $pass),
array('ID' => $user->ID),
array('%s'),
array('%d')
);
clean_user_cache($user);
return self::findUserByEmail($user->user_email);
}
return $user;
}
/**
* Add hidden fields to login form for the re-register process
*
* @return void
*/
public static function addReregisterFieldsToForm() {
?>
<input type="hidden" name="amazonLogin" value="1">
<input type="hidden" name="access_token" value="<?php echo self::getAcessToken(); ?>">
<input type="hidden" name="state" value="<?php echo self::getCsrfToken(); ?>">
<input type="hidden" name="loginwithamazon_reregister" value="1">
<?php
}
}