-
Notifications
You must be signed in to change notification settings - Fork 42
Expand file tree
/
Copy pathnamespace.php
More file actions
352 lines (306 loc) · 10.6 KB
/
namespace.php
File metadata and controls
352 lines (306 loc) · 10.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
<?php
/**
* OAuth2 Settings Page.
*
* @package WordPress
* @subpackage JSON API
*/
namespace WP\OAuth2\Admin\Settings;
use WP\OAuth2\Client;
const PAGE_SLUG = 'oauth2-settings';
/**
* Bootstrap the settings page.
*/
function bootstrap() {
add_action( 'admin_menu', __NAMESPACE__ . '\\register' );
add_action( 'admin_init', __NAMESPACE__ . '\\register_settings' );
add_action( 'admin_post_oauth2_regenerate_credentials', __NAMESPACE__ . '\\handle_regenerate' );
}
/**
* Register the settings page under Settings menu.
*/
function register() {
add_options_page(
__( 'OAuth2 Settings', 'oauth2' ),
__( 'OAuth2', 'oauth2' ),
'manage_options',
PAGE_SLUG,
__NAMESPACE__ . '\\render_page'
);
}
/**
* Register settings, sections, and fields.
*/
function register_settings() {
register_setting( 'oauth2_settings_group', 'oauth2_settings', [
'type' => 'array',
'sanitize_callback' => __NAMESPACE__ . '\\sanitize_settings',
'default' => [
'client_credentials_enabled' => false,
'client_id' => '',
'client_secret' => '',
],
] );
add_settings_section(
'oauth2_client_credentials',
__( 'Client Credentials Grant', 'oauth2' ),
__NAMESPACE__ . '\\render_section_description',
PAGE_SLUG
);
add_settings_field(
'client_credentials_enabled',
__( 'Enable Client Credentials', 'oauth2' ),
__NAMESPACE__ . '\\render_enabled_field',
PAGE_SLUG,
'oauth2_client_credentials'
);
add_settings_field(
'client_credentials_info',
__( 'Client Credentials', 'oauth2' ),
__NAMESPACE__ . '\\render_credentials_field',
PAGE_SLUG,
'oauth2_client_credentials'
);
}
/**
* Sanitize settings input.
*
* Auto-generates client_id and client_secret when enabling for the first time.
*
* @param array $input Raw input.
* @return array Sanitized settings.
*/
function sanitize_settings( $input ) {
$existing = get_option( 'oauth2_settings', [] );
$sanitized = [];
$sanitized['client_credentials_enabled'] = ! empty( $input['client_credentials_enabled'] );
// Preserve existing credentials and storage client post ID.
$sanitized['client_id'] = ! empty( $existing['client_id'] ) ? $existing['client_id'] : '';
$sanitized['client_secret'] = ! empty( $existing['client_secret'] ) ? $existing['client_secret'] : '';
$sanitized['storage_client_post_id'] = ! empty( $existing['storage_client_post_id'] ) ? $existing['storage_client_post_id'] : 0;
if ( $sanitized['client_credentials_enabled'] && empty( $sanitized['client_id'] ) ) {
$client_id = wp_generate_password( Client::CLIENT_ID_LENGTH, false );
$client_secret = wp_generate_password( Client::CLIENT_SECRET_LENGTH, false );
$post_id = create_storage_client( $client_id, $client_secret );
if ( $post_id ) {
$sanitized['client_id'] = $client_id;
$sanitized['client_secret'] = $client_secret;
$sanitized['storage_client_post_id'] = $post_id;
}
}
return $sanitized;
}
/**
* Render the section description.
*/
function render_section_description() {
echo '<p>';
esc_html_e(
'Configure the Client Credentials grant type for machine-to-machine authentication. When enabled, applications can authenticate using a client ID and secret without user interaction.',
'oauth2'
);
echo '</p>';
}
/**
* Render the enable/disable checkbox field.
*/
function render_enabled_field() {
$options = get_option( 'oauth2_settings', [] );
$enabled = ! empty( $options['client_credentials_enabled'] );
?>
<label for="oauth2-cc-enabled">
<input
type="checkbox"
id="oauth2-cc-enabled"
name="oauth2_settings[client_credentials_enabled]"
value="1"
<?php checked( $enabled ); ?>
/>
<?php esc_html_e( 'Enable the Client Credentials grant type', 'oauth2' ); ?>
</label>
<p class="description">
<?php esc_html_e( 'When disabled, client_credentials requests will be rejected. Existing authorization_code flows are not affected.', 'oauth2' ); ?>
</p>
<?php
}
/**
* Render the credentials display field.
*/
function render_credentials_field() {
$options = get_option( 'oauth2_settings', [] );
$client_id = ! empty( $options['client_id'] ) ? $options['client_id'] : '';
$client_secret = ! empty( $options['client_secret'] ) ? $options['client_secret'] : '';
if ( empty( $client_id ) ) {
echo '<p class="description">';
esc_html_e( 'Enable client credentials above and save to auto-generate credentials.', 'oauth2' );
echo '</p>';
return;
}
$regenerate_url = wp_nonce_url(
admin_url( 'admin-post.php?action=oauth2_regenerate_credentials' ),
'oauth2_regenerate_credentials'
);
?>
<table class="widefat fixed" style="max-width: 500px;">
<tbody>
<tr>
<td><strong><?php esc_html_e( 'Client ID', 'oauth2' ); ?></strong></td>
<td><code><?php echo esc_html( $client_id ); ?></code></td>
</tr>
<tr>
<td><strong><?php esc_html_e( 'Client Secret', 'oauth2' ); ?></strong></td>
<td><code><?php echo esc_html( $client_secret ); ?></code></td>
</tr>
</tbody>
</table>
<p>
<a href="<?php echo esc_url( $regenerate_url ); ?>" class="button" onclick="return confirm('<?php echo esc_js( __( 'Are you sure? This will invalidate the current credentials.', 'oauth2' ) ); ?>');">
<?php esc_html_e( 'Regenerate Credentials', 'oauth2' ); ?>
</a>
</p>
<p class="description">
<?php esc_html_e( 'Share these credentials with third-party applications. You can override them with filters in your theme or plugin:', 'oauth2' ); ?>
</p>
<pre style="background: #f0f0f0; padding: 10px; max-width: 500px; overflow-x: auto;">add_filter( 'oauth2.client_credentials.client_id', fn() => getenv( 'OAUTH2_CLIENT_ID' ) );
add_filter( 'oauth2.client_credentials.client_secret', fn() => getenv( 'OAUTH2_CLIENT_SECRET' ) );</pre>
<?php
}
/**
* Handle credential regeneration.
*/
function handle_regenerate() {
if ( ! current_user_can( 'manage_options' ) ) {
wp_die( esc_html__( 'You do not have permission to perform this action.', 'oauth2' ), 403 );
}
check_admin_referer( 'oauth2_regenerate_credentials' );
$options = get_option( 'oauth2_settings', [] );
$client_id = wp_generate_password( Client::CLIENT_ID_LENGTH, false );
$client_secret = wp_generate_password( Client::CLIENT_SECRET_LENGTH, false );
// Delete old storage client post if it exists.
$old_post_id = ! empty( $options['storage_client_post_id'] ) ? (int) $options['storage_client_post_id'] : 0;
if ( $old_post_id ) {
wp_delete_post( $old_post_id, true );
}
// Create new storage client post.
$post_id = create_storage_client( $client_id, $client_secret );
$options['client_id'] = $client_id;
$options['client_secret'] = $client_secret;
$options['storage_client_post_id'] = $post_id ?: 0;
update_option( 'oauth2_settings', $options );
wp_safe_redirect( add_query_arg( 'regenerated', '1', admin_url( 'options-general.php?page=' . PAGE_SLUG ) ) );
exit;
}
/**
* Render the settings page.
*/
function render_page() {
if ( ! current_user_can( 'manage_options' ) ) {
return;
}
?>
<div class="wrap">
<h1><?php esc_html_e( 'OAuth2 Settings', 'oauth2' ); ?></h1>
<?php if ( ! empty( $_GET['regenerated'] ) ) : // phpcs:ignore WordPress.Security.NonceVerification.Recommended ?>
<div id="message" class="updated"><p><?php esc_html_e( 'Credentials regenerated successfully.', 'oauth2' ); ?></p></div>
<?php endif; ?>
<form method="post" action="options.php">
<?php
settings_fields( 'oauth2_settings_group' );
do_settings_sections( PAGE_SLUG );
submit_button();
?>
</form>
</div>
<?php
}
/**
* Check whether the client credentials grant type is enabled.
*
* @return bool
*/
function is_client_credentials_enabled() {
$options = get_option( 'oauth2_settings', [] );
$enabled = ! empty( $options['client_credentials_enabled'] );
/**
* Filter whether the client credentials grant type is enabled.
*
* @param bool $enabled Whether client credentials are enabled.
*/
return (bool) apply_filters( 'oauth2.client_credentials.enabled', $enabled );
}
/**
* Get the client ID for client credentials validation.
*
* Returns the stored value by default. Use the filter to override with env vars.
*
* @return string
*/
function get_client_id() {
$options = get_option( 'oauth2_settings', [] );
$client_id = ! empty( $options['client_id'] ) ? $options['client_id'] : '';
/**
* Filter the client ID used for client credentials validation.
*
* @param string $client_id The client ID.
*/
return (string) apply_filters( 'oauth2.client_credentials.client_id', $client_id );
}
/**
* Get the client secret for client credentials validation.
*
* Returns the stored value by default. Use the filter to override with env vars.
*
* @return string
*/
function get_client_secret() {
$options = get_option( 'oauth2_settings', [] );
$client_secret = ! empty( $options['client_secret'] ) ? $options['client_secret'] : '';
/**
* Filter the client secret used for client credentials validation.
*
* @param string $client_secret The client secret.
*/
return (string) apply_filters( 'oauth2.client_credentials.client_secret', $client_secret );
}
/**
* Create a backing Client post for token storage.
*
* This internal Client post is used to store issued access tokens via post meta,
* ensuring compatibility with the existing token lookup and authentication flow.
*
* @param string $client_id The client ID (used as post slug).
* @param string $client_secret The client secret.
* @return int|false Post ID on success, false on failure.
*/
function create_storage_client( $client_id, $client_secret ) {
$post_id = wp_insert_post( [
'post_type' => Client::POST_TYPE,
'post_title' => __( 'Client Credentials (System)', 'oauth2' ),
'post_content' => __( 'Auto-generated client for client credentials grant. Managed via Settings > OAuth2.', 'oauth2' ),
'post_name' => $client_id,
'post_status' => 'publish',
], true );
if ( is_wp_error( $post_id ) ) {
return false;
}
update_post_meta( $post_id, Client::CLIENT_SECRET_KEY, $client_secret );
update_post_meta( $post_id, Client::TYPE_KEY, 'private' );
update_post_meta( $post_id, '_oauth2_is_system_client', true );
return $post_id;
}
/**
* Get the storage Client instance for token creation.
*
* Used by the token endpoint when credentials are overridden via filters
* and don't match the Client post slug directly.
*
* @return \WP\OAuth2\Client|null Client instance or null if not configured.
*/
function get_storage_client() {
$options = get_option( 'oauth2_settings', [] );
$post_id = ! empty( $options['storage_client_post_id'] ) ? (int) $options['storage_client_post_id'] : 0;
if ( ! $post_id ) {
return null;
}
return Client::get_by_post_id( $post_id );
}