From 836500a495e0162dd40860959a8446acada62fcb Mon Sep 17 00:00:00 2001
From: Rob Skilling
Date: Tue, 2 Jun 2020 16:12:19 +0100
Subject: [PATCH] Increase detail of state token errors

Before: a missing state error could be returned for 3 reasons: a token was not provided, the token provided was invalid, or the token provided had expired. There was no way of knowing which of these was the cause of any single missing state error.

Now: if no token is provided, a missing state error is returned, and the "openid-connect-generic-no-state-provided" action is called. If the token provided is invalid, an "Invalid state" error is thrown and the "openid-connect-generic-state-not-found" action is called. If the token provided has expired, an "Invalid state" error is returned and the "openid-connect-generic-state-expired" action is called.

This should allow for more granular error logging around state token errors.
---
 includes/openid-connect-generic-client.php | 27 ++++++++++++++++++----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/includes/openid-connect-generic-client.php b/includes/openid-connect-generic-client.php
index 9b547a0..aa635fd 100644
--- a/includes/openid-connect-generic-client.php
+++ b/includes/openid-connect-generic-client.php
@@ -83,14 +83,19 @@ class OpenID_Connect_Generic_Client {
 return new WP_Error( 'no-code', 'No authentication code present in the request.', $request );
 }
 
- // check the client request state
- if ( ! isset( $request['state'] ) || ! $this->check_state( $request['state'] ) ){
+ // check the client request state
+ if( ! isset( $request['state']) ) {
+ do_action( 'openid-connect-generic-no-state-provided' );
 return new WP_Error( 'missing-state', __( 'Missing state.' ), $request );
 }
 
+ if ( ! $this->check_state( $request['state'] ) ) {
+ return new WP_Error( 'invalid-state', __( 'Invalid state.' ), $request );
+ }
+
 return $request;
 }
-
+
 /**
 * Get the authorization code from the request
 *
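Review bot: The new guard `if( ! isset( $request['state']) ) {` drops the spaces after `if` and before the closing paren that every other condition in this hunk uses (`if ( ! $this->check_state( $request['state'] ) ) {`); write it as `if ( ! isset( $request['state'] ) ) {` so the WordPress-style spacing stays uniform. Splitting the old combined check also changes the error code a rejected token produces from `missing-state` to `invalid-state`, so any caller or log filter that matched on `missing-state` for that case will presumably no longer match; worth confirming nothing outside this file depends on the old code. The three new action names are only described in the commit message; a short comment above the guard naming them, e.g. `// Fires 'openid-connect-generic-no-state-provided' when the request carries no state parameter at all.`, would keep that contract discoverable from the code. The enclosing method starts before this hunk.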
@@ -257,18 +262,30 @@ class OpenID_Connect_Generic_Client {
 * Check the existence of a given state transient.
 *
 * @param $state
- * 
+ *
 * @return bool
 */
 function check_state( $state ) {
+
+ $state_found = true;
+
+ if ( ! get_option( '_transient_openid-connect-generic-state--' . $state ) ) {
+ do_action( 'openid-connect-generic-state-not-found', $state );
+ $state_found = false;
+ }
+
 $valid = get_transient( 'openid-connect-generic-state--' . $state );
+ if ( ! $valid && $state_found ) {
+ do_action( 'openid-connect-generic-state-expired', $state );
+ }
+
 return !!$valid;
 }
 
 /**
 * Ensure that the token meets basic requirements
- * 
+ *
 * @param $token_response
 *
 * @return bool|\WP_Error
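Review bot: The `get_option( '_transient_openid-connect-generic-state--' . $state )` lookup in check_state relies on transients being backed by the options table, which is only the case without a persistent object cache; when one is active WordPress keeps transients in the cache, so this call returns false for every token, `openid-connect-generic-state-not-found` fires for valid states and `openid-connect-generic-state-expired` never fires. The return value is unaffected because it still comes from get_transient, so the security check itself is fine and only the new hooks misreport. If the not-found/expired distinction must be reliable, guard the option lookup with `wp_using_ext_object_cache()` or store the expiry inside the transient value so a single get_transient result can tell the two cases apart. Note that `$state` handed to both hooks is raw request input, so any logger attached to them should treat it as untrusted. The docblock should also say which hooks the method fires, e.g. `* Fires 'openid-connect-generic-state-not-found' or 'openid-connect-generic-state-expired' when the state is unusable.`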