Align the client ID and redirect URI used in the setup wizard

auth0 · May 20, 2020 · e02cf5b · e02cf5b
1 parent 7ff88bc
commit e02cf5b
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 19 deletions.
diff --git a/lib/WP_Auth0_Routes.php b/lib/WP_Auth0_Routes.php
@@ -262,7 +262,7 @@ protected function oauth2_config() {
 
  return [
  'client_name' => get_bloginfo( 'name' ),
- 'redirect_uris' => [ admin_url( 'admin.php?page=wpa0-setup&callback=1' ) ],
+ 'redirect_uris' => [ WP_Auth0_InitialSetup::get_setup_redirect_uri() ],
  ];
  }
 

diff --git a/lib/initial-setup/WP_Auth0_InitialSetup.php b/lib/initial-setup/WP_Auth0_InitialSetup.php
@@ -135,4 +135,12 @@ public function access_denied_message() {
  </div>
  <?php
  }
+
+ public static function get_setup_client_id() {
+ return site_url();
+ }
+
+ public static function get_setup_redirect_uri() {
+ return admin_url( 'admin.php?page=wpa0-setup&callback=1' );
+ }
 }
diff --git a/lib/initial-setup/WP_Auth0_InitialSetup_ConnectionProfile.php b/lib/initial-setup/WP_Auth0_InitialSetup_ConnectionProfile.php
@@ -47,14 +47,12 @@ public function callback() {
  }
 
  public function build_consent_url() {
- $callback_url = urlencode( admin_url( 'admin.php?page=wpa0-setup&callback=1' ) );
-
- $client_id = urlencode( get_bloginfo( 'url' ) );
-
- $scope = urlencode( implode( ' ', WP_Auth0_Api_Client::ConsentRequiredScopes() ) );
-
- $url = "https://{$this->domain}/authorize?client_id={$client_id}&response_type=code&redirect_uri={$callback_url}&scope={$scope}&expiration=9999999999";
-
- return $url;
+ return sprintf(
+ 'https://%s/authorize?client_id=%s&response_type=code&redirect_uri=%s&scope=%s&expiration=9999999999',
+ $this->domain,
+ urlencode( WP_Auth0_InitialSetup::get_setup_client_id() ),
+ urlencode( WP_Auth0_InitialSetup::get_setup_redirect_uri() ),
+ urlencode( implode( ' ', WP_Auth0_Api_Client::ConsentRequiredScopes() ) )
+ );
  }
 }
diff --git a/lib/initial-setup/WP_Auth0_InitialSetup_Consent.php b/lib/initial-setup/WP_Auth0_InitialSetup_Consent.php
@@ -63,14 +63,15 @@ public function exchange_code() {
  return null;
  }
 
- $client_id = site_url();
- $redirect_uri = home_url();
-
  $exchange_api = new WP_Auth0_Api_Exchange_Code( $this->a0_options, $this->domain );
 
- // Validated above and only sent to the change signup API endpoint.
- // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
- $exchange_resp_body = $exchange_api->call( wp_unslash( $_REQUEST['code'] ), $client_id, $redirect_uri );
+ $exchange_resp_body = $exchange_api->call(
+ // Validated above and only sent to the change signup API endpoint.
+ // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+ wp_unslash( $_REQUEST['code'] ),
+ WP_Auth0_InitialSetup::get_setup_client_id(),
+ WP_Auth0_InitialSetup::get_setup_redirect_uri()
+ );
 
  if ( ! $exchange_resp_body ) {
  return null;

diff --git a/templates/initial-setup/end.php b/templates/initial-setup/end.php
@@ -7,7 +7,7 @@
  <p class="a0-step-text"><?php _e( 'Adjust the plugin settings from the WordPress dashboard, and visit the Auth0 dashboard to change how users log in, add connections, enable multi-factor authentication, and more.', 'wp-auth0' ); ?></p>
 
  <div class="a0-buttons extra-space">
- <a href="<?php echo admin_url( 'admin.php?page=wpa0' ); ?>" class="button button-primary"><?php _e( 'GO TO PLUGIN SETTINGS', 'wp-auth0' ); ?></a>
+ <a href="<?php echo admin_url( 'admin.php?page=wpa0' ); ?>" class="button button-primary"><?php _e( 'Go To Plugin Settings', 'wp-auth0' ); ?></a>
  </div>
  </div>
 </div>
diff --git a/tests/testInitialSetup.php b/tests/testInitialSetup.php
@@ -105,4 +105,15 @@ public function testThatUnknownErrorHasCorrectNotice() {
  $this->assertContains( '<div class="notice notice-error">', $notice_html );
  $this->assertContains( '__test_unknown_error__', $notice_html );
  }
+
+ public function testThatSetupClientIdIsCorrect() {
+ $this->assertEquals( 'http:https://example.org', WP_Auth0_InitialSetup::get_setup_client_id() );
+ }
+
+ public function testThatSetupRedirectUriIsCorrect() {
+ $this->assertEquals(
+ 'http:https://example.org/wp-admin/admin.php?page=wpa0-setup&callback=1',
+ WP_Auth0_InitialSetup::get_setup_redirect_uri()
+ );
+ }
 }
diff --git a/tests/testInitialSetupConsentExchangeCode.php b/tests/testInitialSetupConsentExchangeCode.php
@@ -41,9 +41,12 @@ public function testThatExchangeTokenCallIsCorrect() {
 
  $this->assertNotEmpty( $http_data );
  $this->assertEquals( 'https://auth0.auth0.com/oauth/token', $http_data['url'] );
- $this->assertEquals( home_url(), $http_data['body']['redirect_uri'] );
+ $this->assertEquals(
+ 'http:https://example.org/wp-admin/admin.php?page=wpa0-setup&callback=1',
+ $http_data['body']['redirect_uri']
+ );
  $this->assertEquals( $_REQUEST['code'], $http_data['body']['code'] );
- $this->assertEquals( site_url(), $http_data['body']['client_id'] );
+ $this->assertEquals( 'http:https://example.org', $http_data['body']['client_id'] );
  $this->assertEmpty( $http_data['body']['client_secret'] );
  $this->assertEquals( 'authorization_code', $http_data['body']['grant_type'] );
  }