Release 3.6.0 #475

Merged
merged 100 commits into from
Jun 5, 2018
joshcanhelp
Contributor

NOTES

  • Passwordless was reconfigured completely to use the combined Lock library (currently hard-coded to 11.5). All current settings will be migrated to the new configuration so your login process should not change. Lock initiation has also been refactored to improve maintainability and adhere to WordPress standards.
  • The Setup Wizard has been adjusted to more clearly explain the process and options available. This only affects new installations using the Setup Wizard for configuration.
  • The settings page has been rearranged and improved overall. New settings descriptions have also been added along with links to documentation, where appropriate.
  • State validation was added to both login flows; nonce validation was added to sites using Implicit flow.
  • OIDC compliant Applications should now function as expected (though this setting is not yet activated by default on installation). OpenID Connect login is now possible by turning off the Client Credentials grant for your WordPress Application.
  • Dashboard widgets have been removed. This can easily be added back as a plugin, if needed. Please contact support if you need assistance with this.
  • A number of new hooks have been added; please see our docs page on extension for a complete inventory with examples. This includes the ability to support refresh tokens.
  • Federated logout has been removed.

Closed issues

  • Expose a configurable toggle that allows Users to state if federated logout should be used #471
  • Updating to 3.5.2 - Fatal error: Uncaught Error: Cannot use object of type stdClass as array in /app/wp-content/plugins/auth0/lib/WP_Auth0_DBManager.php on line 225 #464
  • Autoloader performance issue #461
  • Bad request does not raise error #432
  • Widget URL changes don't save when you are using passwordless #430
  • Deprecate oauth/ro endpoint #410
  • Handling errors #403
  • Fallback /api/v2/users/{id} to /userinfo #401
  • CORS errors #400
  • Provide Resend verification email only for DB connections #345
  • SSO disabled, Single Logout enabled causes users to get logged out automatically a few seconds after logging in #336
  • French translation : html characters #309
  • "Invalid authorization code": Access token is requested twice in a row, breaking the login flow #305
  • Make state work after SSO login #302
  • Is there a way to use Refresh Tokens and Wordpress? #296
  • Only decode the payload before user profile fetch in login manager #283
  • redirect callback errors #280
  • Linked Users won't be able to login using implicit flow and pipeline 2 #272
  • Normalize use of shortcode and widget #260
  • Wrong z-index on modal error message in manual setup #252
  • Logout does not work when Wordpress is locked down (private site) #39

Added

Changed

Deprecated

Removed

Fixed

…rect; added WP_Auth0_LoginManager->die_on_login() to handle login errors better
Added a get_state method to WP_Auth0_LoginManager to get and parse the
state parameter as an object. Added 'state' to allowed query_vars.
WP_Auth0_LoginManager was not processing errors well, was poorly
documented, and might have been improperly exposing error messages.
Incoming URL param errors from Auth0 and configuration issues are caught
earlier in the login process. Error messages are not exposed to the
user; instead they are logged for an admin. Thrown errors are
standardized and listed in docblocks.

Fixes #305
The implicit login flow redirects to the login page to handle the
response from Auth0. This caused the cookie to be set to a new value
before the state being returned is checked. The state was also not
urldecoded so "=" chars were being received as "%3D" and were not being
base64 decoded properly.
Documentation for the plugin resides in multiple places - auth0.com
docs, wp.org readme, GitHub readme - and this commit is part of an
ongoing effort to consolidate and clarify. This commit removes the
installation instructions on wp.org, pointing to the docs site instead.
It also updates the screenshots and adds information about support to
the FAQs. This commit also clearly points the GitHub readme to docs
in a few cases and updates the dev instructions.
Admins settings have confusing wording, inconsistent behavior, and
broken links and translation. This first PR refactors the description
system to be more straight-forward, adds HTML generation functions for
consistent field outputs (used in future commits), adds settings page
description translation, and fixes a few other minor code issues.

First of a few smaller PRs to replace #396
State generation, specifically cookie storage, needs to happen before
any output. The previous arch was ok for login page generation but
failed with a "headers already set" error if used in the shortcode.
This addresses the issue by storing state earlier and getting the
value later.
Originally was generating and setting a nonce value in a state object,
then checking that nonce on return from Auth0 instead of checking the
entire state parameter.
Adding get_lock_connections and add_lock_connection for working with
separated options field. Reordering option defaults, removing comments,
adding docblocks.
This field was for an audience value used with the Management API. This
value should never change and should not be user-configurable.
The dashboard widgets clutter the admin, do not display usable data,
and create an unnecessary maintenance burden. This functionality can
easily be re-added via a plugin if necessary.

This commit will remove the dashboard widgets output, remove related
settings, and add TODOs for proper deprecation.
This commit will remove duplicate error messages when the plugin is not
set up, use proper HTML format for error messages, and sanitize URL
parameters that are output in messages.
Non-breaking change to centralize asset URLs and remove duplication
Setting names were incorrect, confusing in some cases, and used
inconsistent capitalization.

Rewrite setting names and add proper translations. Add opt names to
the settings array for more simple HTML output (upcoming PR). Add a
filter to add or modify settings array.
Move the JS that POSTs auth data back to the WP site to its own file. Better enqueuing for login JS and CSS.
Removes the passwordless method and CDN URL settings. Method is removed to simplify the wp-admin and move passwordless management to the Dashboard. Passwordless URL is hard-coded to new combined Lock, removing the settings field to change that as well. Going forward, Lock will use the same library for both login form types. Also added a DB version bump and migration script to modify the connections setting so the login form will work as expected after a plugin update. Added a handful of TODOs that will be better suited for a future branch (same release).
joshcanhelp and others added 26 commits May 3, 2018 15:04
- Revise language throughout setup wizard
- Stop forcing auto install
- Do not show configuration nag on wizard page
- Add `required` for various required form inputs
- Add `password` input type where appropriate
- Fix broken auto install button
Correcting input field height on settings pages for IE
Release 3.6.0 - CHANGELOG, version number, and WP.org readme
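The state handling that the "Fixes #305" and "State generation ... before any output" commit messages above describe, as an added PHP example. This is not the plugin's code: `StateStore`, `generate_state` and `validate_state` are hypothetical names standing in for the plugin's cookie-backed state, and the in-memory store replaces `setcookie()` so the script runs from the command line. It assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the state cookie (constructed for this example).
// A plugin would call setcookie() inside set(), and that call must happen
// before any HTML is output, or PHP raises "headers already sent".
final class StateStore
{
    private ?string $value = null;

    public function set(string $value): void
    {
        $this->value = $value;
    }

    public function get(): ?string
    {
        return $this->value;
    }

    public function clear(): void
    {
        $this->value = null;
    }
}

// Build a state value, persist it, and return it for the authorize URL.
function generate_state(StateStore $store, string $redirect_to = ''): string
{
    $payload = [
        'nonce'       => bin2hex(random_bytes(16)), // unguessable, per request
        'redirect_to' => $redirect_to,
    ];
    // Plain base64 carries "=" padding and "+" characters; both are
    // percent-encoded on the wire, hence the decoding step in validate_state().
    $state = base64_encode(json_encode($payload, JSON_THROW_ON_ERROR));
    $store->set($state);
    return $state;
}

// Check the state echoed back by the identity provider. Returns the decoded
// payload on success and null on any mismatch. The stored value is cleared
// first so a state can be consumed only once.
function validate_state(StateStore $store, string $returned_raw): ?array
{
    $stored = $store->get();
    $store->clear();
    if ($stored === null || $returned_raw === '') {
        return null;
    }

    // rawurldecode() turns "%3D" back into "=" and "%2B" into "+" without
    // converting a literal "+" into a space, which urldecode() would do if
    // PHP had already decoded the query string once.
    $returned = rawurldecode($returned_raw);

    // Compare the whole state in constant time, not just a nonce inside it.
    if (!hash_equals($stored, $returned)) {
        return null;
    }

    $json = base64_decode($returned, true);
    if ($json === false) {
        return null;
    }
    $payload = json_decode($json, true);
    return is_array($payload) ? $payload : null;
}

// Demo: a round trip as it happens across the redirect to Auth0 and back.
$store   = new StateStore();
$state   = generate_state($store, '/wp-admin/');
$on_wire = rawurlencode($state); // how the parameter arrives in the callback URL
printf("valid state accepted: %s\n", validate_state($store, $on_wire) !== null ? 'yes' : 'no');
printf("replayed state accepted: %s\n", validate_state($store, $on_wire) !== null ? 'yes' : 'no');

// A state built by someone who does not hold the stored value fails the comparison.
$store2 = new StateStore();
generate_state($store2, '/wp-admin/');
$forged = base64_encode(json_encode(['nonce' => 'guess', 'redirect_to' => '/wp-admin/']));
printf("forged state accepted: %s\n", validate_state($store2, rawurlencode($forged)) !== null ? 'yes' : 'no');
```

Run it with `php state_demo.php`. Three choices matter here: the stored value is written before anything else is sent so the shortcode path does not hit the "headers already sent" failure; the returned parameter is decoded with `rawurldecode()` rather than `urldecode()` so a base64 `+` survives whether or not PHP already decoded it; and the comparison covers the entire state value in constant time and clears the stored copy, so a replayed or partially matching value is rejected. The ID-token nonce check the release notes mention for the Implicit flow is a separate comparison against a nonce persisted the same way and is not shown.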
@joshcanhelp joshcanhelp added this to the 3.6.0 milestone Jun 5, 2018
Contributor

@lbalmaceda lbalmaceda left a comment

🎊

@joshcanhelp joshcanhelp merged commit 84f8307 into master Jun 5, 2018
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 19, 2022