Remove migration token JTI check

auth0 · Feb 6, 2020 · 92acd4b · 92acd4b
1 parent 33ad34d
commit 92acd4b
Show file tree

Hide file tree

Showing 8 changed files with 7 additions and 126 deletions.
diff --git a/lib/WP_Auth0_DBManager.php b/lib/WP_Auth0_DBManager.php
@@ -175,6 +175,7 @@ public function install_db( $version_to_install = null ) {
 			$options->remove( 'auth0_implicit_workflow' );
 			$options->remove( 'client_secret_b64_encoded' );
 			$options->remove( 'custom_#_fields' );
+			$options->remove( 'migration_token_id' );
 		}
 
 		$options->update_all();

diff --git a/lib/WP_Auth0_Options.php b/lib/WP_Auth0_Options.php
@@ -367,7 +367,6 @@ protected function defaults() {
 			// System
 			'version'                   => 1,
 			'last_step'                 => 1,
-			'migration_token_id'        => null,
 
 			// Basic
 			'domain'                    => '',

diff --git a/lib/WP_Auth0_Routes.php b/lib/WP_Auth0_Routes.php
@@ -286,7 +286,7 @@ private function check_endpoint_request( $require_password = false ) {
 			throw new Exception( __( 'Unauthorized: missing authorization header', 'wp-auth0' ), 401 );
 		}
 
-		if ( ! $this->valid_token( $authorization ) ) {
+		if ( $authorization !== $this->a0_options->get( 'migration_token' ) ) {
 			throw new Exception( __( 'Invalid token', 'wp-auth0' ), 401 );
 		}
 
@@ -323,31 +323,4 @@ private function error_return_array( $code ) {
 				break;
 		}
 	}
-
-	/**
-	 * Check if a token or token JTI is the same as what is stored.
-	 *
-	 * @param string $authorization - Incoming migration token.
-	 *
-	 * @return bool
-	 */
-	private function valid_token( $authorization ) {
-		$token = $this->a0_options->get( 'migration_token' );
-		if ( $token === $authorization ) {
-			return true;
-		}
-
-		$client_secret = $this->a0_options->get( 'client_secret' );
-		if ( $this->a0_options->get( 'client_secret_base64_encoded' ) ) {
-			$client_secret = wp_auth0_url_base64_decode( $client_secret );
-		}
-
-		try {
-			$signature_verifier = new WP_Auth0_SymmetricVerifier( $client_secret );
-			$decoded            = $signature_verifier->verifyAndDecode( $authorization );
-			return $decoded->getClaim( 'jti' ) === $this->a0_options->get( 'migration_token_id' );
-		} catch ( Exception $e ) {
-			return false;
-		}
-	}
 }
diff --git a/lib/admin/WP_Auth0_Admin_Advanced.php b/lib/admin/WP_Auth0_Admin_Advanced.php
@@ -378,32 +378,13 @@ public function migration_ws_validation( array $input ) {
 		$input['migration_ws']    = $this->sanitize_switch_val( $input['migration_ws'] ?? null );
 		$input['migration_token'] = $this->options->get( 'migration_token' );
 
-		// Migration endpoints or turned off, nothing to do.
-		if ( ! $input['migration_ws'] ) {
-			return $input;
-		}
-
-		$input['migration_token_id'] = null;
-		$this->router->setup_rewrites();
-		flush_rewrite_rules();
-
-		// If we don't have a token yet, generate one.
 		if ( empty( $input['migration_token'] ) ) {
 			$input['migration_token'] = wp_auth0_generate_token();
-			return $input;
 		}
 
-		// If we do have a token, try to decode and store the JTI.
-		$secret = $input['client_secret'];
-
-		try {
-			$signature_verifier          = new WP_Auth0_SymmetricVerifier( $secret );
-			$token_decoded               = $signature_verifier->verifyAndDecode( $input['migration_token'] );
-			$input['migration_token_id'] = $token_decoded->getClaim( 'jti' );
-
-			// phpcs:ignore
-		} catch ( Exception $e ) {
-			// If the JWT cannot be decoded then we use the token as-is without storing the JTI.
+		if ( $input['migration_ws'] ) {
+			$this->router->setup_rewrites();
+			flush_rewrite_rules();
 		}
 
 		return $input;

diff --git a/tests/testOptionMigrationWs.php b/tests/testOptionMigrationWs.php
@@ -132,14 +132,10 @@ public function testThatCorrectFieldDocsShowWhenMigrationIsOn() {
 	 */
 	public function testThatChangingMigrationToOffKeepsTokenData() {
 		self::$opts->set( 'migration_token', 'existing_token' );
-		$input     = [
-			'migration_token_id' => 'existing_token_id',
-		];
-		$validated = self::$admin->input_validator( $input );
+		$validated = self::$admin->input_validator( [] );
 
 		$this->assertArrayHasKey( 'migration_ws', $validated );
 		$this->assertEmpty( $validated['migration_ws'] );
-		$this->assertEquals( $input['migration_token_id'], $validated['migration_token_id'] );
 		$this->assertEquals( 'existing_token', $validated['migration_token'] );
 	}
 
@@ -156,7 +152,6 @@ public function testThatChangingMigrationToOnKeepsToken() {
 		$validated = self::$admin->input_validator( $input );
 
 		$this->assertEquals( 'new_token', $validated['migration_token'] );
-		$this->assertNull( $validated['migration_token_id'] );
 		$this->assertEquals( $input['migration_ws'], $validated['migration_ws'] );
 	}
 
@@ -176,7 +171,6 @@ public function testThatChangingMigrationToOnKeepsWithJwtSetsId() {
 
 		$this->assertEquals( $input['migration_ws'], $validated['migration_ws'] );
 		$this->assertEquals( $migration_token, $validated['migration_token'] );
-		$this->assertEquals( '__test_token_id__', $validated['migration_token_id'] );
 	}
 
 	/**
@@ -188,7 +182,6 @@ public function testThatChangingMigrationToOnGeneratesNewToken() {
 		$validated = self::$admin->input_validator( $input );
 
 		$this->assertGreaterThan( 64, strlen( $validated['migration_token'] ) );
-		$this->assertNull( $validated['migration_token_id'] );
 		$this->assertEquals( $input['migration_ws'], $validated['migration_ws'] );
 	}
 
@@ -211,7 +204,6 @@ public function testThatMigrationTokenInConstantSettingIsValidated() {
 
 		$validated = $admin->migration_ws_validation( $input );
 
-		$this->assertNull( $validated['migration_token_id'] );
 		$this->assertEquals( $input['migration_ws'], $validated['migration_ws'] );
 		$this->assertEquals( AUTH0_ENV_MIGRATION_TOKEN, $validated['migration_token'] );
 	}

diff --git a/tests/testRoutesGetUser.php b/tests/testRoutesGetUser.php
@@ -89,27 +89,6 @@ public function testThatGetUserRouteIsUnauthorizedIfNoToken() {
 		$this->assertEquals( $output->error, $log[0]['message'] );
 	}
 
-	/**
-	 * If the token has the wrong JTI, the route should fail with an error.
-	 */
-	public function testThatGetUserRouteIsUnauthorizedIfWrongJti() {
-		$client_secret = '__test_client_secret__';
-		self::$opts->set( 'migration_ws', true );
-		self::$opts->set( 'client_secret', $client_secret );
-		self::$opts->set( 'migration_token_id', '__test_token_id__' );
-
-		$_POST['access_token'] = self::makeHsToken( [ 'jti' => uniqid() ], $client_secret );
-
-		$output = json_decode( wp_auth0_custom_requests( self::$wp, true ) );
-
-		$this->assertEquals( 401, $output->status );
-		$this->assertEquals( 'Invalid token', $output->error );
-
-		$log = self::$error_log->get();
-		$this->assertCount( 1, $log );
-		$this->assertEquals( $output->error, $log[0]['message'] );
-	}
-
 	/**
 	 * If there is no username POSTed, the route should fail with an error.
 	 */

diff --git a/tests/testRoutesLogin.php b/tests/testRoutesLogin.php
@@ -93,50 +93,6 @@ public function testThatLoginRouteIsUnauthorizedIfNoToken() {
 		$this->assertEquals( $output->error, $log[0]['message'] );
 	}
 
-	/**
-	 * If the token has the wrong JTI, the route should fail with an error.
-	 */
-	public function testThatLoginRouteIsUnauthorizedIfWrongJti() {
-		$client_secret = '__test_client_secret__';
-		self::$opts->set( 'migration_ws', true );
-		self::$opts->set( 'client_secret', $client_secret );
-		self::$opts->set( 'migration_token_id', '__test_token_id__' );
-
-		self::$wp->query_vars['a0_action'] = 'migration-ws-login';
-		$_POST['access_token']             = self::makeHsToken( [ 'jti' => uniqid() ], $client_secret );
-
-		$output = json_decode( wp_auth0_custom_requests( self::$wp, true ) );
-
-		$this->assertEquals( 401, $output->status );
-		$this->assertEquals( 'Invalid token', $output->error );
-
-		$log = self::$error_log->get();
-		$this->assertCount( 1, $log );
-		$this->assertEquals( $output->error, $log[0]['message'] );
-	}
-
-	/**
-	 * If the token has the wrong JTI, the route should fail with an error.
-	 */
-	public function testThatLoginRouteIsUnauthorizedIfMissingJti() {
-		$client_secret = '__test_client_secret__';
-		self::$opts->set( 'migration_ws', true );
-		self::$opts->set( 'client_secret', $client_secret );
-		self::$opts->set( 'migration_token_id', '__test_token_id__' );
-
-		self::$wp->query_vars['a0_action'] = 'migration-ws-login';
-		$_POST['access_token']             = self::makeHsToken( [ 'iss' => uniqid() ], $client_secret );
-
-		$output = json_decode( wp_auth0_custom_requests( self::$wp, true ) );
-
-		$this->assertEquals( 401, $output->status );
-		$this->assertEquals( 'Invalid token', $output->error );
-
-		$log = self::$error_log->get();
-		$this->assertCount( 1, $log );
-		$this->assertEquals( $output->error, $log[0]['message'] );
-	}
-
 	/**
 	 * If there is no username POSTed, the route should fail with an error.
 	 */

diff --git a/tests/testWPAuth0Options.php b/tests/testWPAuth0Options.php
@@ -20,7 +20,7 @@ class TestWPAuth0Options extends WP_Auth0_Test_Case {
 	/**
 	 * Total number of options.
 	 */
-	const DEFAULT_OPTIONS_COUNT = 37;
+	const DEFAULT_OPTIONS_COUNT = 36;
 
 	/**
 	 * Test the basic options functionality.