Merge pull request #10 from WP-API/review-fixes

Review fixes

Author: valendesigns

.dev-lib

@@ -1,3 +1,3 @@
 DEFAULT_BASE_BRANCH=develop
-PHPCS_IGNORE='vendor/*,wp-includes/rest-api/auth/jwt/*,tests/wp-tests/*'
+PHPCS_IGNORE='vendor/*,wp-includes/php-jwt/*,tests/wp-tests/*'
 CHECK_SCOPE=patches

.phpcs.ruleset.xml

@@ -10,7 +10,7 @@
 	<!-- Ignoring Files and Folders:
 		https://github.com/squizlabs/PHP_CodeSniffer/wiki/Advanced-Usage#ignoring-files-and-folders -->
 	<exclude-pattern>/vendor/*</exclude-pattern>
-	<exclude-pattern>/wp-includes/rest-api/auth/jwt/*</exclude-pattern>
+	<exclude-pattern>/wp-includes/php-jwt/*</exclude-pattern>
 	<exclude-pattern>/tests/wp-tests/*</exclude-pattern>
 
 	<!-- How to scan -->

.travis.yml

@@ -1,13 +1,7 @@
-# Tell Travis CI we're using PHP
 language: php
 
-# Opt to use Travis container-based environment.
 sudo: false
 
-# Newer versions like trusty don't have PHP 5.2 or 5.3
-# https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming
-dist: precise
-
 notifications:
   email:
     on_success: never
@@ -19,6 +13,11 @@ cache:
     - vendor
     - $HOME/phpunit-bin
 
+addons:
+  apt:
+    packages:
+    - libxml2-utils
+
 php:
   - 7.2
 

composer.json

@@ -6,7 +6,7 @@
   "license": "GPLv2",
   "prefer-stable" : true,
   "require": {
-    "php": ">=5.3"
+    "php": ">=5.6.20"
   },
   "require-dev": {
     "brainmaestro/composer-git-hooks": "^2.6.0",
@@ -16,7 +16,7 @@
     "php-coveralls/php-coveralls": "^2.1",
     "slowprog/composer-copy-file": "0.2.1",
     "wp-coding-standards/wpcs": "*",
-    "xwp/wp-dev-lib": "^1.0.0"
+    "xwp/wp-dev-lib": "^1.1.1"
   },
   "scripts": {
     "phpcs": [
@@ -48,7 +48,7 @@
   "extra": {
     "copy-file": {
       "tests/autoload.php": "tests/wp-tests/phpunit/wp-tests-config.php",
-      "vendor/firebase/php-jwt/src/": "wp-includes/rest-api/auth/jwt/"
+      "vendor/firebase/php-jwt/src/": "wp-includes/php-jwt/"
     },
     "hooks": {
       "pre-commit": "./vendor/xwp/wp-dev-lib/scripts/pre-commit"

jwt-auth.php

@@ -26,16 +26,15 @@
 define( 'JWT_AUTH_VERSION', '0.1' );
 
 /**
- * Requires running PHP 5.3 or above.
+ * Requires running PHP 5.6.20 or above.
  *
  * @since 0.1
  * @codeCoverageIgnore
  */
 function jwt_auth_version_check() {
-
-	if ( version_compare( PHP_VERSION, '5.3', '<' ) ) {
+	if ( version_compare( PHP_VERSION, '5.6.20', '<' ) ) {
 		deactivate_plugins( plugin_basename( __FILE__ ) );
-		wp_die( esc_html__( 'The JWT Auth plugin requires PHP Version 5.3 or above.', 'jwt-auth' ) );
+		wp_die( esc_html__( 'The JWT Auth plugin requires PHP Version 5.6.20 or above.', 'jwt-auth' ) );
 	}
 }
 add_action( 'admin_init', 'jwt_auth_version_check' );
@@ -47,18 +46,18 @@ function jwt_auth_version_check() {
  */
 function jwt_auth_loader() {
 
-	/** JWT Classes */
-	foreach ( glob( JWT_AUTH_PLUGIN_DIR . '/wp-includes/rest-api/auth/jwt/*.php' ) as $filename ) {
+	// JWT Classes.
+	foreach ( glob( JWT_AUTH_PLUGIN_DIR . '/wp-includes/php-jwt/*.php' ) as $filename ) {
 		require_once $filename;
 	}
 
-	/** WP_REST_Token Class */
+	// WP_REST_Token Class.
 	require_once JWT_AUTH_PLUGIN_DIR . '/wp-includes/rest-api/auth/class-wp-rest-token.php';
 
-	/** WP_REST_Key_Pair Class */
+	// WP_REST_Key_Pair Class.
 	require_once JWT_AUTH_PLUGIN_DIR . '/wp-includes/rest-api/auth/class-wp-rest-key-pair.php';
 
-	/** WP_Key_Pair_List_Table Class */
+	// WP_Key_Pair_List_Table Class.
 	require_once JWT_AUTH_PLUGIN_DIR . '/wp-admin/includes/class-wp-key-pair-list-table.php';
 
 	// Initialize JSON Web Tokens.

phpunit.xml.dist

@@ -6,26 +6,20 @@
 	convertNoticesToExceptions="true"
 	convertWarningsToExceptions="true"
 	>
-	<php>
-		<const name="WP_TEST_VIP_QUICKSTART_ACTIVATED_PLUGINS" value="jetpack/jetpack.php,media-explorer/media-explorer.php,writing-helper/writing-helper.php,mrss/mrss.php,wordpress-importer/wordpress-importer.php,keyring/keyring.php,polldaddy/polldaddy.php" />
-		<const name="WPCOM_VIP_DISABLE_REMOTE_REQUEST_ERROR_REPORTING" value="1" />
-		<const name="WP_TEST_ACTIVATED_PLUGINS" value="" /> <!-- this list is used if not on VIP Quickstart -->
-	</php>
 	<testsuites>
 		<testsuite>
 			<directory prefix="class-test-" suffix=".php">./tests/</directory>
 			<directory prefix="test-" suffix=".php">./tests/</directory>
 		</testsuite>
 	</testsuites>
-
 	<filter>
 		<whitelist processUncoveredFilesFromWhitelist="false">
 			<directory suffix=".php">./</directory>
 			<exclude>
 				<directory suffix=".php">./coverage</directory>
 				<directory suffix=".php">./tests</directory>
 				<directory suffix=".php">./vendor</directory>
-				<directory suffix=".php">./wp-includes/rest-api/auth/jwt</directory>
+				<directory suffix=".php">./wp-includes/php-jwt</directory>
 			</exclude>
 		</whitelist>
 	</filter>

tests/autoload.php

@@ -8,20 +8,19 @@
 $config = getenv( 'WP_TESTS_CONFIG' );
 
 /**
- * Supports loading the wp-tests-config.php from a non VVV custom directory.
+ * Supports loading the `wp-tests-config.php` from a custom directory.
  */
 if ( file_exists( $config ) ) {
 	include_once $config;
 	return;
 }
 
-// VVV Paths.
+// Attempt to find the server Path.
 $_path  = dirname( __FILE__ );
 $config = substr( $_path, 0, strpos( $_path, 'public_html' ) + 11 ) . '/wp-tests-config.php';
 
 /**
- * Supports loading the wp-tests-config.php from the `public_html` root directory of both the
- * `wordpress-default` and `wordpress-develop` sites, and any other custom site in the www directory.
+ * Loads the `wp-tests-config.php` from the `public_html` root directory of a typical Vagrant install.
  */
 if ( file_exists( $config ) ) {
 	include_once $config;

wp-includes/rest-api/auth/jwt/BeforeValidException.php renamed to wp-includes/php-jwt/BeforeValidException.php

@@ -85,78 +85,60 @@ public static function get_rest_uri() {
 	 */
 	public function register_routes() {
 		$args = array(
-			array(
-				'methods'  => WP_REST_Server::CREATABLE,
-				'callback' => array(
-					$this,
-					'generate_key_pair',
+			'methods'  => WP_REST_Server::CREATABLE,
+			'callback' => array( $this, 'generate_key_pair' ),
+			'args'     => array(
+				'name'    => array(
+					'description'       => esc_html__( 'The name of the key-pair.', 'jwt-auth' ),
+					'type'              => 'string',
+					'required'          => true,
+					'sanitize_callback' => 'sanitize_text_field',
+					'validate_callback' => 'rest_validate_request_arg',
 				),
-				'args'     => array(
-					'name'    => array(
-						'description'       => esc_html__( 'The name of the key-pair.', 'jwt-auth' ),
-						'type'              => 'string',
-						'required'          => true,
-						'sanitize_callback' => 'sanitize_text_field',
-						'validate_callback' => 'rest_validate_request_arg',
-					),
-					'user_id' => array(
-						'description'       => esc_html__( 'The ID of the user.', 'jwt-auth' ),
-						'type'              => 'integer',
-						'required'          => true,
-						'sanitize_callback' => 'absint',
-						'validate_callback' => 'rest_validate_request_arg',
-					),
+				'user_id' => array(
+					'description'       => esc_html__( 'The ID of the user.', 'jwt-auth' ),
+					'type'              => 'integer',
+					'required'          => true,
+					'sanitize_callback' => 'absint',
+					'validate_callback' => 'rest_validate_request_arg',
 				),
 			),
-			'schema' => array(
-				$this,
-				'get_item_schema',
-			),
+			'schema'   => array( $this, 'get_item_schema' ),
 		);
 		register_rest_route( self::_NAMESPACE_, '/' . self::_REST_BASE_ . '/(?P<user_id>[\d]+)', $args );
 
 		$args = array(
-			array(
-				'methods'  => WP_REST_Server::DELETABLE,
-				'callback' => array(
-					$this,
-					'delete_all_key_pairs',
-				),
-				'args'     => array(
-					'user_id' => array(
-						'description'       => esc_html__( 'The ID of the user.', 'jwt-auth' ),
-						'type'              => 'integer',
-						'required'          => true,
-						'sanitize_callback' => 'absint',
-						'validate_callback' => 'rest_validate_request_arg',
-					),
+			'methods'  => WP_REST_Server::DELETABLE,
+			'callback' => array( $this, 'delete_all_key_pairs' ),
+			'args'     => array(
+				'user_id' => array(
+					'description'       => esc_html__( 'The ID of the user.', 'jwt-auth' ),
+					'type'              => 'integer',
+					'required'          => true,
+					'sanitize_callback' => 'absint',
+					'validate_callback' => 'rest_validate_request_arg',
 				),
 			),
 		);
 		register_rest_route( self::_NAMESPACE_, '/' . self::_REST_BASE_ . '/(?P<user_id>[\d]+)/revoke-all', $args );
 
 		$args = array(
-			array(
-				'methods'  => WP_REST_Server::DELETABLE,
-				'callback' => array(
-					$this,
-					'delete_key_pair',
+			'methods'  => WP_REST_Server::DELETABLE,
+			'callback' => array( $this, 'delete_key_pair' ),
+			'args'     => array(
+				'user_id' => array(
+					'description'       => esc_html__( 'The ID of the user.', 'jwt-auth' ),
+					'type'              => 'integer',
+					'required'          => true,
+					'sanitize_callback' => 'absint',
+					'validate_callback' => 'rest_validate_request_arg',
 				),
-				'args'     => array(
-					'user_id' => array(
-						'description'       => esc_html__( 'The ID of the user.', 'jwt-auth' ),
-						'type'              => 'integer',
-						'required'          => true,
-						'sanitize_callback' => 'absint',
-						'validate_callback' => 'rest_validate_request_arg',
-					),
-					'api_key' => array(
-						'description'       => esc_html__( 'The API key being revoked.', 'jwt-auth' ),
-						'type'              => 'string',
-						'required'          => true,
-						'sanitize_callback' => 'sanitize_text_field',
-						'validate_callback' => 'rest_validate_request_arg',
-					),
+				'api_key' => array(
+					'description'       => esc_html__( 'The API key being revoked.', 'jwt-auth' ),
+					'type'              => 'string',
+					'required'          => true,
+					'sanitize_callback' => 'sanitize_text_field',
+					'validate_callback' => 'rest_validate_request_arg',
 				),
 			),
 		);
@@ -279,6 +261,10 @@ public function after_password_reset( WP_User $user ) {
 	/**
 	 * Fires after the user's password is reset.
 	 *
+	 * When a user resets their password this method will deleted all of
+	 * the application passwords associated with their account. In turn
+	 * this will renders all JSON Web Tokens invalid for their account
+	 *
 	 * @param int $user_id The user ID.
 	 */
 	public function profile_update( $user_id ) {
@@ -317,7 +303,9 @@ public function require_token( $require_token, $request_uri, $request_method ) {
 	 * Authenticate the key-pair if API key and API secret is provided and return the user.
 	 *
 	 * If not authenticated, send back the original $user value to allow other authentication
-	 * methods to attempt authentication.
+	 * methods to attempt authentication. If the initial value of `$user` is false this method
+	 * will return a `WP_User` object on success or a `WP_Error` object on failure. However,
+	 * if the value is not `false` it will return that value, which could be any type of object.
 	 *
 	 * @filter rest_authentication_user
 	 *
@@ -394,6 +382,11 @@ public function authenticate( $user, WP_REST_Request $request ) {
 	/**
 	 * Filters the JWT Payload.
 	 *
+	 * Due to the fact that `$user` could have been filtered the object type is technically
+	 * unknown. However, likely a `WP_User` object if auth has not been filtered. In any
+	 * case, the object must have the `$user->data->api_key` property in order to connect
+	 * the API key to the JWT payload and allow for token invalidation.
+	 *
 	 * @filter rest_authentication_token_private_claims
 	 *
 	 * @param array          $payload The payload used to generate the token.

wp-includes/rest-api/auth/jwt/ExpiredException.php renamed to wp-includes/php-jwt/ExpiredException.php

@@ -89,43 +89,35 @@ public static function get_rest_uri() {
 	 */
 	public function register_routes() {
 		$args = array(
-			array(
-				'methods'  => WP_REST_Server::CREATABLE,
-				'callback' => array(
-					$this,
-					'generate_token',
+			'methods'  => WP_REST_Server::CREATABLE,
+			'callback' => array( $this, 'generate_token' ),
+			'args'     => array(
+				'username'   => array(
+					'description'       => __( 'The username of the user; requires also setting the password argument.', 'jwt-auth' ),
+					'type'              => 'string',
+					'sanitize_callback' => 'sanitize_user',
+					'validate_callback' => 'rest_validate_request_arg',
 				),
-				'args'     => array(
-					'username'   => array(
-						'description'       => __( 'The username of the user; requires also setting the password argument.', 'jwt-auth' ),
-						'type'              => 'string',
-						'sanitize_callback' => 'sanitize_user',
-						'validate_callback' => 'rest_validate_request_arg',
-					),
-					'password'   => array(
-						'description'       => __( 'The password of the user; requires also setting the username argument.', 'jwt-auth' ),
-						'type'              => 'string',
-						'sanitize_callback' => 'sanitize_text_field',
-						'validate_callback' => 'rest_validate_request_arg',
-					),
-					'api_key'    => array(
-						'description'       => __( 'The API key of the user; requires also setting the api_secret.', 'jwt-auth' ),
-						'type'              => 'string',
-						'sanitize_callback' => 'sanitize_text_field',
-						'validate_callback' => 'rest_validate_request_arg',
-					),
-					'api_secret' => array(
-						'description'       => __( 'The API secret of the user; requires also setting the api_key.', 'jwt-auth' ),
-						'type'              => 'string',
-						'sanitize_callback' => 'sanitize_text_field',
-						'validate_callback' => 'rest_validate_request_arg',
-					),
+				'password'   => array(
+					'description'       => __( 'The password of the user; requires also setting the username argument.', 'jwt-auth' ),
+					'type'              => 'string',
+					'sanitize_callback' => 'sanitize_text_field',
+					'validate_callback' => 'rest_validate_request_arg',
+				),
+				'api_key'    => array(
+					'description'       => __( 'The API key of the user; requires also setting the api_secret.', 'jwt-auth' ),
+					'type'              => 'string',
+					'sanitize_callback' => 'sanitize_text_field',
+					'validate_callback' => 'rest_validate_request_arg',
+				),
+				'api_secret' => array(
+					'description'       => __( 'The API secret of the user; requires also setting the api_key.', 'jwt-auth' ),
+					'type'              => 'string',
+					'sanitize_callback' => 'sanitize_text_field',
+					'validate_callback' => 'rest_validate_request_arg',
 				),
 			),
-			'schema' => array(
-				$this,
-				'get_item_schema',
-			),
+			'schema'   => array( $this, 'get_item_schema' ),
 		);
 		register_rest_route( self::_NAMESPACE_, '/' . self::_REST_BASE_, $args );
 	}