Merge pull request #11 from WP-API/refresh-token

Refresh Tokens

Author: valendesigns

jwt-auth.php

@@ -11,13 +11,13 @@
  * Plugin URI:        https://github.com/WP-API/jwt-auth
  * Description:       Feature plugin to bring JSON Web Token REST API authentication to Core
  * Version:           0.1
- * Author:            XWP, and contributors
+ * Author:            WP-API
  * Author URI:        https://github.com/WP-API/jwt-auth/graphs/contributors
  * Text Domain:       jwt-auth
  * License:           GPL-2.0+
  * License URI:       http://www.gnu.org/licenses/gpl-2.0.txt
  * GitHub Plugin URI: https://github.com/WP-API/jwt-auth
- * Requires PHP:      5.3.0
+ * Requires PHP:      5.6.20
  * Requires WP:       4.4.0
  */
 

tests/wp-includes/rest-api/auth/class-test-wp-rest-key-pair.php

@@ -299,7 +299,7 @@ public function test_payload() {
 		$time     = time();
 		$reserved = array(
 			'iat'  => $time, // Token issued at.
-			'exp'  => $time + ( DAY_IN_SECONDS * 7 ), // Token expiry.
+			'exp'  => $time + WEEK_IN_SECONDS, // Token expiry.
 			'data' => array(
 				'user' => array(
 					'type' => 'wp_user',
@@ -318,7 +318,6 @@ public function test_payload() {
 		);
 
 		$payload = $this->key_pair->payload( $reserved, $user );
-		$this->assertEquals( $reserved['iat'] + ( DAY_IN_SECONDS * 365 ), $payload['exp'] );
 		$this->assertEquals( $payload['data']['user']['api_key'], 12345 );
 	}
 

tests/wp-includes/rest-api/auth/class-test-wp-rest-token.php

@@ -198,6 +198,145 @@ public function test_authenticate() {
 		remove_filter( 'rest_authentication_is_rest_request', '__return_true' );
 	}
 
+	/**
+	 * Test authenticate_refresh_token().
+	 *
+	 * @covers ::authenticate_refresh_token()
+	 * @since 0.1
+	 */
+	public function test_authenticate_refresh_token() {
+		$user_data = array(
+			'role'       => 'administrator',
+			'user_login' => 'testuser',
+			'user_pass'  => 'testpassword',
+			'user_email' => '[email protected]',
+		);
+
+		$request = new WP_REST_Request( 'POST', 'wp/v2/key-pair' );
+		$user_id = $this->factory->user->create( $user_data );
+
+		$jwt = json_decode(
+			wp_json_encode(
+				array(
+					'data' => array(
+						'user' => array(
+							'type'       => 'wp_user',
+							'user_login' => 'testuser',
+							'user_email' => '[email protected]',
+						),
+					),
+				)
+			)
+		);
+
+		// Another authentication method was used.
+		$this->assertEquals( 'alt_auth', $this->token->authenticate_refresh_token( 'alt_auth', $request ) );
+
+		// Missing `refresh_token` param.
+		$this->assertFalse( $this->token->authenticate_refresh_token( false, $request ) );
+
+		$request->set_param( 'refresh_token', '54321' );
+
+		// Decode token error.
+		$this->assertTrue( is_wp_error( $this->token->authenticate_refresh_token( false, $request ) ) );
+
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'decode_token',
+				)
+			)
+			->getMock();
+		$mock->method( 'decode_token' )->willReturn( $jwt );
+
+		$response = $mock->authenticate_refresh_token( false, $request );
+		$this->assertTrue( is_wp_error( $response ) );
+		$this->assertEquals( $response->get_error_code(), 'rest_authentication_missing_refresh_token_api_key' );
+
+		$jwt->data->user->api_key = '12345';
+
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'decode_token',
+				)
+			)
+			->getMock();
+		$mock->method( 'decode_token' )->willReturn( $jwt );
+
+		$response = $mock->authenticate_refresh_token( false, $request );
+		$this->assertTrue( is_wp_error( $response ) );
+		$this->assertEquals( $response->get_error_code(), 'rest_authentication_missing_refresh_token_user_id' );
+
+		$jwt->data->user->id = 1234;
+
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'decode_token',
+				)
+			)
+			->getMock();
+		$mock->method( 'decode_token' )->willReturn( $jwt );
+
+		$response = $mock->authenticate_refresh_token( false, $request );
+		$this->assertTrue( is_wp_error( $response ) );
+		$this->assertEquals( $response->get_error_code(), 'rest_authentication_invalid_token_type' );
+
+		$jwt->data->user->token_type = 'refresh';
+
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'decode_token',
+				)
+			)
+			->getMock();
+		$mock->method( 'decode_token' )->willReturn( $jwt );
+
+		$response = $mock->authenticate_refresh_token( false, $request );
+		$this->assertTrue( is_wp_error( $response ) );
+		$this->assertEquals( $response->get_error_code(), 'rest_authentication_invalid_refresh_token' );
+
+		$jwt->data->user->id = $user_id;
+
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'decode_token',
+				)
+			)
+			->getMock();
+		$mock->method( 'decode_token' )->willReturn( $jwt );
+
+		$response = $mock->authenticate_refresh_token( false, $request );
+		$this->assertTrue( is_wp_error( $response ) );
+		$this->assertEquals( $response->get_error_code(), 'rest_authentication_revoked_api_key' );
+
+		$keypairs = array(
+			array(
+				'api_key'    => '12345',
+				'api_secret' => wp_hash( '54321' ),
+			),
+		);
+		foreach ( $keypairs as $keypair ) {
+			add_user_meta( $user_id, $keypair['api_key'], $keypair['api_secret'], true );
+		}
+		update_user_meta( $user_id, WP_REST_Key_Pair::_USERMETA_KEY_, $keypairs );
+
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'decode_token',
+				)
+			)
+			->getMock();
+		$mock->method( 'decode_token' )->willReturn( $jwt );
+
+		$response = $mock->authenticate_refresh_token( false, $request );
+		$this->assertEquals( '12345', $response->data->api_key );
+	}
+
 	/**
 	 * Test require_token().
 	 *
@@ -251,9 +390,10 @@ public function test_require_token() {
 	}
 
 	/**
-	 * Test generate_token() `rest_authentication_user` filter.
+	 * Test generate_payload() `rest_authentication_user` filter.
 	 *
 	 * @covers ::generate_token()
+	 * @covers ::generate_payload()
 	 * @since 0.1
 	 */
 	public function test_generate_token_rest_authentication_user() {
@@ -320,6 +460,7 @@ public function test_generate_token_rest_authentication_user() {
 	 * Test generate_token().
 	 *
 	 * @covers ::generate_token()
+	 * @covers ::generate_payload()
 	 * @since 0.1
 	 */
 	public function test_generate_token() {
@@ -354,12 +495,6 @@ public function test_generate_token() {
 		};
 		add_filter( 'rest_authentication_token_private_claims', $private_claims );
 
-		$token_response = function( $response ) {
-			$response['refresh_token'] = 54321;
-			return $response;
-		};
-		add_filter( 'rest_authentication_token_response', $token_response );
-
 		// Test with correct credentials.
 		$request->set_param( 'password', $user_data['user_pass'] );
 		$token = $this->token->generate_token( $request );
@@ -373,10 +508,73 @@ public function test_generate_token() {
 		$this->assertEquals( $user_data['user_login'], $token['data']['user']['user_login'] );
 		$this->assertEquals( $user_data['user_email'], $token['data']['user']['user_email'] );
 		$this->assertEquals( 12345, $token['data']['user']['api_key'] );
-		$this->assertEquals( 54321, $token['refresh_token'] );
 
 		remove_filter( 'rest_authentication_token_private_claims', $private_claims );
-		remove_filter( 'rest_authentication_token_response', $token_response );
+	}
+
+	/**
+	 * Test append_refresh_token().
+	 *
+	 * @covers ::append_refresh_token()
+	 * @since 0.1
+	 */
+	public function test_append_refresh_token() {
+		$user_data = array(
+			'role'       => 'administrator',
+			'user_login' => 'testuser',
+			'user_pass'  => 'testpassword',
+			'user_email' => '[email protected]',
+		);
+
+		$user_id = $this->factory->user->create( $user_data );
+		$request = new WP_REST_Request( 'POST', 'wp/v2/token' );
+
+		// Missing Bearer token from the header.
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'generate_payload',
+				)
+			)
+			->getMock();
+		$mock->method( 'generate_payload' )->willReturn(
+			new WP_Error(
+				'rest_authentication_error',
+				__( 'An error coming from the payload.', 'jwt-auth' ),
+				array(
+					'status' => 403,
+				)
+			)
+		);
+
+		$response = $this->token->append_refresh_token( array(), get_user_by( 'id', $user_id ), $request );
+		$this->assertArrayHasKey( 'refresh_token', $response );
+
+		$append_refresh_token = $mock->append_refresh_token( array(), get_user_by( 'id', $user_id ), $request );
+		$this->assertTrue( is_wp_error( $append_refresh_token ) );
+		$this->assertEquals( $append_refresh_token->get_error_code(), 'rest_authentication_error' );
+	}
+
+	/**
+	 * Test decode_token().
+	 *
+	 * @covers ::decode_token()
+	 * @since 0.1
+	 */
+	public function test_decode_token() {
+		// Unknown JWT Exception.
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'jwt',
+				)
+			)
+			->getMock();
+		$mock->method( 'jwt' )->will( $this->throwException( new Exception() ) );
+
+		$validate_token = $mock->decode_token( 'bad-token' );
+		$this->assertTrue( is_wp_error( $validate_token ) );
+		$this->assertEquals( $validate_token->get_error_code(), 'rest_authentication_token_error' );
 	}
 
 	/**
@@ -529,7 +727,7 @@ public function test_validate_token() {
 				)
 			)
 			->getMock();
-		$mock->method( 'jwt' )->willReturn( new Exception() );
+		$mock->method( 'jwt' )->will( $this->throwException( new Exception() ) );
 
 		$validate_token = $mock->validate_token();
 		$this->assertTrue( is_wp_error( $validate_token ) );

wp-admin/js/key-pair.js

@@ -117,7 +117,8 @@
 			$keyPairSection.after( tmplNewTokenKeyPair( {
 				name: name,
 				api_key: apiKey,
-				access_token: response.access_token
+				access_token: response.access_token,
+				refresh_token: response.refresh_token
 			} ) );
 
 			$( document ).on( 'click', '.key-pair-token-download', function( event ) {

wp-includes/rest-api/auth/class-wp-rest-key-pair.php

@@ -396,11 +396,6 @@ public function authenticate( $user, WP_REST_Request $request ) {
 	 */
 	public function payload( $payload, $user ) {
 
-		// Now that token can be revoked, expire the token in 365 days instead of the default 7 days.
-		if ( isset( $payload['iat'] ) ) {
-			$payload['exp'] = $payload['iat'] + ( DAY_IN_SECONDS * 365 );
-		}
-
 		// Set the api_key. which we use later to validate a key-pair has not already been revoked.
 		if ( isset( $user->data->api_key ) && isset( $payload['data']['user'] ) ) {
 			$payload['data']['user']['api_key'] = $user->data->api_key;
@@ -712,7 +707,7 @@ public function template_new_token_key_pair() {
 						<# if ( data.message ) { #>
 						<div class="notice notice-error"><p>{{{ data.message }}}</p></div>
 						<# } #>
-						<# if ( ! data.access_token ) { #>
+						<# if ( ! data.access_token || ! data.refresh_token ) { #>
 						<p>
 							<?php
 							printf(
@@ -738,11 +733,18 @@ public function template_new_token_key_pair() {
 							<?php
 							printf(
 								/* translators: %s: JSON Web Token */
-								esc_html_x( 'Your new JSON Web Token is: %s', 'JSON Web Token', 'jwt-auth' ),
+								esc_html_x( 'Your new access token is: %s', 'Access Token', 'jwt-auth' ),
 								'<kbd>{{ data.access_token }}</kbd>'
 							);
 							?>
-							<p><?php esc_attr_e( 'Be sure to save this JSON Web Token in a safe location, you will not be able to retrieve it ever again. Once you click dismiss it is gone forever.', 'jwt-auth' ); ?></p>
+							<?php
+							printf(
+								/* translators: %s: JSON Web Token */
+								esc_html_x( 'Your new refresh token is: %s', 'Refresh Token', 'jwt-auth' ),
+								'<kbd>{{ data.refresh_token }}</kbd>'
+							);
+							?>
+							<p><?php esc_attr_e( 'Be sure to save these JSON Web Tokens in a safe location, you will not be able to retrieve them ever again. Once you click dismiss they\'re is gone forever.', 'jwt-auth' ); ?></p>
 						</div>
 						<button class="button button-secondary key-pair-token-download"><?php esc_attr_e( 'Download', 'jwt-auth' ); ?></button>
 						<# } #>