From d568e2f47bd6e976b2d65de946a5a7044faac469 Mon Sep 17 00:00:00 2001
From: Andrew Heberle
Date: Thu, 9 Nov 2023 21:55:16 +0800
Subject: [PATCH] Add cron job to refresh jwks (#5)

* Update ah-jwt-auth.php
* Update readme.txt
* Update readme.txt
* linting fixes
* Update whitespace and errors
* More linting
* More litning
---
 ah-jwt-auth.php | 2 +-
 includes/class-ahjwtauthsignin.php | 59 ++++++++++++++----------------
 readme.txt | 3 ++
 3 files changed, 31 insertions(+), 33 deletions(-)

diff --git a/ah-jwt-auth.php b/ah-jwt-auth.php
index 6e56946..c6384fc 100644
--- a/ah-jwt-auth.php
+++ b/ah-jwt-auth.php
@@ -10,7 +10,7 @@
 * @wordpress-plugin
 * Plugin Name: AH JWT Auth
 * Description: This plugin allows sign in to WordPress using a JSON Web Token (JWT) contained in a HTTP Header
- * Version: 1.4.1
+ * Version: 1.5.0
 * Author: Andrew Heberle
 * Text Domain: ah-jwt-auth
 * Author URI: https://github.com/andrewheberle/wordpress-ah-jwt-auth/
diff --git a/includes/class-ahjwtauthsignin.php b/includes/class-ahjwtauthsignin.php
index 027beb6..a098eda 100644
--- a/includes/class-ahjwtauthsignin.php
+++ b/includes/class-ahjwtauthsignin.php
@@ -127,21 +127,21 @@ public function ahjwtauth_admin_notice() {
 }
 /**
- * Schedules the refresh of the JWKS via WP Cron
- *
- * @return void
- */
+ * Schedules the refresh of the JWKS via WP Cron
+ *
+ * @return void
+ */
 public function ahjwtauth_schedule_refresh_jwks() {
- if (!wp_next_scheduled('ahjwtauth_refresh_jwks')) {
- wp_schedule_event(time(), 'daily', 'ahjwtauth_refresh_jwks');
+ if ( ! wp_next_scheduled( 'ahjwtauth_refresh_jwks' ) ) {
+ wp_schedule_event( time(), 'daily', 'ahjwtauth_refresh_jwks' );
 }
 }
 /**
 * Retrieves the JWKS from the configured URL and saves it as a transient
 *
- * A value of false is returned on error
- *
+ * A value of false is returned on error
+ *
 * @return array an associative array containing the key set
 */
 private function ahjwtauth_refresh_jwks() {
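Review bot: The daily event scheduled in `ahjwtauth_schedule_refresh_jwks()` will not refresh anything while the cached key set is still valid, because `ahjwtauth_refresh_jwks()` (next hunk) returns the `ahjwtauth_jwks` transient as soon as `get_transient()` finds it, and that transient is stored for `WEEK_IN_SECONDS` (third hunk). In practice the JWKS is re-fetched weekly, not daily, so a key rotation at the identity provider is picked up late and tokens signed with the new key fail until the transient expires. Have the cron handler clear the cache before fetching, e.g. `delete_transient( 'ahjwtauth_jwks' );` ahead of the call, or give `ahjwtauth_refresh_jwks()` a `$force = false` parameter that skips the transient lookup. The `add_action` registration for the `ahjwtauth_refresh_jwks` hook is not in this patch; since `ahjwtauth_refresh_jwks()` is `private`, WP Cron cannot call it directly from outside the class, so the hook presumably targets a public wrapper — worth confirming, along with a matching `wp_clear_scheduled_hook()` on deactivation.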
@@ -149,42 +149,39 @@ private function ahjwtauth_refresh_jwks() {
 if ( '' === $jwks_url ) {
 return true;
 }
-
+
 // retrieve json from JWKS URL with caching.
 $keys = get_transient( 'ahjwtauth_jwks' );
- // transient existed
+ // Does transient exist?
 if ( false !== $keys ) {
 return $keys;
 }
-
+
 // if transient did not exist, attempt to get url.
 $jwks_url = get_option( 'ahjwtauth-jwks-url' );
 $response = wp_remote_get( $jwks_url );
 if ( is_wp_error( $response ) ) {
- $msg = 'error retrieving the JWKS URL';
- $this->error = __( 'AH JWT Auth: ' . $msg, 'ah-jwt-auth' );
- error_log( 'AH JWT Auth: ERROR: ' . $msg );
+ $this->error = __( 'AH JWT Auth: error retrieving the JWKS URL', 'ah-jwt-auth' );
+ error_log( 'AH JWT Auth: ERROR: error retrieving the JWKS URL' );
 return false;
 }
- // grab response body
+ // grab response body.
 $json = wp_remote_retrieve_body( $response );
- // check that response was not empty
+ // check that response was not empty.
 if ( '' === $json ) {
- $msg = 'could not retrieve the specified JWKS URL';
- $this->error = __( 'AH JWT Auth ' . $msg, 'ah-jwt-auth' );
- error_log( 'AH JWT Auth: ERROR: ' . $msg );
+ $this->error = __( 'AH JWT Auth could not retrieve the specified JWKS URL', 'ah-jwt-auth' );
+ error_log( 'AH JWT Auth: ERROR: could not retrieve the specified JWKS URL' );
 return false;
 }
 // try to decode json.
 $jwks = @json_decode( $json, true );
 if ( null === $jwks ) {
- $msg = 'cannot decode the JSON retrieved from the JWKS URL';
- $this->error = __( 'AH JWT Auth ' . $msg, 'ah-jwt-auth' );
- error_log( 'AH JWT Auth: ERROR: ' . $msg );
+ $this->error = __( 'AH JWT Auth cannot decode the JSON retrieved from the JWKS URL', 'ah-jwt-auth' );
+ error_log( 'AH JWT Auth: ERROR: cannot decode the JSON retrieved from the JWKS URL' );
 return false;
 }
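Review bot: The `null === $jwks` test after `$jwks = @json_decode( $json, true );` is a weak validity check and the `@` suppresses nothing useful: `json_decode` reports malformed input through `json_last_error()` rather than a warning, and a body that decodes to a scalar, a list, or a bare `true` passes this check and continues as if it were a key set. Replace the two lines with `$jwks = json_decode( $json, true );` and `if ( ! is_array( $jwks ) || JSON_ERROR_NONE !== json_last_error() ) {` so that only a JSON object from the JWKS URL proceeds. Separately, the new message literals are inconsistent in their prefix: the first error uses `'AH JWT Auth: …'` while the next two use `'AH JWT Auth …'` without the colon, and `get_token()` two hunks below repeats the colon-less form; pick one prefix for every translatable string. The `return true;` at the top of this hunk also contradicts the docblock's array-or-false contract when no JWKS URL is configured, though `get_key()` never takes that path.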
@@ -197,11 +194,11 @@ private function ahjwtauth_refresh_jwks() {
 error_log( $json );
 return false;
 }
-
+
 // cache JWKS for future.
 set_transient( 'ahjwtauth_jwks', $keys, WEEK_IN_SECONDS );
- // return key set
+ // return key set.
 return $keys;
 }
@@ -217,9 +214,8 @@ private function ahjwtauth_refresh_jwks() {
 private function get_token() {
 $jwt_header = $this->get_header();
 if ( ! isset( $_SERVER[ $jwt_header ] ) ) {
- $msg = 'the expected JWT was not found. Please double check your reverse proxy configuration.';
- $this->warning = __( 'AH JWT Auth ' . $msg, 'ah-jwt-auth' );
- error_log( 'AH JWT Auth: WARNING: ' . $msg );
+ $this->warning = __( 'AH JWT Auth the expected JWT was not found. Please double check your reverse proxy configuration.', 'ah-jwt-auth' );
+ error_log( 'AH JWT Auth: WARNING: the expected JWT was not found. Please double check your reverse proxy configuration.' );
 return false;
 }
@@ -250,9 +246,8 @@ private function verify_token( $jwt ) {
 try {
 $payload = JWT::decode( $jwt, $key );
 } catch ( SignatureInvalidException $e ) {
- $msg = 'Cannot verify the JWT. Please double check that your private secret or JWKS URL is configured correctly';
- $this->error = __( 'AH JWT Auth: ' . $msg, 'ah-jwt-auth' );
- error_log( 'AH JWT Auth: ERROR: ' . $msg );
+ $this->error = __( 'AH JWT Auth: Cannot verify the JWT. Please double check that your private secret or JWKS URL is configured correctly', 'ah-jwt-auth' );
+ error_log( 'AH JWT Auth: ERROR: Cannot verify the JWT. Please double check that your private secret or JWKS URL is configured correctly' );
 return false;
 } catch ( Exception $e ) {
 return false;
@@ -276,7 +271,7 @@ private function get_key() {
 if ( '' !== $jwks_url ) {
 return $this->ahjwtauth_refresh_jwks();
 }
-
+
 // otherwise use shared secret.
 return new Key( get_option( 'ahjwtauth-private-secret' ), $this->get_alg() );
 }
diff --git a/readme.txt b/readme.txt
index f782ea0..6a293c5 100644
--- a/readme.txt
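Review bot: The trailing `catch ( Exception $e ) { return false;` in `verify_token()` still swallows every failure other than a bad signature — an expired token, a not-yet-valid token, or a `kid` missing from the fetched key set all end in a bare `return false;` with no `$this->error` set and nothing logged, while the `SignatureInvalidException` branch directly above gets both. An operator debugging a failed sign-in therefore sees nothing, and a sudden run of such failures (for example right after an identity-provider key rotation) leaves no trace to alert on. Record the cause the way the other branch does, e.g. `$this->error = __( 'AH JWT Auth: Cannot decode the JWT', 'ah-jwt-auth' );` and `error_log( 'AH JWT Auth: ERROR: ' . get_class( $e ) . ': ' . $e->getMessage() );` before the `return false;`. The `try` block is shown in full, but `verify_token()` continues past the end of this hunk.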
+++ b/readme.txt
@@ -57,6 +57,9 @@ Currently only the HS256 and RS256 alorithms are supported.
 == Changelog ==
+= 1.5.0 =
+* Add WP cron job to refresh JWKS daily
+
 = 1.4.1 =
 * Update dependencies to resolve security issue