Ensure email|login changes invalidate token

Author: valendesigns

tests/wp-includes/rest-api/auth/class-test-wp-rest-token.php

@@ -114,6 +114,7 @@ public function test_authenticate() {
 			'role'       => 'administrator',
 			'user_login' => 'testuser',
 			'user_pass'  => 'testpassword',
+			'user_email' => 'testuser@sample.org',
 		);
 
 		$user_id = $this->factory->user->create( $user_data );
@@ -123,14 +124,18 @@ public function test_authenticate() {
 				array(
 					'data' => array(
 						'user' => array(
-							'id'   => $user_id,
-							'type' => 'wp_user',
+							'id'         => $user_id,
+							'type'       => 'wp_user',
+							'user_login' => 'testuser',
+							'user_email' => 'testuser@sample.org',
 						),
 					),
 				)
 			)
 		);
 
+		add_filter( 'rest_authentication_is_api_request', '__return_true' );
+
 		// Another authentication method was used.
 		$this->assertEquals( 'alt_auth', $this->token->authenticate( 'alt_auth' ) );
 
@@ -186,6 +191,10 @@ public function test_authenticate() {
 		$authenticate = $mock->authenticate( null );
 		$this->assertTrue( $authenticate );
 		$this->assertEquals( $user_id, get_current_user_id() );
+		remove_filter( 'rest_authentication_is_api_request', '__return_true' );
+
+		$authenticate = $mock->authenticate( null );
+		$this->assertNull( $authenticate );
 	}
 
 	/**
@@ -202,6 +211,7 @@ public function test_require_token() {
 			'role'       => 'administrator',
 			'user_login' => 'testuser',
 			'user_pass'  => 'testpassword',
+			'user_email' => 'testuser@sample.org',
 		);
 
 		// @codingStandardsIgnoreStart
@@ -315,8 +325,8 @@ public function test_generate_token() {
 		$user_data = array(
 			'role'       => 'administrator',
 			'user_login' => 'testuser',
-			'user_email' => 'testuser@sample.org',
 			'user_pass'  => 'testpassword',
+			'user_email' => 'testuser@sample.org',
 		);
 
 		$request = new WP_REST_Request( 'POST', 'wp/v2/token' );
@@ -379,6 +389,7 @@ public function test_validate_token() {
 			'role'       => 'administrator',
 			'user_login' => 'testuser',
 			'user_pass'  => 'testpassword',
+			'user_email' => 'testuser@sample.org',
 		);
 
 		$user_id = $this->factory->user->create( $user_data );
@@ -390,8 +401,10 @@ public function test_validate_token() {
 					'exp'  => time() - 1,
 					'data' => array(
 						'user' => array(
-							'id'   => 10,
-							'type' => 'wp_user',
+							'id'         => 10,
+							'type'       => 'wp_user',
+							'user_login' => 'testuser',
+							'user_email' => 'testuser@sample.org',
 						),
 					),
 				)
@@ -521,6 +534,43 @@ public function test_validate_token() {
 		$this->assertTrue( is_wp_error( $validate_token ) );
 		$this->assertEquals( $validate_token->get_error_code(), 'rest_authentication_token_error' );
 
+		// Invalid token, user email has changed.
+		wp_update_user(
+			array(
+				'ID'         => $user_id,
+				'user_email' => 'testuser1@sample.org',
+			)
+		);
+
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'jwt',
+				)
+			)
+			->getMock();
+		$mock->method( 'jwt' )->willReturn( $jwt );
+
+		$validate_token = $mock->validate_token();
+		$this->assertTrue( is_wp_error( $validate_token ) );
+		$this->assertEquals( $validate_token->get_error_code(), 'rest_authentication_invalid_token_user_email' );
+
+		// Invalid token, user login has changed. You cannot change your login, but better safe than sorry.
+		$jwt->data->user->user_login = 'testuser1';
+
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'jwt',
+				)
+			)
+			->getMock();
+		$mock->method( 'jwt' )->willReturn( $jwt );
+
+		$validate_token = $mock->validate_token();
+		$this->assertTrue( is_wp_error( $validate_token ) );
+		$this->assertEquals( $validate_token->get_error_code(), 'rest_authentication_invalid_token_user_login' );
+
 		// @codingStandardsIgnoreStart
 		unset( $_SERVER['HTTP_AUTHORIZATION'] );
 		// @codingStandardsIgnoreEnd
@@ -590,15 +640,18 @@ public function test_validate_user() {
 			'role'       => 'administrator',
 			'user_login' => 'testuser',
 			'user_pass'  => 'testpassword',
+			'user_email' => 'testuser@sample.org',
 		);
 
 		$jwt = json_decode(
 			wp_json_encode(
 				array(
 					'data' => array(
 						'user' => array(
-							'id'   => 10,
-							'type' => 'wp_user',
+							'id'         => 10,
+							'type'       => 'wp_user',
+							'user_login' => 'testuser',
+							'user_email' => 'testuser@sample.org',
 						),
 					),
 				)
@@ -613,8 +666,26 @@ public function test_validate_user() {
 		$this->assertTrue( is_wp_error( $user_valid ) );
 		$this->assertEquals( $user_valid->get_error_code(), 'rest_authentication_invalid_token_wp_user' );
 
-		$jwt->data->user->id = $this->factory->user->create( $user_data );
-		$user_valid          = $this->token->validate_user( $jwt );
+		// Create the user.
+		$jwt->data->user->id         = $this->factory->user->create( $user_data );
+		$jwt->data->user->user_login = 'testuser1';
+
+		$user_valid = $this->token->validate_user( $jwt );
+		$this->assertTrue( is_wp_error( $user_valid ) );
+		$this->assertEquals( $user_valid->get_error_code(), 'rest_authentication_invalid_token_user_login' );
+
+		// Change user values.
+		$jwt->data->user->user_login = 'testuser';
+		$jwt->data->user->user_email = 'testuser1@sample.org';
+
+		$user_valid = $this->token->validate_user( $jwt );
+		$this->assertTrue( is_wp_error( $user_valid ) );
+		$this->assertEquals( $user_valid->get_error_code(), 'rest_authentication_invalid_token_user_email' );
+
+		// Reset user email.
+		$jwt->data->user->user_email = 'testuser@sample.org';
+
+		$user_valid = $this->token->validate_user( $jwt );
 		$this->assertTrue( $user_valid );
 	}
 

wp-includes/rest-api/auth/class-wp-rest-key-pair.php

@@ -306,8 +306,8 @@ public function authenticate( $user, WP_REST_Request $request ) {
 		// Retrieves a user if a valid key & secret is given.
 		$get_user = get_users(
 			array(
-				'meta_key'   => $key, // WPCS: slow query ok.
-				'meta_value' => wp_hash( $secret ), // WPCS: slow query ok.
+				'meta_key'   => $key, // phpcs:ignore
+				'meta_value' => wp_hash( $secret ), // phpcs:ignore
 			)
 		);
 

wp-includes/rest-api/auth/class-wp-rest-token.php

@@ -211,6 +211,14 @@ public function get_item_schema() {
 	 */
 	public function authenticate( $result ) {
 
+		// Check for valid API requests.
+		$api_request = ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) || ( defined( 'REST_REQUEST' ) && REST_REQUEST );
+
+		// This is not the authentication you're looking for.
+		if ( ! apply_filters( 'rest_authentication_is_api_request', $api_request ) ) {
+			return $result;
+		}
+
 		// Another authentication method was used.
 		if ( ! is_null( $result ) ) {
 			return $result;
@@ -245,8 +253,8 @@ public function authenticate( $result ) {
 	 */
 	public function require_token() {
 		$require_token  = true;
-		$request_uri    = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : false; // WPCS: sanitization okay.
-		$request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : false; // WPCS: sanitization okay.
+		$request_uri    = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : false; // phpcs:ignore
+		$request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : false; // phpcs:ignore
 		$rest_uri       = self::get_rest_uri();
 
 		// User is already authenticated.
@@ -507,11 +515,11 @@ public function validate_token() {
 	public function get_auth_header() {
 
 		// Get HTTP Authorization Header.
-		$header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? $_SERVER['HTTP_AUTHORIZATION'] : false; // WPCS: sanitization okay.
+		$header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? $_SERVER['HTTP_AUTHORIZATION'] : false; // phpcs:ignore
 
 		// Check for alternative header.
 		if ( ! $header && isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
-			$header = $_SERVER['REDIRECT_HTTP_AUTHORIZATION']; // WPCS: sanitization okay.
+			$header = $_SERVER['REDIRECT_HTTP_AUTHORIZATION']; // phpcs:ignore
 		}
 
 		// The HTTP Authorization Header is missing, return an error.
@@ -599,14 +607,39 @@ public function validate_user( $token ) {
 			);
 		}
 
-		if ( 'wp_user' === $token->data->user->type && get_userdata( $token->data->user->id ) === false ) {
-			return new WP_Error(
-				'rest_authentication_invalid_token_wp_user',
-				__( 'Token user is invalid.', 'jwt-auth' ),
-				array(
-					'status' => 403,
-				)
-			);
+		if ( 'wp_user' === $token->data->user->type ) {
+
+			$userdata = get_userdata( $token->data->user->id );
+
+			if ( false === $userdata ) {
+				return new WP_Error(
+					'rest_authentication_invalid_token_wp_user',
+					__( 'Token user is invalid.', 'jwt-auth' ),
+					array(
+						'status' => 403,
+					)
+				);
+			}
+
+			if ( $token->data->user->user_login !== $userdata->user_login ) {
+				return new WP_Error(
+					'rest_authentication_invalid_token_user_login',
+					__( 'Token user_login is invalid.', 'jwt-auth' ),
+					array(
+						'status' => 403,
+					)
+				);
+			}
+
+			if ( $token->data->user->user_email !== $userdata->user_email ) {
+				return new WP_Error(
+					'rest_authentication_invalid_token_user_email',
+					__( 'Token user_email is invalid.', 'jwt-auth' ),
+					array(
+						'status' => 403,
+					)
+				);
+			}
 		}
 
 		return true;