Add token validate endpoint

valendesigns · valendesigns · commit b7ea5a023080 · 2019-05-10T05:33:32.000-07:00
diff --git a/readme.md b/readme.md
@@ -116,9 +116,27 @@ That request would be like this:
 ```bash
 curl -X POST https://example.org/wp-json/wp/v2/token \
 	-F refresh_token=YOUR_REFRESH_TOKEN
+```
+
+You can also check if the token is still valid and when it expires:
+
+```bash
+curl -X GET https://sample.org/wp-json/wp/v2/token/validate \
+	-H 'Authorization: Bearer YOUR_ACCESS_TOKEN'
+```
+
+```javascript
+{
+    "code": "rest_authentication_valid_access_token",
+    "message": "Valid access token.",
+    "data": {
+        "status": 200,
+        "exp": 604800
+    }
+}
 ```
 
-## Generate Application Passwords ##
+## Generate Key-pairs ##
 
 In order to generate a token you first need to create an application password, or what we also refer to as a key-pair.
 To create a key-pair you have to first log into the WordPress administrative panel and go to your profile page. There
diff --git a/readme.txt b/readme.txt
@@ -115,7 +115,25 @@ curl -X POST https://example.org/wp-json/wp/v2/token \
 	-F refresh_token=YOUR_REFRESH_TOKEN
 ```
 
-== Generate Application Passwords ==
+You can also check if the token is still valid and when it expires:
+
+```bash
+curl -X GET https://sample.org/wp-json/wp/v2/token/validate \
+	-H 'Authorization: Bearer YOUR_ACCESS_TOKEN'
+```
+
+```javascript
+{
+    "code": "rest_authentication_valid_access_token",
+    "message": "Valid access token.",
+    "data": {
+        "status": 200,
+        "exp": 604800
+    }
+}
+```
+
+== Generate Key-pairs ==
 
 In order to generate a token you first need to create an application password, or what we also refer to as a key-pair.
 To create a key-pair you have to first log into the WordPress administrative panel and go to your profile page. There
diff --git a/tests/wp-includes/rest-api/auth/class-test-wp-rest-token.php b/tests/wp-includes/rest-api/auth/class-test-wp-rest-token.php
@@ -583,6 +583,204 @@ public function test_decode_token() {
 		$this->assertEquals( $validate_token->get_error_code(), 'rest_authentication_token_error' );
 	}
 
+	/**
+	 * Test validate().
+	 *
+	 * @covers ::validate()
+	 * @since 0.1
+	 */
+	public function test_validate() {
+		$user_data = array(
+			'role'       => 'administrator',
+			'user_login' => 'testuser',
+			'user_pass'  => 'testpassword',
+			'user_email' => 'testuser@sample.org',
+		);
+
+		$user_id = $this->factory->user->create( $user_data );
+
+		$jwt = json_decode(
+			wp_json_encode(
+				array(
+					'iss'  => get_bloginfo( 'url' ),
+					'exp'  => time() + WEEK_IN_SECONDS,
+					'data' => array(
+						'user' => array(
+							'id'         => $user_id,
+							'type'       => 'wp_user',
+							'user_login' => 'testuser',
+							'user_email' => 'testuser@sample.org',
+						),
+					),
+				)
+			)
+		);
+
+		// Invalid HTTP Authorization Header.
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'get_auth_header',
+				)
+			)
+			->getMock();
+		$mock->method( 'get_auth_header' )->willReturn( new WP_Error() );
+
+		$validate = $mock->validate();
+		$this->assertEquals( 'rest_authentication_invalid_bearer_token', $validate['code'] );
+		$this->assertEquals( 403, $validate['data']['status'] );
+
+		// Invalid Bearer token.
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'get_auth_header',
+					'get_token',
+				)
+			)
+			->getMock();
+		$mock->method( 'get_auth_header' )->willReturn( true );
+		$mock->method( 'get_token' )->willReturn( new WP_Error() );
+
+		$validate = $mock->validate();
+		$this->assertEquals( 'rest_authentication_invalid_bearer_token', $validate['code'] );
+		$this->assertEquals( 403, $validate['data']['status'] );
+
+		// Invalid Bearer token.
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'get_auth_header',
+					'get_token',
+					'decode_token',
+				)
+			)
+			->getMock();
+		$mock->method( 'get_auth_header' )->willReturn( true );
+		$mock->method( 'get_token' )->willReturn( true );
+		$mock->method( 'decode_token' )->willReturn( new WP_Error() );
+
+		$validate = $mock->validate();
+		$this->assertEquals( 'rest_authentication_invalid_bearer_token', $validate['code'] );
+		$this->assertEquals( 403, $validate['data']['status'] );
+
+		// Invalid token issuer.
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'get_auth_header',
+					'get_token',
+					'decode_token',
+					'validate_issuer',
+				)
+			)
+			->getMock();
+		$mock->method( 'get_auth_header' )->willReturn( true );
+		$mock->method( 'get_token' )->willReturn( true );
+		$mock->method( 'decode_token' )->willReturn( $jwt );
+		$mock->method( 'validate_issuer' )->willReturn( new WP_Error() );
+
+		$validate = $mock->validate();
+		$this->assertEquals( 'rest_authentication_invalid_bearer_token', $validate['code'] );
+		$this->assertEquals( 403, $validate['data']['status'] );
+
+		// Invalid token user.
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'get_auth_header',
+					'get_token',
+					'decode_token',
+					'validate_issuer',
+					'validate_user',
+				)
+			)
+			->getMock();
+		$mock->method( 'get_auth_header' )->willReturn( true );
+		$mock->method( 'get_token' )->willReturn( true );
+		$mock->method( 'decode_token' )->willReturn( $jwt );
+		$mock->method( 'validate_issuer' )->willReturn( true );
+		$mock->method( 'validate_user' )->willReturn( new WP_Error() );
+
+		$validate = $mock->validate();
+		$this->assertEquals( 'rest_authentication_invalid_bearer_token', $validate['code'] );
+		$this->assertEquals( 403, $validate['data']['status'] );
+
+		// Token has expired.
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'get_auth_header',
+					'get_token',
+					'decode_token',
+					'validate_issuer',
+					'validate_user',
+					'validate_expiration',
+				)
+			)
+			->getMock();
+		$mock->method( 'get_auth_header' )->willReturn( true );
+		$mock->method( 'get_token' )->willReturn( true );
+		$mock->method( 'decode_token' )->willReturn( $jwt );
+		$mock->method( 'validate_issuer' )->willReturn( true );
+		$mock->method( 'validate_user' )->willReturn( true );
+		$mock->method( 'validate_expiration' )->willReturn( new WP_Error() );
+
+		$validate = $mock->validate();
+		$this->assertEquals( 'rest_authentication_expired_bearer_token', $validate['code'] );
+		$this->assertEquals( 403, $validate['data']['status'] );
+
+		// Valid Access Token.
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'get_auth_header',
+					'get_token',
+					'decode_token',
+					'validate_issuer',
+					'validate_user',
+					'validate_expiration',
+				)
+			)
+			->getMock();
+		$mock->method( 'get_auth_header' )->willReturn( true );
+		$mock->method( 'get_token' )->willReturn( true );
+		$mock->method( 'decode_token' )->willReturn( $jwt );
+		$mock->method( 'validate_issuer' )->willReturn( true );
+		$mock->method( 'validate_user' )->willReturn( true );
+		$mock->method( 'validate_expiration' )->willReturn( true );
+
+		$validate = $mock->validate();
+		$this->assertEquals( 'rest_authentication_valid_access_token', $validate['code'] );
+		$this->assertEquals( 200, $validate['data']['status'] );
+
+		$jwt->data->user->token_type = 'refresh';
+
+		// Valid Refresh Token.
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'get_auth_header',
+					'get_token',
+					'decode_token',
+					'validate_issuer',
+					'validate_user',
+					'validate_expiration',
+				)
+			)
+			->getMock();
+		$mock->method( 'get_auth_header' )->willReturn( true );
+		$mock->method( 'get_token' )->willReturn( true );
+		$mock->method( 'decode_token' )->willReturn( $jwt );
+		$mock->method( 'validate_issuer' )->willReturn( true );
+		$mock->method( 'validate_user' )->willReturn( true );
+		$mock->method( 'validate_expiration' )->willReturn( true );
+
+		$validate = $mock->validate();
+		$this->assertEquals( 'rest_authentication_valid_refresh_token', $validate['code'] );
+		$this->assertEquals( 200, $validate['data']['status'] );
+	}
+
 	/**
 	 * Test validate_token().
 	 *
diff --git a/wp-includes/rest-api/auth/class-wp-rest-token.php b/wp-includes/rest-api/auth/class-wp-rest-token.php
@@ -90,6 +90,12 @@ public static function get_rest_uri() {
 	 * @see register_rest_route()
 	 */
 	public function register_routes() {
+		$args = array(
+			'methods'  => WP_REST_Server::READABLE,
+			'callback' => array( $this, 'validate' ),
+		);
+		register_rest_route( self::_NAMESPACE_, '/' . self::_REST_BASE_ . '/validate', $args );
+
 		$args = array(
 			'methods'  => WP_REST_Server::CREATABLE,
 			'callback' => array( $this, 'generate_token' ),
@@ -169,6 +175,16 @@ public function get_item_schema() {
 						),
 					),
 				),
+				'exp'           => array(
+					'description' => esc_html__( 'The number of seconds until the token expires.', 'jwt-auth' ),
+					'type'        => 'integer',
+					'readonly'    => true,
+				),
+				'refresh_token' => array(
+					'description' => esc_html__( 'Refresh JSON Web Token.', 'jwt-auth' ),
+					'type'        => 'string',
+					'readonly'    => true,
+				),
 			),
 		);
 
@@ -594,6 +610,76 @@ public function decode_token( $token ) {
 		}
 	}
 
+	/**
+	 * Determine if a valid Bearer token has been provided and return when it expires.
+	 *
+	 * @return array Return information about whether the token has expired or not.
+	 */
+	public function validate() {
+
+		$response = array(
+			'code'    => 'rest_authentication_invalid_bearer_token',
+			'message' => __( 'Invalid bearer token.', 'jwt-auth' ),
+			'data'    => array(
+				'status' => 403,
+			),
+		);
+
+		// Get HTTP Authorization Header.
+		$header = $this->get_auth_header();
+		if ( is_wp_error( $header ) ) {
+			return $response;
+		}
+
+		// Get the Bearer token from the header.
+		$token = $this->get_token( $header );
+		if ( is_wp_error( $token ) ) {
+			return $response;
+		}
+
+		// Decode the token.
+		$jwt = $this->decode_token( $token );
+		if ( is_wp_error( $jwt ) ) {
+			return $response;
+		}
+
+		// Determine if the token issuer is valid.
+		$issuer_valid = $this->validate_issuer( $jwt->iss );
+		if ( is_wp_error( $issuer_valid ) ) {
+			return $response;
+		}
+
+		// Determine if the token user is valid.
+		$user_valid = $this->validate_user( $jwt );
+		if ( is_wp_error( $user_valid ) ) {
+			return $response;
+		}
+
+		// Determine if the token has expired.
+		$expiration_valid = $this->validate_expiration( $jwt );
+		if ( is_wp_error( $expiration_valid ) ) {
+			$response['code']    = 'rest_authentication_expired_bearer_token';
+			$response['message'] = __( 'Expired bearer token.', 'jwt-auth' );
+			return $response;
+		}
+
+		$response = array(
+			'code'    => 'rest_authentication_valid_access_token',
+			'message' => __( 'Valid access token.', 'jwt-auth' ),
+			'data'    => array(
+				'status' => 200,
+				'exp'    => $jwt->exp - time(),
+			),
+		);
+
+		if ( isset( $jwt->data->user->token_type ) && 'refresh' === $jwt->data->user->token_type ) {
+			$response['code']    = 'rest_authentication_valid_refresh_token';
+			$response['message'] = __( 'Valid refresh token.', 'jwt-auth' );
+		}
+
+		return $response;
+	}
+
 	/**
 	 * Determine if a valid Bearer token has been provided.
 	 *
