justingreerbbi / wordpress-oauth-server Goto Github PK

function wo_ap_et_access_token_for_user() {
global $wpdb;

$current_user = get_current_user_id();
$check        = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}oauth_access_tokens WHERE user_id ={$current_user}" );

return $check;

}

Needs to be:

function wo_ap_et_access_token_for_user() {
global $wpdb;

$current_user = get_current_user_id();
$query        = "SELECT * FROM {$wpdb->prefix}oauth_access_tokens WHERE user_id = %d";
$query        = $wpdb->prepare( $query, $current_user );
return $wpdb->get_row( $query );

}

NOTE: The prepare() method of $wpdb ensures security of the query.

https://developer.wordpress.org/reference/classes/wpdb/prepare/

Version 3.0.2

When trying to authenticate I've received the following error:

"An unsupported scope was requested"

I manually added "auth" scope to the oauth_scopes and set scope field in oauth_clients table to "auth" and now receiving the following error:

"Not a valid access token"

Is there any way to configure scopes in the WordPress OAuth Server plugin?

It is currently require to pass state parameter to the authorize method.
I have a use case in which no state is require, for simple authentication.

It will be easier to use this plugin if state parameter will be optional.

Is it possible to use the standard wordpress login page to authorizations?

Thanks.

The table of the clients in the WP-Admin does not show the callback and currently there is no way to view that information

Upon installing and creating an account I get the following error when trying to use the default Postman OAuth2 test-scenario:

Server details:

At the start of the login flow on 3.0.5 I'm getting a 500 response this in the logs:

Undefined class constant 'RESPONSE_TYPE_ID_TOKEN_TOKEN' in www/wp-content/plugins/oauth2-provider/library/OAuth2/OpenID/Controller/AuthorizeController.php on line 82" while reading response header from upstream

Relevant line: https://github.com/justingreerbbi/wordpress-oauth-server/blob/master/library/OAuth2/OpenID/Controller/AuthorizeController.php#L82

This may already be supported, but I did not find that in the docs. Without explicit support we would like to know of course before using it on a multi-site.

In my local install, when doing a test ride with your plugin, I get the following error here:

Notice: Undefined index: license in /var/www/dev/public/wp-content/plugins/oauth2-provider/library/content/create-new-client.php on line 131

The problem is that you assume in

if (!_vl($options['license']) && has_a_client())

that from get_option('wo_options'); the $options['license'] key is always set. Looking at the markup (no, I didn't debug this to the end), I can see the HTML form field:

<input type="text" name="wo_options[license]" value="" length="40" style="width:300px;">

In short: If this is not filled, the other fields that depend on this should simply either have a disabled attribute or should not get displayed at all.

hello, wonderfull effort u made there but i was thinking if there is a way to implement wordpress api with a different app that is not build on wordpress....

Nevermind, was my fault. Feel free to delete. Sorry...

Hey,
whenever I'm trying to log get the token by requesting /oauth/token I get a 400.
This makes the plugin unusable for Internet Explorer, every other browser works as expected though.

Any suggestions?

Hello @justingreerbbi,

The github repository is out of sync with the actual plugin state. I have some additions I'd like to share for prelimary multisite support but these are now based of the current code which still is on 3.1.8.

I have a problem where PUT requests to a separate plugin which extends the WP REST API v2. It doesn't recieve any body parameters when using PUT. Please see this issue for for information.

It seems like WP OAuth Server is reading from php://input and doesn't store this in $HTTP_RAW_POST_DATA. Please see this issue for the solution.

Going to settings and resetting the permalinks does not happening and changing them manually to /oauth/{method} or ?oauth={method} still comes up with a 404 and /oauth/authorize not found.

I'm getting a redirect_uri_mismatch, and I can't track down what the source of the problem is. Any idea why this error is popping up?

To state the obvious, oAuth Server has the redirect url set as https://app.example.com/_oauth/wordpress, which is correct. I've tried both with and without the trailing slash at the end, with and without https://, so I've run out of ideas.

Thanks!

I'm making REST api request using the bear authorization but kept on getting forbidden request 403. The wordpress version I'm using is 4.6.1 and WP-Rest-API version 2.0-beta-15. I'm seeing this behavior in WP-OAuth-Server version 3.1.98.

Repro:

1. Go into WP-Admin (that has the plugin of course)
2. Go into Clients tab
3. Add a client
4. Hover with the mouse over the client's row and press the edit link

Expected Result:
Show a dialog which allows to change some of the information about the client

Actual Result:
Nothing shows, the page jump to the top.

Notice - Header 'Authorization Basic' may not work as expected.

wp version 4.6.1
hosting godaddy windows shared hosting
php version 5.6.1

**Server Status
The following information is helpful when debugging or reporting an issue. Please note that the information provided here is a reference only.

Plugin Build: 3.2.001
PHP Version (5.6.26): OK
Apache Version: apache_get_version() not enabled.
Running CGI: Notice - Header 'Authorization Basic' may not work as expected.**

Hello, do you example of config for this code?

class ConnectOauth
{       
    protected function _init(Config $config)
    {
        $config->append(array(
            'service_name'      => 'Wordpress Oauth',
            'api_url'            => 'XXX',
            'request_token_url' => 'XXX' ,
            'authorize_url'     => 'XXX',
            'access_token_url'  => 'XXX' ,
            'authenticate_url'  => 'XXX'        
        ));

        parent::_initialize($config);
    }

     /** Return the current user data*/

     protected function _getUserData()
     {
        $profile = $this->get('XXX/XXX.json');

        $data = array(
            'email'        => $profile->email,
            'name'     => $profile->name,
            'username' => $profile->screen_name,
            'avatar'  => $profile->profile_image_url          
        );

        return $data;
     }
}

I'm trying to use your plugin to authorize users in an AngularJS application. Angular uses a hash on it links: http://www.myapp.com/#oauth
When I use this link as a redirect URI, the browser is redirected to http://www.myapp.com/?state=anything_you_want&code=THECODE#/oauth instead of http://www.myapp.com/#oauth?state=anything_you_want&code=THECODE

The latest tag/release is 2.0.0 (stable). That one can be easily fixed.

Hey Justin, thanks for your help troubleshooting last month. I have a new question for you.

It doesn't look like the plugin currently supports using a saved refresh token to obtain a fresh access token once the original access token has expired.

The credentials being returned by the plugin include the access token, an expiration for the access token (looks to be 1 hour from now by default) and a refresh token.

What I'd like to be able to do is make a call like this:

http://example.com/oauth/request_access?refresh_token=the_refresh_token

And get back a new access token and a new expiration date, along with the typical user metadata/info hash. Is that possible with the current plugin or would this need to be built?

It would be a good idea to add a regenerate secrets on demand from the admin. Currently, an admin would have to delete and re add a client.

I've successfully called /oauth/authorize and /oauth/request_token, but when I call /oauth/request_access with a valid access token, I receive a single string in the response body: "null"

Obviously something is wrong. Any ideas?

It is required to add a trailing slash to the request_access method.
The plugin does return a redirect to the correct URL but in the default nodeJS library I use (passport) the http client does not follow redirect by default.

I'm not sure what is more correct - with or without slash.

We're running 3.1.93 with Wordpress 4.4.1. When setting a custom expiry time in the admin interface the expires_in parameter is returned as a string, not a number. E.g.:

{
  "access_token": "abc123",
  "expires_in": "86400",
  "token_type": "Bearer",
  "scope": "basic",
  "refresh_token": "def456"
}

If you remove the custom value for expiry time then you get expires_in correctly as an int, e.g.

{
  "access_token": "abc123",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "basic",
  "refresh_token": "def456"
}

I'm able to successfully retrieve an access token using this plugin but when I wish to attach it to an API requests (say /oauth/me/) it only appears to work when the access token is a parameter, rather than a header.

If I hit http://54.253.241.207/oauth/me/?access_token=XXXXXXXXXX the requests returns successfully. Yet when I use the 'Authorization: Bearer XXXXXX' header I get a 400 response with the response {error: "invalid_request", error_description: "Missing or invalid parameter(s)"}.

Am I right to think that authentication using the 'Authorization' header should still work in the free version of the plugin?

Full Gist of the cURL response is here and the header definitely seems to be present.

Thanks for any help.

This query should be reworked to:

$query = "DELETE FROM {$wpdb->prefix}oauth_access_tokens WHERE user_id = %d AND ap_generated = %d";
$query = $wpdb->prepare( $query, $user_id, 1 );
$wpdb->query( $query );

It is VERY important to use the prepare() method. I am not going to put further reviews about it. You should check the plugin throughout and refactor.

Change

function wp_ap_generate_access_token() {
$token_length = wo_setting( 'token_length' );

return strtolower( wp_generate_password( $token_length, FALSE, $extra_special_chars = FALSE ) );

}

To:

function wp_ap_generate_access_token() {
$token_length = wo_setting( 'token_length' );

return strtolower( wp_generate_password( $token_length, FALSE, FALSE ) );

}

To reproduce:

• WP 4.8.2
• this plugin version 3.4.1
• update available: 3.4.2

1. go to plugins
2. find the plugin in the list with an update available
3. click the 'show details' link
4. observe that nothing happens
5. and that you have a fatal error:

[14-Nov-2017 13:29:22 UTC] PHP Fatal error:  Uncaught Error: Cannot use object of type stdClass as array in /Users/javorszky/Sites/hb/wp-admin/includes/plugin-install.php:501
Stack trace:
#0 /Users/javorszky/Sites/hb/wp-includes/class-wp-hook.php(298): install_plugin_information('')
#1 /Users/javorszky/Sites/hb/wp-includes/class-wp-hook.php(323): WP_Hook->apply_filters(NULL, Array)
#2 /Users/javorszky/Sites/hb/wp-includes/plugin.php(453): WP_Hook->do_action(Array)
#3 /Users/javorszky/Sites/hb/wp-admin/plugin-install.php(67): do_action('install_plugins...')
#4 /Users/javorszky/.composer/vendor/laravel/valet/server.php(133): require('/Users/javorszk...')
#5 {main}
  thrown in /Users/javorszky/Sites/hb/wp-admin/includes/plugin-install.php on line 501

I am authenticating through Wordpress using Electron and the setup for my test site works, but the production site gives a 400 cannot post at oauth/token. The call to oauth/code works, but oauth/token does not. The only difference I can see from the WP Oauth Server is the Running CGI says, "Header 'Authorization Basic' may not work as expected". I can't seem to find anything in the documentation on what causes this or even referencing the Running CGI or what this description could even mean. Something on Wordpress must trigger it, but it's a mystery as to what does.

Hi Justin,

I installed the plugin in clean wordpress 3.9 installation following the instructions but the URLs (e.g. /oauth/authorize) are not working. One "page not found" is shown.
Is there any additional step I have to do?

Thanks.

Hi there,

I was wondering if your plugin can be integrated with http://wp-api.org/ ?

For example, after performing the authentication, I will have the user data and the access token.

How do i use this access token and perform GET/POST requests ?

So if your plugin can be integrated with http://wp-api.org, how should I go about doing it ?

If not, I was wondering how do i extend your plugin to include JSON apis in a similar fashion as wp-api ?

Thanks a lot, great work!

First at all, congratulations for your works.

I have an app that takes all the procedure and it works perfect. I store the access_token. After closing the application, I can request_access, because I have the access_token from the previous user, and get the result perfectly, but user is not login, so I when I try then to do something else, I always have a 401 response. How can I login if I have the access_token?

Hello,
I followed the demo of the OAuth Server WP plugin
Link: https://www.youtube.com/watch?v=RaEdBOOkeWA

I tried to access the attributes that are accessable only by using the context edit (Example: service email comments), but the error "Sorry, you do not have permission to edit comments."

How I can get around this problem.

Thank you
BBI fondative

when i open
/oauth/authorize?response_type=code&client_id=TestClient&redirect_uri=https:/redirect-uri.com/cb/

it turns into
/oauth/authorize/?response_type=code&client_id=TestClient&redirect_uri=https:/redirect-uri.com/cb/

then the wordpress show me the index page instead of the json i want.

what should I do?

In some places, you have internationalization in place. Like /includes/admin-options.php line 48:

	add_submenu_page( 'wo_manage_clients', 'Clients', __( 'Clients', 'wp-oauth' ), 'manage_options', 'wo_manage_clients', 'wo_admin_manage_clients_page' );

See how you have:

__( 'Clients', 'wp-oauth' )

That needs done throughout the entire project in ALL files. For example /includes/admin/pages/edit-client.php line 145:

                                <h3>Advanced Options</h3>

Should be:

                                <h3><?php echo __('Advanced Options', 'wp-oauth'); ?></h3>

I am currently working on wperm api in my wordpress site. When i try to get all contacts through api it give only 1 last record only . How to get all record using Contacts api.I am following below documentation for wperm api's. https://wperp.docs.apiary.io/

Contacts api is https://private-e6de3e-wperp.apiary-mock.com/wp-json/erp/v1/crm/contacts?type=contact&per_page=20&page=1&search=&include=owner

How can I add custom user information in the response ? For Example a meta value or specifically the user role. Looked in the code for a few minutes but couldn't find anything that's related to this

Hi good day,

firstly, great work and I managed to get your plugin working quickly and easily together with your sample php client.

I was wondering if there is anyway to perform authentication without the use of client secret ?
I got this inspiration by looking at Facebook's JS SDK, where authorization does not require a client secret, but just a client id will do. What i intend to do is to write a simply javascript client that can perform the authentication in a similar fashion as what we see in Facebook.

So can this be done ? ( authenticating without the use of client secret )

Thanks!

There seems to be a lot of CGI support out in the wild. Would it be a good idea to simply just add the .htaccess hack on activation?

Forgive me if this is already in your documentation, but I haven't found it: I think it'd be very helpful to have a few example debugging URLs which would allow me to identify the form of key requests, and, for example, see the form of the JSON for a user object... It might also be useful to show an example of the JSON for an authenticated user object to help with the process of mapping fields for clients.

@justingreerbbi The plugin works great but here's an issue

Once the user logs in - (and if the redirection for the user is set up in Profilepress) - it doesn't redirect to the URI set in the OAuth Client and instead redirects to the URL set up in profilepress.

What would be the way to go about solving this issue?

As the subject suggest, why the two ep /oauth/me and /oauth/destroy are redirected to the themselves?
There is a specific reason?

Thanks

Mostly due to some extra plugin.
The authorization endpoint redirects to /login/
Any clues on what could be the issue ?

I have been unable to get /.well-known/openid-configuration/ to show up. I get a 404 not found when going there.

I believe this is preventing me from using AuthSession.useAutoDiscovery() with Expo. It didn’t work with the free version. So I purchased it and enabled OpenID Connect.

Still not working.

I think the version available via wordpress.org may be outdated. I had the version without 12a12ee when installing from the plugin panel.

When using the refresh token as described here:

https://wp-oauth.com/knowledge-base/using-the-refresh-token/

All parameters except a new refresh token are returned. e.g.

I am trying to utilize the password-grant authorization, but all attempts to send form data get discarded and in my response, I'm being forwarded to a login form (though I can see some of my form data in my request header).

My preference is to handle the login process on the front-end and just encrypt the transmission. How can I avoid the redirect to the login form?

Since the login creates a session on the Wordpress site, I believe, there should be a method logout within the oAuth API that gives as a response a logout url. For example:

Request:
http://yourdomain.com/oauth/logout?access_token=6f6d8a22c3b127034fb8dc137766625268631d0b

Response:
{"logout_url":"http://yourdomain.com/wp-login.php?action=logout&redirect_to=http://oauthclientsite.com&_wpnonce=5a919040d6"}

Not sure about other users, but I needed it on my site so I had to make changes to the plugin to achieve this since building a different plugin that reuses the classes defined on your plugin was going to be harder.

Any plans for creating a Resource API that integrates with the oAuth server?