From 2d97e69bd082c8bea301b26740b9979f6b0233e3 Mon Sep 17 00:00:00 2001
From: zabalajka
Date: Thu, 6 Apr 2023 17:01:32 +0200
Subject: [PATCH 1/4] ignore VS Code's launch configuration

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 64fd9bda..758e2e27 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,6 +31,7 @@ nbproject
 *.sublime-workspace
 .idea
 clover.xml
+.vscode/launch.json
 
 # Dreamweaver added files
 _notes

From 383f3ced8cc37c4140873c65da321a936121c326 Mon Sep 17 00:00:00 2001
From: zabalajka
Date: Tue, 11 Apr 2023 16:28:23 +0200
Subject: [PATCH 2/4] Adds option to disable built-in login/password reset/signup

Adds an option to completely disable WordPress built-in functionality for login (with username/password), password reset, and signup (registration). All of these functions will be provided by the configured Identity Provider.
---
 .../openid-connect-generic-login-form.php | 95 +++++++++++++++++++
 ...openid-connect-generic-option-settings.php | 48 +++++-----
 .../openid-connect-generic-settings-page.php | 7 ++
 openid-connect-generic.php | 1 +
 4 files changed, 128 insertions(+), 23 deletions(-)

diff --git a/includes/openid-connect-generic-login-form.php b/includes/openid-connect-generic-login-form.php
index 4c76d9ca..69078559 100644
--- a/includes/openid-connect-generic-login-form.php
+++ b/includes/openid-connect-generic-login-form.php
@@ -62,6 +62,7 @@ public static function register( $settings, $client_wrapper ) {
 add_shortcode( 'openid_connect_generic_login_button', array( $login_form, 'make_login_button' ) );
 
 $login_form->handle_redirect_login_type_auto();
+ $login_form->handle_wp_login_and_signup();
 }
 
 /**
@@ -107,6 +108,28 @@ public function handle_login_page( $message ) {
 return $message;
 }
 
+ /**
+ * Disables built-in login functionality.
+ *
+ * @return void
+ */
+ public function handle_wp_login_and_signup() {
+
+ if ( $this->settings->disable_wp_login_and_signup ) {
+ // Login functionality (login, signup, password reset) may be implemented on only page, not only wp-login.php;
+ // therefore, listen for these hooks globally.
+ add_filter( 'authenticate', array( $this, 'disable_authenticate' ), 99, 3 );
+ add_filter( 'lostpassword_errors', array( $this, 'disable_lostpassword' ), 99, 2 );
+ add_filter( 'registration_errors', array( $this, 'disable_registration' ), 99, 3 );
+
+ // Hide the login form and links to reset password and signup. This is just comsmetic change to prevent user confusion.
+ if ( 'wp-login.php' == $GLOBALS['pagenow'] ) {
+ add_action( 'login_footer', array( $this, 'remove_login_form_and_links' ), 99 );
+ }
+ }
+
+ }
+
 /**
 * Display an error message to the user.
 *
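Review bot: The `authenticate` filter added in handle_wp_login_and_signup is applied by every caller of `wp_authenticate()`, not only the wp-login.php form — XML-RPC logins pass through it as well — so the one-line docblock understates the effect; I would extend it with `Blocks WordPress username/password authentication, password reset and registration globally (every wp_authenticate() caller, including XML-RPC), leaving the configured Identity Provider as the only login path.` Whether XML-RPC is meant to be cut off depends on what `disable_authenticate` returns, which is outside this hunk and worth confirming. The `pagenow` check uses a loose comparison and reads the global without checking it is set; `if ( isset( $GLOBALS['pagenow'] ) && 'wp-login.php' === $GLOBALS['pagenow'] ) {` avoids a notice in contexts where WordPress has not populated it. The second `//` comment still reads "comsmetic", which PATCH 4/4 does not touch.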
@@ -173,9 +196,81 @@ public function remove_login_form() { var loginForm = document.getElementById("user_login").form; var parent = loginForm.parentNode; parent.removeChild(loginForm); + + + */ private $environment_settings = array( - 'client_id' => 'OIDC_CLIENT_ID', - 'client_secret' => 'OIDC_CLIENT_SECRET', - 'endpoint_end_session' => 'OIDC_ENDPOINT_LOGOUT_URL', - 'endpoint_login' => 'OIDC_ENDPOINT_LOGIN_URL', - 'endpoint_token' => 'OIDC_ENDPOINT_TOKEN_URL', - 'endpoint_userinfo' => 'OIDC_ENDPOINT_USERINFO_URL', - 'login_type' => 'OIDC_LOGIN_TYPE', - 'scope' => 'OIDC_CLIENT_SCOPE', - 'create_if_does_not_exist' => 'OIDC_CREATE_IF_DOES_NOT_EXIST', - 'enforce_privacy' => 'OIDC_ENFORCE_PRIVACY', - 'link_existing_users' => 'OIDC_LINK_EXISTING_USERS', - 'redirect_on_logout' => 'OIDC_REDIRECT_ON_LOGOUT', - 'redirect_user_back' => 'OIDC_REDIRECT_USER_BACK', - 'acr_values' => 'OIDC_ACR_VALUES', + 'client_id' => 'OIDC_CLIENT_ID', + 'client_secret' => 'OIDC_CLIENT_SECRET', + 'endpoint_end_session' => 'OIDC_ENDPOINT_LOGOUT_URL', + 'endpoint_login' => 'OIDC_ENDPOINT_LOGIN_URL', + 'endpoint_token' => 'OIDC_ENDPOINT_TOKEN_URL', + 'endpoint_userinfo' => 'OIDC_ENDPOINT_USERINFO_URL', + 'login_type' => 'OIDC_LOGIN_TYPE', + 'scope' => 'OIDC_CLIENT_SCOPE', + 'create_if_does_not_exist' => 'OIDC_CREATE_IF_DOES_NOT_EXIST', + 'enforce_privacy' => 'OIDC_ENFORCE_PRIVACY', + 'link_existing_users' => 'OIDC_LINK_EXISTING_USERS', + 'disable_wp_login_and_signup' => 'OIDC_DISABLE_WP_LOGIN_AND_SIGNUP', + 'redirect_on_logout' => 'OIDC_REDIRECT_ON_LOGOUT', + 'redirect_user_back' => 'OIDC_REDIRECT_USER_BACK', + 'acr_values' => 'OIDC_ACR_VALUES', ); /** diff --git a/includes/openid-connect-generic-settings-page.php b/includes/openid-connect-generic-settings-page.php index ac53c86c..d700723b 100644 --- a/includes/openid-connect-generic-settings-page.php +++ b/includes/openid-connect-generic-settings-page.php 
@@ -368,6 +368,13 @@ private function get_settings_fields() {
 'disabled' => defined( 'OIDC_CREATE_IF_DOES_NOT_EXIST' ),
 'section' => 'user_settings',
 ),
+ 'disable_wp_login_and_signup' => array(
+ 'title' => __( 'Disable WordPress login and signup forms', 'daggerhart-openid-connect-generic' ),
+ 'description' => __( 'If checked, built-in forms for login and registration (wp-login.php) will be disabled. It will be possible to login only via the configured Identity Provider.', 'daggerhart-openid-connect-generic' ),
+ 'type' => 'checkbox',
+ 'disabled' => defined( 'OIDC_DISABLE_WP_LOGIN_AND_SIGNUP' ),
+ 'section' => 'user_settings',
+ ),
 'redirect_user_back' => array(
 'title' => __( 'Redirect Back to Origin Page', 'daggerhart-openid-connect-generic' ),
 'description' => __( 'After a successful OpenID Connect authentication, this will redirect the user back to the page on which they clicked the OpenID Connect login button. This will cause the login process to proceed in a traditional WordPress fashion. For example, users logging in through the default wp-login.php page would end up on the WordPress Dashboard and users logging in through the WooCommerce "My Account" page would end up on their account page.', 'daggerhart-openid-connect-generic' ),
diff --git a/openid-connect-generic.php b/openid-connect-generic.php
index b25a396e..559f3946 100644
--- a/openid-connect-generic.php
+++ b/openid-connect-generic.php
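Review bot: The `description` for `disable_wp_login_and_signup` says only the wp-login.php forms are disabled, but the option also blocks password reset and the hooks it registers apply on every page, so an administrator reading this text will not expect a themed login or reset form elsewhere to stop working. Suggested text: `If checked, WordPress username/password login, password reset and registration are disabled everywhere, not only on wp-login.php; login is possible only via the configured Identity Provider.` It should also say how to recover when the Identity Provider is misconfigured or down, because enabling this with a broken IdP locks administrators out of the site: if, as the `$environment_settings` mapping suggests, the `OIDC_DISABLE_WP_LOGIN_AND_SIGNUP` constant overrides the stored option, defining it as 0 in wp-config.php is the escape hatch and belongs in the description. get_settings_fields() starts and ends outside this hunk.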
@@ -363,6 +363,7 @@ public static function bootstrap() {
 'token_refresh_enable' => 1,
 'link_existing_users' => defined( 'OIDC_LINK_EXISTING_USERS' ) ? intval( OIDC_LINK_EXISTING_USERS ) : 0,
 'create_if_does_not_exist' => defined( 'OIDC_CREATE_IF_DOES_NOT_EXIST' ) ? intval( OIDC_CREATE_IF_DOES_NOT_EXIST ) : 1,
+ 'disable_wp_login_and_signup' => defined( 'OIDC_DISABLE_WP_LOGIN_AND_SIGNUP' ) ? intval( OIDC_DISABLE_WP_LOGIN_AND_SIGNUP ) : 0,
 'redirect_user_back' => defined( 'OIDC_REDIRECT_USER_BACK' ) ? intval( OIDC_REDIRECT_USER_BACK ) : 0,
 'redirect_on_logout' => defined( 'OIDC_REDIRECT_ON_LOGOUT' ) ? intval( OIDC_REDIRECT_ON_LOGOUT ) : 1,
 'enable_logging' => 0,

From fb20aab287cfe26920baebc444e03fafae7f1a14 Mon Sep 17 00:00:00 2001
From: zabalajka
Date: Tue, 11 Apr 2023 16:50:42 +0200
Subject: [PATCH 3/4] Adds info about new constant to disable built-in login

---
 HOWTO.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/HOWTO.md b/HOWTO.md
index be34dfe1..bf762398 100644
--- a/HOWTO.md
+++ b/HOWTO.md
@@ -87,6 +87,7 @@ On the settings page for this plugin (Dashboard > Settings > OpenID Connect Gene
 - Enforce privacy: `OIDC_ENFORCE_PRIVACY` (boolean)
 - Create user if they do not exist: `OIDC_CREATE_IF_DOES_NOT_EXIST` (boolean)
 - Link existing user: `OIDC_LINK_EXISTING_USERS` (boolean)
+- Disable WordPress login and signup forms: `OIDC_DISABLE_WP_LOGIN_AND_SIGNUP` (boolean)
 - Redirect user back to origin page: `OIDC_REDIRECT_USER_BACK` (boolean)
 - Redirect on logout: `OIDC_REDIRECT_ON_LOGOUT` (boolean)
 

From e12e8e45967d70942c16263d613703dc140f9960 Mon Sep 17 00:00:00 2001
From: zabalajka
Date: Tue, 11 Apr 2023 21:27:03 +0200
Subject: [PATCH 4/4] Fixes typo

---
 includes/openid-connect-generic-login-form.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/openid-connect-generic-login-form.php b/includes/openid-connect-generic-login-form.php
index 69078559..86178201 100644
--- a/includes/openid-connect-generic-login-form.php
+++ b/includes/openid-connect-generic-login-form.php
@@ -116,7 +116,7 @@ public function handle_login_page( $message ) {
 public function handle_wp_login_and_signup() {
 
 if ( $this->settings->disable_wp_login_and_signup ) {
- // Login functionality (login, signup, password reset) may be implemented on only page, not only wp-login.php;
+ // Login functionality (login, signup, password reset) may be implemented on any page, not only wp-login.php;
 // therefore, listen for these hooks globally.
 add_filter( 'authenticate', array( $this, 'disable_authenticate' ), 99, 3 );
 add_filter( 'lostpassword_errors', array( $this, 'disable_lostpassword' ), 99, 2 );