Merge pull request #255 from clef/state-param

Add option for initializing state on every page

assets/dist/js/clef_heartbeat.min.js

@@ -1,4 +1,4 @@
-/*! Clef for WordPress - v2.5.5
+/*! Clef for WordPress - v2.6.0
  * http://getclef.com
  * Licensed GPLv2+ */
 jQuery(document).ready(function(){return wp.heartbeat?(wp.heartbeat.interval("fast"),wp.heartbeat.enqueue("clef","cleflogout",!0),jQuery(document).on("heartbeat-tick",function(e,t){return wp.heartbeat.enqueue("clef","cleflogout",!0)})):void 0});

clef-require.php

@@ -20,7 +20,7 @@ private function __construct() {
     }
 
     private function define_constants() {
-        define('CLEF_VERSION', '2.5.5');
+        define('CLEF_VERSION', '2.6.0');
 
         if (!defined('CLEF_IS_BASE_PLUGIN')) define('CLEF_IS_BASE_PLUGIN', false);
 

includes/class.clef-admin.php

@@ -312,6 +312,9 @@ public function settings_form() {
 
         $invite_users_settings = $form->addSection('invite_users', __('Invite Users', "wpclef"));
 
+        $shortcode_settings = $form->addSection('shortcode_settings', __('Shortcode settings', 'wpclef'), '');
+        $shortcode_settings->addField('shortcode', __('Enable shortcode support', 'wpclef'), Settings_API_Util_Field::TYPE_CHECKBOX);
+
         $pro = ClefPro::start();
         $pro->add_settings($form);
 

includes/class.clef-core.php

@@ -86,6 +86,10 @@ public function plugin_updated($version, $previous_version) {
         $settings_changes = false;
 
         if ($previous_version) {
+            if (version_compare($previous_version, '2.6.0', '<')) {
+                $this->settings->set('shortcode_settings_shortcode', true);
+            }
+
             if (version_compare($previous_version, '2.5.0', '<')) {
                 if (isset($_COOKIE['clef_wp_session'])) {
                     ClefSession::migrate('clef_wp_session');

includes/class.clef-internal-settings.php

@@ -246,6 +246,31 @@ public function send_override_link($user) {
         );
     }
 
+    /***
+     * Check whether we should set the OAuth state parameter cookie via initialize_state() if
+     * (a) site admin has NOT opted to turn on Clef 2FA's shortcode feature, which requires sending the state parameter to all clients including anonymous front-end users;
+     * and (b) client is browsing the login or registration URL.
+     */
+    public function should_initialize_state_on_request() {
+
+        // if the shortcode is set, we should always initialize state
+        if ($this->get('shortcode_settings_shortcode')) return true;
+
+        // first check if the `pagenow` variable is the login or register page
+        $pages = array('wp-login.php', 'wp-register.php');
+        if (in_array( $GLOBALS['pagenow'], $pages )) return true;
+
+        // if it's not, compare the login and register paths to the
+        // current path
+        $parsed_login_url = parse_url(wp_login_url());
+        if (isset($parsed_login_url['path'])) $pages[] = $parsed_login_url['path'];
+        $parsed_registration_url = parse_url(wp_registration_url());
+        if (isset($parsed_registration_url['path'])) $pages[] = $parsed_login_url['path'];
+
+        $parsed_current_url = parse_url($_SERVER['REQUEST_URI']);
+        return isset($parsed_current_url['path']) && in_array( $parsed_current_url['path'], $pages );
+    }
+
     public static function start() {
         if (!isset(self::$instance) || self::$instance === null || defined('CLEF_TESTING')) {
             self::$instance = new self;

includes/class.clef-login.php

@@ -435,7 +435,9 @@ public function get_callback_url() {
 
 
     public function initialize_state() {
-        ClefUtils::initialize_state();
+        if ($this->settings->should_initialize_state_on_request()) {
+            ClefUtils::initialize_state();
+        }
     }
 
     public static function start($settings) {

includes/class.clef-utils.php

@@ -295,18 +295,18 @@ public static function send_email($email, $subject, $template, $vars) {
 
         return $sent;
     }
-    
+
     public static function get_logout_hook_url() {
         $logout_hook_url = wp_login_url();
-        
+
         // Accommodate WP Engine's firewall rules, which require a wpe-login param on POST requests to the login script URL
         if ( function_exists( 'wpe_site' ) ) {
             $logout_hook_url = add_query_arg('wpe-login', 'clef', $logout_hook_url);
         }
 
         return $logout_hook_url;
     }
-    
+
     public static function is_tls() {
         return is_ssl() || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https');
     }

languages/wpclef.pot

@@ -6,7 +6,7 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: WPClef 2.5.5\n"
+"Project-Id-Version: WPClef 2.6.0\n"
 "Report-Msgid-Bugs-To: support@getclef.com\n"
 "POT-Creation-Date: 2016-06-16 14:13-0700\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"

package.json

@@ -2,7 +2,7 @@
   "name": "wpclef",
   "title": "Clef for WordPress",
   "description": "Clef replaces insecure username/password authentication with strongly encrypted, multi-factor authentication using your smartphone. Simply click the \"Log in with your phone\" button, scan the Clef Wave with your [Clef app](https://getclef.com/apps), and you are instantly and securely logged in to all of your Clef-enabled websites. Clef provides the best single sign-on solution for WordPress. Once you sign in to one WordPress site using Clef, you can sign into all of your Clef-enabled sites with a single click. And once you sign out of the app on your phone, you are automatically signed out of all your WordPress sites. Say goodbye to passwords and hello to admistrative bliss--try Clef today!",
-  "version": "2.5.5",
+  "version": "2.6.0",
   "homepage": "http://getclef.com",
   "repository": "http://github.com/clef/wordpress",
   "author": {

readme.txt

@@ -4,7 +4,7 @@ Donate link: http://www.giffordcatshelter.org
 Tags: two-factor, two factor, 2 step authentication, 2 factor, 2FA, admin, android, authentication, encryption, harden, iphone, log in, login, mfa, mobile, multifactor, multi factor, oauth, password, passwords, phone, secure, security, smartphone, single sign on, ssl, sso, strong authentication, tfa, two factor authentication, two step, wp-admin, wp-login, xmlrpc, xml-rpc
 Requires at least: 3.6
 Tested up to: 4.5
-Stable tag: 2.5.5
+Stable tag: 2.6.0
 License: MIT
 License URI: http://opensource.org/licenses/MIT
 
@@ -150,6 +150,12 @@ Clef employs a distributed security architecture, which means Clef stores no use
 
 == Changelog ==
 
+= 2.6.0 =
+Released 11 July 2016
+
+* Feature: add support for Varnish full-page caching on front end via new shortcode setting ([255](https://github.com/clef/clef-wordpress/pull/255))
+* Enhancement: add httponly and secure flags to session and state cookies ([254](https://github.com/clef/clef-wordpress/pull/254))
+
 = 2.5.5 =
 Released 20 June 2016
 

templates/admin/form.tpl.php

@@ -108,6 +108,27 @@
         </div>
         <div id="invite-users-settings" class="settings-section"></div>
         <?php include CLEF_TEMPLATE_PATH . 'pro/form.tpl.php'; ?>
+        <div id="registration-settings" class="settings-section">
+           <div class="inputs-container">
+                <h3><?php _e("Register with your phone", "wpclef"); ?></h3>
+                <p><?php _e("Register new users with the Clef mobile app. The <strong>Membership: anyone can register</strong> setting also must be enabled in WordPress's <a href='".admin_url('options-general.php')."'><strong>General Settings</strong></a>.", "wpclef"); ?></p>
+                <div class="input-container">
+                    <label for=""><?php _e("Allow visitors to your site to register with Clef", "wpclef"); ?></label>
+                    <?php $form->getSection('clef_settings')->getField('register')->render(); ?>
+                </div>
+            </div>
+        </div>
+        <div id="shortcode-settings" class="settings-section">
+           <div class="inputs-container">
+                <h3><?php _e("Shortcode support", "wpclef"); ?> <a class="setting-info" href="http://support.getclef.com/article/56-how-do-i-use-the-clef-login-shortcode" target="clef">Learn more about this setting</a></h3>
+                <p><?php _e("Use the <code>[clef_render_login_button]</code> or <br /><code>[clef_render_login_button embed=true]</code> shortcodes on a custom login page.", "wpclef"); ?></p>
+                <p><?php _e("Enabling shortcode support means that the OAuth2 state parameter cookie (i.e., <code>wordpress_clef_state</code>) is set on every request for all users including anonymous users browsing the front end. Thus server-side caches such as Varnish may lose the ability to provide full-page caching to anonymous users.", "wpclef"); ?></p>
+                <div class="input-container">
+                    <label for=""><?php _e("Enable the Clef login shortcode", "wpclef"); ?></label>
+                    <?php $form->getSection('shortcode_settings')->getField('shortcode')->render(); ?>
+                </div>
+            </div>
+        </div>
         <div class="clef-settings settings-section">
             <div class="inputs-container">
                 <h3><?php _e("Clef API Settings", "wpclef"); ?></h3>
@@ -120,10 +141,6 @@
                     <label for=""><?php _e("Application Secret", "wpclef"); ?></label>
                     <?php $form->getSection('clef_settings')->getField('app_secret')->render(); ?>
                 </div>
-                <div class="input-container">
-                    <label for=""><?php _e("Allow visitors to your site to register with Clef", "wpclef"); ?></label>
-                    <?php $form->getSection('clef_settings')->getField('register')->render(); ?>
-                </div>
             </div>
         </div>
         <div class="clef-settings clef-settings__buttons">

update_translations.sh

@@ -11,7 +11,7 @@ echo "Creating POT"
 rm -f $POT
 xgettext --copyright-holder="Clef, Inc." \
     --package-name="WPClef" \
-    --package-version="2.5.5" \
+    --package-version="2.6.0" \
     --msgid-bugs-address="support@getclef.com" \
     --language=PHP \
     --sort-output \

wpclef.php

@@ -3,7 +3,7 @@
 Plugin Name: Clef
 Plugin URI: http://wordpress.org/extend/plugins/wpclef
 Description: Clef lets you log in and register on your WordPress site using only your phone — forget your usernames and passwords.
-Version: 2.5.5
+Version: 2.6.0
 Author: Clef
 Author URI: https://getclef.com
 License: MIT