

Timestamp:
04/16/2019 05:08:16 AM (6 years ago)
Author:
flixos90
Message:

Bootstrap/Load: Allow more than one recovery link to be valid at a time.

While currently a recovery link is only made available via the admin email address, this will be expanded in the future. In order to accomplish that, the mechanisms to store and validate recovery keys must support multiple keys to be valid at the same time.

This changeset adds that support, adding an additional token parameter which is part of a recovery link in addition to the key. A key itself is always associated with a token, so the two are only valid in combination. These associations are stored in a new recovery_keys option, which is regularly cleared in a new Cron hook, to prevent potential cluttering from unused recovery keys.

This changeset does not have any user-facing implications otherwise.

Props pbearne, timothyblynjacobs.
Fixes #46595. See #46130.

File:
1 edited

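--- a/trunk/src/wp-includes/class-wp-recovery-mode-link-service.php
+++ b/trunk/src/wp-includes/class-wp-recovery-mode-link-service.php
@@ -38,8 +38,9 @@
      *
      * @param WP_Recovery_Mode_Cookie_Service $cookie_service Service to handle setting the recovery mode cookie.
+     * @param WP_Recovery_Mode_Key_Service    $key_service    Service to handle generating recovery mode keys.
      */
-    public function __construct( WP_Recovery_Mode_Cookie_Service $cookie_service ) {
+    public function __construct( WP_Recovery_Mode_Cookie_Service $cookie_service, WP_Recovery_Mode_Key_Service $key_service ) {
         $this->cookie_service = $cookie_service;
-        $this->key_service    = new WP_Recovery_Mode_Key_Service();
+        $this->key_service    = $key_service;
     }
 
@@ -54,7 +55,8 @@
      */
     public function generate_url() {
-        $key = $this->key_service->generate_and_store_recovery_mode_key();
+        $token = $this->key_service->generate_recovery_mode_token();
+        $key   = $this->key_service->generate_and_store_recovery_mode_key( $token );
 
-        return $this->get_recovery_mode_begin_url( $key );
+        return $this->get_recovery_mode_begin_url( $token, $key );
     }
 
@@ -71,5 +73,5 @@
         }
 
-        if ( ! isset( $_GET['action'], $_GET['rm_key'] ) || self::LOGIN_ACTION_ENTER !== $_GET['action'] ) {
+        if ( ! isset( $_GET['action'], $_GET['rm_token'], $_GET['rm_key'] ) || self::LOGIN_ACTION_ENTER !== $_GET['action'] ) {
             return;
         }
@@ -79,5 +81,5 @@
         }
 
-        $validated = $this->key_service->validate_recovery_mode_key( $_GET['rm_key'], $ttl );
+        $validated = $this->key_service->validate_recovery_mode_key( $_GET['rm_token'], $_GET['rm_key'], $ttl );
 
         if ( is_wp_error( $validated ) ) {
@@ -97,13 +99,15 @@
      * @since 5.2.0
      *
-     * @param string $key Recovery Mode key created by {@see generate_and_store_recovery_mode_key()}
+     * @param string $token Recovery Mode token created by {@see generate_recovery_mode_token()}.
+     * @param string $key   Recovery Mode key created by {@see generate_and_store_recovery_mode_key()}.
      * @return string Recovery mode begin URL.
      */
-    private function get_recovery_mode_begin_url( $key ) {
+    private function get_recovery_mode_begin_url( $token, $key ) {
 
         $url = add_query_arg(
             array(
-                'action' => self::LOGIN_ACTION_ENTER,
-                'rm_key' => $key,
+                'action'   => self::LOGIN_ACTION_ENTER,
+                'rm_token' => $token,
+                'rm_key'   => $key,
             ),
             wp_login_url()
@@ -115,8 +119,9 @@
          * @since 5.2.0
          *
-         * @param string $url
-         * @param string $key
+         * @param string $url   The generated recovery mode begin URL.
+         * @param string $token The token used to identify the key.
+         * @param string $key   The recovery mode key.
          */
-        return apply_filters( 'recovery_mode_begin_url', $url, $key );
+        return apply_filters( 'recovery_mode_begin_url', $url, $token, $key );
     }
 }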
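Review bot: At new line 83, `$_GET['rm_token']` and `$_GET['rm_key']` reach `validate_recovery_mode_key()` with only the `isset()` guard from new line 75 in front of them, and `isset()` also passes when a query parameter arrives as an array rather than a string. The key service is not shown here, but the commit message says keys are stored per token in the `recovery_keys` option, so the token is presumably used as a lookup key, and a non-string value there could raise a PHP type error instead of returning the expected `WP_Error`. I would extend the guard at new line 75 with `|| ! is_string( $_GET['rm_token'] ) || ! is_string( $_GET['rm_key'] )`, so malformed requests take the existing early `return`. Both values should also go through `wp_unslash()` before validation. The enclosing method starts and ends outside the hunks shown, so an earlier check may already cover this.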