diff --git a/Changelog.md b/Changelog.md index 765580a..05a764e 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,7 @@ ## Unreleased - CI: Check plugin code syntax with PHP 8.3 and 8.4 +- #129: Add support for configuring request methods on Protect endpoints ## 3.5.8 (14 Feb 2025) - Use wp_safe_redirect for redirects [#115](https://github.com/nicumicle/simple-jwt-login/issues/115) diff --git a/simple-jwt-login/i18n/simple-jwt-login.pot b/simple-jwt-login/i18n/simple-jwt-login.pot index ec983c8..0c3c010 100644 --- a/simple-jwt-login/i18n/simple-jwt-login.pot +++ b/simple-jwt-login/i18n/simple-jwt-login.pot @@ -1,36 +1,41 @@ -# Copyright (C) 2024 Nicu Micle +# Copyright (C) 2025 Nicu Micle # This file is distributed under the same license as the Simple-JWT-Login plugin. msgid "" msgstr "" -"Project-Id-Version: Simple-JWT-Login 3.5.5\n" +"Project-Id-Version: Simple-JWT-Login 3.5.8\n" "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/simple-jwt-login\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"POT-Creation-Date: 2024-05-09T08:34:31+00:00\n" +"POT-Creation-Date: 2025-02-22T20:51:34+00:00\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" -"X-Generator: WP-CLI 2.8.1\n" +"X-Generator: WP-CLI 2.11.0\n" "X-Domain: simple-jwt-login\n" #. Plugin Name of the plugin +#: simple-jwt-login.php msgid "Simple-JWT-Login" msgstr "" #. Plugin URI of the plugin +#: simple-jwt-login.php msgid "https://simplejwtlogin.com" msgstr "" #. Description of the plugin +#: simple-jwt-login.php msgid "Simple-JWT-Login REST API Plugin. Allows you to login / register to WordPress using JWT." msgstr "" #. Author of the plugin +#: simple-jwt-login.php msgid "Nicu Micle" msgstr "" #. Author URI of the plugin +#: simple-jwt-login.php msgid "https://profiles.wordpress.org/nicu_m/" msgstr "" 
@@ -173,31 +178,31 @@ msgstr "" msgid "Missing JWT parameter for Delete User." msgstr "" -#: src/Modules/Settings/GeneralSettings.php:148 +#: src/Modules/Settings/GeneralSettings.php:156 msgid "Route namespace could not be empty." msgstr "" -#: src/Modules/Settings/GeneralSettings.php:162 +#: src/Modules/Settings/GeneralSettings.php:170 msgid "Request Keys are required." msgstr "" -#: src/Modules/Settings/GeneralSettings.php:179 +#: src/Modules/Settings/GeneralSettings.php:187 msgid "Public or private key is not defined in code." msgstr "" -#: src/Modules/Settings/GeneralSettings.php:187 +#: src/Modules/Settings/GeneralSettings.php:195 msgid "Private key is not defined in code." msgstr "" -#: src/Modules/Settings/GeneralSettings.php:202 +#: src/Modules/Settings/GeneralSettings.php:210 msgid "JWT Decryption public and private key are required." msgstr "" -#: src/Modules/Settings/GeneralSettings.php:213 +#: src/Modules/Settings/GeneralSettings.php:221 msgid "JWT Decryption key is required." msgstr "" -#: src/Modules/Settings/GeneralSettings.php:228 +#: src/Modules/Settings/GeneralSettings.php:236 msgid "You have to have at least on option enabled in 'Get JWT token From'" msgstr "" @@ -209,7 +214,7 @@ msgstr "" msgid "Invalid custom URL provided." msgstr "" -#: src/Modules/Settings/ProtectEndpointSettings.php:58 +#: src/Modules/Settings/ProtectEndpointSettings.php:79 msgid "You need to add at least one endpoint." msgstr "" @@ -356,7 +361,7 @@ msgid "Authentication is not enabled." msgstr "" #: src/Services/AuthenticateService.php:234 -#: src/Services/LoginService.php:103 +#: src/Services/LoginService.php:107 #: src/Services/RegisterUserService.php:195 #: src/Services/ResetPasswordService.php:27 msgid "Invalid Auth Code ( %s ) provided." 
@@ -396,7 +401,7 @@ msgstr "" #: src/Services/DeleteUserService.php:86 #: src/Services/DeleteUserService.php:100 -#: src/Services/LoginService.php:52 +#: src/Services/LoginService.php:56 #: src/Services/RevokeTokenService.php:40 #: src/Services/ValidateTokenService.php:45 msgid "User not found." @@ -406,19 +411,19 @@ msgstr "" msgid "User was successfully deleted." msgstr "" -#: src/Services/LoginService.php:86 +#: src/Services/LoginService.php:90 msgid "Auto-login is not enabled on this website." msgstr "" -#: src/Services/LoginService.php:94 +#: src/Services/LoginService.php:98 msgid "Wrong Request." msgstr "" -#: src/Services/LoginService.php:115 +#: src/Services/LoginService.php:119 msgid "This IP[ %s ] is not allowed to auto-login." msgstr "" -#: src/Services/LoginService.php:130 +#: src/Services/LoginService.php:134 msgid "The JWT issuer(iss) is not allowed to auto-login." msgstr "" @@ -746,10 +751,10 @@ msgstr "" #: views/auth-codes-view.php:122 #: views/layout.php:291 -#: views/protect-endpoints-view.php:135 -#: views/protect-endpoints-view.php:184 -#: views/protect-endpoints-view.php:212 -#: views/protect-endpoints-view.php:233 +#: views/protect-endpoints-view.php:160 +#: views/protect-endpoints-view.php:234 +#: views/protect-endpoints-view.php:284 +#: views/protect-endpoints-view.php:328 msgid "delete" msgstr "" @@ -954,8 +959,8 @@ msgstr "" #: views/dashboard-view.php:220 #: views/general-view.php:286 #: views/general-view.php:326 -#: views/general-view.php:370 -#: views/general-view.php:414 +#: views/general-view.php:367 +#: views/general-view.php:408 msgid "On" msgstr "" @@ -968,8 +973,8 @@ msgstr "" #: views/dashboard-view.php:221 #: views/general-view.php:279 #: views/general-view.php:317 -#: views/general-view.php:361 -#: views/general-view.php:405 +#: views/general-view.php:358 +#: views/general-view.php:399 msgid "Off" msgstr "" 
@@ -1158,22 +1163,34 @@ msgid "Get JWT token from" msgstr "" #: views/general-view.php:268 -#: views/general-view.php:391 +#: views/general-view.php:385 msgid "Parameter name" msgstr "" -#: views/general-view.php:427 +#: views/general-view.php:421 msgid "If the JWT is present in multiple places, the higher number of the option overwrites the smaller number." msgstr "" -#: views/general-view.php:448 +#: views/general-view.php:442 msgid "All WordPress endpoints checks for JWT authentication" msgstr "" -#: views/general-view.php:452 +#: views/general-view.php:446 msgid "If the JWT is provided on other endpoints, the plugin will try to authenticate the user from the JWT in order to perform that API call." msgstr "" +#: views/general-view.php:460 +msgid "Security" +msgstr "" + +#: views/general-view.php:473 +msgid "Enable safe redirects" +msgstr "" + +#: views/general-view.php:477 +msgid "Use wp_safe_redirect for all the redirects" +msgstr "" + #: views/hooks-view.php:20 #: views/layout.php:79 msgid "Hooks" 
@@ -1426,22 +1443,71 @@ msgid "These endpoints will skip the check for the JWT." msgstr "" #: views/protect-endpoints-view.php:115 -#: views/protect-endpoints-view.php:164 +#: views/protect-endpoints-view.php:189 msgid "Add Endpoint" msgstr "" -#: views/protect-endpoints-view.php:130 -#: views/protect-endpoints-view.php:179 +#: views/protect-endpoints-view.php:131 +#: views/protect-endpoints-view.php:205 +#: views/protect-endpoints-view.php:255 +#: views/protect-endpoints-view.php:299 +msgid "ALL" +msgstr "" + +#: views/protect-endpoints-view.php:133 #: views/protect-endpoints-view.php:207 -#: views/protect-endpoints-view.php:228 +#: views/protect-endpoints-view.php:257 +#: views/protect-endpoints-view.php:301 +msgid "HTTP Methods" +msgstr "" + +#: views/protect-endpoints-view.php:135 +#: views/protect-endpoints-view.php:209 +#: views/protect-endpoints-view.php:259 +#: views/protect-endpoints-view.php:303 +msgid "GET" +msgstr "" + +#: views/protect-endpoints-view.php:138 +#: views/protect-endpoints-view.php:212 +#: views/protect-endpoints-view.php:262 +#: views/protect-endpoints-view.php:306 +msgid "POST" +msgstr "" + +#: views/protect-endpoints-view.php:141 +#: views/protect-endpoints-view.php:215 +#: views/protect-endpoints-view.php:265 +#: views/protect-endpoints-view.php:309 +msgid "PUT" +msgstr "" + +#: views/protect-endpoints-view.php:144 +#: views/protect-endpoints-view.php:218 +#: views/protect-endpoints-view.php:268 +#: views/protect-endpoints-view.php:312 +msgid "PATCH" +msgstr "" + +#: views/protect-endpoints-view.php:147 +#: views/protect-endpoints-view.php:221 +#: views/protect-endpoints-view.php:271 +#: views/protect-endpoints-view.php:315 +msgid "DELETE" +msgstr "" + +#: views/protect-endpoints-view.php:155 +#: views/protect-endpoints-view.php:229 +#: views/protect-endpoints-view.php:279 +#: views/protect-endpoints-view.php:323 msgid "Endpoint path" msgstr "" -#: views/protect-endpoints-view.php:154 +#: views/protect-endpoints-view.php:179 msgid 
"Protected endpoints"
msgstr ""
-#: views/protect-endpoints-view.php:157
+#: views/protect-endpoints-view.php:182
msgid "The JWT will be required on the following endpoints."
msgstr ""
diff --git a/simple-jwt-login/routes/api.php b/simple-jwt-login/routes/api.php
index a22f7ec..9159d51 100644
--- a/simple-jwt-login/routes/api.php
+++ b/simple-jwt-login/routes/api.php
@@ -132,7 +132,7 @@ $documentRoot = esc_html($_SERVER['DOCUMENT_ROOT']);
- $hasAccess = $service->hasAccess($currentURL, $documentRoot, $request);
+ $hasAccess = $service->hasAccess($_SERVER['REQUEST_METHOD'], $currentURL, $documentRoot, $request);
if ($hasAccess === false) {
@header('Content-Type: application/json; charset=UTF-8');
diff --git a/simple-jwt-login/simple-jwt-login.php b/simple-jwt-login/simple-jwt-login.php
index a8c38f8..90331ab 100755
--- a/simple-jwt-login/simple-jwt-login.php
+++ b/simple-jwt-login/simple-jwt-login.php
@@ -116,7 +116,6 @@ function simple_jwt_login_plugin_show_main_page()
$loadScriptsInFooter
);
- require_once('views/layout.php');
}
diff --git a/simple-jwt-login/src/Modules/Settings/ProtectEndpointSettings.php b/simple-jwt-login/src/Modules/Settings/ProtectEndpointSettings.php
index cced684..a892ca5 100644
--- a/simple-jwt-login/src/Modules/Settings/ProtectEndpointSettings.php
+++ b/simple-jwt-login/src/Modules/Settings/ProtectEndpointSettings.php
@@ -10,6 +10,13 @@ class ProtectEndpointSettings extends BaseSettings implements SettingsInterface
const ALL_ENDPOINTS = 1;
const SPECIFIC_ENDPOINTS = 2;
+ const REQUEST_METHOD_ALL = 'ALL';
+ const REQUEST_METHOD_GET = 'GET';
+ const REQUEST_METHOD_POST = 'POST';
+ const REQUEST_METHOD_PUT = 'PUT';
+ const REQUEST_METHOD_PATCH = 'PATCH';
+ const REQUEST_METHOD_DELETE = 'DELETE';
+
public function initSettingsFromPost()
{
$this->assignSettingsPropertyFromPost(
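Review bot: The verb handed to `hasAccess` on the `api.php` line is the raw `$_SERVER['REQUEST_METHOD']`, but WordPress's REST server also honours the `_method` query parameter and the `X-HTTP-Method-Override` header, so a method-specific protect rule can be evaluated against a different verb than the one the REST handler finally runs as; a rule configured for DELETE should govern a POST that carries that override too. The downstream comparison is a strict `===` against the uppercased stored value, so a SAPI reporting a lowercase method would make every method-specific rule a no-op, and `$_SERVER['REQUEST_METHOD']` is unset under CLI, which produces a PHP warning before the check. I would normalise the verb once here and require access under the overridden verb as well when one is present; if `hasAccess` has side effects once it validates a JWT, move the two-verb decision inside the service rather than calling it twice, and pin the behaviour with a provider case in `ProtectEndpointServiceTest`. The enclosing closure in api.php starts and ends outside the hunk.
```php
$requestMethod = isset($_SERVER['REQUEST_METHOD']) ? strtoupper($_SERVER['REQUEST_METHOD']) : '';
$hasAccess = $service->hasAccess($requestMethod, $currentURL, $documentRoot, $request);

// WP_REST_Server also honours `_method` / X-HTTP-Method-Override, so a rule
// configured for one verb must cover a request that is rewritten to it;
// require access under both verbs when they differ.
$override = null;
if (isset($_GET['_method']) && is_string($_GET['_method'])) {
    $override = strtoupper($_GET['_method']);
} elseif (isset($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
    $override = strtoupper($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE']);
}
if ($hasAccess === true && $override !== null && $override !== $requestMethod) {
    $hasAccess = $service->hasAccess($override, $currentURL, $documentRoot, $request);
}
// … unchanged: JSON error response when $hasAccess === false …
```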
@@ -34,6 +41,13 @@ public function initSettingsFromPost()
'protect',
BaseSettings::SETTINGS_TYPE_ARRAY
);
+ $this->assignSettingsPropertyFromPost(
+ self::PROPERTY_GROUP,
+ 'protect_method',
+ self::PROPERTY_GROUP,
+ 'protect_method',
+ BaseSettings::SETTINGS_TYPE_ARRAY
+ );
$this->assignSettingsPropertyFromPost(
self::PROPERTY_GROUP,
'whitelist',
@@ -41,6 +55,13 @@ public function initSettingsFromPost()
'whitelist',
BaseSettings::SETTINGS_TYPE_ARRAY
);
+ $this->assignSettingsPropertyFromPost(
+ self::PROPERTY_GROUP,
+ 'whitelist_method',
+ self::PROPERTY_GROUP,
+ 'whitelist_method',
+ BaseSettings::SETTINGS_TYPE_ARRAY
+ );
}
public function validateSettings()
@@ -50,7 +71,7 @@ public function validateSettings()
}
$filteredEndpoints = array_filter($this->getProtectedEndpoints(), function ($value) {
- return !empty(trim($value));
+ return !empty(trim($value['url'], " "));
});
if ($this->getAction() === ProtectEndpointSettings::SPECIFIC_ENDPOINTS && empty($filteredEndpoints)) {
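Review bot: Nothing in `validateSettings` checks the new `protect_method` / `whitelist_method` values against the `REQUEST_METHOD_*` constants, so a value outside that set is persisted and can never equal a request verb — a protect rule silently stops protecting and a whitelist rule becomes a dead entry, with no feedback in the admin UI. I would add an error next to the existing "You need to add at least one endpoint." check when any entry returned by `getProtectedEndpoints()` or `getWhitelistedDomains()` has a `method` that is not one of the six constants. Separately, the filter on the changed line trims only spaces (`trim($value['url'], " ")`) while `parseProtectSettings` already drops entries whose url is empty after a default `trim()`, so the two disagree on a tab-only url and the filter is largely redundant; `return trim($value['url']) !== '';` keeps them consistent. `validateSettings` begins before this hunk and continues after it.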
@@ -83,26 +104,51 @@ public function getAction()
}
/**
- * @return string[]
+ * @return array>
*/
public function getWhitelistedDomains()
{
- $result = isset($this->settings[ProtectEndpointSettings::PROPERTY_GROUP]['whitelist'])
- ? (array) $this->settings[ProtectEndpointSettings::PROPERTY_GROUP]['whitelist']
- : [''];
-
- return array_unique($result);
+ return $this->parseProtectSettings('whitelist_method', 'whitelist');
}
/**
- * @return string[]
+ * @return array>
*/
public function getProtectedEndpoints()
{
- $result = isset($this->settings[ProtectEndpointSettings::PROPERTY_GROUP]['protect'])
- ? (array) $this->settings[ProtectEndpointSettings::PROPERTY_GROUP]['protect']
+ return $this->parseProtectSettings('protect_method', 'protect');
+ }
+
+ /**
+ * @param string $methodKey
+ * @param string $endpointsKey
+ * @return array>
+ */
+ private function parseProtectSettings($methodKey, $endpointsKey)
+ {
+ $endpoints = isset($this->settings[ProtectEndpointSettings::PROPERTY_GROUP][$endpointsKey])
+ ? (array) $this->settings[ProtectEndpointSettings::PROPERTY_GROUP][$endpointsKey]
: [''];
+ $methods = isset($this->settings[ProtectEndpointSettings::PROPERTY_GROUP][$methodKey])
+ ? (array) $this->settings[ProtectEndpointSettings::PROPERTY_GROUP][$methodKey]
+ : [''];
+
+ $return = [];
+ foreach ($endpoints as $key => $endpointPath) {
+ $return[] = [
+ 'url' => $endpointPath,
+ 'method' => !empty($methods[$key])
+ ? strtoupper($methods[$key])
+ : self::REQUEST_METHOD_ALL,
+ ];
+ }
- return array_unique($result);
+ return array_values(array_filter($return, function ($endpoint) {
+ if (trim($endpoint['url']) === "") {
+ return false;
+ };
+
+ return true;
+ }));
}
}
diff --git a/simple-jwt-login/src/Services/ProtectEndpointService.php b/simple-jwt-login/src/Services/ProtectEndpointService.php
index 09dca77..178d76f 100644
--- a/simple-jwt-login/src/Services/ProtectEndpointService.php
+++ b/simple-jwt-login/src/Services/ProtectEndpointService.php
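Review bot: `strtoupper($methods[$key])` and the `trim($endpoint['url'])` in the filter closure assume every posted value is a string; the settings come from `$_POST` via `assignSettingsPropertyFromPost` with `SETTINGS_TYPE_ARRAY`, and unless that helper flattens nested input (not visible from here) a nested array under `protect_method[]` or `protect[]` raises a `TypeError` on PHP 8 while saving. The url and method lists are also correlated only by array index, and a missing or empty method falls back to `REQUEST_METHOD_ALL`, which for a whitelist entry widens access rather than narrowing it — worth a comment on the fallback so the next reader knows it is deliberate. Minor: the `};` after the `if` block inside the closure is a stray empty statement, and `array_unique` is gone, so duplicate rows are now kept (the updated test expects `'123'` twice). I would type-check both values before using them:
```php
foreach ($endpoints as $key => $endpointPath) {
    // Posted values are untrusted; anything that is not a plain string is
    // treated as absent rather than handed to trim()/strtoupper().
    $url = is_string($endpointPath) ? $endpointPath : '';
    $method = isset($methods[$key]) && is_string($methods[$key]) && trim($methods[$key]) !== ''
        ? strtoupper(trim($methods[$key]))
        : self::REQUEST_METHOD_ALL; // default keeps pre-existing "all verbs" behaviour
    $return[] = ['url' => $url, 'method' => $method];
}
// … unchanged: array_values(array_filter(...)) dropping rows with an empty url …
```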
@@ -25,6 +25,7 @@ public function withRouteService($routeService)
}
/**
+ * @param string $requestMethod
* @param string $currentUrl
* @param string $documentRoot
* @param array $request
@@ -32,7 +33,7 @@ public function withRouteService($routeService)
* @throws Exception
* @return bool
*/
- public function hasAccess($currentUrl, $documentRoot, $request)
+ public function hasAccess($requestMethod, $currentUrl, $documentRoot, $request)
{
if ($this->jwtSettings->getProtectEndpointsSettings()->isEnabled() === false) {
return true;
@@ -45,10 +46,10 @@ public function hasAccess($currentUrl, $documentRoot, $request)
$isEndpointsProtected = true;
if (!empty(trim($path, '/'))) {
- $isEndpointsProtected = $this->isEndpointProtected($path);
+ $isEndpointsProtected = $this->isEndpointProtected($requestMethod, $path);
}
if (!empty($request['rest_route'])) {
- $isEndpointsProtected = $this->isEndpointProtected($request['rest_route']);
+ $isEndpointsProtected = $this->isEndpointProtected($requestMethod, $request['rest_route']);
}
if ($isEndpointsProtected === false) {
return true;
@@ -80,10 +81,11 @@ public function hasAccess($currentUrl, $documentRoot, $request)
}
/**
+ * @param string $requestMethod
* @param string $endpoint
* @return bool
*/
- private function isEndpointProtected($endpoint)
+ private function isEndpointProtected($requestMethod, $endpoint)
{
if (strpos($endpoint, '/') !== 0) {
$endpoint = '/' . $endpoint;
@@ -109,6 +111,7 @@ private function isEndpointProtected($endpoint)
switch ($action) {
case ProtectEndpointSettings::ALL_ENDPOINTS:
return $this->parseDomainsAndGetResult(
+ $requestMethod,
$endpoint,
$protectSettings->getWhitelistedDomains(),
true,
@@ -116,6 +119,7 @@ private function isEndpointProtected($endpoint)
);
case ProtectEndpointSettings::SPECIFIC_ENDPOINTS:
return $this->parseDomainsAndGetResult(
+ $requestMethod,
$endpoint,
$protectSettings->getProtectedEndpoints(),
false,
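Review bot: `$requestMethod` travels through `hasAccess` and `isEndpointProtected` untouched and is later compared with `===` against the uppercased stored verb, so the requirement that callers pass an uppercase method is implicit and unstated. I would normalise once at the public entry point — `$requestMethod = strtoupper((string) $requestMethod);` as the first statement of `hasAccess` — and say so in the new docblock line: `@param string $requestMethod HTTP verb of the current request; compared case-insensitively against the configured methods`. In the `@@ -45` hunk the second `isEndpointProtected` call overwrites the first when both `$path` and `rest_route` are present; that is pre-existing, but now that the verb takes part in the decision a one-line comment stating that `rest_route` deliberately wins would help. `hasAccess` continues past the hunk.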
@@ -127,23 +131,34 @@ private function isEndpointProtected($endpoint)
}
/**
+ * @param string $requestMethod
* @param string $endpoint
* @param array $domains
* @param bool $defaultValue
* @param bool $setValue
* @return bool
*/
- private function parseDomainsAndGetResult($endpoint, $domains, $defaultValue, $setValue)
+ private function parseDomainsAndGetResult($requestMethod, $endpoint, $domains, $defaultValue, $setValue)
{
$isEndpointProtected = $defaultValue;
foreach ($domains as $protectedEndpoint) {
- $protectedEndpoint = $this->removeWpJsonFromEndpoint($protectedEndpoint);
+ $protectedURL = $this->removeWpJsonFromEndpoint($protectedEndpoint['url']);
$endpoint = $this->removeWpJsonFromEndpoint($endpoint);
- if (empty(trim($protectedEndpoint, '/'))) {
+ if (empty(trim($protectedURL, '/'))) {
continue;
}
- if (strpos($endpoint, $protectedEndpoint) === 0) {
- $isEndpointProtected = $setValue;
+
+ if (strpos($endpoint, $protectedURL) === 0) {
+ switch ($protectedEndpoint['method']) {
+ case ProtectEndpointSettings::REQUEST_METHOD_ALL:
+ $isEndpointProtected = $setValue; // Same as before.
+ break;
+ default:
+ if ($protectedEndpoint['method'] === $requestMethod) {
+ $isEndpointProtected = $setValue;
+ }
+ break;
+ }
}
}
diff --git a/simple-jwt-login/views/protect-endpoints-view.php b/simple-jwt-login/views/protect-endpoints-view.php
index 189b188..75ade86 100644
--- a/simple-jwt-login/views/protect-endpoints-view.php
+++ b/simple-jwt-login/views/protect-endpoints-view.php
@@ -8,6 +8,80 @@ /** @phpstan-ignore-next-line */
exit;
} // Exit if accessed directly
+
+/**
+ * Helper function for drawing protect endpoint line
+ * @param string $type
+ * @param ?array $endpoint
+ * @return void
+ * @throws Exception
+ */
+function simple_jwt_login_draw_endpoin_row($type, $endpoint)
+{
+ ?>
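Review bot: The `switch` on `$protectedEndpoint['method']` only ever matches a verb the settings UI can store (GET, POST, PUT, PATCH, DELETE or ALL), so a request with any other verb — HEAD and OPTIONS most obviously — never satisfies a method-specific rule; in SPECIFIC_ENDPOINTS mode a rule on GET therefore does not cover a HEAD request to the same path, which WordPress's REST server appears to dispatch through the GET handler (worth confirming, and pinning with a provider case). Stylistically the `switch` whose `default` branch does the real comparison is two halves of one condition; `if ($protectedEndpoint['method'] === ProtectEndpointSettings::REQUEST_METHOD_ALL || $protectedEndpoint['method'] === $requestMethod) { $isEndpointProtected = $setValue; }` says the same in three lines, and the `// Same as before.` comment describes this commit rather than the code and should be dropped. The function's `return` lies outside the hunk.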
+
+ + " + class="form-control" + value="" + placeholder="" + /> +
+ + + +
+
+
+
-
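Review bot: `simple_jwt_login_draw_endpoin_row` is a named global function declared inside the `protect-endpoints-view.php` template; if that view is ever included twice in one request PHP fatals with a redeclare error (the `require_once('views/layout.php')` removed from `simple_jwt_login_plugin_show_main_page` in this same commit suggests the include chain is being reworked), so guard it with `if (!function_exists('simple_jwt_login_draw_endpoin_row')) { … }` or move it into a helper class, and fix the `endpoin` typo while the name is new. The markup has been stripped from this rendering, so I cannot see whether `$endpoint['url']` and `$endpoint['method']` pass through `esc_attr()` when echoed into the `value=""` attribute and the method selector — please confirm, since these are stored settings rendered back into an admin page. The docblock's `@throws Exception` has no visible `throw` in the helper; if it only documents what the escaping helpers may throw, say so. The rest of the new function body is outside what is visible here.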
@@ -120,34 +193,12 @@ class="btn btn-dark"
getProtectEndpointsSettings()->getWhitelistedDomains() as $endpoint) { - ?> -
-
- -
- - - -
-
-
- + simple_jwt_login_draw_endpoin_row("whitelist", $endpoint); + }?>
- -

@@ -169,26 +220,7 @@ class="btn btn-dark"
getProtectEndpointsSettings()->getProtectedEndpoints() as $endpoint) { - ?> -
-
- -
- - - -
-
-
-
@@ -196,45 +228,13 @@ class="form-control"


- + \ No newline at end of file diff --git a/tests/Unit/Modules/Settings/ProtectEndpointSettingsTest.php b/tests/Unit/Modules/Settings/ProtectEndpointSettingsTest.php index 69b2e99..f412684 100644 --- a/tests/Unit/Modules/Settings/ProtectEndpointSettingsTest.php +++ b/tests/Unit/Modules/Settings/ProtectEndpointSettingsTest.php 
@@ -63,16 +63,110 @@ public function testAssignCodesFromPost() $this->assertSame( [ - '123', - '' + [ + 'url' => '123', + 'method' => 'ALL', + ], + [ + 'url' => '123', + 'method' => 'ALL', + ], ], $protectSettings->getProtectedEndpoints() ); $this->assertSame( [ - 'abc', - '' + [ + 'url' => 'abc', + 'method' => 'ALL', + ], + [ + 'url' => 'abc', + 'method' => 'ALL', + ], + ], + $protectSettings->getWhitelistedDomains() + ); + } + + public function testAssignCodesFromPostWithHTTPMethods() + { + $protectSettings = (new ProtectEndpointSettings()) + ->withSettings([]) + ->withPost([ + ProtectEndpointSettings::PROPERTY_GROUP => [ + 'enabled' => '1', + 'action' => ProtectEndpointSettings::ALL_ENDPOINTS, + 'protect' => [ + '/protect-first', + '/protect-second', + '/protect-third' + ], + 'protect_method' => [ + 'GET', + 'ALL', + 'PUT', + ], + 'whitelist' => [ + '/whitelist-first', + '/whitelist-second', + '/whitelist-third' + ], + 'whitelist_method' => [ + 'GET', + 'ALL', + 'PUT' + ] + ] + ]) + ->withWordPressData($this->wordPressData); + $protectSettings->initSettingsFromPost(); + + $this->assertSame( + true, + $protectSettings->isEnabled() + ); + + $this->assertSame( + ProtectEndpointSettings::ALL_ENDPOINTS, + $protectSettings->getAction() + ); + + $this->assertSame( + [ + [ + 'url' => '/protect-first', + 'method' => 'GET', + ], + [ + 'url' => '/protect-second', + 'method' => 'ALL', + ], + [ + 'url' => '/protect-third', + 'method' => 'PUT', + ], + + ], + $protectSettings->getProtectedEndpoints() + ); + + $this->assertSame( + [ + [ + 'url' => '/whitelist-first', + 'method' => 'GET', + ], + [ + 'url' => '/whitelist-second', + 'method' => 'ALL', + ], + [ + 'url' => '/whitelist-third', + 'method' => 'PUT', + ], + ], $protectSettings->getWhitelistedDomains() ); 
@@ -152,15 +246,27 @@ public function testInitProperties() ); $this->assertSame( [ - 'test', - '' + [ + 'url' => 'test', + 'method' => 'ALL', + ], + [ + 'url' => 'test', + 'method' => 'ALL', + ], ], $settings->getProtectedEndpoints() ); $this->assertSame( [ - '123', - '' + [ + 'url' => '123', + 'method' => 'ALL', + ], + [ + 'url' => '123', + 'method' => 'ALL', + ], ], $settings->getWhitelistedDomains() ); @@ -182,15 +288,11 @@ public function testGetDefaultValues() $settings->getAction() ); $this->assertSame( - [ - '' - ], + [], $settings->getWhitelistedDomains() ); $this->assertSame( - [ - '' - ], + [], $settings->getProtectedEndpoints() ); } diff --git a/tests/Unit/Services/ProtectEndpointServiceTest.php b/tests/Unit/Services/ProtectEndpointServiceTest.php index eb935cc..88851eb 100644 --- a/tests/Unit/Services/ProtectEndpointServiceTest.php +++ b/tests/Unit/Services/ProtectEndpointServiceTest.php @@ -35,12 +35,13 @@ public function setUp(): void #[DataProvider('accessProvider')] /** * @param bool $expectedResult + * @param string $requestMethod * @param string $currentUrl * @param string $documentRoot * @param array $request * @param array $settings */ - public function testHasAccess($expectedResult, $currentUrl, $documentRoot, $request, $settings) + public function testHasAccess($expectedResult, $requestMethod, $currentUrl, $documentRoot, $request, $settings) { $this->wordPressData->method('getOptionFromDatabase') ->willReturn(json_encode([ @@ -68,7 +69,7 @@ public function testHasAccess($expectedResult, $currentUrl, $documentRoot, $requ ) ->withSession([]); - $result = $service->hasAccess($currentUrl, $documentRoot, $request); + $result = $service->hasAccess($requestMethod, $currentUrl, $documentRoot, $request); $this->assertSame($expectedResult, $result); } 
@@ -80,6 +81,7 @@ public static function accessProvider() return [ 'test-not-enabled' => [ 'expectedResult' => true, + 'requestMethod' => 'GET', 'currentUrl' => '/wp-json/v2/posts', 'documentRoot' => '/var/www/html', 'request' => [ @@ -97,6 +99,7 @@ public static function accessProvider() ], 'test-enabled-all-endpoints' => [ 'expectedResult' => true, + 'requestMethod' => 'GET', 'currentUrl' => '/wp-json/v2/posts', 'documentRoot' => '/var/www/html', 'request' => [ @@ -110,8 +113,28 @@ public static function accessProvider() ] ] ], + 'test-enabled-all-endpoints-with-method' => [ + 'expectedResult' => true, + 'requestMethod' => 'GET', + 'currentUrl' => '/wp-json/v2/posts', + 'documentRoot' => '/var/www/html', + 'request' => [ + 'rest_route' => '/v2/posts/' + ], + 'settings' => [ + 'enabled' => true, + 'action' => ProtectEndpointSettings::ALL_ENDPOINTS, + 'whitelist' => [ + '/wp-json/v2/posts' + ], + 'whitelist_method' => [ + 'GET', + ] + ] + ], 'test-enabled-all-endpoints-with-no-whitelist' => [ 'expectedResult' => false, + 'requestMethod' => 'GET', 'currentUrl' => '/wp-json/v2/posts', 'documentRoot' => '/var/www/html', 'request' => [ 
@@ -126,6 +149,61 @@ public static function accessProvider() ], 'test-enabled-specific-endpoints' => [ 'expectedResult' => false, + 'requestMethod' => 'GET', + 'currentUrl' => '/wp-json/v2/posts', + 'documentRoot' => '/var/www/html', + 'request' => [ + 'rest_route' => '/wp/v2/posts/' + ], + 'settings' => [ + 'enabled' => true, + 'action' => ProtectEndpointSettings::SPECIFIC_ENDPOINTS, + 'protect' => [ + '/wp-json/wp/v2/posts' + ] + ] + ], + 'test-enabled-specific-endpoints-with-method' => [ + 'expectedResult' => false, + 'requestMethod' => 'GET', + 'currentUrl' => '/wp-json/v2/posts', + 'documentRoot' => '/var/www/html', + 'request' => [ + 'rest_route' => '/wp/v2/posts/' + ], + 'settings' => [ + 'enabled' => true, + 'action' => ProtectEndpointSettings::SPECIFIC_ENDPOINTS, + 'protect' => [ + '/wp-json/wp/v2/posts' + ], + 'protect_method' => [ + 'GET', + ] + ] + ], + 'test-enabled-specific-endpoints-with-method-all' => [ + 'expectedResult' => false, + 'requestMethod' => 'GET', + 'currentUrl' => '/wp-json/v2/posts', + 'documentRoot' => '/var/www/html', + 'request' => [ + 'rest_route' => '/wp/v2/posts/' + ], + 'settings' => [ + 'enabled' => true, + 'action' => ProtectEndpointSettings::SPECIFIC_ENDPOINTS, + 'protect' => [ + '/wp-json/wp/v2/posts' + ], + 'protect_method' => [ + 'ALL', + ] + ] + ], + 'test-enabled-specific-endpoints-with-different-method' => [ + 'expectedResult' => true, + 'requestMethod' => 'GET', 'currentUrl' => '/wp-json/v2/posts', 'documentRoot' => '/var/www/html', 'request' => [ @@ -136,11 +214,15 @@ public static function accessProvider() 'action' => ProtectEndpointSettings::SPECIFIC_ENDPOINTS, 'protect' => [ '/wp-json/wp/v2/posts' + ], + 'protect_method' => [ + 'POST', ] ] ], 'test-enabled-specific-endpoints-2' => [ 'expectedResult' => false, + 'requestMethod' => 'GET', 'currentUrl' => '/wp-json/v2/posts', 'documentRoot' => '/var/www/html', 'request' => [ 
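Review bot: Every new provider case sends `GET`, so the direction that matters most for a method-specific whitelist — a request whose verb is not the whitelisted one — is never exercised: a `POST` to `/wp-json/v2/posts` with `'whitelist_method' => ['GET']` under `ALL_ENDPOINTS` should produce `'expectedResult' => false`, and that case is absent. A lowercase `'requestMethod' => 'get'` and a `HEAD` request against `'protect_method' => ['GET']` would additionally pin whether the comparison is meant to be case-sensitive and how non-selectable verbs are treated. I would add those next to `test-enabled-specific-endpoints-with-different-method`, which currently documents the only negative path. The `accessProvider` array continues outside the hunk.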
@@ -156,6 +238,7 @@ public static function accessProvider() ], 'test-enabled-all-endpoints_on_wp_admin' => [ 'expectedResult' => true, + 'requestMethod' => 'GET', 'currentUrl' => '/wp-admin/something', 'documentRoot' => '/var/www/html', 'request' => [ @@ -172,6 +255,7 @@ public static function accessProvider() ], 'test_invalid_action' => [ 'expectedResult' => false, + 'requestMethod' => 'GET', 'currentUrl' => '/wp-json/wp/v2/posts', 'documentRoot' => '/var/www/html', 'request' => [ @@ -188,6 +272,7 @@ public static function accessProvider() ], 'test_empty_endpoint' => [ 'expectedResult' => false, + 'requestMethod' => 'GET', 'currentUrl' => 'wp-json', 'documentRoot' => '/var/www/html', 'request' => [ @@ -248,7 +333,7 @@ public function testCallProtectedEndpointWithInvalidJWT() ) ->withSession([]); - $result = $service->hasAccess('/wp-json/v2/posts', '/var/www/html', $request); + $result = $service->hasAccess('GET', '/wp-json/v2/posts', '/var/www/html', $request); $this->assertSame(false, $result); } @@ -294,7 +379,7 @@ public function testSimpleJwtLoginEndpointsAreNotProtected() ) ->withSession([]); - $result = $service->hasAccess('/wp-json/simple-jwt-login/v1/auth', '/var/www/html', $request); + $result = $service->hasAccess('GET', '/wp-json/simple-jwt-login/v1/auth', '/var/www/html', $request); $this->assertTrue($result); } }