Conversation

@dexit
Owner

@dexit dexit commented Nov 19, 2025

No description provided.

ChristianMaidhof and others added 4 commits July 21, 2024 23:33
Now, the Access Token and Refresh Token are stored in the database. After login, the tokens are encrypted using the login key of the WordPress system and stored as usermeta in the database as “encrypted_token”.
Before logout, the corresponding entry is removed from the metadata.
The token can then be used by other plugins, e.g., for calling APIs.
Updated Plugin Original
@gemini-code-assist

Summary of Changes

Hello @dexit, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of the application by introducing a robust mechanism for handling sensitive OAuth2 access tokens. It ensures that these tokens are encrypted before storage and are properly managed throughout the user's session, from login to logout, thereby protecting user data and authentication credentials.

Highlights

  • New Secure Storage Class: Introduced a new Save_Secure class to handle encryption and decryption of sensitive data, leveraging PHP's openssl extension and WordPress's LOGGED_IN_KEY and LOGGED_IN_SALT for secure key management.
  • Encrypted OAuth2 Tokens: OAuth2 access tokens are now encrypted using the new Save_Secure class before being stored in user metadata, enhancing security by preventing plain-text storage of sensitive authentication credentials.
  • Token Lifecycle Management: Implemented logic to save the encrypted OAuth2 token to user meta upon successful authentication and to delete it from user meta during the logout process, ensuring proper token lifecycle management.

Owner Author

@dexit dexit left a comment


nice


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces functionality to encrypt and store OAuth2 access tokens in user metadata. A new Save_Secure class is added for encryption, which is a good step towards securing sensitive data. However, I've identified several critical security vulnerabilities and other issues in the implementation of this new class, as well as a potential fatal error in the authentication flow. My review comments provide details and suggestions for addressing these issues to ensure the security and stability of the feature.

dexit pushed a commit that referenced this pull request Jan 5, 2026
This commit implements full Office 365/Microsoft 365 authentication with
secure token storage and profile synchronization capabilities, addressing
requirements from PR uhm-coe#155, PR #2 feedback, and Issue uhm-coe#124.

Features Added:
- OAuth2 token storage with secure encryption using WordPress authentication keys
- Microsoft 365 profile photo sync with avatar override
- Additional MS365 profile fields sync (job title, department, phone, location, etc.)
- Settings UI for enabling/disabling token storage and profile sync features

Changes:
1. OAuth2 Settings (class-oauth2.php):
   - Added 'Store access token' checkbox to enable encrypted token storage
   - Added 'Sync profile photo' checkbox for MS365 avatar sync
   - Added 'Sync profile fields' checkbox for additional profile data

2. Admin Page (class-admin-page.php):
   - Registered new OAuth2 settings fields in admin interface

3. Authentication (class-authentication.php):
   - Modified OAuth2 authentication flow to include token object in returned user data
   - Token now passed to authorization process for storage and profile sync

4. Authorization (class-authorization.php):
   - Added handle_oauth2_token_and_profile_sync() method for new and existing users
   - Added store_oauth2_token() with secure encryption using WordPress keys
   - Added sync_microsoft_profile_photo() for avatar synchronization
   - Added sync_microsoft_profile_fields() for additional profile data
   - Tokens stored encrypted with LOGGED_IN_KEY and LOGGED_IN_SALT

5. Helper (class-helper.php):
   - Added encrypt_token() and decrypt_token() using WordPress authentication keys
   - Added fetch_microsoft_graph_profile_photo() for MS Graph API photo retrieval
   - Added fetch_microsoft_graph_profile_fields() for MS Graph API profile data
   - Added save_user_profile_photo() to handle photo upload and attachment creation

6. Main Plugin (class-wp-plugin-authorizer.php):
   - Added pre_get_avatar_data filter to override WordPress avatars with MS365 photos
   - Avatar automatically displays synced profile photo when available

Security Improvements:
- Token encryption uses WordPress LOGGED_IN_KEY and LOGGED_IN_SALT (not hardcoded keys)
- Implements AES-256-CBC encryption with proper IV generation
- Addresses security concerns from PR #2 review feedback
- Tokens stored as encrypted user meta and can be removed on logout

Profile Data Synced:
- Profile photo (replaces WordPress/Gravatar avatar)
- Job title, department, office location
- Business phones, mobile phone
- City, state, country, postal code
- Company name, preferred language
- User principal name

All synced data stored as user meta with 'oauth2_' prefix for easy access
by other plugins and themes.

Tested with Microsoft Azure OAuth2 provider (Office 365/Microsoft 365).
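The token-handling scheme described in the July 2024 commit message (encrypt the token with the WordPress login key, store it as the `encrypted_token` user meta, remove it at logout) and in the Jan 5, 2026 commit (AES-256-CBC, a fresh IV per encryption, keys taken from `LOGGED_IN_KEY` and `LOGGED_IN_SALT`), as a stand-alone added example. This is not the plugin's `Save_Secure` class nor its `encrypt_token()`/`decrypt_token()` helpers. The `example_` function names, the SHA-256 key derivation, the HMAC tag and the constructed placeholder constants are assumptions of this example and are not taken from the PR.

```php
<?php
// Added example; not code from the Authorizer plugin or from this PR.
// AES-256-CBC with a random IV, keyed from LOGGED_IN_KEY / LOGGED_IN_SALT.
// An HMAC-SHA256 tag over IV + ciphertext is a design choice of this example
// so that a modified blob is rejected before it is ever decrypted.

// Constructed stand-ins so the script runs outside WordPress; inside a
// plugin these constants already exist in wp-config.php.
if ( ! defined( 'LOGGED_IN_KEY' ) ) {
    define( 'LOGGED_IN_KEY', 'constructed-example-key-not-for-production' );
}
if ( ! defined( 'LOGGED_IN_SALT' ) ) {
    define( 'LOGGED_IN_SALT', 'constructed-example-salt-not-for-production' );
}

const EXAMPLE_CIPHER = 'aes-256-cbc';

/**
 * Derive one encryption key and one MAC key from the WordPress secrets.
 * LOGGED_IN_KEY is an arbitrary-length string, so it is hashed down to the
 * 32 bytes AES-256 needs instead of being handed to openssl as-is (assumption).
 */
function example_derive_keys() {
    $enc_key = hash( 'sha256', 'enc|' . LOGGED_IN_KEY . '|' . LOGGED_IN_SALT, true );
    $mac_key = hash( 'sha256', 'mac|' . LOGGED_IN_KEY . '|' . LOGGED_IN_SALT, true );
    return array( $enc_key, $mac_key );
}

/**
 * Encrypt a token for storage. Returns base64( iv . ciphertext . tag ).
 */
function example_encrypt_token( $plaintext ) {
    list( $enc_key, $mac_key ) = example_derive_keys();
    $iv_len = openssl_cipher_iv_length( EXAMPLE_CIPHER ); // 16 for AES-CBC
    $iv     = random_bytes( $iv_len );                    // never reuse an IV
    $cipher = openssl_encrypt( $plaintext, EXAMPLE_CIPHER, $enc_key, OPENSSL_RAW_DATA, $iv );
    if ( false === $cipher ) {
        return false;
    }
    $tag = hash_hmac( 'sha256', $iv . $cipher, $mac_key, true );
    return base64_encode( $iv . $cipher . $tag );
}

/**
 * Decrypt a stored blob. Returns false for malformed or tampered input.
 */
function example_decrypt_token( $stored ) {
    list( $enc_key, $mac_key ) = example_derive_keys();
    $raw    = base64_decode( $stored, true );
    $iv_len = openssl_cipher_iv_length( EXAMPLE_CIPHER );
    if ( false === $raw || strlen( $raw ) < $iv_len + 32 ) {
        return false;
    }
    $iv       = substr( $raw, 0, $iv_len );
    $tag      = substr( $raw, -32 );
    $cipher   = substr( $raw, $iv_len, -32 );
    $expected = hash_hmac( 'sha256', $iv . $cipher, $mac_key, true );
    if ( ! hash_equals( $expected, $tag ) ) { // constant-time comparison
        return false;
    }
    return openssl_decrypt( $cipher, EXAMPLE_CIPHER, $enc_key, OPENSSL_RAW_DATA, $iv );
}

// Self-check with a constructed token value (not a real credential).
$token  = 'constructed.access.token.value';
$stored = example_encrypt_token( $token );
$ok     = ( example_decrypt_token( $stored ) === $token );

// Flip one ciphertext byte (offset 20 lies past the 16-byte IV): rejected.
$raw     = base64_decode( $stored );
$raw[20] = chr( ord( $raw[20] ) ^ 0x01 );
$ok      = $ok && ( false === example_decrypt_token( base64_encode( $raw ) ) );

// Two encryptions of the same token differ because the IV is random.
$ok = $ok && ( example_encrypt_token( $token ) !== $stored );

echo $ok ? "self-check passed\n" : "self-check FAILED\n";
```

Inside a plugin the blob returned by `example_encrypt_token()` is what goes into `update_user_meta( $user_id, 'encrypted_token', $blob )` after login, and `delete_user_meta( $user_id, 'encrypted_token' )` on the logout hook removes it, matching the lifecycle the commits describe. Because the keys are derived from `LOGGED_IN_KEY` and `LOGGED_IN_SALT`, rotating those constants in wp-config.php makes every stored token undecryptable, which is worth knowing before a key rotation.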
