From 91a6d0d72dae711347326471368db2d0404e82ec Mon Sep 17 00:00:00 2001
From: Renato Alves <19148962+renatonascalves@users.noreply.github.com>
Date: Thu, 11 Jan 2024 14:06:31 -0300
Subject: [PATCH] Adding CR suggestions

---
 .../alleyvate/features/class-login-nonce.php | 2 +-
 .../alleyvate/features/test-login-nonce.php | 39 ++++-----------------
 2 files changed, 9 insertions(+), 32 deletions(-)

diff --git a/src/alley/wp/alleyvate/features/class-login-nonce.php b/src/alley/wp/alleyvate/features/class-login-nonce.php
index d1f32db6..33c83d0e 100644
--- a/src/alley/wp/alleyvate/features/class-login-nonce.php
+++ b/src/alley/wp/alleyvate/features/class-login-nonce.php
@@ -49,7 +49,6 @@ final class Login_Nonce implements Feature {
 */
 public function boot(): void {
 add_action( 'login_form_login', [ self::class, 'action__add_nonce_life_filter' ] );
- add_action( 'login_form', [ self::class, 'action__add_nonce_to_form' ] );
 add_action( 'login_head', [ self::class, 'action__add_meta_refresh' ] );
 add_action( 'after_setup_theme', [ self::class, 'action__pre_validate_login_nonce' ], 9999 );
 }
@@ -82,6 +81,7 @@ public static function action__add_nonce_to_form(): void {
 */
 public static function action__add_nonce_life_filter(): void {
 add_filter( 'nonce_life', [ __CLASS__, 'nonce_life_filter' ] );
+ add_action( 'login_form', [ __CLASS__, 'action__add_nonce_to_form' ] );
 }
 /**
diff --git a/tests/alley/wp/alleyvate/features/test-login-nonce.php b/tests/alley/wp/alleyvate/features/test-login-nonce.php
index e949a175..9b550dc1 100644
--- a/tests/alley/wp/alleyvate/features/test-login-nonce.php
+++ b/tests/alley/wp/alleyvate/features/test-login-nonce.php
@@ -75,9 +75,7 @@ protected function tearDown(): void {
 public function test_logins_require_nonce(): void {
 global $pagenow;
- $_POST = [
- 'pwd' => 'password',
- ];
+ $_POST = [ 'pwd' => 'password' ];
 $pagenow = 'wp-login.php';
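Review bot: In the second hunk of class-login-nonce.php, registering `login_form` from inside `action__add_nonce_life_filter` means the `_wpnonce` field is only rendered once `login_form_login` has fired, so a POST to wp-login.php for any other action never carries the field; unless `action__pre_validate_login_nonce` (hooked on `after_setup_theme` in `boot()`, body outside this diff) is scoped to the login action in the same way, those requests would fail validation — worth confirming and recording in the method docblock. The ordering this relies on (`login_form_login` fires before wp-login.php renders the form, so a hook added here still reaches `login_form`) is implicit; add a comment such as `// Registered here rather than in boot() so the field and the shortened nonce_life apply only to the login action.`. Minor consistency point: `boot()` uses `self::class` for the same callbacks while the added line uses `__CLASS__`; pick one.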
@@ -123,42 +121,21 @@ public function test_logins_work_with_nonce(): void {
 }
 /**
- * Test logout bypasses login nonce validation.
+ * Test the login nonce doesn't affect other wp-login.php actions.
 */
- public function test_logout_bypass_nonce_validation(): void {
- global $pagenow;
-
- $_POST = [
- 'action' => 'logout',
- '_wpnonce' => wp_create_nonce( '-1' ),
- ];
+ public function test_login_nonce_validates(): void {
+ $token = wp_create_nonce( Login_Nonce::NONCE_ACTION );
- $pagenow = 'wp-login.php';
-
- try {
- Login_Nonce::action__pre_validate_login_nonce();
- } catch ( WP_Die_Exception $e ) {
- // Do nothing.
- }
-
- $this->assertSame( 200, http_response_code() );
+ $this->assertTrue( wp_validate_boolean( wp_verify_nonce( $token, Login_Nonce::NONCE_ACTION ) ) );
 }
 /**
- * Test hooking into `nonce_life`, changes the nonce value of other nonces.
+ * Test the login nonce doesn't affect other wp-login.php actions.
 */
- public function test_nonce_life_change_affects_other_nonces(): void {
- $nonce_life_filter = fn() => Login_Nonce::NONCE_TIMEOUT;
-
- add_filter( 'nonce_life', $nonce_life_filter );
-
+ public function test_logout_nonce_validates(): void {
 $token = wp_create_nonce( 'log-out' );
- remove_filter( 'nonce_life', $nonce_life_filter );
-
- $this->assertFalse( wp_validate_boolean( wp_verify_nonce( $token, 'log-out' ) ) );
-
- $token = wp_create_nonce( 'log-out' );
+ do_action( 'login_init' ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
 $this->assertTrue( wp_validate_boolean( wp_verify_nonce( $token, 'log-out' ) ) );
 }
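Review bot: The docblock added above `test_login_nonce_validates` is a copy of the one above `test_logout_nonce_validates` ("doesn't affect other wp-login.php actions") and does not describe that test, which only checks that a nonce for `Login_Nonce::NONCE_ACTION` verifies; change it to `* Test the login nonce validates against its own action.`. Neither new test observably exercises the feature: both just round-trip `wp_create_nonce`/`wp_verify_nonce`, and nothing in this patch hooks `login_init` (the first file's `boot()` registers `login_form_login`, `login_head` and `after_setup_theme`), so `test_logout_nonce_validates` passes whether or not the `nonce_life` filter is scoped to the login action — the behaviour the removed `test_nonce_life_change_affects_other_nonces` was guarding. To make it meaningful, assert after the `do_action( 'login_init' )` that the filter was not attached, e.g. `$this->assertFalse( has_filter( 'nonce_life', [ Login_Nonce::class, 'nonce_life_filter' ] ) );`, which presumes the test's setUp (outside this hunk) boots the feature. Whether setUp does so cannot be confirmed from this diff.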