Merge pull request #47 from WP-API/personal-tokens

Add personal access tokens

Author: rmccue

inc/admin/profile/namespace.php

@@ -5,6 +5,7 @@
 
 namespace WP\OAuth2\Admin\Profile;
 
+use WP\OAuth2\PersonalClient;
 use WP\OAuth2\Tokens\Access_Token;
 use WP_User;
 
@@ -17,6 +18,8 @@ function bootstrap() {
 	add_action( 'all_admin_notices', __NAMESPACE__ . '\\output_profile_messages' );
 	add_action( 'personal_options_update', __NAMESPACE__ . '\\handle_revocation', 10, 1 );
 	add_action( 'edit_user_profile_update', __NAMESPACE__ . '\\handle_revocation', 10, 1 );
+
+	PersonalTokens\bootstrap();
 }
 
 /**
@@ -30,6 +33,12 @@ function render_profile_section( WP_User $user ) {
 		return (bool) $token->get_client();
 	});
 
+	if ( ! IS_PROFILE_PAGE ) {
+		$personal_url = PersonalTokens\get_page_url( [ 'user_id' => $user->ID ] );
+	} else {
+		$personal_url = PersonalTokens\get_page_url();
+	}
+
 	?>
 	<h2><?php _e( 'Authorized Applications', 'oauth2' ) ?></h2>
 	<?php if ( ! empty( $tokens ) ) : ?>
@@ -47,9 +56,19 @@ function render_profile_section( WP_User $user ) {
 			}
 			?>
 			</tbody>
+			<tfoot>
+				<tr>
+					<td colspan="2">
+						<a href="<?php echo esc_url( $personal_url ) ?>">
+							<?php esc_html_e( 'Create personal access token', 'oauth2' ) ?>
+						</a>
+					</td>
+				</tr>
+			</tfoot>
 		</table>
 	<?php else : ?>
 		<p class="description"><?php esc_html_e( 'No applications authorized.', 'oauth2' ) ?></p>
+		<p><a href="<?php echo esc_url( $personal_url ) ?>"><?php esc_html_e( 'Create personal access token', 'oauth2' ) ?></a></p>
 	<?php endif ?>
 	<?php
 }
@@ -58,7 +77,12 @@ function render_profile_section( WP_User $user ) {
  * Render a single row.
  */
 function render_token_row( WP_User $user, Access_Token $token ) {
-	$client = $token->get_client();
+	$client      = $token->get_client();
+	$is_personal = $client instanceof PersonalClient;
+
+	if ( $is_personal ) {
+		$token_name = $token->get_meta( 'name', __( 'Unknown Token', 'oauth2' ) );
+	}
 
 	$creation_time = $token->get_creation_time();
 	$details       = [
@@ -80,15 +104,24 @@ function render_token_row( WP_User $user, Access_Token $token ) {
 	$details = apply_filters( 'oauth2.admin.profile.render_token_row.details', $details, $token, $user );
 
 	// Build actions.
-	$button_title = sprintf(
-		/* translators: %s: app name */
-		__( 'Revoke access for "%s"', 'oauth2' ),
-		$client->get_name()
-	);
+	if ( $is_personal ) {
+		$button_title = sprintf(
+			/* translators: %s: personal token name */
+			__( 'Revoke personal token "%s"', 'oauth2' ),
+			esc_html( $token_name )
+		);
+	} else {
+		$button_title = sprintf(
+			/* translators: %s: app name */
+			__( 'Revoke access for "%s"', 'oauth2' ),
+			$client->get_name()
+		);
+	}
+
 	$actions = [
 		sprintf(
 			'<button class="button" name="oauth2_revoke" title="%s" value="%s">%s</button>',
-			$button_title,
+			esc_attr( $button_title ),
 			wp_create_nonce( 'oauth2_revoke:' . $token->get_key() ) . ':' . esc_attr( $token->get_key() ),
 			esc_html__( 'Revoke', 'oauth2' )
 		),
@@ -102,10 +135,19 @@ function render_token_row( WP_User $user, Access_Token $token ) {
 	 * @param WP_User $user User whose profile is being rendered.
 	 */
 	$actions = apply_filters( 'oauth2.admin.profile.render_token_row.actions', $actions, $token, $user );
+
+	$name = sprintf( '<strong>%s</strong>', $client->get_name() );
+	if ( $is_personal ) {
+		$name = sprintf(
+			'<strong>%s</strong> <em>(%s)</em>',
+			esc_html( $token_name ),
+			$client->get_name()
+		);
+	}
 	?>
 	<tr>
 		<td>
-			<p><strong><?php echo $client->get_name() ?></strong></p>
+			<p><?php echo $name ?></p>
 			<p><?php echo implode( ' | ', $details ) ?></p>
 		</td>
 		<td style="vertical-align: middle">

inc/admin/profile/personaltokens/namespace.php

@@ -0,0 +1,194 @@
+<?php
+
+namespace WP\OAuth2\Admin\Profile\PersonalTokens;
+
+use WP\OAuth2\PersonalClient;
+use WP\OAuth2\Tokens\Access_Token;
+use WP_Error;
+use WP_User;
+
+const ACCESS_TOKENS_PAGE_SLUG = 'oauth2_personal_tokens';
+
+function bootstrap() {
+	// Personal Access Tokens page.
+	add_action( 'admin_action_' . ACCESS_TOKENS_PAGE_SLUG, __NAMESPACE__ . '\\render_page' );
+}
+
+/**
+ * Get the token page URL.
+ *
+ * @return string
+ */
+function get_page_url( $args = [] ) {
+	$url            = admin_url( 'profile.php' );
+	$args['action'] = ACCESS_TOKENS_PAGE_SLUG;
+	$url            = add_query_arg( urlencode_deep( $args ), $url );
+	return $url;
+}
+
+/**
+ * Bootstrap the profile page.
+ *
+ * This sets up the globals for the user page.
+ */
+function bootstrap_profile_page() {
+	global $user_id, $submenu_file, $parent_file;
+	$user_id = null;
+	if ( ! empty( $_REQUEST['user_id'] ) ) { // WPCS: CSRF OK
+		$user_id = (int) $_REQUEST['user_id'];
+	}
+
+	$current_user = wp_get_current_user();
+	if ( ! defined( 'IS_PROFILE_PAGE' ) ) {
+		define( 'IS_PROFILE_PAGE', $user_id === $current_user->ID );
+	}
+
+	if ( ! $user_id && IS_PROFILE_PAGE ) {
+		$user_id = $current_user->ID;
+	}
+
+	$user = get_user_by( 'id', $user_id );
+	if ( empty( $user ) ) {
+		wp_die( __( 'Invalid user ID.' ) );
+	}
+	if ( ! current_user_can( 'edit_user', $user_id ) ) {
+		wp_die( __( 'Sorry, you are not allowed to edit this user.' ) );
+	}
+
+	if ( current_user_can( 'edit_users' ) && ! IS_PROFILE_PAGE ) {
+		$submenu_file = 'users.php';
+	} else {
+		$submenu_file = 'profile.php';
+	}
+
+	if ( current_user_can( 'edit_users' ) ) {
+		$parent_file = 'users.php';
+	} else {
+		$parent_file = 'profile.php';
+	}
+}
+
+/**
+ * Render the access token creation page.
+ */
+function render_page() {
+	bootstrap_profile_page();
+
+	$user = get_user_by( 'id', $GLOBALS['user_id'] );
+
+	if ( isset( $_POST['oauth2_action'] ) ) { // WPCS: CSRF OK
+		$error = handle_page_action( $user );
+
+		if ( is_wp_error( $error ) ) {
+			add_action( 'all_admin_notices', function () use ( $error ) {
+				echo '<div class="error"><p>' . esc_html( $error->get_error_message() ) . '</p></div>';
+			} );
+		}
+	}
+
+	$GLOBALS['title'] = __( 'Personal Access Tokens', 'oauth2' );
+	require ABSPATH . 'wp-admin/admin-header.php';
+
+	$tokens = Access_Token::get_for_user( $user );
+	$tokens = array_filter( $tokens, function ( Access_Token $token ) {
+		$client = $token->get_client();
+		return ! empty( $client ) && $client instanceof PersonalClient;
+	});
+	?>
+	<div class="wrap" id="profile-page">
+		<h1><?php esc_html_e( 'Create a Personal Access Token', 'oauth2' ) ?></h1>
+
+		<p><?php esc_html_e( "The WordPress API allows access to your site by external applications. Personal access tokens allow easy access for personal scripts, command line utilities, or during development. Generally, you shouldn't provide these to applications you don't trust, and you should treat them just like passwords.", 'oauth2' ) ?></p>
+
+		<form action="" method="POST">
+			<table class="form-table">
+				<tr>
+					<th scope="row">
+						<label for="token-name">Token name</label>
+					</th>
+					<td>
+						<input
+							class="regular-text"
+							id="token-name"
+							name="name"
+							required="required"
+							type="text"
+						/>
+
+						<p class="description"><?php esc_html_e( 'Give this token a name so you can easily identify it later.', 'oauth2' ) ?></p>
+					</td>
+				</tr>
+			</table>
+
+			<input type="hidden" name="oauth2_action" value="create" />
+
+			<?php wp_nonce_field( 'oauth2_personal_tokens.create' ) ?>
+
+			<p class="buttons">
+				<button class="button-primary"><?php esc_html_e( 'Generate Token', 'oauth2' ) ?></button>
+			</p>
+		</form>
+	</div>
+	<?php
+	require ABSPATH . 'wp-admin/admin-footer.php';
+	exit;
+}
+
+/**
+ * Handle action from a form.
+ */
+function handle_page_action( WP_User $user ) {
+	$action = $_POST['oauth2_action']; // WPCS: CSRF OK
+
+	switch ( $action ) {
+		case 'create':
+			check_admin_referer( 'oauth2_personal_tokens.create' );
+			if ( empty( $_POST['name'] ) ) {
+				return new WP_Error(
+					'rest_oauth2_missing_name',
+					__( 'Missing name for personal access token.', 'oauth2' )
+				);
+			}
+
+			$name = sanitize_text_field( wp_unslash( $_POST['name'] ) );
+			return handle_create( $user, $name );
+
+		default:
+			return new WP_Error(
+				'rest_oauth2_invalid_action',
+				__( 'Invalid action.', 'oauth2' )
+			);
+	}
+}
+
+/**
+ * Handle token creation
+ */
+function handle_create( WP_User $user, $name ) {
+	$client = PersonalClient::get_instance();
+	$meta   = [
+		'name' => $name,
+	];
+	$token  = $client->issue_token( $user, $meta );
+
+	render_create_success( $user, $token );
+}
+
+function render_create_success( WP_User $user, $token ) {
+	$GLOBALS['title'] = __( 'Personal Access Tokens', 'oauth2' );
+	require ABSPATH . 'wp-admin/admin-header.php';
+	?>
+
+	<div class="wrap" id="profile-page">
+		<h1><?php esc_html_e( 'Token created!', 'oauth2' ) ?></h1>
+		<p><?php esc_html_e( "Your token has been created. Make sure to copy it now, as it won't be displayed again!", 'oauth2' ) ?></p>
+
+		<pre style="font-size: 2em"><?php echo esc_html( $token->get_key() ) ?></pre>
+
+		<p><a href="<?php echo esc_url( get_edit_user_link( $user->ID ) ) ?>"><?php esc_html_e( 'Back to profile', 'oauth2' ) ?></a></p>
+	</div>
+
+	<?php
+	require ABSPATH . 'wp-admin/admin-footer.php';
+	exit;
+}

inc/class-client.php

@@ -9,7 +9,7 @@
 use WP_Query;
 use WP_User;
 
-class Client {
+class Client implements ClientInterface {
 	const POST_TYPE            = 'oauth2_client';
 	const CLIENT_SECRET_KEY    = '_oauth2_client_secret';
 	const TYPE_KEY             = '_oauth2_client_type';
@@ -259,11 +259,12 @@ public function regenerate_secret() {
 	 * Issue token for a user.
 	 *
 	 * @param \WP_User $user
+	 * @param array $meta
 	 *
 	 * @return Access_Token
 	 */
-	public function issue_token( WP_User $user ) {
-		return Tokens\Access_Token::create( $this, $user );
+	public function issue_token( WP_User $user, $meta = [] ) {
+		return Tokens\Access_Token::create( $this, $user, $meta );
 	}
 
 	/**