Change logic of jwks refresh (#7)

* Change logic of jwks refresh * Update for 1.5.1 * Bump tested up to version * Whitespace
andrewheberle · Nov 9, 2023 · 39eb3bf · 39eb3bf
1 parent d568e2f
commit 39eb3bf
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 22 deletions.
diff --git a/ah-jwt-auth.php b/ah-jwt-auth.php
@@ -10,7 +10,7 @@
  * @wordpress-plugin
  * Plugin Name: AH JWT Auth
  * Description: This plugin allows sign in to WordPress using a JSON Web Token (JWT) contained in a HTTP Header
- * Version: 1.5.0
+ * Version: 1.5.1
  * Author: Andrew Heberle
  * Text Domain: ah-jwt-auth
  * Author URI: https://github.com/andrewheberle/wordpress-ah-jwt-auth/

diff --git a/includes/class-ahjwtauthsignin.php b/includes/class-ahjwtauthsignin.php
@@ -151,15 +151,22 @@ private function ahjwtauth_refresh_jwks() {
 		}
 
 		// retrieve json from JWKS URL with caching.
-		$keys = get_transient( 'ahjwtauth_jwks' );
+		$json = get_transient( 'ahjwtauth_jwks_json' );
 
 		// Does transient exist?
-		if ( false !== $keys ) {
-			return $keys;
+		if ( false !== $json ) {
+			// try to decode json.
+			$jwks = @json_decode( $json, true );
+			if ( null === $jwks ) {
+				$this->error = __( 'AH JWT Auth cannot decode the JSON retrieved from the JWKS URL', 'ah-jwt-auth' );
+				error_log( 'AH JWT Auth: ERROR: cannot decode the JSON retrieved from the JWKS URL' );
+				return false;
+			}
+
+			return $jwks;
 		}
 
 		// if transient did not exist, attempt to get url.
-		$jwks_url = get_option( 'ahjwtauth-jwks-url' );
 		$response = wp_remote_get( $jwks_url );
 		if ( is_wp_error( $response ) ) {
 			$this->error = __( 'AH JWT Auth: error retrieving the JWKS URL', 'ah-jwt-auth' );
@@ -172,7 +179,7 @@ private function ahjwtauth_refresh_jwks() {
 
 		// check that response was not empty.
 		if ( '' === $json ) {
-				$this->error = __( 'AH JWT Auth could not retrieve the specified JWKS URL', 'ah-jwt-auth' );
+			$this->error = __( 'AH JWT Auth could not retrieve the specified JWKS URL', 'ah-jwt-auth' );
 			error_log( 'AH JWT Auth: ERROR: could not retrieve the specified JWKS URL' );
 			return false;
 		}
@@ -185,21 +192,11 @@ private function ahjwtauth_refresh_jwks() {
 			return false;
 		}
 
-		// parse the JWKS response.
-		try {
-			$keys = JWK::parseKeySet( array( 'keys' => $jwks['keys'] ) );
-		} catch ( Exception $e ) {
-			$this->error = $e->getMessage();
-			error_log( 'AH JWT Auth: ERROR: Problem parsing key-set: ' . $e->getMessage() );
-			error_log( $json );
-			return false;
-		}
-
-		// cache JWKS for future.
-		set_transient( 'ahjwtauth_jwks', $keys, WEEK_IN_SECONDS );
+		// cache JWKS JSON for future.
+		set_transient( 'ahjwtauth_jwks_json', $json, WEEK_IN_SECONDS );
 
 		// return key set.
-		return $keys;
+		return $jwks;
 	}
 
 	/**
@@ -269,7 +266,18 @@ private function verify_token( $jwt ) {
 	private function get_key() {
 		$jwks_url = get_option( 'ahjwtauth-jwks-url' );
 		if ( '' !== $jwks_url ) {
-			return $this->ahjwtauth_refresh_jwks();
+			$jwks = $this->ahjwtauth_refresh_jwks();
+
+			try {
+				$keys = JWK::parseKeySet( array( 'keys' => $jwks['keys'] ) );
+			} catch ( Exception $e ) {
+				$this->error = $e->getMessage();
+				error_log( 'AH JWT Auth: ERROR: Problem parsing key-set: ' . $e->getMessage() );
+				error_log( $json );
+				return false;
+			}
+
+			return $keys;
 		}
 
 		// otherwise use shared secret.

diff --git a/readme.txt b/readme.txt
@@ -3,8 +3,8 @@ Contributors: andrewheberle
 Donate link: https://paypal.me/andrewheberle
 Tags: jwt, sso, login, auth, authentication
 Requires at least: 4.7
-Tested up to: 6.2.2
-Stable tag: 1.4.1
+Tested up to: 6.3.2
+Stable tag: 1.5.1
 Requires PHP: 7.0
 License: GPLv3 or later
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
@@ -57,6 +57,9 @@ Currently only the HS256 and RS256 alorithms are supported.
 
 == Changelog ==
 
+= 1.5.1 =
+* Fixes for JWKS refresh process
+
 = 1.5.0 =
 * Add WP cron job to refresh JWKS daily