Merge branch 'develop'

.eslintrc.js

@@ -0,0 +1,3 @@
+module.exports = {
+	extends: ['@10up/eslint-config/wordpress'],
+};

.github/workflows/lint.yml

@@ -19,7 +19,7 @@ jobs:
         with:
           reporter: github-pr-review
           stylelint_input: '**/*.css'
-          stylelint_config: 'stylelint.config.js'
+          stylelint_config: '.stylelintrc.js'
           fail_on_error: true
   eslint:
     name: eslint

.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+npx lint-staged

.lintstagedrc.json

@@ -0,0 +1,11 @@
+{
+  "*.css": [
+    "10up-toolkit lint-style"
+  ],
+  "*.js": [
+    "10up-toolkit lint-js"
+  ],
+  "*.php": [
+    "./vendor/bin/phpcs --extensions=php --warning-severity=8 -s"
+  ]
+}

.stylelintrc.js

@@ -0,0 +1,8 @@
+module.exports = {
+	extends: [
+		"@10up/stylelint-config",
+	],
+	rules: {
+		"scale-unlimited/declaration-strict-value": null,
+	},
+}

10up-experience.php

@@ -3,7 +3,7 @@
  * Plugin Name:       10up Experience
  * Plugin URI:        https://github.com/10up/10up-experience
  * Description:       The 10up Experience plugin configures WordPress to better protect and inform clients, aligned to 10up’s best practices.
- * Version:           1.10.3
+ * Version:           1.11.0
  * Author:            10up
  * Author URI:        https://10up.com
  * License:           GPLv2 or later
@@ -19,7 +19,7 @@
 
 use YahnisElsts\PluginUpdateChecker\v5\PucFactory;
 
-define( 'TENUP_EXPERIENCE_VERSION', '1.10.3' );
+define( 'TENUP_EXPERIENCE_VERSION', '1.11.0' );
 define( 'TENUP_EXPERIENCE_DIR', __DIR__ );
 define( 'TENUP_EXPERIENCE_FILE', __FILE__ );
 

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 All notable changes to this project will be documented in this file, per [the Keep a Changelog standard](http://keepachangelog.com/).
 
+## [1.11.0] - 2023-10-27
+
+- Support Fueled SSO
+
 ## [1.10.3] - 2023-08-15
 
 - Make sure redirect_to is a string

composer.json

@@ -35,7 +35,12 @@
     "squizlabs/php_codesniffer": "3.*"
   },
   "scripts": {
-    "lint": "phpcs .",
+    "lint": "phpcs --extensions=php --warning-severity=8 -s .",
     "lint-fix": "phpcbf ."
+  },
+  "config": {
+    "allow-plugins": {
+      "dealerdirect/phpcodesniffer-composer-installer": true
+    }
   }
-}
+}

includes/classes/AdminCustomizations/Customizations.php

@@ -34,7 +34,7 @@ public function setup() {
 	 * Register admin pages with output callbacks
 	 */
 	public function register_admin_pages() {
-		add_submenu_page( null, esc_html__( 'About 10up', 'tenup' ), esc_html__( 'About 10up', 'tenup' ), 'edit_posts', '10up-about', [ $this, 'main_screen' ] );
+		add_submenu_page( 'admin.php', esc_html__( 'About 10up', 'tenup' ), esc_html__( 'About 10up', 'tenup' ), 'edit_posts', '10up-about', [ $this, 'main_screen' ] );
 	}
 
 	/**
@@ -84,7 +84,7 @@ public function main_screen() {
 				?>
 				</div>
 
-			<a class="tenup-badge" href="http://10up.com" target="_blank"><span aria-label="<?php esc_html_e( 'Link to 10up.com', 'tenup' ); ?>">10up.com</span></a>
+			<a class="tenup-badge" href="http://10up.com" target="_blank"><span aria-label="<?php esc_attr_e( 'Link to 10up.com', 'tenup' ); ?>">10up.com</span></a>
 
 			<div class="feature-section one-col">
 				<h2><?php esc_html_e( 'Thanks for working with team 10up!', 'tenup' ); ?></h2>

includes/classes/Authentication/Passwords.php

@@ -106,6 +106,8 @@ public function ms_save_settings() {
 			return;
 		}
 
+		// We're only checking if the nonce exists here, so no need to sanitize.
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'siteoptions' ) ) {
 			return;
 		}
@@ -291,6 +293,8 @@ public function validate_resetpass_form( $user_data ) {
 	public function validate_strong_password( $errors, $user_data ) {
 		$password_ok = true;
 		$enforce     = true;
+		// This is being sanitized later in the function, no need to sanitize for isset().
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		$password    = ( isset( $_POST['pass1'] ) && trim( $_POST['pass1'] ) ) ? sanitize_text_field( $_POST['pass1'] ) : false;
 		$role        = isset( $_POST['role'] ) ? sanitize_text_field( $_POST['role'] ) : false;
 		$user_id     = isset( $user_data->ID ) ? sanitize_text_field( $user_data->ID ) : false;
@@ -322,7 +326,7 @@ public function validate_strong_password( $errors, $user_data ) {
 			if ( function_exists( 'mb_ord' ) && version_compare( PHP_VERSION, '7.2.0' ) >= 0 ) {
 				$zxcvbn = new Zxcvbn();
 
-				$pw = $zxcvbn->passwordStrength( $_POST['pass1'] );
+				$pw = $zxcvbn->passwordStrength( $password );
 
 				if ( 3 > (int) $pw['score'] ) {
 					$password_ok = false;

includes/classes/SSO/SSO.php

@@ -71,15 +71,19 @@ public function ms_save_settings() {
 			return;
 		}
 
+		// We're only checking if the nonce exists here, so no need to sanitize.
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'siteoptions' ) ) {
 			return;
 		}
 
+		// We're only checking if the var exists here, so no need to sanitize.
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( ! isset( $_POST['tenup_allow_sso'] ) ) {
 			return;
 		}
 
-		$setting = $this->validate_sso_setting( $_POST['tenup_allow_sso'] );
+		$setting = $this->validate_sso_setting( sanitize_text_field( $_POST['tenup_allow_sso'] ) );
 
 		update_site_option( 'tenup_allow_sso', $setting );
 	}
@@ -216,6 +220,7 @@ public function process_client_login() {
 			);
 
 			$response = wp_remote_get( $verify );
+
 			if ( wp_remote_retrieve_response_code( $response ) !== 200 ) {
 				wp_safe_redirect( wp_login_url() );
 				exit;
@@ -233,9 +238,22 @@ public function process_client_login() {
 					? TENUPSSO_DEFAULT_ROLE
 					: 'subscriber';
 
+				$username = current( explode( '@', $email ) );
+
+				if ( username_exists( $username ) ) {
+					// Turn periods into dashes.
+					$username = str_replace( '.', '-', $username );
+					// Add the domain onto the end, so it's more unique.
+					$username = sprintf(
+						'%s-%s',
+						$username,
+						explode( '.', explode( '@', $email )[1], 2 )[0]
+					);
+				}
+
 				$user_id = wp_insert_user(
 					array(
-						'user_login'   => current( explode( '@', $email ) ),
+						'user_login'   => $username,
 						'user_pass'    => wp_generate_password(),
 						'user_email'   => $email,
 						'display_name' => filter_input( INPUT_GET, 'full_name' ),
@@ -270,9 +288,11 @@ public function process_client_login() {
 				$redirect_to           = admin_url();
 				$requested_redirect_to = '';
 
+				// We're only checking if the var exists here, so no need to sanitize.
+				// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 				if ( isset( $_REQUEST['redirect_to'] ) ) {
-					$redirect_to           = $_REQUEST['redirect_to'];
-					$requested_redirect_to = $_REQUEST['redirect_to'];
+					$redirect_to           = sanitize_text_field( $_REQUEST['redirect_to'] );
+					$requested_redirect_to = sanitize_text_field( $_REQUEST['redirect_to'] );
 				}
 
 				$redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
@@ -297,14 +317,15 @@ public function process_client_login() {
 			$tenup_login_failed = true;
 		} else {
 			$redirect_url = wp_login_url();
-			if ( isset( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ) {
-				$redirect_url = add_query_arg( 'redirect_to', rawurlencode( $_REQUEST['redirect_to'] ), $redirect_url );
+			if ( isset( $_REQUEST['redirect_to'] ) && is_string( sanitize_text_field( $_REQUEST['redirect_to'] ) ) ) {
+				$redirect_url = add_query_arg( 'redirect_to', rawurlencode( sanitize_text_field( $_REQUEST['redirect_to'] ) ), $redirect_url );
 			}
 
 			$proxy_url = add_query_arg(
 				array(
 					'action'      => '10up-login',
 					'redirect'    => rawurlencode( $redirect_url ),
+					'type'        => filter_input( INPUT_GET, 'type' ),
 					'sso_version' => TENUP_EXPERIENCE_VERSION,
 				),
 				TENUPSSO_PROXY_URL
@@ -321,19 +342,27 @@ public function process_client_login() {
 	public function update_login_form() {
 		$google_login = add_query_arg( 'action', '10up-login', wp_login_url() );
 		if ( isset( $_REQUEST['redirect_to'] ) ) {
-			$google_login = add_query_arg( 'redirect_to', rawurlencode( $_REQUEST['redirect_to'] ), $google_login );
+			$google_login = add_query_arg( 'redirect_to', rawurlencode( sanitize_text_field( $_REQUEST['redirect_to'] ) ), $google_login );
 		}
 
+		$buttons_html = '<div class="sso"><div class="buttons">';
+
+		$buttons_html .= '<a href="' . esc_url( add_query_arg( 'type', '10up', $google_login ) ) . '" class="tenup-button button"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 235.84 269.94"><g id="Layer_2" data-name="Layer 2"><g id="Layer_1-2" data-name="Layer 1"><path d="M60.93,4.5,0,34.5,12.08,48.92V186.13l48.85-48.87Z" fill="#df2b26"></path><path d="M117.5,215.8c0,7.53-5.09,10.75-10.75,10.75-7.51,0-9.26-4.57-9.26-9.54V173.88h-.32L73,198v24.64c0,13.57,7.26,25.52,24,25.52A30.65,30.65,0,0,0,117.5,240v6.58H142V173.88H117.5Zm84.25-43.4a28.58,28.58,0,0,0-20.69,8.33v-6.85H156.48v96.06h24.58V240a29.6,29.6,0,0,0,20.69,8.19c20.29,0,32.93-16.25,32.93-37.88,0-21.36-12.64-37.89-32.93-37.89Zm-6.58,54.82c-9.4,0-14.11-7.8-14.11-17.06s4.58-16.93,14.11-16.93c9.28,0,13.57,7.78,13.57,16.93C208.74,219.16,204.45,227.22,195.17,227.22Z" fill="#000"></path><path d="M157.09,0A78.6,78.6,0,0,0,85.93,112.26l.82.86L135.4,64.47,120.1,49.18h66.56v66.56l-15.3-15.3-48.92,48.92A78.71,78.71,0,1,0,157.09,0Z" fill="#df2b26"></path></g></g></svg>' .
+		'<span>Login</span></a>';
+
+		if ( defined( 'TENUPSSO_ALLOW_FUELED_SSO' ) && TENUPSSO_ALLOW_FUELED_SSO ) {
+			$buttons_html .= '<span class="sep"></span><a href="' . esc_url( add_query_arg( 'type', 'fueled', $google_login ) ) . '" class="fueled-button button"><svg xmlns="http://www.w3.org/2000/svg" width="25" height="30" viewBox="0 0 25 30" class="m-logo__svg"><path fill-rule="evenodd" d="M21 7v1h2v2l-1 1v3l1 1v9h-2V14l-1-1h-2V3l-3-3H5L2 3v25H0v2h20v-2h-2V14h2v10l1 1h2l1-1v-9l1-1V9l-2-2h-2zm-5 6H4V3l1-1h10l1 1v10z"></path></svg>' .
+			'<span>Login</span></a>';
+		}
+
+		$buttons_html .= '</div><span class="or"><span>or</span></span>';
+		$buttons_html .= '</div>';
+
 		?><script type="text/javascript">
 			(function() {
 				document.getElementById('loginform').insertAdjacentHTML(
 					'beforebegin',
-					'<div id="tenup_sso" class="tenup-sso">' +
-						'<a href="<?php echo esc_url( $google_login ); ?>" class="button button-hero button-primary">' +
-							'<?php esc_html_e( 'Login with 10up account', 'tenup' ); ?>' +
-						'</a>' +
-						'<span class="tenup-sso-or"><span><?php echo esc_html_e( 'or', 'tenup' ); ?></span></span>' +
-					'</div>'
+					'<?php echo $buttons_html; // phpcs:ignore ?>'
 				);
 			})();
 		</script>
@@ -346,10 +375,9 @@ public function update_login_form() {
 	public function render_login_form_styles() {
 		?>
 		<style>
-			.tenup-sso {
+			.sso {
 				font-weight: normal;
 				overflow: hidden;
-				text-align: center;
 
 				margin-top: 20px;
 				margin-left: 0;
@@ -359,43 +387,79 @@ public function render_login_form_styles() {
 				background: #fff;
 				border: 1px solid #c3c4c7;
 				box-shadow: 0 1px 3px rgb(0 0 0 / 4%);
-
 			}
 
-			#loginform {
-				margin-top: 0;
-				border-top: 0;
-				position: relative;
-				top: -17px;
-				padding-top: 0;
+			.sso .buttons {
+				display: flex;
+				justify-content: center;
+				align-items: center;
 			}
 
-			.tenup-sso .button-primary {
+			.sso .button {
 				float: none;
-				text-transform: capitalize;
+				display: block;
+				border: 0;
+				color: #50575e;
+				display: flex;
+				align-items: center;
+				justify-content: center;
+				background-color: transparent;
+				padding: 10px;
 			}
 
-			.tenup-sso-or {
-				margin: 2em 0;
+			.sso .button:hover {
+				background-color: transparent;
+				color: #135e96;
+			}
+
+			.sso .button svg {
+				height: 30px;
+				margin-right: 10px;
+			}
+
+			.sso .fueled-button svg {
+				height: 28px;
+			}
+
+			.sso .fueled-button svg path {
+				fill: #950001;
+			}
+
+			.sso .sep {
+				margin: 0 1em;
+				border-right: 1px solid rgba(0,0,0,0.13);
+				height: 20px;
+			}
+
+			.sso .or {
+				margin: .8em 0 2em 0;
 				width: 100%;
 				display: block;
 				border-bottom: 1px solid rgba(0,0,0,0.13);
 				text-align: center;
 				line-height: 1;
 			}
 
-			.tenup-sso-or span {
+			.sso .or span {
 				position: relative;
 				top: 0.5em;
 				background: white;
 				padding: 0 1em;
 				color: #72777c;
 			}
 
+			#loginform {
+				margin-top: 0;
+				border-top: 0;
+				position: relative;
+				top: -17px;
+				padding-top: 0;
+			}
+
 			<?php if ( defined( 'TENUPSSO_DISALLOW_ALL_DIRECT_LOGIN' ) && TENUPSSO_DISALLOW_ALL_DIRECT_LOGIN ) : ?>
 				#loginform,
 				#nav,
-				.tenup-sso-or {
+				.sso .or {
 					display: none;
 				}
 			<?php endif; ?>