Add AuthCookie for Login with SameSite cookie option

phpstan.neon.dist

@@ -15,6 +15,10 @@ parameters:
 		reportAlwaysTrueInLastCondition: true
 		reportStaticMethodSignatures: true
 		reportWrongPhpDocTypeInVarTag: true
+		dynamicConstantNames:
+			- ADMIN_COOKIE_PATH
+			- COOKIEPATH
+			- SITECOOKIEPATH
 		bootstrapFiles:
 			- phpstan/constants.php
 		paths:

phpstan/constants.php

@@ -8,3 +8,12 @@
 define( 'WPGRAPHQL_LOGIN_PLUGIN_FILE', 'wp-graphql-headless-login.php' );
 define( 'WPGRAPHQL_LOGIN_VERSION', '0.3.1' );
 define( 'WPGRAPHQL_LOGIN_PLUGIN_DIR', '' );
+
+// WordPress Constants.
+define( 'AUTH_COOKIE', 'wordpress_' );
+define( 'SECURE_AUTH_COOKIE', 'wordpress_sec_' );
+define( 'COOKIEPATH', '/' );
+define( 'SITECOOKIEPATH', '/' );
+define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . 'wp-admin' );
+define( 'PLUGINS_COOKIE_PATH', '/wp-content/plugins' );
+define( 'LOGGED_IN_COOKIE', 'wordpress_logged_in_' );

src/Admin/Settings/AccessControlSettings.php

@@ -48,7 +48,7 @@ public function get_description(): string {
 	public function get_config(): array {
 		return [
 			// Should Block Unauthorized Domains.
-			'shouldBlockUnauthorizedDomains'   => [
+			'shouldBlockUnauthorizedDomains' => [
 				'description'       => __( 'Whether to block requests from unauthorized domains', 'wp-graphql-headless-login' ),
 				'label'             => __( 'Block unauthorized domains', 'wp-graphql-headless-login' ),
 				'type'              => 'boolean',
@@ -59,25 +59,8 @@ public function get_config(): array {
 				'required'          => true,
 				'sanitize_callback' => 'rest_sanitize_boolean',
 			],
-			// Has Access Control Allow Credentials.
-			'hasAccessControlAllowCredentials' => [
-				'description'       => __( 'Whether the `Access-Control-Allow-Credentials` header should be added to the request.', 'wp-graphql-headless-login' ),
-				'label'             => __( 'Add Access-Control-Allow-Credentials', 'wp-graphql-headless-login' ),
-				'type'              => 'boolean',
-				'isAdvanced'        => false,
-				'default'           => false,
-				'help'              => __( 'If enabled, the `Access-Control-Allow-Credentials` header will be included in the request. Requires `Block Unauthorized Domains` to be enabled.', 'wp-graphql-headless-login' ),
-				'order'             => 2,
-				'required'          => false,
-				'sanitize_callback' => 'rest_sanitize_boolean',
-				'conditionalLogic'  => [
-					'slug'     => 'shouldBlockUnauthorizedDomains',
-					'operator' => '==',
-					'value'    => true,
-				],
-			],
 			// Has Site Address In Origin.
-			'hasSiteAddressInOrigin'           => [
+			'hasSiteAddressInOrigin'         => [
 				'description'       => __( 'Whether the Site URL should be added to the `Access-Control-Allow-Origin` header', 'wp-graphql-headless-login' ),
 				'label'             => __( 'Add Site URL to Access-Control-Allow-Origin', 'wp-graphql-headless-login' ),
 				'type'              => 'boolean',
@@ -89,7 +72,7 @@ public function get_config(): array {
 				'sanitize_callback' => 'rest_sanitize_boolean',
 			],
 			// Additional Authorized Domains.
-			'additionalAuthorizedDomains'      => [
+			'additionalAuthorizedDomains'    => [
 				'description'       => __( 'An array additional authorized domains to include in the Access-Control-Allow-Origin header.', 'wp-graphql-headless-login' ),
 				'label'             => __( 'Additional authorized domains', 'wp-graphql-headless-login' ),
 				'type'              => 'array',
@@ -116,7 +99,7 @@ static function ( $domain ) {
 				},
 			],
 			// Custom Headers.
-			'customHeaders'                    => [
+			'customHeaders'                  => [
 				'description'       => __( 'An array of custom headers to add to the response', 'wp-graphql-headless-login' ),
 				'label'             => __( 'Custom Headers', 'wp-graphql-headless-login' ),
 				'type'              => 'array',

src/Admin/Settings/CookieSettings.php

@@ -0,0 +1,122 @@
+<?php
+/**
+ * Registers the Cookie Settings
+ *
+ * @package WPGraphQL\Login\Admin\Settings
+ * @since @todo
+ */
+
+declare( strict_types = 1 );
+
+namespace WPGraphQL\Login\Admin\Settings;
+
+/**
+ * Class CookieSettings
+ */
+class CookieSettings extends AbstractSettings {
+	/**
+	 * {@inheritDoc}
+	 */
+	public static function get_slug(): string {
+		return self::SETTINGS_PREFIX . 'cookies';
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	public function get_title(): string {
+		return __( 'Cookie Settings', 'wp-graphql-headless-login' );
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	public function get_label(): string {
+		return __( 'Cookies', 'wp-graphql-headless-login' );
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	public function get_description(): string {
+		return __( 'Manage Cookie generation, headers, and settings for the plugin.', 'wp-graphql-headless-login' );
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	public function get_config(): array {
+		return [
+			// Has Access Control Allow Credentials.
+			'hasAccessControlAllowCredentials' => [
+				'description'       => __( 'Whether the `Access-Control-Allow-Credentials` header should be added to the request.', 'wp-graphql-headless-login' ),
+				'label'             => __( 'Add Access-Control-Allow-Credentials', 'wp-graphql-headless-login' ),
+				'type'              => 'boolean',
+				'isAdvanced'        => false,
+				'default'           => false,
+				'help'              => __( 'If enabled, the `Access-Control-Allow-Credentials` header will be included in the request. Requires `Access Control > Block Unauthorized Domains` to be enabled.', 'wp-graphql-headless-login' ),
+				'order'             => 1,
+				'required'          => false,
+				'sanitize_callback' => 'rest_sanitize_boolean',
+				// @todo add `disabled` attribute.
+			],
+			// Has Logout Mutation.
+			'hasLogoutMutation'                => [
+				'description'       => __( 'Whether the `logout` mutation should be exposed to the GraphQL schema.', 'wp-graphql-headless-login' ),
+				'label'             => __( 'Enable Logout Mutation', 'wp-graphql-headless-login' ),
+				'type'              => 'boolean',
+				'default'           => false,
+				'help'              => __( 'If enabled, the `logout` mutation will be exposed to the GraphQL schema, which will clear the user\'s session.', 'wp-graphql-headless-login' ),
+				'isAdvanced'        => false,
+				'order'             => 2,
+				'required'          => false,
+				'sanitize_callback' => 'rest_sanitize_boolean',
+				'conditionalLogic'  => [
+					'slug'     => 'hasAccessControlAllowCredentials',
+					'operator' => '==',
+					'value'    => true,
+				],
+			],
+			// SameSite Option.
+			'sameSiteOption'                   => [
+				'description'       => __( 'Specify the SameSite attribute for authentication.', 'wp-graphql-headless-login' ),
+				'label'             => __( 'Samesite Cookie Mode', 'wp-graphql-headless-login' ),
+				'type'              => 'string',
+				'controlType'       => 'select',
+				'default'           => 'Lax',
+				'help'              => __( 'Choose "None" if cross-site access is required, "Lax" for moderate protection, or "Strict" for maximum protection.', 'wp-graphql-headless-login' ),
+				'isAdvanced'        => true,
+				'order'             => 3,
+				'required'          => false,
+				'enum'              => [
+					'Lax',
+					'None',
+					'Strict',
+				],
+				'sanitize_callback' => 'sanitize_text_field',
+				'conditionalLogic'  => [
+					'slug'     => 'hasAccessControlAllowCredentials',
+					'operator' => '==',
+					'value'    => true,
+				],
+			],
+			// Login Cookie Domain.
+			'cookieDomain'                     => [
+				'description'       => __( 'Override the cookie domain.', 'wp-graphql-headless-login' ),
+				'label'             => __( 'Cookie Domain', 'wp-graphql-headless-login' ),
+				'type'              => 'string',
+				'default'           => '',
+				'help'              => __( 'Leave blank by default. To share across all subdomains, use your root domain prefixed with a period (e.g., .mysite.com).', 'wp-graphql-headless-login' ),
+				'isAdvanced'        => true,
+				'order'             => 4,
+				'required'          => false,
+				'sanitize_callback' => 'sanitize_text_field',
+				'conditionalLogic'  => [
+					'slug'     => 'hasAccessControlAllowCredentials',
+					'operator' => '==',
+					'value'    => true,
+				],
+			],
+		];
+	}
+}

src/Admin/SettingsRegistry.php

@@ -33,6 +33,7 @@ public static function init(): void {
 
 		$classes_to_register = [
 			Settings\AccessControlSettings::class,
+			Settings\CookieSettings::class,
 			Settings\PluginSettings::class,
 		];
 

src/Admin/Upgrade/V0_4_0.php

@@ -10,6 +10,8 @@
 
 namespace WPGraphQL\Login\Admin\Upgrade;
 
+use WPGraphQL\Login\Admin\Settings\AccessControlSettings;
+use WPGraphQL\Login\Admin\Settings\CookieSettings;
 use WPGraphQL\Login\Admin\Settings\PluginSettings;
 
 /**
@@ -29,6 +31,8 @@ class V0_4_0 extends AbstractUpgrade {
 	protected function upgrade(): void {
 		// Migrate Plugin Settings.
 		$this->migrate_plugin_settings();
+		// Migrate Access Control Settings.
+		$this->migrate_access_control_settings();
 	}
 
 	/**
@@ -71,4 +75,46 @@ private function migrate_plugin_settings(): void {
 			}
 		}
 	}
+
+	/**
+	 * Migrates relevant Access Control settings to Cookie settings.
+	 *
+	 * @throws \Exception Throws an exception if the migration fails.
+	 */
+	private function migrate_access_control_settings(): void {
+		$setttings_map = [
+			'hasAccessControlAllowCredentials' => 'hasAccessControlAllowCredentials',
+		];
+
+		$access_control_settings = get_option( AccessControlSettings::get_slug(), [] );
+
+		// If there are no existing values, there is nothing to migrate.
+		if ( empty( $access_control_settings ) ) {
+			return;
+		}
+
+		$cookie_settings = get_option( CookieSettings::get_slug(), [] );
+
+		foreach ( $setttings_map as $old_key => $new_key ) {
+			if ( ! isset( $access_control_settings[ $old_key ] ) ) {
+				continue;
+			}
+
+			$cookie_settings[ $new_key ] = $access_control_settings[ $old_key ];
+			unset( $access_control_settings[ $old_key ] );
+		}
+
+		$success = update_option( CookieSettings::get_slug(), $cookie_settings );
+
+		if ( ! $success ) {
+			throw new \Exception( 'Failed to migrate access control settings.' );
+		}
+
+		// Update the access control settings.
+		$success = update_option( AccessControlSettings::get_slug(), $access_control_settings );
+
+		if ( ! $success ) {
+			throw new \Exception( 'Failed to update access control settings.' );
+		}
+	}
 }

src/Auth/Auth.php

@@ -81,7 +81,7 @@ public static function login( array $input ): array {
 		// Set the auth cookie if the provider is configured to use it.
 		$config = $client->get_config();
 		if ( ! empty( $config['loginOptions']['useAuthenticationCookie'] ) ) {
-			wp_set_auth_cookie( $user->ID, false );
+			AuthCookie::set_auth_cookie( $user->ID, false );
 		}
 
 		// Trigger the login action.