From 8aeb9374f856669c562c5ccdfa57b775cff04a83 Mon Sep 17 00:00:00 2001
From: Robert O'Rourke
Date: Thu, 24 Nov 2022 12:06:54 +0000
Subject: [PATCH 1/2] Add require login bypass tokens feature

Intended for use with Lightouse / Qualys to check performance of non-prod envs.
---
 composer.json | 5 ++--
 docs/require-login.md | 30 +++++++++++++++++++++
 inc/namespace.php | 1 +
 inc/require_login/namespace.php | 48 +++++++++++++++++++++++++++++++++
 4 files changed, 82 insertions(+), 2 deletions(-)
 create mode 100644 inc/require_login/namespace.php

diff --git a/composer.json b/composer.json
index f36f0e9..08a4d0d 100644
--- a/composer.json
+++ b/composer.json
@@ -13,7 +13,8 @@
 "files": [
 "inc/namespace.php",
 "inc/passwords/namespace.php",
- "inc/php_basic_auth/namespace.php"
+ "inc/php_basic_auth/namespace.php",
+ "inc/require_login/namespace.php"
 ],
 "classmap": [
 "inc/",
@@ -42,4 +43,4 @@
 ]
 }
 }
-}
\ No newline at end of file
+}
diff --git a/docs/require-login.md b/docs/require-login.md
index 3fb3934..dd667ad 100644
--- a/docs/require-login.md
+++ b/docs/require-login.md
@@ -15,6 +15,36 @@ Requiring login on individual sites is as easy as unchecking the site's public s
 ## Excluding Pages and Endpoints
+There are 2 ways to exclude pages and endpoints from requiring login, using the `bypass-tokens` config option or the `hm-require-login.allowed_pages` filter.
+
+### Bypass Tokens
+
+Bypass tokens are a way to allow tools like Lighthouse or Qualys access to development or staging environments using a unique query string token. This lets you check performance insights on non-production environments for non-logged in users so you can see the experience most site visitors will get.
+
+Set the `require-login` config value as an object with the property `bypass-tokens`. This should be an array of string tokens that can be set as the value of the query variable `altis-auth`.
+
+For example with the following config a development URL like `https://project-dev.altis.cloud/?altis-auth=gf6sa9fgds7a9bhfdb` will bypass the login requirement:
+
+```json
+{
+ "extra": {
+ "altis": {
+ "modules": {
+ "security": {
+ "require-login": {
+ "bypass-tokens": [
+ "gf6sa9fgds7a9bhfdb"
+ ]
+ }
+ }
+ }
+ }
+ }
+}
+```
+
+### Allowed Pages Filter
+
 In certain cases you may need to exclude a URL or PHP file from redirecting to the login page when Require Login is active. This is possible using the `hm-require-login.allowed_pages` filter:
 ```php
diff --git a/inc/namespace.php b/inc/namespace.php
index 5266a2b..d244997 100644
--- a/inc/namespace.php
+++ b/inc/namespace.php
@@ -38,6 +38,7 @@ function on_plugins_loaded() {
 if ( ! is_site_public() ) {
 require_once Altis\ROOT_DIR . '/vendor/humanmade/require-login/plugin.php';
+ Require_Login\bootstrap();
 }
 if ( $config['audit-log'] ) {
diff --git a/inc/require_login/namespace.php b/inc/require_login/namespace.php
new file mode 100644
index 0000000..6cfa617
--- /dev/null
+++ b/inc/require_login/namespace.php
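Review bot: In the `inc/namespace.php` hunk, `Require_Login\bootstrap();` runs for every non-public site and nothing visible limits it by environment, although the commit message and the docs added in this patch describe bypass tokens as an aid for development and staging. The body of `bootstrap()` is not visible here, so this may already be handled there; if it is not, a guard such as `if ( Altis\get_environment_type() !== 'production' ) { Require_Login\bootstrap(); }` would keep a configured token from opening a private production site. A short comment above the call, for example `// Registers the altis-auth bypass token check; a valid token skips the login requirement.`, would also help, since the token travels in the query string and can end up in access logs and Referer headers. `on_plugins_loaded()` starts and ends outside this hunk.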
@@ -0,0 +1,48 @@ + Date: Thu, 24 Nov 2022 12:43:58 +0000
Subject: [PATCH 2/2] Fix filter naming

---
 inc/require_login/namespace.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/inc/require_login/namespace.php b/inc/require_login/namespace.php
index 6cfa617..648a3c8 100644
--- a/inc/require_login/namespace.php
+++ b/inc/require_login/namespace.php
@@ -35,7 +35,7 @@ function allow_request_for_valid_token( array $allowed, ?string $page ) : array
 *
 * @param array $tokens Array of string tokens that by pass require login.
 */
- $tokens = apply_filters( 'altis.security.require-login.bypass-tokens', $tokens );
+ $tokens = apply_filters( 'altis.security.require_login.bypass_tokens', $tokens );
 if ( isset( $_GET[ QUERY_ARG ] ) &&