Feature/refresh token flow

[marchrius]

Supports to REST API flow (in body or parameter) instead of cookie.
The flow can be changed by hook 'jwt_auth_flow'.

• Implement different flow
• Edit tests to test the different flow
• Update README.md

[rtorrente]

Hello @marchrius,

Very interested by your PR, i'm facing the same issue

Is there anything missing from this MR to send it in for review? Do you need help?

[marchrius]

Hi @rtorrente,

the missing part is the README.md update with docs on new error codes and how to use the flow hook.

[sun]

Thanks a lot for contributing this enhancement! ❤️

From what I can see, the changes seem to be backwards-compatible with the current code in 3.x/master. Therefore, I believe we do not need to block the 3.0 release on this change.

However, before going into further details – there are a lot of coding style changes in this PR, which make it really hard to review the functional changes. So I'd like to ask you whether you can move all of the coding style changes into a separate PR (which we could merge fairly quickly), so that we can focus solely on the functional changes in this PR here?

This would be important, because we are touching security related functionality with this PR, and it would be embarrassing to introduce a security vulnerability just because a tiny but substantial change was hidden in a lot of code formatting changes.

[dominic-ks]

@marchrius are you able to have a look at @sun 's requested changes? It would be good to get this in as a few people are asking.

[marchrius]

Hi @sun and @dominic-ks, I'll be happy to do that, can you give me some pointers on what might be the best way to split the two things?

I'm using PHPStorm as IDE and I have the option
PHP -> Framework -> WordPress -> Enable WordPress integration
to help me format the code automatically.

If you have some default rules I can use them for future commits and style changes.

[sun]

For the moment it would be best to disable all automated formattings and then revert all changes in this PR that are not functional changes.

In an issue separate from this here we can look into correcting the formatting – although I think we’ll rather look at automations like prettier and phpcs to do so, so that it doesn’t depend on anyone’s editor settings.

[marchrius]

Hi @sun, I've removed all non-necessary integrations and style modifications.

[sun]

Thanks a lot – this at least allowed me to do a first round of review of the actual code changes. 👍

We should try to make this change in a backwards compatible way, so that existing production sites can update without headaches. We should also minimize the additional code introduced here by reusing the existing code. I added some insights on how we can achieve that, which should not require much effort.

And there are still a bunch of unnecessary code style changes in the surrounding files - if you can revert those, we can see and review the full picture with more certainty.

[sun]

1. It seems you have changed the content of the refresh token - this means that all existing users will be logged-out when deploying the update. We can avoid that by implementing a backwards compatibility for the previous refresh tokens, so they are migrated individually to the new value when they are silently refreshed or the user re-authenticates. We can then safely remove this B/C layer in an upcoming release.
2. Is this a copy of validate_token() now? We can avoid duplicate code by passing a parameter $type to validate_token() that contains either "refresh" or "access" (by default). Mainly seems to be necessary for hook names and error codes. However, let's keep the separate method for the temporary B/C layer and the backend/device validation.

As a result of these two suggestions, the amount of changes in this PR should reduce further.

[sun]

Ditto about generate_token() here (DRY)