Refactor logging out of external services

to ensure compatibility with the User Switching plugin that relies on the logout routines not firing in clear_auth_cookie. #91 (comment)
uhm-coe · Feb 25, 2020 · 30d902b · 30d902b
1 parent 88daeb5
commit 30d902b
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 13 deletions.
diff --git a/src/authorizer/class-authentication.php b/src/authorizer/class-authentication.php
@@ -19,6 +19,12 @@
  */
 class Authentication extends Static_Instance {
 
+	/**
+	 * Tracks the external service used by the user currently logging out.
+	 * @var string
+	 */
+	private static $authenticated_by = '';
+
 	/**
 	 * Authenticate against an external service.
 	 *
@@ -746,6 +752,26 @@ protected function custom_authenticate_ldap( $auth_settings, $username, $passwor
 	}
 
 
+	/**
+	 * Fetch the logging out user's external service (so we can log out of it
+	 * below in the wp_logout hook).
+	 *
+	 * Action: clear_auth_cookie
+	 *
+	 * @return void
+	 */
+	public function pre_logout() {
+		self::$authenticated_by = get_user_meta( get_current_user_id(), 'authenticated_by', true );
+
+		// If we didn't find an authenticated method, check $_REQUEST (if this is a
+		// pending user facing the "no access" message, their logout link will
+		// include "external=?" since they don't have a WP_User to attach the
+		// "authenticated_by" usermeta to).
+		if ( empty( self::$authenticated_by ) && ! empty( $_REQUEST['external'] ) ) {
+			self::$authenticated_by = $_REQUEST['external'];
+		}
+	}
+
 	/**
 	 * Log out of the attached external service.
 	 *
@@ -765,18 +791,8 @@ public function custom_logout() {
 			session_start();
 		}
 
-		$current_user_authenticated_by = get_user_meta( get_current_user_id(), 'authenticated_by', true );
-
-		// If we didn't find an authenticated method, check $_REQUEST (if this is a
-		// pending user facing the "no access" message, their logout link will
-		// include "external=?" since they don't have a WP_User to attach the
-		// "authenticated_by" usermeta to).
-		if ( empty( $current_user_authenticated_by ) && ! empty( $_REQUEST['external'] ) ) {
-			$current_user_authenticated_by = $_REQUEST['external'];
-		}
-
 		// If logged in to CAS, Log out of CAS.
-		if ( 'cas' === $current_user_authenticated_by && '1' === $auth_settings['cas'] ) {
+		if ( 'cas' === self::$authenticated_by && '1' === $auth_settings['cas'] ) {
 			if ( ! array_key_exists( 'PHPCAS_CLIENT', $GLOBALS ) || ! array_key_exists( 'phpCAS', $_SESSION ) ) {
 
 				/**
@@ -813,7 +829,7 @@ public function custom_logout() {
 		}
 
 		// If session token set, log out of Google.
-		if ( 'google' === $current_user_authenticated_by || array_key_exists( 'token', $_SESSION ) ) {
+		if ( 'google' === self::$authenticated_by || array_key_exists( 'token', $_SESSION ) ) {
 			$token = $_SESSION['token'];
 
 			// Edge case: if another plugin has already defined the Google_Client class,

diff --git a/src/authorizer/class-wp-plugin-authorizer.php b/src/authorizer/class-wp-plugin-authorizer.php
@@ -41,7 +41,8 @@ public function __construct() {
 		add_filter( 'authenticate', array( Authentication::get_instance(), 'custom_authenticate' ), 1, 3 );
 
 		// Custom logout action using external service.
-		add_action( 'clear_auth_cookie', array( Authentication::get_instance(), 'custom_logout' ) );
+		add_action( 'clear_auth_cookie', array( Authentication::get_instance(), 'pre_logout' ) );
+		add_action( 'wp_logout', array( Authentication::get_instance(), 'custom_logout' ) );
 
 		// Create settings link on Plugins page.
 		add_filter( 'plugin_action_links_' . plugin_basename( plugin_root() ), array( Admin_Page::get_instance(), 'plugin_settings_link' ) );