WP_Session_Tokens::__construct() - Code Metrics - ntwb/wordpress - Measure and Improve Code Quality continuously with Scrutinizer

WP_Session_Tokens::__construct() A
last analyzed 2017-06-24 04:06 UTC

↳ Parent: WP_Session_Tokens

Complexity

Conditions	1
Paths	1

Size

Total Lines	3
Code Lines	2

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	1
eloc	2
nc	1
nop	1
dl	0
loc	3
rs	10
c	0
b	0
f	0

<?php
/**
 * Session API: WP_Session_Tokens class
 *
 * @package WordPress
 * @subpackage Session
 * @since 4.7.0
 */

/**
 * Abstract class for managing user session tokens.
 *
 * @since 4.0.0
 */
abstract class WP_Session_Tokens {

	/**
	 * User ID.
	 *
	 * @since 4.0.0
	 * @access protected
	 * @var int User ID.
	 */
	protected $user_id;

	/**
	 * Protected constructor.
	 *
	 * @since 4.0.0
	 *
	 * @param int $user_id User whose session to manage.
	 */
	protected function __construct( $user_id ) {
		$this->user_id = $user_id;
	}

	/**
	 * Get a session token manager instance for a user.
	 *
	 * This method contains a filter that allows a plugin to swap out
	 * the session manager for a subclass of WP_Session_Tokens.
	 *
	 * @since 4.0.0
	 * @access public
	 * @static
	 *
	 * @param int $user_id User whose session to manage.
	 */
	final public static function get_instance( $user_id ) {
		/**
		 * Filters the session token manager used.
		 *
		 * @since 4.0.0
		 *
		 * @param string $session Name of class to use as the manager.
		 *                        Default 'WP_User_Meta_Session_Tokens'.
		 */
		$manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );
		return new $manager( $user_id );
	}

	/**
	 * Hashes a session token for storage.
	 *
	 * @since 4.0.0
	 * @access private
	 *
	 * @param string $token Session token to hash.
	 * @return string A hash of the session token (a verifier).
	 */
	final private function hash_token( $token ) {
		// If ext/hash is not present, use sha1() instead.
		if ( function_exists( 'hash' ) ) {
			return hash( 'sha256', $token );
		} else {
			return sha1( $token );
		}
	}

	/**
	 * Get a user's session.
	 *
	 * @since 4.0.0
	 * @access public
	 *
	 * @param string $token Session token
	 * @return array User session

	 */
	final public function get( $token ) {
		$verifier = $this->hash_token( $token );
		return $this->get_session( $verifier );
	}

	/**
	 * Validate a user's session token as authentic.
	 *
	 * Checks that the given token is present and hasn't expired.
	 *
	 * @since 4.0.0
	 * @access public
	 *
	 * @param string $token Token to verify.
	 * @return bool Whether the token is valid for the user.
	 */
	final public function verify( $token ) {
		$verifier = $this->hash_token( $token );
		return (bool) $this->get_session( $verifier );
	}

	/**
	 * Generate a session token and attach session information to it.
	 *
	 * A session token is a long, random string. It is used in a cookie
	 * link that cookie to an expiration time and to ensure the cookie
	 * becomes invalidated upon logout.
	 *
	 * This function generates a token and stores it with the associated
	 * expiration time (and potentially other session information via the
	 * {@see 'attach_session_information'} filter).
	 *
	 * @since 4.0.0
	 * @access public
	 *
	 * @param int $expiration Session expiration timestamp.
	 * @return string Session token.
	 */
	final public function create( $expiration ) {
		/**
		 * Filters the information attached to the newly created session.
		 *
		 * Could be used in the future to attach information such as
		 * IP address or user agent to a session.
		 *
		 * @since 4.0.0
		 *
		 * @param array $session Array of extra data.
		 * @param int   $user_id User ID.
		 */
		$session = apply_filters( 'attach_session_information', array(), $this->user_id );
		$session['expiration'] = $expiration;

		// IP address.
		if ( !empty( $_SERVER['REMOTE_ADDR'] ) ) {
			$session['ip'] = $_SERVER['REMOTE_ADDR'];
		}

		// User-agent.
		if ( ! empty( $_SERVER['HTTP_USER_AGENT'] ) ) {
			$session['ua'] = wp_unslash( $_SERVER['HTTP_USER_AGENT'] );
		}

		// Timestamp
		$session['login'] = time();

		$token = wp_generate_password( 43, false, false );

		$this->update( $token, $session );

		return $token;
	}

	/**
	 * Update a session token.
	 *
	 * @since 4.0.0
	 * @access public
	 *
	 * @param string $token Session token to update.
	 * @param array  $session Session information.
	 */
	final public function update( $token, $session ) {
		$verifier = $this->hash_token( $token );
		$this->update_session( $verifier, $session );
	}

	/**
	 * Destroy a session token.
	 *
	 * @since 4.0.0
	 * @access public
	 *
	 * @param string $token Session token to destroy.
	 */
	final public function destroy( $token ) {
		$verifier = $this->hash_token( $token );
		$this->update_session( $verifier, null );
	}

	/**
	 * Destroy all session tokens for this user,
	 * except a single token, presumably the one in use.
	 *
	 * @since 4.0.0
	 * @access public
	 *
	 * @param string $token_to_keep Session token to keep.
	 */
	final public function destroy_others( $token_to_keep ) {
		$verifier = $this->hash_token( $token_to_keep );
		$session = $this->get_session( $verifier );
		if ( $session ) {
			$this->destroy_other_sessions( $verifier );
		} else {
			$this->destroy_all_sessions();
		}
	}

	/**
	 * Determine whether a session token is still valid,
	 * based on expiration.
	 *
	 * @since 4.0.0
	 * @access protected
	 *
	 * @param array $session Session to check.
	 * @return bool Whether session is valid.
	 */
	final protected function is_still_valid( $session ) {
		return $session['expiration'] >= time();
	}

	/**
	 * Destroy all session tokens for a user.
	 *
	 * @since 4.0.0
	 * @access public
	 */
	final public function destroy_all() {
		$this->destroy_all_sessions();
	}

	/**
	 * Destroy all session tokens for all users.
	 *
	 * @since 4.0.0
	 * @access public
	 * @static
	 */
	final public static function destroy_all_for_all_users() {
		/** This filter is documented in wp-includes/class-wp-session-tokens.php */
		$manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );
		call_user_func( array( $manager, 'drop_sessions' ) );
	}

	/**
	 * Retrieve all sessions of a user.
	 *
	 * @since 4.0.0
	 * @access public
	 *
	 * @return array Sessions of a user.
	 */
	final public function get_all() {
		return array_values( $this->get_sessions() );
	}

	/**
	 * This method should retrieve all sessions of a user, keyed by verifier.
	 *
	 * @since 4.0.0
	 * @access protected
	 *
	 * @return array Sessions of a user, keyed by verifier.
	 */
	abstract protected function get_sessions();

	/**
	 * This method should look up a session by its verifier (token hash).
	 *
	 * @since 4.0.0
	 * @access protected
	 *
	 * @param string $verifier Verifier of the session to retrieve.
	 * @return array|null The session, or null if it does not exist.
	 */
	abstract protected function get_session( $verifier );

	/**
	 * This method should update a session by its verifier.
	 *
	 * Omitting the second argument should destroy the session.
	 *
	 * @since 4.0.0
	 * @access protected
	 *
	 * @param string $verifier Verifier of the session to update.
	 * @param array  $session  Optional. Session. Omitting this argument destroys the session.

	 */
	abstract protected function update_session( $verifier, $session = null );


	/**
	 * This method should destroy all session tokens for this user,
	 * except a single session passed.
	 *
	 * @since 4.0.0
	 * @access protected
	 *
	 * @param string $verifier Verifier of the session to keep.
	 */
	abstract protected function destroy_other_sessions( $verifier );


	/**
	 * This method should destroy all sessions for a user.
	 *
	 * @since 4.0.0
	 * @access protected
	 */
	abstract protected function destroy_all_sessions();


	/**
	 * This static method should destroy all session tokens for all users.
	 *
	 * @since 4.0.0
	 * @access public
	 * @static
	 */
	public static function drop_sessions() {}
}


1			<?php
2			/**
3			* Session API: WP_Session_Tokens class
4			*
5			* @package WordPress
6			* @subpackage Session
7			* @since 4.7.0
8			*/
9
10			/**
11			* Abstract class for managing user session tokens.
12			*
13			* @since 4.0.0
14			*/
15			abstract class WP_Session_Tokens {
16
17			/**
18			* User ID.
19			*
20			* @since 4.0.0
21			* @access protected
22			* @var int User ID.
23			*/
24			protected $user_id;
25
26			/**
27			* Protected constructor.
28			*
29			* @since 4.0.0
30			*
31			* @param int $user_id User whose session to manage.
32			*/
33			protected function __construct( $user_id ) {
34			$this->user_id = $user_id;
35			}
36
37			/**
38			* Get a session token manager instance for a user.
39			*
40			* This method contains a filter that allows a plugin to swap out
41			* the session manager for a subclass of WP_Session_Tokens.
42			*
43			* @since 4.0.0
44			* @access public
45			* @static
46			*
47			* @param int $user_id User whose session to manage.
48			*/
49			final public static function get_instance( $user_id ) {
50			/**
51			* Filters the session token manager used.
52			*
53			* @since 4.0.0
54			*
55			* @param string $session Name of class to use as the manager.
56			* Default 'WP_User_Meta_Session_Tokens'.
57			*/
58			$manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );
59			return new $manager( $user_id );
60			}
61
62			/**
63			* Hashes a session token for storage.
64			*
65			* @since 4.0.0
66			* @access private
67			*
68			* @param string $token Session token to hash.
69			* @return string A hash of the session token (a verifier).
70			*/
71			final private function hash_token( $token ) {
72			// If ext/hash is not present, use sha1() instead.
73			if ( function_exists( 'hash' ) ) {
74			return hash( 'sha256', $token );
75			} else {
76			return sha1( $token );
77			}
78			}
79
80			/**
81			* Get a user's session.
82			*
83			* @since 4.0.0
84			* @access public
85			*
86			* @param string $token Session token
87			* @return array User session
			0 ignored issues – show Documentation introduced 2017-06-24 04:05 UTC by Report Bug Copy Issue Report Should the return type not be `array\|null`? Also, consider making the array more specific, something like `array<String>`, or `String[]`. This check compares the return type specified in the `@return` annotation of a function or method doc comment with the types returned by the function and raises an issue if they mismatch. If the return type contains the type array, this check recommends the use of a more specific type like `String[]` or `array<String>`. Loading history...
88			*/
89			final public function get( $token ) {
90			$verifier = $this->hash_token( $token );
91			return $this->get_session( $verifier );
92			}
93
94			/**
95			* Validate a user's session token as authentic.
96			*
97			* Checks that the given token is present and hasn't expired.
98			*
99			* @since 4.0.0
100			* @access public
101			*
102			* @param string $token Token to verify.
103			* @return bool Whether the token is valid for the user.
104			*/
105			final public function verify( $token ) {
106			$verifier = $this->hash_token( $token );
107			return (bool) $this->get_session( $verifier );
108			}
109
110			/**
111			* Generate a session token and attach session information to it.
112			*
113			* A session token is a long, random string. It is used in a cookie
114			* link that cookie to an expiration time and to ensure the cookie
115			* becomes invalidated upon logout.
116			*
117			* This function generates a token and stores it with the associated
118			* expiration time (and potentially other session information via the
119			* {@see 'attach_session_information'} filter).
120			*
121			* @since 4.0.0
122			* @access public
123			*
124			* @param int $expiration Session expiration timestamp.
125			* @return string Session token.
126			*/
127			final public function create( $expiration ) {
128			/**
129			* Filters the information attached to the newly created session.
130			*
131			* Could be used in the future to attach information such as
132			* IP address or user agent to a session.
133			*
134			* @since 4.0.0
135			*
136			* @param array $session Array of extra data.
137			* @param int $user_id User ID.
138			*/
139			$session = apply_filters( 'attach_session_information', array(), $this->user_id );
140			$session['expiration'] = $expiration;
141
142			// IP address.
143			if ( !empty( $_SERVER['REMOTE_ADDR'] ) ) {
144			$session['ip'] = $_SERVER['REMOTE_ADDR'];
145			}
146
147			// User-agent.
148			if ( ! empty( $_SERVER['HTTP_USER_AGENT'] ) ) {
149			$session['ua'] = wp_unslash( $_SERVER['HTTP_USER_AGENT'] );
150			}
151
152			// Timestamp
153			$session['login'] = time();
154
155			$token = wp_generate_password( 43, false, false );
156
157			$this->update( $token, $session );
158
159			return $token;
160			}
161
162			/**
163			* Update a session token.
164			*
165			* @since 4.0.0
166			* @access public
167			*
168			* @param string $token Session token to update.
169			* @param array $session Session information.
170			*/
171			final public function update( $token, $session ) {
172			$verifier = $this->hash_token( $token );
173			$this->update_session( $verifier, $session );
174			}
175
176			/**
177			* Destroy a session token.
178			*
179			* @since 4.0.0
180			* @access public
181			*
182			* @param string $token Session token to destroy.
183			*/
184			final public function destroy( $token ) {
185			$verifier = $this->hash_token( $token );
186			$this->update_session( $verifier, null );
187			}
188
189			/**
190			* Destroy all session tokens for this user,
191			* except a single token, presumably the one in use.
192			*
193			* @since 4.0.0
194			* @access public
195			*
196			* @param string $token_to_keep Session token to keep.
197			*/
198			final public function destroy_others( $token_to_keep ) {
199			$verifier = $this->hash_token( $token_to_keep );
200			$session = $this->get_session( $verifier );
201			if ( $session ) {
202			$this->destroy_other_sessions( $verifier );
203			} else {
204			$this->destroy_all_sessions();
205			}
206			}
207
208			/**
209			* Determine whether a session token is still valid,
210			* based on expiration.
211			*
212			* @since 4.0.0
213			* @access protected
214			*
215			* @param array $session Session to check.
216			* @return bool Whether session is valid.
217			*/
218			final protected function is_still_valid( $session ) {
219			return $session['expiration'] >= time();
220			}
221
222			/**
223			* Destroy all session tokens for a user.
224			*
225			* @since 4.0.0
226			* @access public
227			*/
228			final public function destroy_all() {
229			$this->destroy_all_sessions();
230			}
231
232			/**
233			* Destroy all session tokens for all users.
234			*
235			* @since 4.0.0
236			* @access public
237			* @static
238			*/
239			final public static function destroy_all_for_all_users() {
240			/** This filter is documented in wp-includes/class-wp-session-tokens.php */
241			$manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );
242			call_user_func( array( $manager, 'drop_sessions' ) );
243			}
244
245			/**
246			* Retrieve all sessions of a user.
247			*
248			* @since 4.0.0
249			* @access public
250			*
251			* @return array Sessions of a user.
252			*/
253			final public function get_all() {
254			return array_values( $this->get_sessions() );
255			}
256
257			/**
258			* This method should retrieve all sessions of a user, keyed by verifier.
259			*
260			* @since 4.0.0
261			* @access protected
262			*
263			* @return array Sessions of a user, keyed by verifier.
264			*/
265			abstract protected function get_sessions();
266
267			/**
268			* This method should look up a session by its verifier (token hash).
269			*
270			* @since 4.0.0
271			* @access protected
272			*
273			* @param string $verifier Verifier of the session to retrieve.
274			* @return array\|null The session, or null if it does not exist.
275			*/
276			abstract protected function get_session( $verifier );
277
278			/**
279			* This method should update a session by its verifier.
280			*
281			* Omitting the second argument should destroy the session.
282			*
283			* @since 4.0.0
284			* @access protected
285			*
286			* @param string $verifier Verifier of the session to update.
287			* @param array $session Optional. Session. Omitting this argument destroys the session.
			0 ignored issues – show Documentation introduced 2017-06-24 04:05 UTC by Report Bug Copy Issue Report Should the type for parameter `$session` not be `array\|null`? Also, consider making the array more specific, something like `array<String>`, or `String[]`. This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. In addition it looks for parameters that have the generic type `array` and suggests a stricter type like `array<String>`. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
288			*/
289			abstract protected function update_session( $verifier, $session = null );
			0 ignored issues – show Documentation introduced 2017-06-24 04:05 UTC by Report Bug Copy Issue Report For interfaces and abstract methods it is generally a good practice to add a `@return` annotation even if it is just `@return void` or `@return null`, so that implementors know what to do in the overridden method. For interface and abstract methods, it is impossible to infer the return type from the immediate code. In these cases, it is generally advisible to explicitly annotate these methods with a `@return` doc comment to communicate to implementors of these methods what they are expected to return. Loading history...
290
291			/**
292			* This method should destroy all session tokens for this user,
293			* except a single session passed.
294			*
295			* @since 4.0.0
296			* @access protected
297			*
298			* @param string $verifier Verifier of the session to keep.
299			*/
300			abstract protected function destroy_other_sessions( $verifier );
			0 ignored issues – show Documentation introduced 2017-06-24 04:05 UTC by Report Bug Copy Issue Report For interfaces and abstract methods it is generally a good practice to add a `@return` annotation even if it is just `@return void` or `@return null`, so that implementors know what to do in the overridden method. For interface and abstract methods, it is impossible to infer the return type from the immediate code. In these cases, it is generally advisible to explicitly annotate these methods with a `@return` doc comment to communicate to implementors of these methods what they are expected to return. Loading history...
301
302			/**
303			* This method should destroy all sessions for a user.
304			*
305			* @since 4.0.0
306			* @access protected
307			*/
308			abstract protected function destroy_all_sessions();
			0 ignored issues – show Documentation introduced 2017-06-24 04:05 UTC by Report Bug Copy Issue Report For interfaces and abstract methods it is generally a good practice to add a `@return` annotation even if it is just `@return void` or `@return null`, so that implementors know what to do in the overridden method. For interface and abstract methods, it is impossible to infer the return type from the immediate code. In these cases, it is generally advisible to explicitly annotate these methods with a `@return` doc comment to communicate to implementors of these methods what they are expected to return. Loading history...
309
310			/**
311			* This static method should destroy all session tokens for all users.
312			*
313			* @since 4.0.0
314			* @access public
315			* @static
316			*/
317			public static function drop_sessions() {}
318			}
319

ntwb / wordpress

WP_Session_Tokens::__construct() A last analyzed 2017-06-24 04:06 UTC

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like

WP_Session_Tokens::__construct() A
last analyzed 2017-06-24 04:06 UTC