AxeWP / wp-graphql-headless-login

A WordPress plugin that provides Headless login and authentication for WPGraphQL, supporting traditional passwords, OAuth2/OpenID Connect, JWT, and more.
GNU General Public License v3.0

dev: disable SiteToken provider if CORS domains are unrestricted. #50

Closed justlevine closed 1 year ago

justlevine commented 1 year ago

What

This PR disables the SITETOKEN provider if shouldBlockUnauthorizedDomains is false.

Why

Limits the possibility for abuse of site token authentication.

coveralls commented 1 year ago

Coverage Status

Coverage: 83.741% (+0.02%) from 83.718% when pulling a27f3fa1f20808b44d45f2ff3dd44aec945563b8 on justlevine:dev/limit-sitetoken-to-cors into 97839af448a2011af96f4bea8f6fa64aec045149 on AxeWP:develop.