From 3296f1a0b36c7992749d6209bce3ed3ef2ea5ec5 Mon Sep 17 00:00:00 2001 From: Adam Cassis Date: Wed, 15 May 2024 22:07:48 +0200 Subject: [PATCH 1/2] fix(google-login): get the email from the /tokeninfo endpoint (#3117) * fix(google-login): get the email from the /tokeninfo endpoint * chore: add more details to logging * chore: add request time to logging * fix: avoid blank error when canceling SSO login --------- Co-authored-by: dkoo --- assets/reader-activation/auth.js | 10 ++++---- includes/oauth/class-google-login.php | 24 ++++++++++++++++--- includes/oauth/class-google-oauth.php | 22 +++++++++-------- .../class-reader-activation.php | 1 + 4 files changed, 38 insertions(+), 19 deletions(-)
diff --git a/assets/reader-activation/auth.js b/assets/reader-activation/auth.js
index fd0a240f6e..dbd3dc461b 100644
--- a/assets/reader-activation/auth.js
+++ b/assets/reader-activation/auth.js
@@ -631,14 +631,12 @@ window.newspackRAS.push( function ( readerActivation ) {
 } else if ( authWindow ) {
 authWindow.location = data;
 const interval = setInterval( () => {
- if ( authWindow.closed ) {
- if ( ! googleOAuthSuccess ) {
- if ( googleLoginForm?.endLoginFlow ) {
- googleLoginForm.endLoginFlow();
- }
+ if ( ! googleOAuthSuccess ) {
+ if ( googleLoginForm?.endLoginFlow ) {
+ googleLoginForm.endLoginFlow( newspack_reader_auth_labels.login_canceled, 401 );
 }
- clearInterval( interval );
 }
+ clearInterval( interval );
 }, 500 );
 } else if ( googleLoginForm?.endLoginFlow ) {
 googleLoginForm.endLoginFlow( newspack_reader_auth_labels.blocked_popup );
diff --git a/includes/oauth/class-google-login.php b/includes/oauth/class-google-login.php
index 357b5765b0..041ded2812 100644
--- a/includes/oauth/class-google-login.php
+++ b/includes/oauth/class-google-login.php
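Review bot: With the `authWindow.closed` guard removed, the interval callback in the auth.js hunk, as it reads here, runs once after 500 ms, calls `endLoginFlow( newspack_reader_auth_labels.login_canceled, 401 )` unless `googleOAuthSuccess` is already true, and then clears itself. A reader who is still in the Google popup at that moment would be shown "Login canceled." while the flow continues in the other window. Keeping the poll conditional, `if ( authWindow.closed ) { … clearInterval( interval ); }`, reports cancellation only once the popup has actually been closed. Where `googleOAuthSuccess` is set lies outside the hunk, so this should be confirmed against the rest of the handler.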
@@ -145,10 +145,12 @@ public static function oauth_callback() { Logger::log( 'Got user email from Google: ' . $user_email ); // Associate the email address with the a unique ID for later retrieval. - $set_transient_result = OAuth_Transients::set( OAuth::get_unique_id(), 'email', $user_email ); + $uid = OAuth::get_unique_id(); + $set_transient_result = OAuth_Transients::set( $uid, 'email', $user_email ); // If transient setting failed, the email address will not be available for the registration endpoint. if ( $set_transient_result === false ) { - self::handle_error( __( 'Failed setting transient.', 'newspack-plugin' ) ); + /* translators: %s is a unique user id */ + self::handle_error( sprintf( __( 'Failed setting email transient for id: %s', 'newspack-plugin' ), $uid ) ); \wp_die( \esc_html__( 'Authentication failed.', 'newspack-plugin' ) ); } @@ -169,7 +171,23 @@ public static function oauth_callback() { * @param string $message The message to log. */ private static function handle_error( $message ) { - Logger::error( $message ); + // phpcs:disable WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__HTTP_USER_AGENT__ + Logger::error( + sprintf( + // Translators: %1$s is the error message, %2$s is the user agent. + __( '%1$s | Details: %2$s', 'newspack-plugin' ), + $message, + \wp_json_encode( + [ + 'user_agent' => isset( $_SERVER['HTTP_USER_AGENT'] ) ? sanitize_text_field( $_SERVER['HTTP_USER_AGENT'] ) : 'N/A', + 'referrer' => isset( $_SERVER['HTTP_REFERER'] ) ? esc_url( $_SERVER['HTTP_REFERER'] ) : 'N/A', + 'request_time' => isset( $_SERVER['REQUEST_TIME'] ) ? gmdate( 'Y-m-d\TH:i:s', intval( $_SERVER['REQUEST_TIME'] ) ) : 'N/A', + ], + JSON_PRETTY_PRINT + ) + ) + ); + // phpcs:enable do_action( 'newspack_google_login_error', new WP_Error( 'newspack_google_login', $message ) ); } 
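Review bot: The new error message in oauth_callback() embeds `$uid`, which the comment above describes as the key under which the reader's email is stored for later retrieval. Through handle_error() that value reaches both the error log and the `WP_Error` passed to `newspack_google_login_error` listeners. How `OAuth::get_unique_id()` derives the value is not visible here; if it is tied to the reader's session, a shortened digest such as `substr( hash( 'sha256', $uid ), 0, 12 )` would still let failures be correlated without exposing the key itself. The function starts and ends outside the hunk.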
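Review bot: handle_error() now writes the client-controlled `User-Agent` and `Referer` headers to the error log with no length cap, and escapes the referrer with a display-context function. `esc_url()` HTML-encodes ampersands for output, so logged referrers are altered; `esc_url_raw()` is the storage-context counterpart. The user agent would be safer as `substr( sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ), 0, 255 )`. Dropping `JSON_PRETTY_PRINT` keeps each error on a single log line, which is easier to parse and alert on. The translators comment should say that `%2$s` is a JSON object of request details, not only the user agent.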
diff --git a/includes/oauth/class-google-oauth.php b/includes/oauth/class-google-oauth.php index baaa15aa4d..83bace41e5 100644 --- a/includes/oauth/class-google-oauth.php +++ b/includes/oauth/class-google-oauth.php @@ -322,6 +322,7 @@ public static function get_google_auth_saved_data() { * * @param array $access_token Authentication token. * @param array $required_scopes Required scopes. + * @return string|WP_Error User's email address or error. */ public static function validate_token_and_get_email_address( $access_token, $required_scopes ) { // Validate access token. @@ -348,16 +349,17 @@ public static function validate_token_and_get_email_address( $access_token, $req return new \WP_Error( 'newspack_google_oauth', __( 'Newspack can’t access all necessary data because you haven’t granted all permissions requested during setup. Please reconnect your Google account.', 'newspack' ) ); } - $user_info_response = wp_safe_remote_get( - add_query_arg( - 'access_token', - $access_token, - 'https://www.googleapis.com/oauth2/v2/userinfo' - ) - ); - if ( 200 === wp_remote_retrieve_response_code( $user_info_response ) ) { - $user_info = json_decode( $user_info_response['body'] ); - return $user_info->email; + // The /tokeninfo response will contain the email address, as long as the email scope is present in the request. + // We always request the email scope. Otherwise, the https://www.googleapis.com/oauth2/v2/userinfo endpoint can be used + // to retrieve the user email. + if ( isset( $token_info->email ) ) { + return $token_info->email; + } else { + Logger::error( 'User email missing in the response.' ); + return new \WP_Error( + 'newspack_google_oauth', + __( 'User email missing in the response.', 'newspack' ) + ); } } else { Logger::error( 'Failed retrieving user info – invalid credentials.' ); diff --git a/includes/reader-activation/class-reader-activation.php b/includes/reader-activation/class-reader-activation.php index a1bcce29a5..cb8165ce5c 100644 
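Review bot: The email returned from the `isset( $token_info->email )` branch is what the login callback stores for the registration endpoint, yet nothing in this hunk checks that Google marks it as verified or that it is a non-empty, well-formed address. The tokeninfo response carries a verification flag next to the email, but its field name depends on the endpoint version, which is set outside this hunk. The branch could require it along the lines of `if ( ! empty( $token_info->email ) && is_email( $token_info->email ) && ! empty( $token_info->VERIFIED_FLAG_FIELD ) ) {`, with the placeholder replaced by the real field. The token validation sits above the hunk; if it does not already compare the token's audience with this site's client ID, that check belongs there too, since tokeninfo answers for tokens issued to any client. The function starts and ends outside the hunk.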
--- a/includes/reader-activation/class-reader-activation.php +++ b/includes/reader-activation/class-reader-activation.php @@ -158,6 +158,7 @@ public static function enqueue_scripts() { 'invalid_email' => __( 'Please enter a valid email address.', 'newspack-plugin' ), 'invalid_password' => __( 'Please enter a password.', 'newspack-plugin' ), 'blocked_popup' => __( 'The popup has been blocked. Allow popups for the site and try again.', 'newspack-plugin' ), + 'login_canceled' => __( 'Login canceled.', 'newspack-plugin' ), ] ); \wp_script_add_data( self::AUTH_SCRIPT_HANDLE, 'async', true ); From 1bce4f874fadac8a8d65f7d80270323ca858b261 Mon Sep 17 00:00:00 2001 From: matticbot Date: Wed, 15 May 2024 20:12:11 +0000 Subject: [PATCH 2/2] chore(release): 3.8.6 [skip ci] ## [3.8.6](https://github.com/Automattic/newspack-plugin/compare/v3.8.5...v3.8.6) (2024-05-15) ### Bug Fixes * **google-login:** get the email from the /tokeninfo endpoint ([#3117](https://github.com/Automattic/newspack-plugin/issues/3117)) ([3296f1a](https://github.com/Automattic/newspack-plugin/commit/3296f1a0b36c7992749d6209bce3ed3ef2ea5ec5)) --- CHANGELOG.md | 7 +++++++ newspack.php | 4 ++-- package-lock.json | 4 ++-- package.json | 2 +- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1fd9ee7607..7439315da2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +## [3.8.6](https://github.com/Automattic/newspack-plugin/compare/v3.8.5...v3.8.6) (2024-05-15) + + +### Bug Fixes + +* **google-login:** get the email from the /tokeninfo endpoint ([#3117](https://github.com/Automattic/newspack-plugin/issues/3117)) ([3296f1a](https://github.com/Automattic/newspack-plugin/commit/3296f1a0b36c7992749d6209bce3ed3ef2ea5ec5)) + ## [3.8.5](https://github.com/Automattic/newspack-plugin/compare/v3.8.4...v3.8.5) (2024-05-14) diff --git a/newspack.php b/newspack.php index f50a616dc5..aabb113907 100644 --- a/newspack.php +++ b/newspack.php 
@@ -2,7 +2,7 @@ /** * Plugin Name: Newspack * Description: An advanced open-source publishing and revenue-generating platform for news organizations. - * Version: 3.8.5 + * Version: 3.8.6 * Author: Automattic * Author URI: https://newspack.com/ * License: GPL2 @@ -14,7 +14,7 @@ defined( 'ABSPATH' ) || exit; -define( 'NEWSPACK_PLUGIN_VERSION', '3.8.5' ); +define( 'NEWSPACK_PLUGIN_VERSION', '3.8.6' ); // Load language files. load_plugin_textdomain( 'newspack-plugin', false, dirname( plugin_basename( __FILE__ ) ) . '/languages' ); diff --git a/package-lock.json b/package-lock.json index c73855dbcb..8e672c14ee 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "newspack", - "version": "3.8.5", + "version": "3.8.6", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "newspack", - "version": "3.8.5", + "version": "3.8.6", "hasInstallScript": true, "dependencies": { "@babel/plugin-transform-runtime": "^7.24.3", diff --git a/package.json b/package.json index 26112868a2..2a1082fbb2 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "newspack", - "version": "3.8.5", + "version": "3.8.6", "description": "The Newspack plugin. https://newspack.com", "bugs": { "url": "https://github.com/Automattic/newspack-plugin/issues"