nicumicle · RenTheProgrammer · Nov 1, 2024 · Nov 1, 2024 · Nov 1, 2024 · Nov 1, 2024
diff --git a/phpstan_bootstrap.php b/phpstan_bootstrap.php
@@ -122,6 +122,12 @@ function sanitize_text_field($value)
         return $value;
     }
 }
+if (!function_exists('sanitizePassword')) {
+    function sanitizePassword($value)
+    {
+        return $value;
+    }
+}
 if (!function_exists('wp_delete_user')) {
     function wp_delete_user($value)
     {
@@ -428,6 +434,12 @@ function wp_remote_retrieve_response_code($response){
     function wp_remote_retrieve_body($response) {
     }
 }
+if (!function_exists('wp_slash')) {
+    function wp_slash($value)
+    {
+        return $value;
+    }
+}
 
 if (!class_exists('WP_REST_Response')) {
     class WP_REST_Response

diff --git a/simple-jwt-login/src/Modules/WordPressData.php b/simple-jwt-login/src/Modules/WordPressData.php
@@ -120,7 +120,7 @@ public function checkUserExistsByUsernameAndEmail($username, $email)
     public function createUser($username, $email, $password, $role, $extraParameters = [])
     {
         $userParameters = [
-            'user_pass'  => $password,
+            'user_pass'  => $this->sanitizePassword($password),
             'user_login' => $username,
             'user_email' => $email,
         ];
@@ -499,4 +499,10 @@ public function isUserLoggedIn()
     {
         return is_user_logged_in();
     }
+
+    public function sanitizePassword($value)
+    {
+        $sanitizedValue = sanitize_text_field($value);
+        return wp_slash($sanitizedValue);
+    }
 }
diff --git a/simple-jwt-login/src/Modules/WordPressDataInterface.php b/simple-jwt-login/src/Modules/WordPressDataInterface.php
@@ -286,4 +286,10 @@ public function getUserRoles($user);
      * @return bool
      */
     public function isUserLoggedIn();
+
+    /**
+     * @param string $value
+     * @return string
+     */
+    public function sanitizePassword(value);
 }
diff --git a/simple-jwt-login/src/Services/AuthenticateService.php b/simple-jwt-login/src/Services/AuthenticateService.php
@@ -117,8 +117,9 @@ public function authenticateUser()
             );
         }
 
+
         $password = isset($this->request['password'])
-            ? $this->wordPressData->sanitizeTextField($this->request['password'])
+            ? $this->wordPressData->sanitizePassword($this->request['password'])
             : null;
         $passwordHash = isset($this->request['password_hash'])
             ? $this->wordPressData->sanitizeTextField($this->request['password_hash'])

diff --git a/tests/Feature/Authentication/SuccessTest.php b/tests/Feature/Authentication/SuccessTest.php
@@ -67,6 +67,33 @@ public function testAuthenticationEmail()
         $this->assertSame(200, $statusCode, "unable to delete the user");
     }
 
+    #[TestDox("User can authenticate with email and password that contains special characters")]
+    public function testAuthenticationEmailWithSpecialCharacterPassword()
+    {
+        // Register random user
+        list ($email, $password, $statusCode, $response) = $this->registerRandomUser("I!Wqn^&oZg*kscZVrzH^41yvaRj'");
+
+        $this->assertSame(200, $statusCode, "Unable to register user");
+
+        // Auth new USer
+        list ($statusCode, $responseContents) = $this->authUser($email, $password);
+
+        $this->assertSame(
+            200,
+            $statusCode,
+            "Auth User Failed"
+        );
+        $responseArray = json_decode($responseContents, true);
+        $this->assertArrayHasKey('success', $responseArray);
+        $this->assertTrue($responseArray['success']);
+        $this->assertArrayHasKey('data', $responseArray);
+        $this->assertArrayHasKey('jwt', $responseArray['data']);
+        $jwt = $responseArray['data']['jwt'];
+        // Cleanup
+        list($statusCode, $response) = $this->deleteUser($jwt);
+        $this->assertSame(200, $statusCode, "unable to delete the user");
+    }
+
 
     #[TestDox("User can refresh a valid JWT")]
     public function testRefreshToken()

diff --git a/tests/Feature/RegisterUsers/SuccessTest.php b/tests/Feature/RegisterUsers/SuccessTest.php
@@ -94,6 +94,30 @@ public function testSuccessWithJSONBody()
         $this->assertSame(true, $json['success']);
     }
 
+    #[TestDox("User can register with JSON body and a password that includes special characters")]
+    public function testSuccessWithJSONBodyAndSpecialCharacterPassword()
+    {
+        $faker = Factory::create();
+        $uri = self::API_URL . "?rest_route=/simple-jwt-login/v1/users";
+        $result = $this->client->post($uri, [
+            'body' => json_encode([
+                "email"  => $faker->numberBetween(0, 1000) . $faker->email(),
+                "password" => "I!Wqn^&oZg*kscZVrzH^41yvaRj'",
+            ]),
+        ]);
+
+        $this->assertSame(
+            200,
+            $result->getStatusCode()
+        );
+
+        $contents = $result->getBody()->getContents();
+        $this->assertJson($contents);
+        $json = json_decode($contents, true);
+        $this->assertArrayHasKey('success', $json);
+        $this->assertSame(true, $json['success']);
+    }
+
     #[TestDox("User can register with custom user_meta")]
     /**
      * @return void

diff --git a/tests/Feature/TestBase.php b/tests/Feature/TestBase.php
@@ -204,11 +204,14 @@ protected static function initDbDefaultOption()
     /**
      * @return array<int,string>
      */
-    protected function registerRandomUser()
+    protected function registerRandomUser(string $overridePassword = null)
     {
         $faker = Factory::create();
         $email = $faker->randomNumber(6) . $faker->email();
         $password = "1234";
+        if ($overridePassword !== null) {
+            $password = $overridePassword;
+        }
 
         $uri = self::API_URL . "?rest_route=/simple-jwt-login/v1/users";
         $result = $this->client->post($uri, [