<?php
|
namespace JVBase\managers;
|
|
use WP_User;
|
use WP_Error;
|
|
if (!defined('ABSPATH')) {
|
exit;
|
}
|
|
/**
|
* Magic Link Authentication Manager
|
*
|
* NOTE: Login form integration is now handled by LoginManager.php
|
* This class focuses solely on magic link generation and verification
|
*/
|
class MagicLinkManager
|
{
|
protected Cache $cache;
|
protected Cache $referral_cache;
|
|
// Token settings
|
protected int $token_expiry = 900; // 15 minutes in seconds
|
protected int $rate_limit_window = 3600; // 1 hour
|
protected int $max_attempts_per_hour = 5;
|
|
// Link types
|
const TYPE_LOGIN = 'login';
|
const TYPE_SIGNUP = 'signup';
|
const TYPE_REFERRAL = 'referral';
|
const TYPE_RESET = 'reset';
|
|
public function __construct()
|
{
|
$this->cache = Cache::for('magic_links', $this->token_expiry);
|
$this->referral_cache = Cache::for('referral_magic_links', 14 * DAY_IN_SECONDS);
|
|
// Hook into WordPress auth flow
|
add_action('template_redirect', [$this, 'handleMagicLinkClick']);
|
add_action('wp_login_failed', [$this, 'handleFailedLogin']);
|
add_action('jvb_process_login_tokens', [$this, 'processRegistrationToken'], 10, 3);
|
}
|
|
/**
|
* Generate and send a magic link
|
*
|
* @param string $email User's email address
|
* @param string $type Type of magic link (login, signup, referral, reset)
|
* @param array $context Additional context (referral_code, redirect_url, etc.)
|
* @return true|WP_Error
|
*/
|
public function sendMagicLink(string $email, string $type = self::TYPE_LOGIN, array $context = [])
|
{
|
// Validate email
|
$email = sanitize_email($email);
|
if (!is_email($email)) {
|
return new WP_Error('invalid_email', 'Invalid email address');
|
}
|
|
// Check rate limiting
|
$rate_check = $this->checkRateLimit($email);
|
if (is_wp_error($rate_check)) {
|
return $rate_check;
|
}
|
|
// Handle different link types
|
switch ($type) {
|
case self::TYPE_LOGIN:
|
return $this->sendLoginLink($email, $context);
|
|
case self::TYPE_SIGNUP:
|
return $this->sendSignupLink($email, $context);
|
|
case self::TYPE_REFERRAL:
|
return $this->sendReferralLink($email, $context);
|
|
case self::TYPE_RESET:
|
return $this->sendResetLink($email, $context);
|
|
default:
|
return new WP_Error('invalid_type', 'Invalid magic link type');
|
}
|
}
|
|
/**
|
* Generate a secure token
|
*/
|
protected function generateToken(string $email, string $type, array $data = []): string
|
{
|
$token = wp_generate_password(32, false);
|
|
$token_data = array_merge([
|
'email' => $email,
|
'type' => $type,
|
'created' => time()
|
], $data);
|
|
// Use longer expiry for referral tokens
|
if ($type === self::TYPE_REFERRAL) {
|
$this->referral_cache->set($token, $token_data);
|
} else {
|
$this->cache->set($token, $token_data);
|
}
|
|
return $token;
|
}
|
|
/**
|
* Verify a token
|
*/
|
public function verifyToken(string $token, string $email): array|WP_Error
|
{
|
// Try regular cache first, then referral cache
|
$token_data = $this->cache->get($token);
|
|
if (!$token_data) {
|
$token_data = $this->referral_cache->get($token);
|
}
|
|
if (!$token_data) {
|
error_log('Token not found. Checking cache stats...');
|
return new WP_Error('invalid_token', 'Invalid or expired token');
|
}
|
|
if ($token_data['email'] !== $email) {
|
return new WP_Error('email_mismatch', 'Token does not match email');
|
}
|
|
// Delete token after verification (single use)
|
// Check which cache it's in and delete from the correct one
|
if ($token_data['type'] === 'referral') {
|
$this->referral_cache->forget($token);
|
} else {
|
$this->cache->forget($token);
|
}
|
|
return $token_data;
|
}
|
|
/**
|
* Check rate limiting for sending magic links
|
*/
|
protected function checkRateLimit(string $email): bool|WP_Error
|
{
|
$cache_key = 'rate_limit_' . md5($email);
|
$attempts = $this->cache->get($cache_key);
|
|
if (!$attempts) {
|
$attempts = ['count' => 0, 'timestamp' => time()];
|
}
|
|
// Reset counter if window has passed
|
if (time() - $attempts['timestamp'] > $this->rate_limit_window) {
|
$attempts = ['count' => 0, 'timestamp' => time()];
|
}
|
|
// Check if limit exceeded
|
if ($attempts['count'] >= $this->max_attempts_per_hour) {
|
return new WP_Error(
|
'rate_limit_exceeded',
|
'Too many magic link requests. Please try again in an hour.'
|
);
|
}
|
|
// Increment counter
|
$attempts['count']++;
|
$this->cache->set($cache_key, $attempts, $this->rate_limit_window);
|
|
return true;
|
}
|
|
/**
|
* Send login magic link to existing user
|
*/
|
protected function sendLoginLink(string $email, array $context): bool|WP_Error
|
{
|
$user = get_user_by('email', $email);
|
if (!$user) {
|
return new WP_Error('user_not_found', 'No account found with this email');
|
}
|
|
$token = $this->generateToken($email, self::TYPE_LOGIN, [
|
'user_id' => $user->ID
|
]);
|
|
$magic_url = add_query_arg([
|
'magic_token' => $token,
|
'email' => rawurlencode($email),
|
'action' => 'magic_login'
|
], home_url('/'));
|
|
if (!empty($context['redirect_to'])) {
|
$magic_url = add_query_arg('redirect_to', urlencode($context['redirect_to']), $magic_url);
|
}
|
|
$subject = 'Sign in to ' . get_bloginfo('name');
|
$message = $this->getLoginEmailTemplate($user->display_name, $magic_url);
|
|
$sent = JVB()->email()->sendEmail($email, $subject, $message, 'Log in to '. get_bloginfo('name'));
|
|
return $sent ? true : new WP_Error('email_failed', 'Failed to send magic link');
|
}
|
|
/**
|
* Send signup magic link for new user registration
|
*/
|
protected function sendSignupLink(string $email, array $context): bool|WP_Error
|
{
|
// Check if user already exists
|
if (email_exists($email)) {
|
return $this->sendLoginLink($email, $context);
|
}
|
|
$token_data = [
|
'name' => $context['name'] ?? '',
|
'role' => $context['role'] ?? 'subscriber',
|
'meta' => $context['meta'] ?? []
|
];
|
|
$token = $this->generateToken($email, self::TYPE_SIGNUP, $token_data);
|
|
$magic_url = add_query_arg([
|
'magic_token' => $token,
|
'email' => rawurlencode($email),
|
'action' => 'magic_signup'
|
], home_url('/'));
|
|
$subject = 'Complete your ' . get_bloginfo('name') . ' registration';
|
$message = $this->getSignupEmailTemplate($context['name'] ?? '', $magic_url);
|
|
$sent = JVB()->email()->sendEmail($email, $subject, $message, 'Complete Registration');
|
|
return $sent ? true : new WP_Error('email_failed', 'Failed to send signup link');
|
}
|
|
/**
|
* Send referral signup link
|
*/
|
protected function sendReferralLink(string $email, array $context): bool|WP_Error
|
{
|
if (empty($context['referral_code'])) {
|
return new WP_Error('missing_referral', 'Referral code is required');
|
}
|
|
$token_data = [
|
'referral_code' => $context['referral_code'],
|
'name' => $context['name'] ?? '',
|
'role' => $context['role'] ?? 'subscriber',
|
'email' => $email
|
];
|
|
$token = $this->generateToken($email, self::TYPE_REFERRAL, $token_data);
|
|
$magic_url = add_query_arg([
|
'magic_token' => $token,
|
'email' => rawurlencode($email),
|
'action' => 'magic_referral'
|
], home_url('/'));
|
|
$referrer_name = $context['referrer_name'] ?? 'A friend';
|
$reward_text = $context['reward_text'] ?? '';
|
|
$subject = (array_key_exists('subject', $context) && $context['subject'] !== '') ? $context['subject'] : $referrer_name . ' invited you to join ' . get_bloginfo('name');
|
$message = $this->getReferralEmailTemplate($context['name'] ?? '', $referrer_name, $magic_url, $reward_text, $context);
|
|
$sent = JVB()->email()->sendEmail($email, $subject, $message, 'Accept Invitation');
|
|
return $sent ? true : new WP_Error('email_failed', 'Failed to send referral link');
|
}
|
|
/**
|
* Send password reset magic link
|
*/
|
protected function sendResetLink(string $email, array $context): bool|WP_Error
|
{
|
$user = get_user_by('email', $email);
|
if (!$user) {
|
return new WP_Error('user_not_found', 'No account found with this email');
|
}
|
|
$token = $this->generateToken($email, self::TYPE_RESET, [
|
'user_id' => $user->ID
|
]);
|
|
$magic_url = add_query_arg([
|
'magic_token' => $token,
|
'email' => rawurlencode($email),
|
'action' => 'magic_reset'
|
], home_url('/'));
|
|
$subject = 'Reset your password';
|
$message = $this->getResetEmailTemplate($user->display_name, $magic_url);
|
|
$sent = JVB()->email()->sendEmail($email, $subject, $message, 'Reset Password');
|
|
return $sent ? true : new WP_Error('email_failed', 'Failed to send reset link');
|
}
|
|
/**
|
* Handle magic link click
|
*/
|
public function handleMagicLinkClick(): void
|
{
|
if (!isset($_GET['action']) || !isset($_GET['magic_token']) || !isset($_GET['email'])) {
|
return;
|
}
|
|
$action = sanitize_text_field($_GET['action']);
|
$token = sanitize_text_field($_GET['magic_token']);
|
$email = sanitize_email(rawurldecode($_GET['email']));
|
|
if (!in_array($action, ['magic_login', 'magic_signup', 'magic_referral', 'magic_reset'])) {
|
return;
|
}
|
|
$token_data = $this->verifyToken($token, $email);
|
|
if (is_wp_error($token_data)) {
|
$this->handleInvalidToken($token_data);
|
return;
|
}
|
|
switch ($action) {
|
case 'magic_login':
|
$this->processLogin($token_data);
|
break;
|
|
case 'magic_signup':
|
$this->processSignup($token_data);
|
break;
|
|
case 'magic_referral':
|
$this->processReferralSignup($token_data);
|
break;
|
|
case 'magic_reset':
|
$this->processPasswordReset($token_data);
|
break;
|
}
|
}
|
|
/**
|
* Process login via magic link
|
*/
|
protected function processLogin(array $token_data): void
|
{
|
$user = get_user_by('ID', $token_data['user_id']);
|
|
if (!$user) {
|
wp_die('Invalid user');
|
}
|
|
wp_clear_auth_cookie();
|
wp_set_current_user($user->ID);
|
wp_set_auth_cookie($user->ID, true);
|
|
do_action('wp_login', $user->user_login, $user);
|
|
$redirect = isset($_GET['redirect_to']) ? esc_url_raw($_GET['redirect_to']) : home_url('/dash');
|
|
wp_safe_redirect($redirect);
|
exit;
|
}
|
|
/**
|
* Process signup via magic link
|
*/
|
protected function processSignup(array $token_data): void
|
{
|
if (!array_key_exists('email', $token_data) || !array_key_exists('name', $token_data)) {
|
JVB()->error()->log('[MagicLinkManager]Could not process Signup');
|
return;
|
}
|
$user_id = wp_create_user(
|
$token_data['email'],
|
wp_generate_password(20, true, true),
|
$token_data['email']
|
);
|
|
if (is_wp_error($user_id)) {
|
wp_die('Failed to create account: ' . $user_id->get_error_message());
|
}
|
|
$user = get_user_by('ID', $user_id);
|
$user->set_role($token_data['role']);
|
|
if (!empty($token_data['name'])) {
|
wp_update_user([
|
'ID' => $user_id,
|
'display_name' => $token_data['name'],
|
'first_name' => $token_data['name']
|
]);
|
}
|
|
if (!empty($token_data['meta'])) {
|
foreach ($token_data['meta'] as $key => $value) {
|
update_user_meta($user_id, BASE . $key, $value);
|
}
|
}
|
|
wp_set_current_user($user_id);
|
wp_set_auth_cookie($user_id, true);
|
|
do_action('user_register', $user_id);
|
do_action('wp_login', $user->user_login, $user);
|
|
wp_safe_redirect(home_url('/dash?welcome=1'));
|
exit;
|
}
|
|
/**
|
* Process referral signup via magic link
|
*/
|
/**
|
* Process referral signup via magic link
|
*/
|
protected function processReferralSignup(array $token_data): void
|
{
|
if (!array_key_exists('email', $token_data) || !array_key_exists('name', $token_data)) {
|
JVB()->error()->log('[MagicLinkManager]Could not process Referral Signup');
|
return;
|
}
|
|
$email = sanitize_email($token_data['email']);
|
if (email_exists($email)) {
|
wp_die('Looks like you already have an account!');
|
}
|
$role = JVB()->referrals()->getRole();
|
$pass = wp_generate_password(20, true, true);
|
$name = sanitize_text_field($token_data['name']);
|
$user_id = wp_insert_user([
|
'user_login' => $email,
|
'user_email' => $email,
|
'user_pass' => $pass,
|
'display_name' => $name,
|
'role' => $role
|
]);
|
if (!is_wp_error($user_id)) {
|
$response = JVB()->routes('login')->login($email, $pass, true);
|
if ($response) {
|
wp_safe_redirect(home_url('/dash?welcome=1&referral=1'));
|
exit;
|
}
|
} else {
|
JVB()->error()->log(
|
'[MagicLinkManager]',
|
$user_id->get_error_message(),
|
$token_data
|
);
|
}
|
}
|
|
/**
|
* Process password reset via magic link
|
*/
|
protected function processPasswordReset(array $token_data): void
|
{
|
$user = get_user_by('ID', $token_data['user_id']);
|
|
if (!$user) {
|
wp_die('Invalid user');
|
}
|
|
// Log user in and redirect to password change page
|
wp_set_current_user($user->ID);
|
wp_set_auth_cookie($user->ID, true);
|
|
wp_safe_redirect(admin_url('profile.php?password_reset=1'));
|
exit;
|
}
|
|
/**
|
* Handle invalid token
|
*/
|
protected function handleInvalidToken(WP_Error $error): void
|
{
|
wp_die($error->get_error_message());
|
}
|
|
/**
|
* Handle failed login - offer magic link option
|
*/
|
public function handleFailedLogin(string $username): void
|
{
|
// Could add logic here to automatically offer magic link
|
// after multiple failed attempts
|
}
|
|
/**
|
* Optionally block standard password auth for magic-link-only users
|
*/
|
public function blockStandardAuth($user, $username, $password)
|
{
|
if ($user instanceof WP_User) {
|
$magic_only = get_user_meta($user->ID, BASE . 'magic_link_only', true);
|
if ($magic_only) {
|
return new WP_Error('magic_link_required', 'Please use the login link sent to your email');
|
}
|
}
|
|
return $user;
|
}
|
|
// ========================================
|
// EMAIL TEMPLATES
|
// ========================================
|
|
protected function getLoginEmailTemplate(string $name, string $magic_url): string
|
{
|
$content = JVB()->email()->h2('Hey ' . esc_html($name) . '!');
|
$content .= '<p>Click the button below to sign in to your account instantly - no password needed!</p>';
|
$content .= JVB()->email()->button($magic_url, 'Sign In Now');
|
$content .= '<p>Or copy and paste this link into your browser:</p>';
|
$content .= JVB()->email()->link($magic_url);
|
$content .= JVB()->email()->divider();
|
$content .= '<p>If you didn\'t request this, you can safely ignore this email. This link expires in 15 minutes.</p>';
|
return $content;
|
}
|
|
protected function getSignupEmailTemplate(string $name, string $magic_url): string
|
{
|
$content = JVB()->email()->h2('Welcome' . ($name ? ', ' . esc_html($name) : '') . '!');
|
$content .= '<p>Click the button below to complete your registration and access your account!</p>';
|
$content .= JVB()->email()->button($magic_url, 'Complete Registration');
|
$content .= '<p>Or copy and paste this link:</p>';
|
$content .= JVB()->email()->link($magic_url);
|
$content .= JVB()->email()->spacer(10);
|
$content .= '<p><small>This link expires in 24 hours.</small></p>';
|
return $content;
|
}
|
|
protected function getReferralEmailTemplate(string $name, string $referrer_name, string $magic_url, string $reward_text, array $context): string
|
{
|
$content = JVB()->email()->h2('Hey' . ($name ? ' ' . esc_html($name) : '') . '!');
|
$content .= sprintf(
|
'<p><strong>%s</strong> thinks you\'d love %s!</p>',
|
esc_html($referrer_name),
|
esc_html(get_bloginfo('name'))
|
);
|
|
if (!empty($context['message'])) {
|
$content .= JVB()->email()->callout(nl2br(esc_html($context['message'])));
|
}
|
|
if ($reward_text) {
|
$content .= JVB()->email()->alert(
|
'<strong>Special Welcome Offer:</strong> ' . esc_html($reward_text),
|
'success'
|
);
|
}
|
|
$content .= JVB()->email()->button($magic_url, 'Join Now');
|
$content .= '<p>Or copy and paste this link:</p>';
|
$content .= JVB()->email()->link($magic_url);
|
$content .= JVB()->email()->spacer(10);
|
$content .= '<p><small>This invitation expires in 14 days.</small></p>';
|
|
return $content;
|
}
|
}
|
