From 5b0be97e7c0ab8f8d1beadb8f4ae151872f30b61 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date: Mon, 10 Feb 2020 05:42:52 +0000
Subject: [PATCH] Privacy: Include session tokens in Personal Data Export.

Session tokens contain an IP address and user agent.

Props garrett-eclipse, nickylimjj, lakenh, xkon, rconde.
Fixes #45889.

git-svn-id: https://develop.svn.wordpress.org/trunk@47237 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/user.php     | 43 +++++++++++++++++++++++++++++++-----
 tests/phpunit/tests/user.php | 43 ++++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+), 5 deletions(-)

diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index ac0f6a62e0..c58d290bfe 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2939,6 +2939,8 @@ function wp_register_user_personal_data_exporter( $exporters ) {
  * Finds and exports personal data associated with an email address from the user and user_meta table.
  *
  * @since 4.9.6
+ * @since 5.4.0 Added 'Community Events Location' group to the export data.
+ * @since 5.4.0 Added 'Session Tokens' group to the export data.
  *
  * @param string $email_address  The users email address.
  * @return array An array of personal data.
@@ -3012,11 +3014,6 @@ function wp_user_personal_data_exporter( $email_address ) {
 		'data'              => $user_data_to_export,
 	);
 
-	/**
-	 * Introduce any Community Events Location data that is available.
-	 *
-	 * @since 5.4.0
-	 */
 	if ( isset( $user_meta['community-events-location'] ) ) {
 		$location = maybe_unserialize( $user_meta['community-events-location'][0] );
 
@@ -3048,6 +3045,42 @@ function wp_user_personal_data_exporter( $email_address ) {
 		);
 	}
 
+	if ( isset( $user_meta['session_tokens'] ) ) {
+		$session_tokens = maybe_unserialize( $user_meta['session_tokens'][0] );
+
+		$session_tokens_props_to_export = array(
+			'expiration' => __( 'Expiration' ),
+			'ip'         => __( 'IP' ),
+			'ua'         => __( 'User Agent' ),
+			'login'      => __( 'Last Login' ),
+		);
+
+		foreach ( $session_tokens as $token_key => $session_token ) {
+			$session_tokens_data_to_export = array();
+
+			foreach ( $session_tokens_props_to_export as $key => $name ) {
+				if ( ! empty( $session_token[ $key ] ) ) {
+					$value = $session_token[ $key ];
+					if ( in_array( $key, array( 'expiration', 'login' ) ) ) {
+						$value = date_i18n( 'F d, Y H:i A', $value );
+					}
+					$session_tokens_data_to_export[] = array(
+						'name'  => $name,
+						'value' => $value,
+					);
+				}
+			}
+
+			$data_to_export[] = array(
+				'group_id'          => 'session-tokens',
+				'group_label'       => __( 'Session Tokens' ),
+				'group_description' => __( 'User&#8217;s Session Tokens data.' ),
+				'item_id'           => "session-tokens-{$user->ID}-{$token_key}",
+				'data'              => $session_tokens_data_to_export,
+			);
+		}
+	}
+
 	return array(
 		'data' => $data_to_export,
 		'done' => true,
diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php
index f2dc637040..7fb561c7df 100644
--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
@@ -1751,4 +1751,47 @@ class Tests_User extends WP_UnitTestCase {
 		$this->assertEquals( '-84.5143900', $actual['data'][1]['data'][3]['value'] );
 
 	}
+
+	/**
+	 * Testing the `wp_user_personal_data_exporter()` function
+	 * with Session Tokens data.
+	 *
+	 * @ticket 45889
+	 */
+	function test_wp_session_tokens_personal_data_exporter() {
+		$test_user = new WP_User( self::$contrib_id );
+
+		$session_tokens_data = array(
+			'yft87y56457687sfd897867545fg76ds78iyuhgjyui7865' => array(
+				'expiration' => 1580461981,
+				'ip'         => '0.0.0.0',
+				'ua'         => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36',
+				'login'      => 1580289181,
+			),
+		);
+		update_user_option( $test_user->ID, 'session_tokens', $session_tokens_data, true );
+
+		$actual = wp_user_personal_data_exporter( $test_user->user_email );
+
+		$this->assertTrue( $actual['done'] );
+
+		// Contains Session Tokens.
+		$this->assertEquals( 'Session Tokens', $actual['data'][1]['group_label'] );
+
+		// Contains Expiration.
+		$this->assertEquals( 'Expiration', $actual['data'][1]['data'][0]['name'] );
+		$this->assertEquals( 'January 31, 2020 09:13 AM', $actual['data'][1]['data'][0]['value'] );
+
+		// Contains IP.
+		$this->assertEquals( 'IP', $actual['data'][1]['data'][1]['name'] );
+		$this->assertEquals( '0.0.0.0', $actual['data'][1]['data'][1]['value'] );
+
+		// Contains IP.
+		$this->assertEquals( 'User Agent', $actual['data'][1]['data'][2]['name'] );
+		$this->assertEquals( 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36', $actual['data'][1]['data'][2]['value'] );
+
+		// Contains IP.
+		$this->assertEquals( 'Last Login', $actual['data'][1]['data'][3]['name'] );
+		$this->assertEquals( 'January 29, 2020 09:13 AM', $actual['data'][1]['data'][3]['value'] );
+	}
 }