From d1dcf08cb6caa6bd16f6e7ba1fa1e78d485e1096 Mon Sep 17 00:00:00 2001
From: Alexander Forselius
Date: Wed, 4 Mar 2020 13:40:05 +0100
Subject: [PATCH 1/2] Added password grant type
---
 inc/endpoints/class-token.php | 82 ++++++++++++++++++++++++-----------
 1 file changed, 56 insertions(+), 26 deletions(-)
diff --git a/inc/endpoints/class-token.php b/inc/endpoints/class-token.php
index 07fcd07..85800c0 100644
--- a/inc/endpoints/class-token.php
+++ b/inc/endpoints/class-token.php
@@ -52,7 +52,7 @@ public function register_routes() {
 * @return bool Whether or not the grant type is valid.
 */
 public function validate_grant_type( $type ) {
- return 'authorization_code' === $type;
+ return 'authorization_code' === $type || 'password';
 }
 /**
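Review bot: The new return expression `'authorization_code' === $type || 'password'` is always true, because the non-empty string `'password'` is truthy on its own and is never compared with `$type`, so validate_grant_type now accepts any grant_type value a client sends. The intended check is `return in_array( $type, [ 'authorization_code', 'password' ], true );`. With the validator wide open, exchange_token (next hunk) matches neither of its two branches for an unrecognised grant_type and reaches `$token->get_key()` with `$token` unset. The second patch on this page does not correct this line.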
@@ -76,36 +76,66 @@ public function exchange_token( WP_REST_Request $request ) {
 );
 }
- $auth_code = $client->get_authorization_code( $request['code'] );
- if ( is_wp_error( $auth_code ) ) {
- return $auth_code;
- }
-
- $is_valid = $auth_code->validate();
- if ( is_wp_error( $is_valid ) ) {
- // Invalid request, but code itself exists, so we should delete
- // (and silently ignore errors).
- $auth_code->delete();
+ if ($request->get_param('grant_type') == 'authorization_code') {
+ $auth_code = $client->get_authorization_code($request['code']);
+ if (is_wp_error($auth_code)) {
+ return $auth_code;
+ }
- return $is_valid;
- }
+ $is_valid = $auth_code->validate();
+ if (is_wp_error($is_valid)) {
+ // Invalid request, but code itself exists, so we should delete
+ // (and silently ignore errors).
+ $auth_code->delete();
- // Looks valid, delete the code and issue a token.
- $user = $auth_code->get_user();
- if ( is_wp_error( $user ) ) {
- return $user;
- }
+ return $is_valid;
+ }
- $did_delete = $auth_code->delete();
- if ( is_wp_error( $did_delete ) ) {
- return $did_delete;
- }
+ // Looks valid, delete the code and issue a token.
+ $user = $auth_code->get_user();
+ if (is_wp_error($user)) {
+ return $user;
+ }
- $token = $client->issue_token( $user );
- if ( is_wp_error( $token ) ) {
- return $token;
- }
+ $did_delete = $auth_code->delete();
+ if (is_wp_error($did_delete)) {
+ return $did_delete;
+ }
+ $token = $client->issue_token($user);
+ if (is_wp_error($token)) {
+ return $token;
+ }
+ } else if ($request->get_param('grant_type') === 'password') {
+ $username = $request->get_param('username');
+ $password = $request->get_param('password');
+ try {
+ $user = wp_authenticate($username, $password);
+ $token = $client->issue_token($user);
+ if (is_wp_error($token)) {
+ return $token;
+ }
+ $token = $client->issue_token($user);
+ if (is_wp_error($token)) {
+ return $token;
+ }
+ $data = [
+ 'access_token' => $token->get_key(),
+ 'token_type' => 'bearer',
+ ];
+ return $data;
+ } catch (Exception $e) {
+ return new WP_Error(
+ 'oauth2.endpoints.token.exchange_token.invalid_client',
+ /* translators: %s: client ID */
+ sprintf(__('Client ID %s is invalid.', 'oauth2'), $request['client_id']),
+ [
+ 'status' => WP_Http::BAD_REQUEST,
+ 'client_id' => $request['client_id'],
+ ]
+ );
+ }
+ }
 $data = [
 'access_token' => $token->get_key(),
 'token_type' => 'bearer',
From 8475e0f76c3f0c100e6ab057b377c3e5394ce1b6 Mon Sep 17 00:00:00 2001
From: Alexander Forselius
Date: Wed, 4 Mar 2020 14:03:13 +0100
Subject: [PATCH 2/2] Added password grant type
---
 inc/endpoints/class-token.php | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/inc/endpoints/class-token.php b/inc/endpoints/class-token.php
index 85800c0..d160d7b 100644
--- a/inc/endpoints/class-token.php
+++ b/inc/endpoints/class-token.php
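Review bot: In the password branch `$client->issue_token($user)` is called twice in a row, so every successful password grant creates two access tokens and only the second is returned, leaving the first issued but never delivered; delete the first call and its `is_wp_error` check (the duplicate survives the second patch on this page, whose last hunk only inserts a user check between them). The `catch (Exception $e)` block reports any failure as `invalid_client` with the message 'Client ID %s is invalid.', which misstates the cause — a failed credential exchange is an `invalid_grant` error under RFC 6749 §5.2, so the code should read `'oauth2.endpoints.token.exchange_token.invalid_grant'` with a message about the credentials. Neither branch assigns `$token` when grant_type matches neither string, so the trailing `$token->get_key()` runs on an undefined variable; the first branch's loose `==` should also be `===` like the second. Nothing in the hunk limits which registered clients may use the password grant, so every client gains the ability to collect raw user passwords; if the client model can carry such a flag, gate the grant on it. exchange_token begins and ends outside the hunk.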
@@ -34,10 +34,17 @@ public function register_routes() {
 'type' => 'string',
 'validate_callback' => 'rest_validate_request_arg',
 ],
+ 'username '=> [
+ 'required' => false,
+ 'type' => 'string',
+ ],
+ 'password'=> [
+ 'required' => false,
+ 'type' => 'string',
+ ],
 'code' => [
- 'required' => true,
- 'type' => 'string',
- 'validate_callback' => 'rest_validate_request_arg',
+ 'required' => false,
+ 'type' => 'string'
 ],
 ],
 ]
@@ -111,6 +118,9 @@ public function exchange_token( WP_REST_Request $request ) {
 $password = $request->get_param('password');
 try {
 $user = wp_authenticate($username, $password);
+ if (is_wp_error($user)) {
+ return $user;
+ }
 $token = $client->issue_token($user);
 if (is_wp_error($token)) {
 return $token;
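Review bot: The new argument key `'username '` has a trailing space, so the registered schema applies to a parameter literally named `username ` while exchange_token reads `$request->get_param('username')`; the line should be `'username' => [`. Making `code` optional also dropped its `'validate_callback' => 'rest_validate_request_arg'`, and `username`/`password` never received one, so none of the grant-specific parameters are checked against their declared type; keep the callback on all three. Since `required` can no longer express it, exchange_token should reject an authorization_code request without `code` and a password request without both `username` and `password` before touching them. register_routes begins and ends outside the hunk.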
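Review bot: Returning the WP_Error from `wp_authenticate()` unchanged passes WordPress's login-form messages to the OAuth client, and those messages distinguish an unknown username from a wrong password (and may contain HTML), so the token endpoint lets a caller enumerate accounts. Collapse every failure here into one generic response, e.g. `return new WP_Error( 'oauth2.endpoints.token.exchange_token.invalid_grant', __( 'Invalid username or password.', 'oauth2' ), [ 'status' => WP_Http::BAD_REQUEST ] );`, and log the specific reason server-side if it is needed. The try block enclosing these lines begins and ends outside the hunk.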