Add require login bypass tokens feature

composer.json

@@ -13,7 +13,8 @@
 		"files": [
 			"inc/namespace.php",
 			"inc/passwords/namespace.php",
-			"inc/php_basic_auth/namespace.php"
+			"inc/php_basic_auth/namespace.php",
+			"inc/require_login/namespace.php"
 		],
 		"classmap": [
 			"inc/",
@@ -42,4 +43,4 @@
 			]
 		}
 	}
-}
+}

docs/require-login.md

@@ -15,6 +15,36 @@ Requiring login on individual sites is as easy as unchecking the site's public s
 
 ## Excluding Pages and Endpoints
 
+There are 2 ways to exclude pages and endpoints from requiring login, using the `bypass-tokens` config option or the `hm-require-login.allowed_pages` filter.
+
+### Bypass Tokens
+
+Bypass tokens are a way to allow tools like Lighthouse or Qualys access to development or staging environments using a unique query string token. This lets you check performance insights on non-production environments for non-logged in users so you can see the experience most site visitors will get.
+
+Set the `require-login` config value as an object with the property `bypass-tokens`. This should be an array of string tokens that can be set as the value of the query variable `altis-auth`.
+
+For example with the following config a development URL like `https://project-dev.altis.cloud/?altis-auth=gf6sa9fgds7a9bhfdb` will bypass the login requirement:
+
+```json
+{
+	"extra": {
+		"altis": {
+			"modules": {
+				"security": {
+					"require-login": {
+						"bypass-tokens": [
+							"gf6sa9fgds7a9bhfdb"
+						]
+					}
+				}
+			}
+		}
+	}
+}
+```
+
+### Allowed Pages Filter
+
 In certain cases you may need to exclude a URL or PHP file from redirecting to the login page when Require Login is active. This is possible using the `hm-require-login.allowed_pages` filter:
 
 ```php

inc/namespace.php

@@ -38,6 +38,7 @@ function on_plugins_loaded() {
 
 	if ( ! is_site_public() ) {
 		require_once Altis\ROOT_DIR . '/vendor/humanmade/require-login/plugin.php';
+		Require_Login\bootstrap();
 	}
 
 	if ( $config['audit-log'] ) {

inc/require_login/namespace.php

@@ -0,0 +1,48 @@
+<?php
+/**
+ * Addons for Require Login.
+ *
+ * Pass query arg like: foo/bar?altis-auth=TOKEN
+ */
+
+namespace Altis\Security\Require_Login;
+
+use Altis;
+
+const QUERY_ARG = 'altis-auth';
+
+/**
+ * Setup.
+ *
+ * @return void
+ */
+function bootstrap() : void {
+	add_filter( 'hm-require-login.allowed_pages', __NAMESPACE__ . '\\allow_request_for_valid_token', 10, 2 );
+}
+
+/**
+ * Filter require login to allow request if a valid token is passed. .
+ *
+ * @param array $allowed Allowed pages.
+ * @param string|null $page Page.
+ * @return array
+ */
+function allow_request_for_valid_token( array $allowed, ?string $page ) : array {
+	$tokens = (array) ( Altis\get_config()['modules']['security']['require-login']['bypass-tokens'] ?? [] );
+
+	/**
+	 * Filters the list of accepted values for $_GET['altis-auth'] to bypass require login.
+	 *
+	 * @param array $tokens Array of string tokens that by pass require login.
+	 */
+	$tokens = apply_filters( 'altis.security.require-login.bypass-tokens', $tokens );
+
+	if (
+		isset( $_GET[ QUERY_ARG ] ) &&
+		in_array( $_GET[ QUERY_ARG ], array_values( $tokens ), true )
+	) {
+		$allowed[] = $page;
+	}
+
+	return $allowed;
+}