[wp-trac] [WordPress Trac] #46595: Allow more than one valid recovery mode link
WordPress Trac
noreply at wordpress.org
Thu Mar 21 22:09:10 UTC 2019
#46595: Allow more than one valid recovery mode link
----------------------------+-------------------------------
Reporter: flixos90 | Owner: timothyblynjacobs
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 5.2
Component: Bootstrap/Load | Version: trunk
Severity: normal | Keywords: needs-patch
Focuses: |
----------------------------+-------------------------------
In the new recovery mode (see #46130), it is currently only possible for a
single recovery mode link at a time to be valid. That is because the key
is stored in a `recovery_key` option, with the latest key always
overriding the previous one.
This is not too critical at this point since those links are only sent via
a rate-limited email, and due to that rate limit the link would expire
when the next one is sent anyway. However, a future iteration of the
recovery mode will allow additional ways of obtaining such a link, most
likely via request by a user with sufficient permissions. This means
multiple links need to be valid at the same time.
I talked about this with @timothyblynjacobs earlier, and we think the
following would be a good fix:
* Store key under `recovery_key_{$random_chars}`
* Add `{$random_chars}` to recovery link URL, so that it looks like
`wp-login.php?action=enter_recovery_mode&rm_key={$key}&rm_lookup={$random_chars}`
(not sure about the term "rm_lookup", but that's the general idea).
* When checking the key, get the option with the suffix `{$random_chars}`
that is included in the URL.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46595>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
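
The scheme proposed in the ticket, as an added sketch that is not WordPress core code and not part of the original message. Assumptions: an in-memory array stands in for the options table, and the key hashing, the one-hour lifetime and the hex lengths are illustrative choices.

```php
<?php
// Added illustration: $options stands in for the WordPress options table.
$options = [];

const RECOVERY_TTL = 3600; // assumed link lifetime in seconds

/** Issue a new link without overwriting any previously issued one. */
function issue_recovery_link(array &$options, int $now): string {
    $lookup = bin2hex(random_bytes(8));  // {$random_chars}: option suffix, not secret
    $key    = bin2hex(random_bytes(16)); // {$key}: the secret carried in the link
    // Assumption: store only a hash, so reading the options table yields no usable key.
    $options["recovery_key_{$lookup}"] = [
        'hash'    => hash('sha256', $key),
        'created' => $now,
    ];
    return 'wp-login.php?action=enter_recovery_mode&rm_key=' . $key . '&rm_lookup=' . $lookup;
}

/** Validate the rm_key / rm_lookup pair taken from the request. */
function validate_recovery_link(array &$options, string $key, string $lookup, int $now): bool {
    // Check the suffix shape before it is used to build an option name.
    if (!preg_match('/^[0-9a-f]{16}$/', $lookup)) {
        return false;
    }
    $name = "recovery_key_{$lookup}";
    if (!isset($options[$name])) {
        return false;
    }
    $record = $options[$name];
    if ($now - $record['created'] > RECOVERY_TTL) {
        unset($options[$name]); // drop expired entries so they do not accumulate
        return false;
    }
    // Constant-time comparison of the stored hash with the hash of the presented key.
    return hash_equals($record['hash'], hash('sha256', $key));
}

// Constructed demo: two links issued back to back, then four checks.
$now = time();
parse_str(parse_url(issue_recovery_link($options, $now), PHP_URL_QUERY), $a);
parse_str(parse_url(issue_recovery_link($options, $now), PHP_URL_QUERY), $b);
var_dump(validate_recovery_link($options, $a['rm_key'], $a['rm_lookup'], $now)); // first link
var_dump(validate_recovery_link($options, $b['rm_key'], $b['rm_lookup'], $now)); // second link
var_dump(validate_recovery_link($options, $a['rm_key'], $b['rm_lookup'], $now)); // key with wrong suffix
var_dump(validate_recovery_link($options, $a['rm_key'], $a['rm_lookup'], $now + RECOVERY_TTL + 1)); // past lifetime
```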