[wp-trac] [WordPress Trac] #51939: Basic Auth staging protections conflicts with App Passwords
WordPress Trac
noreply at wordpress.org
Fri Dec 4 16:01:02 UTC 2020
#51939: Basic Auth staging protections conflicts with App Passwords
-----------------------------------+-----------------------
Reporter: TimothyBlynJacobs | Owner: (none)
Type: defect (bug) | Status: new
Priority: highest omg bbq | Milestone: 5.6
Component: Application Passwords | Version: 5.6
Severity: blocker | Resolution:
Keywords: | Focuses: rest-api
-----------------------------------+-----------------------
Comment (by georgestephanis):
Replying to [comment:3 TimothyBlynJacobs]:
> > Also, if the site itself is accessed via basic auth, maybe we could
> > detect that and set an option disabling application passwords in the first
> > place?
>
> Ooh nice. I like how deviously simple this would be. Where would we put
> that logic? Perhaps detect that on `wp_loaded()`? We'd need to regularly
> invalidate it and make sure that they weren't passing it to a REST API
> route.
I have no opinions as to when to check this. I'd shy away from dropping it
in a transient in case the transient expires when unauthed API requests
are still happening?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51939#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
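
A sketch of the idea discussed in this comment, as an added example that is not part of the original message and is not WordPress core code: record Basic Auth credentials seen on non-REST page loads in a stored option rather than a transient, and use that flag to turn Application Passwords off. The option name and the `example_*` functions are hypothetical, and it assumes the server exposes the credentials to PHP as `$_SERVER['PHP_AUTH_USER']`.

```php
<?php
/**
 * Added illustration (hypothetical mu-plugin), not WordPress core code.
 * The option name and the example_* function names are assumptions.
 */
const EXAMPLE_BASIC_AUTH_OPTION = 'example_site_behind_basic_auth';

/** True when the request targets a REST API route (pretty or plain permalinks). */
function example_is_rest_route_request() {
	if ( isset( $_GET['rest_route'] ) ) {
		return true;
	}
	$path   = (string) wp_parse_url( $_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH );
	$prefix = '/' . trim( rest_get_url_prefix(), '/' ) . '/';

	// strpos() rather than a prefix match so subdirectory installs also match.
	return false !== strpos( trailingslashit( $path ), $prefix );
}

/** Record Basic Auth credentials that arrive on ordinary, non-REST page loads. */
function example_detect_basic_auth() {
	if ( empty( $_SERVER['PHP_AUTH_USER'] ) ) {
		return; // No Basic Auth credentials visible to PHP on this request.
	}
	if ( example_is_rest_route_request() ) {
		return; // Could be an Application Password client, so not evidence.
	}
	// A stored option has no expiry, unlike a transient, so the flag cannot
	// lapse while API requests are still arriving.
	if ( ! get_option( EXAMPLE_BASIC_AUTH_OPTION ) ) {
		update_option( EXAMPLE_BASIC_AUTH_OPTION, time() );
	}
}
add_action( 'wp_loaded', 'example_detect_basic_auth' );

/** Report Application Passwords as unavailable while the flag is set. */
function example_disable_app_passwords( $available ) {
	return get_option( EXAMPLE_BASIC_AUTH_OPTION ) ? false : $available;
}
add_filter( 'wp_is_application_passwords_available', 'example_disable_app_passwords' );
```

The sketch never clears the flag; the regular invalidation raised in the quoted reply would have to be added separately, for example by deleting the option once the staging protection is removed.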