[wp-trac] [WordPress Trac] #51939: Basic Auth staging protections conflicts with App Passwords

WordPress Trac noreply at wordpress.org
Fri Dec 4 16:01:02 UTC 2020


#51939: Basic Auth staging protections conflicts with App Passwords
-----------------------------------+-----------------------
 Reporter:  TimothyBlynJacobs      |       Owner:  (none)
     Type:  defect (bug)           |      Status:  new
 Priority:  highest omg bbq        |   Milestone:  5.6
Component:  Application Passwords  |     Version:  5.6
 Severity:  blocker                |  Resolution:
 Keywords:                         |     Focuses:  rest-api
-----------------------------------+-----------------------

Comment (by georgestephanis):

 Replying to [comment:3 TimothyBlynJacobs]:
 > > Also, if the site itself is accessed via basic auth, maybe we could
 > > detect that and set an option disabling application passwords in the first
 > > place?
 >
 > Ooh nice. I like how deviously simple this would be. Where would we put
 > that logic? Perhaps detect that on `wp_loaded()`? We'd need to regularly
 > invalidate it and make sure that they weren't passing it to a REST API
 > route.

 I have no opinions as to when to check this. I'd shy away from dropping it
 in a transient in case the transient expires when unauthed api requests
 are still happening?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/51939#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

