[wp-trac] [WordPress Trac] #42790: Permit basic authentication to the REST API over SSL
WordPress Trac
noreply at wordpress.org
Thu Jun 4 19:48:13 UTC 2020
#42790: Permit basic authentication to the REST API over SSL
-----------------------------------+---------------------------
Reporter: kadamwhite | Owner: andraganescu
Type: feature request | Status: assigned
Priority: high | Milestone: 5.5
Component: REST API | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion has-patch | Focuses: rest-api
-----------------------------------+---------------------------
Comment (by TimothyBlynJacobs):
From my experience the fundamental difference between Basic Auth and
logging in via wp-login.php is that one mechanism can easily have
additional security protections put in place, and one can't.
With wp-login.php, it can easily support Recaptcha, Two-Factor,
Passwordless, SSO, network-based protection ( like Jetpack ) Cloudflare
and other protections.
With XML-RPC that is a lot more difficult. Anything interactive like
Recaptcha, Passwordless or SSO doesn't work because it isn't interactive
auth.
Two-Factor can be done, but it is an incredibly painful user experience,
and pretty much only works with a TOTP type system since you'll typically
append the 2fa code to the password.
Adding IP based protection is also much more difficult to impossible if
you want to integrate with non-browser based applications. Both something
like Jetpack Protect that is network based, or local to the server using
fail2ban, etc... Take a hypothetical Zapier app. All the login requests
will be occurring from the same set of IPs. If a user types in their
WordPress password to Zapier wrong one too many times, they could lock out
the entirety of Zapier.
Cloudflare based protections also are much weaker since it can really only
be done in [https://support.cloudflare.com/hc/en-us/articles/200504045
-Using-CloudFlare-with-your-API API mode].
From our data, we see far more attacks via XML-RPC, and this is with a
plugin that recommends disabling XML-RPC if possible. It appears that APIs
are being used and more for credential stuffing attacks:
https://www.csoonline.com/article/3527858/apis-are-becoming-a-major-
target-for-credential-stuffing-attacks.html
----
If the only use case we were interested in was that of something like
MarsEdit where your password would only sit in your machine, I would be
less worried about all of the above. But there is also the matter of
giving your password to another service.
There is the obvious concern that making this the way applications
interact with your WordPress site will make users more comfortable
entering their WordPress password into places other than their WordPress
site. This has clear phishing implications.
What if the service gets compromised? With OAuth or Application Passwords
revocation becomes much simpler. Any non-compromised integrations can
continue to work, but the compromised service key can be revoked. With
basic auth, you'll need to rotate your actual WP password which would
involve changing it with _every_ service you've signed up for.
Additionally, users reuse passwords, a lot. If the service gets
compromised, we shouldn't add to the damage that compromise can do.
----
> While everything you stated is a totally valid concern, I don't
understand how it's any different from the status quo?
I agree that it isn't different than the status quo. But in my opinion,
the status quo is not great. Since the REST API is how we want 3rd party
developers to interact with WordPress going forward ( a future GraphQL
core project could also reuse the wp-api authentication mechanism ), I
think we have a duty to make the authentication alongside it much more
sound.
One of the reasons so many people disable XML-RPC is because of the
security ramifications, as I outlined above I don't think those concerns
are unwarranted. If we shipped basic auth for the REST API, I think a
large number of users would disable it, and we wouldn't have made any
progress.
----
@andraganescu I think the WP-API team's authentication project is in great
shape for a merge proposal in 5.6 with plenty of time to spare. If you are
interested in getting involved: https://github.com/WP-
API/authentication/projects/2 It follows fairly closely to how
WooCommerce's authentication flow that seems to work quite well and is
standards based.
So from my perspective, we should continue to address the open issues in
the wp-api/authentication repo and finish our MVP. My goal would be to
complete a merge proposal by mid-July. If that merge proposal is rejected,
then taking another look at this basic auth ticket or @georgestephanis's
app passwords would be what I'd endorse. Chatting in #core-restapi, my and
@spacedmonkey current preference would be to take this out of the 5.5
milestone.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42790#comment:34>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list