[wp-trac] [WordPress Trac] #42790: Permit basic authentication to the REST API over SSL

WordPress Trac noreply at wordpress.org
Wed Mar 4 12:14:14 UTC 2020


#42790: Permit basic authentication to the REST API over SSL
-------------------------------------------------+-------------------------
 Reporter:  kadamwhite                           |       Owner:  (none)
     Type:  feature request                      |      Status:  new
 Priority:  high                                 |   Milestone:  5.5
Component:  REST API                             |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch needs-testing dev-         |     Focuses:  rest-api
  feedback 2nd-opinion                           |
-------------------------------------------------+-------------------------
Changes (by andraganescu):

 * keywords:   => has-patch needs-testing dev-feedback 2nd-opinion
 * priority:  normal => high
 * focuses:   => rest-api
 * milestone:  Awaiting Review => 5.5


Comment:

 The patch linked in the GitHub PR above is ready for review.

 This ticket aims to add BasicAuth to the REST API on hosts that support
 SSL. Basic Auth, although it is not the best authentication method, having
 the downsides of sending passwords over the wire, likely storing passwords
 on clients for re-authentication and being a probable target for brute
 force, is a very convenient authentication method, especially for apps
 that require the admin credentials of users anyway.

 Moreover, the downsides of having BasicAuth for the REST API on SSL-
 enabled hosts are not regressions, considering the fact that XML-RPC
 already supports it and is turned on by default. The fact that this
 implementation only enables BasicAuth when SSL communication is on is in
 fact progress, which addresses the "password over the wire" downside very
 well.

 Given the above, this ticket is just a feature request which helps when
 developing with REST clients in 3rd-party apps and which doesn't make
 WordPress any less secure than the current status quo. Of course, when
 there is a clear way forward and a better authentication method is
 available, the opportunity of still having BasicAuth should be reassessed,
 provided there will also be a way to maintain users' logged-in status on
 migration.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/42790#comment:23>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
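The SSL gating the comment describes, as an added illustration in plugin form (not the patch from the linked PR): HTTP Basic credentials are only evaluated for a request when `is_ssl()` is true, and a failed attempt is surfaced through the REST authentication error filter. The hook names and `wp_authenticate()` are WordPress core APIs; the `example_*` function names and global are assumptions made for this example.

```php
<?php
// Added example, not the ticket's patch: accept HTTP Basic credentials for
// the REST API only over TLS, mirroring the gating described in the comment.
global $example_basic_auth_error;
$example_basic_auth_error = null;

add_filter( 'determine_current_user', 'example_basic_auth_handler', 20 );
function example_basic_auth_handler( $user ) {
    global $example_basic_auth_error;
    $example_basic_auth_error = null;

    // A cookie/nonce or another method already identified a user: keep it.
    if ( ! empty( $user ) ) {
        return $user;
    }
    // No Basic credentials on this request: nothing to do.
    if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
        return $user;
    }
    // Plain HTTP: do not even evaluate the credentials, so the scheme is
    // never usable on the transport the comment calls out as the downside.
    if ( ! is_ssl() ) {
        return $user;
    }

    // wp_authenticate() can trigger plugins that call wp_get_current_user();
    // detach this handler while it runs to avoid re-entering it.
    remove_filter( 'determine_current_user', 'example_basic_auth_handler', 20 );
    $result = wp_authenticate( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
    add_filter( 'determine_current_user', 'example_basic_auth_handler', 20 );

    if ( is_wp_error( $result ) ) {
        // Remember the failure so the REST layer answers 401 instead of 200.
        $example_basic_auth_error = $result;
        return null;
    }
    return $result->ID;
}

add_filter( 'rest_authentication_errors', 'example_basic_auth_error' );
function example_basic_auth_error( $error ) {
    global $example_basic_auth_error;
    // Respect an error already raised by another authentication method.
    if ( ! empty( $error ) ) {
        return $error;
    }
    return $example_basic_auth_error ? $example_basic_auth_error : $error;
}
```

Refusing to evaluate credentials on plain HTTP does not stop a misconfigured client from sending them; forcing HTTPS at the web-server level (redirect plus HSTS) is the complementary control.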


More information about the wp-trac mailing list