[wp-trac] [WordPress Trac] #42790: Permit basic authentication to the REST API over SSL
WordPress Trac
noreply at wordpress.org
Fri Mar 20 12:36:49 UTC 2020
#42790: Permit basic authentication to the REST API over SSL
-----------------------------------+---------------------------
Reporter: kadamwhite | Owner: andraganescu
Type: feature request | Status: assigned
Priority: high | Milestone: 5.5
Component: REST API | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion has-patch | Focuses: rest-api
-----------------------------------+---------------------------
Comment (by spacedmonkey):
I fundamentally disagree with this being in core. I think it is a massive
security issue that allows bad actors to create, edit or delete content on
a user's site. Without brute force protection in core, it would also allow bad
actors to brute force a password. I know this is an issue with the normal
password login screen, but the REST API allows for a high level of
automation when it comes to attacking sites.
How about the following:
- Create a new API that allows for password and username to be submitted
(requiring SSL).
- This endpoint returns a token (maybe a JWT).
- This token would live for the same amount of time as the user's cookie
(2 days / 2 weeks).
- Another API could be added to refresh a token or get a new one.
- If a user changes passwords, all tokens will be revoked.
- Authenticated requests will require the token to be sent as a header.
There is already a plugin that does this on GitHub called
[https://github.com/Tmeister/wp-api-jwt-auth Tmeister/wp-api-jwt-auth].
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42790#comment:27>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
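As an added illustration of the scheme proposed in the comment above (not code from WordPress core, from the ticket, or from the Tmeister plugin), the following plugin-style sketch wires up the pieces listed: an HTTPS-only endpoint that exchanges a username and password for a token, a refresh endpoint, header-based authentication of later requests, revocation of every outstanding token when the password changes, and a simple failed-attempt limit in front of the credential endpoint. The namespace `example/v1`, the paths `/token` and `/token/refresh`, the header `X-Example-Token`, the 14-day lifetime, and the per-IP attempt limits are assumptions chosen for the example, not values from the ticket.

```php
<?php
/**
 * Plugin Name: Example REST token auth (illustrative sketch, not core code)
 *
 * Assumed values (not from the ticket): namespace example/v1, routes /token
 * and /token/refresh, request header X-Example-Token, 14-day token lifetime,
 * and a per-IP limit of 10 failed logins per 15 minutes kept in a transient.
 */

const EXAMPLE_TOKEN_LIFETIME = 14 * DAY_IN_SECONDS;
const EXAMPLE_MAX_ATTEMPTS   = 10;
const EXAMPLE_ATTEMPT_WINDOW = 15 * MINUTE_IN_SECONDS;

// Token = "<user id>|<expiry>|<HMAC>". The HMAC covers a fragment of the stored
// password hash, so changing the password changes the fragment and every
// existing token stops verifying, with nothing to store or revoke server-side.
// Core's own auth cookie (wp_generate_auth_cookie) uses the same trick.
function example_issue_token( WP_User $user, int $expiration ) : string {
	$pass_frag = substr( $user->user_pass, 8, 4 );
	$payload   = $user->ID . '|' . $expiration;
	$sig       = hash_hmac( 'sha256', $payload . '|' . $pass_frag, wp_salt( 'auth' ) );
	return $payload . '|' . $sig;
}

// Return the WP_User for a well-formed, unexpired, correctly signed token, else null.
function example_validate_token( string $token ) {
	$parts = explode( '|', $token );
	if ( 3 !== count( $parts ) ) {
		return null;
	}
	list( $user_id, $expiration, $sig ) = $parts;
	if ( ! ctype_digit( $user_id ) || ! ctype_digit( $expiration ) || (int) $expiration < time() ) {
		return null;
	}
	$user = get_user_by( 'id', (int) $user_id );
	if ( ! $user ) {
		return null;
	}
	// Recompute with the current password fragment and compare in constant time.
	return hash_equals( example_issue_token( $user, (int) $expiration ), $token ) ? $user : null;
}

function example_header_token() : string {
	return isset( $_SERVER['HTTP_X_EXAMPLE_TOKEN'] ) ? wp_unslash( $_SERVER['HTTP_X_EXAMPLE_TOKEN'] ) : '';
}

// Let a valid header token establish the current user for any REST request.
// Because the user is not set by a cookie, core's REST nonce check does not apply.
add_filter( 'determine_current_user', function ( $user_id ) {
	if ( $user_id || '' === example_header_token() ) {
		return $user_id;
	}
	$user = example_validate_token( example_header_token() );
	return $user ? $user->ID : $user_id;
}, 20 );

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/token', array(
		'methods'             => 'POST',
		'callback'            => 'example_token_endpoint',
		'permission_callback' => '__return_true', // credentials are checked in the callback
		'args'                => array(
			'username' => array( 'required' => true, 'type' => 'string' ),
			'password' => array( 'required' => true, 'type' => 'string' ),
		),
	) );
	register_rest_route( 'example/v1', '/token/refresh', array(
		'methods'             => 'POST',
		'callback'            => 'example_refresh_endpoint',
		'permission_callback' => function () {
			return null !== example_validate_token( example_header_token() );
		},
	) );
} );

function example_token_endpoint( WP_REST_Request $request ) {
	if ( ! is_ssl() ) {
		return new WP_Error( 'example_ssl_required', 'Credentials are only accepted over HTTPS.', array( 'status' => 403 ) );
	}
	// Failed-attempt counter per source IP, kept in a transient (assumed limits).
	$key      = 'example_login_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
	$attempts = (int) get_transient( $key );
	if ( $attempts >= EXAMPLE_MAX_ATTEMPTS ) {
		return new WP_Error( 'example_too_many_attempts', 'Too many failed logins; try again later.', array( 'status' => 429 ) );
	}
	$user = wp_authenticate( $request->get_param( 'username' ), $request->get_param( 'password' ) );
	if ( is_wp_error( $user ) ) {
		set_transient( $key, $attempts + 1, EXAMPLE_ATTEMPT_WINDOW );
		return new WP_Error( 'example_bad_credentials', 'Invalid username or password.', array( 'status' => 401 ) );
	}
	delete_transient( $key );
	$expiration = time() + EXAMPLE_TOKEN_LIFETIME;
	return rest_ensure_response( array( 'token' => example_issue_token( $user, $expiration ), 'expires' => $expiration ) );
}

// Trade a still-valid token for a fresh one with a new expiry.
function example_refresh_endpoint( WP_REST_Request $request ) {
	$user       = example_validate_token( example_header_token() );
	$expiration = time() + EXAMPLE_TOKEN_LIFETIME;
	return rest_ensure_response( array( 'token' => example_issue_token( $user, $expiration ), 'expires' => $expiration ) );
}
```

Two design points worth noting. Binding the signature to a fragment of the password hash gives the "all tokens revoked on password change" property for free, and the `determine_current_user` filter is the same hook core uses for non-cookie authentication, so a valid header token is enough for write requests without a REST nonce. The transient-based counter is only a coarse mitigation for the brute-force concern raised in the comment: it is keyed on `REMOTE_ADDR`, so it needs adjusting behind a proxy, and a shared object cache or a dedicated rate limiter is a better fit for a real deployment.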