[wp-trac] [WordPress Trac] #52066: Application Passwords are unusable in combination with password protected /wp-admin

WordPress Trac noreply at wordpress.org
Sat Jan 9 21:59:06 UTC 2021


#52066: Application Passwords are unusable in combination with password protected
/wp-admin
-----------------------------------+---------------------
 Reporter:  SeBsZ                  |       Owner:  (none)
     Type:  defect (bug)           |      Status:  new
 Priority:  normal                 |   Milestone:  5.6.1
Component:  Application Passwords  |     Version:  5.6
 Severity:  major                  |  Resolution:
 Keywords:  has-patch commit       |     Focuses:
-----------------------------------+---------------------

Comment (by TimothyBlynJacobs):

 One of the issues here is what we really care about is whether the front-
 end is protected by Basic Auth, but we are forced to check this in the
 admin area. So after thinking on this and @ocean90's comment, I tweaked
 the function to accept a specific `context` to check for. I think this
 makes it clear how this function is intended to be used, and its current
 shortcomings.

 I think for 5.7 we could explore making this more robust by doing a
 loopback request and checking for a `WWW-Authenticate` header.

 What are people's thoughts on this?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52066#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
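
The loopback check proposed in the comment above could look roughly like the following. This is an added example, not part of the original message and not WordPress core code; the function names and the `front` / `admin` context values are assumptions made for illustration.

```php
<?php
/**
 * Added example, not WordPress core code. Function names and the
 * 'front' / 'admin' context values are hypothetical.
 */

/**
 * Returns true if any WWW-Authenticate challenge uses the Basic scheme.
 * Accepts one header string or an array (header sent several times).
 */
function example_has_basic_challenge( $header ) {
	foreach ( (array) $header as $value ) {
		// Blank out quoted strings so a realm such as "x, Basic y" cannot
		// be mistaken for a second challenge.
		$value = preg_replace( '/"(?:[^"\\\\]|\\\\.)*"/', '""', (string) $value );

		// A challenge starts at the beginning of the value or after a comma;
		// the scheme token is case-insensitive.
		if ( preg_match( '/(?:^|,)\s*Basic(?:\s|,|$)/i', $value ) ) {
			return true;
		}
	}
	return false;
}

/**
 * Loopback probe: true if protected, false if not, null if unknown.
 */
function example_is_protected_by_basic_auth( $context = 'front' ) {
	$url = ( 'admin' === $context ) ? admin_url() : home_url( '/' );

	// Send no credentials and follow no redirects, so a 401 issued by the
	// web server is observed directly.
	$response = wp_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );

	if ( is_wp_error( $response ) ) {
		return null; // Loopback failed; the caller decides how to fall back.
	}
	if ( 401 !== wp_remote_retrieve_response_code( $response ) ) {
		return false;
	}
	return example_has_basic_challenge(
		wp_remote_retrieve_header( $response, 'www-authenticate' )
	);
}
```

Returning `null` when the loopback fails keeps "could not determine" distinct from "not protected", which matters on hosts that block requests to themselves.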

