[wp-trac] [WordPress Trac] #55870: WP App Passwords Should be URL Decoded

WordPress Trac noreply at wordpress.org
Mon May 30 04:52:34 UTC 2022

#55870: WP App Passwords Should be URL Decoded
 Reporter:  mrahmadawais           |       Owner:  (none)
     Type:  defect (bug)           |      Status:  new
 Priority:  normal                 |   Milestone:  Awaiting Review
Component:  Application Passwords  |     Version:  5.6
 Severity:  normal                 |  Resolution:
 Keywords:  reporter-feedback      |     Focuses:  rest-api

Comment (by mrahmadawais):

 Hi @TimothyBlynJacobs

 Glad to hear back from you. Before creating a ticket I was reading your
 work on #51939.

 I have a similar situation. I don't want App passwords to support OAuth. I
 want WordPress to do that. The problem I have is that if there's an
 `Authorization: Basic whatever` header, WP thinks it's App Passwords.
 That's not always the case. Especially not in OAuth.

 I want to be able to send an `Authorization: Basic whatever` header —
 without getting a `401 Unauthorized` error — and tell WordPress `No this
 is not an App Pass so don't try to authenticate with that`.


 My current solution to this seems a bit hacky.

 add_filter( 'determine_current_user', __NAMESPACE__ . '\\skip_app_pass_auth', 19 );

 /**
  * Skip App Pass Authentication if a custom header exists by faking
  * @since 1.0.0
  * @param int|false $input_user User ID if one has been determined, false
  * @return int|false The authenticated user ID if successful, false
  */
 function skip_app_pass_auth( $input_user ) {
         // Don't authenticate twice.
         if ( ! empty( $input_user ) ) {
                 return $input_user;
         }

         // Check that we're trying to authenticate via Wordless.
         $skip_app_pass_auth = isset( $_SERVER['HTTP_SKIP_APP_PASS'] );

         if ( ! $skip_app_pass_auth ) {
                 return $input_user;
         }

         // Fake return true to say we have a valid user and allow OAuth token
         // workflow to run from the REST API request which gets stopped by App
         // Passwords auth when WP sees `Authorization: Basic whatever` ← this is
         // required for OAuth token workflow to run and doesn't have user:pass
         // instead has clientID:clientSecret.

         // Could also run OAuth code to get WP user ID and return that, which
         // might be the right idea.
         return true;
 }


 See. Not trying to make App passwords support OAuth. Only trying to get in
 a new auth method but getting stopped too early by WP with a `401
 Unauthorized` error since WP thinks every `Authorization: Basic whatever`
 is an App Pass — whereas it should be more explicit than that. Probably
 use an extra header to say `X-WP-APP-PASS` or something.

 Also, not sure if this solution is the right way to go.


Ticket URL: <https://core.trac.wordpress.org/ticket/55870#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
