[wp-trac] [WordPress Trac] #55870: WP App Passwords Should be URL Decoded
WordPress Trac
noreply at wordpress.org
Mon May 30 04:52:34 UTC 2022
#55870: WP App Passwords Should be URL Decoded
-----------------------------------+------------------------------
Reporter: mrahmadawais | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Application Passwords | Version: 5.6
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses: rest-api
-----------------------------------+------------------------------
Comment (by mrahmadawais):
Hi @TimothyBlynJacobs
Glad to hear back from you. Before creating a ticket I was reading your
work on #51939.
I have a similar situation. I don't want App passwords to support OAuth. I
want WordPress to do that. The problem I have is that if there's an
`Authorization: Basic whatever` header, WP thinks it's App Passwords.
That's not always the case. Especially not in OAuth.
I want to be able to send an `Authorization: Basic whatever` header —
without getting a `401 Unauthorized` error — and tell WordPress `No this
is not an App Pass so don't try to authenticate with that`.
----
My current solution to this seems a bit hacky.
{{{#!php
<?php
add_filter('determine_current_user', __NAMESPACE__ . '\\skip_app_pass_auth', 19);

/**
 * Skip App Pass Authentication if a custom header exists by faking a
 * truthy result, so the Application Passwords filter (priority 20) returns early.
 *
 * @since 1.0.0
 *
 * @param int|false $input_user User ID if one has been determined, false otherwise.
 * @return int|false|true The authenticated user ID if successful, false otherwise.
 */
function skip_app_pass_auth($input_user) {
    // Don't authenticate twice.
    if (!empty($input_user)) {
        return $input_user;
    }

    // Check that we're trying to authenticate via Wordless.
    $skip_app_pass_auth = isset($_SERVER['HTTP_SKIP_APP_PASS']) ? $_SERVER['HTTP_SKIP_APP_PASS'] : false;
    if (!$skip_app_pass_auth) {
        return $input_user;
    }

    // Fake return true to say we have a valid user and allow the OAuth token
    // workflow to run from the REST API request, which gets stopped by App
    // Passwords auth when WP sees `Authorization: Basic whatever`. This is
    // required for the OAuth token workflow to run: that header doesn't carry
    // user:pass but clientID:clientSecret.
    // Could also run OAuth code to get the WP user ID and return that, which
    // might be the right idea.
    return true;
}
}}}
----
See. Not trying to make App passwords support OAuth. Only trying to get in
a new auth method but getting stopped too early by WP with a `401
Unauthorized` error since WP thinks every `Authorization: Basic whatever`
is an App Pass — whereas it should be more explicit than that. Probably
use an extra header to say `X-WP-APP-PASS` or something.
Also, not sure if this solution is the right way to go.
Thoughts?
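An added example, not the ticket's code and not WordPress core, of the "more explicit" opt-out the comment asks for: it uses core's `wp_is_application_passwords_available` filter so that `wp_validate_application_password()` returns early for a flagged request and never records the error behind the `401`, without handing back a placeholder user. It assumes the header name `Skip-App-Pass` (illustrative only) and that the OAuth plugin registers its own `determine_current_user` callback at a priority above 20 which validates the credentials and returns a real user ID or `false`.

```php
<?php
// Added example (not from the ticket, not WordPress core). Assumptions: the
// header name Skip-App-Pass is illustrative, and the OAuth plugin hooks its
// own determine_current_user callback at priority > 20 that validates the
// clientID:clientSecret credentials itself and returns an int user ID or false.

/**
 * Does this request ask WordPress not to treat its Basic header as an
 * Application Password? Only the header's presence matters; its value is
 * ignored, because the header is client-controlled and must not be trusted
 * for anything beyond "skip this one authentication mechanism".
 *
 * @return bool
 */
function example_request_opts_out_of_app_passwords() {
    return isset( $_SERVER['HTTP_SKIP_APP_PASS'] );
}

/**
 * Core's wp_validate_application_password() (determine_current_user,
 * priority 20) returns $input_user untouched when
 * wp_is_application_passwords_available() is false, so it never calls
 * wp_authenticate_application_password() and never sets the error that
 * rest_application_password_check_errors() turns into a 401. The request
 * simply stays unauthenticated (fail closed) until a later callback proves
 * a user; nobody gains anything by adding the header themselves.
 *
 * @param bool $available Whether Application Passwords are available.
 * @return bool
 */
function example_disable_app_passwords_for_opted_out_request( $available ) {
    if ( example_request_opts_out_of_app_passwords() ) {
        return false;
    }
    return $available;
}
add_filter( 'wp_is_application_passwords_available', 'example_disable_app_passwords_for_opted_out_request' );
```

The same filter also controls whether the Application Passwords section is shown on the profile screen, but since it only returns `false` for requests carrying the header, ordinary admin page loads are unaffected.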
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55870#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform