[wp-trac] [WordPress Trac] #61644: Invalidate application password
WordPress Trac
noreply at wordpress.org
Fri Jul 12 11:51:32 UTC 2024
#61644: Invalidate application password
-----------------------------------+-----------------------------
Reporter: senna765 | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Application Passwords | Version: 6.5.5
Severity: major | Keywords:
Focuses: |
-----------------------------------+-----------------------------
Currently application passwords do not have any expiration. Due to a security
issue, as `password` is returned in the query string and all GET requests are
logged in webserver logs, we need to invalidate those tokens
programmatically.
To revoke a token we need to get the uuid because it is not possible to delete a
token by appId. Currently there is an endpoint GET /wp-json/wp/v2/users/me/application-passwords/introspect,
but because this is a GET request method it is cached by the LiteSpeed Cache
plugin and returns cached results.
So my proposal would be to:
1. Add the ability to revoke a token based on appId, as this is a known value to
the application.
2. Change the request method to POST for wp-json/wp/v2/users/me/application-passwords/introspect,
as the LiteSpeed Cache plugin is not caching POST requests.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61644>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
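Added example, not code from the ticket or from WordPress core: a plugin-side implementation of proposal 1 (revocation by appId) built on the existing `WP_Application_Passwords` class. The route name `example/v1/application-passwords/by-app-id` and the helper function name are assumptions; the route is registered as DELETE rather than GET, so the page-cache problem the ticket describes for the introspect endpoint does not apply, and `app_id` can be sent in the request body instead of the query string.

```php
<?php
// Added example (not WordPress core code, not the reporter's code). Route and
// function names are assumptions; the WP_Application_Passwords calls are core API.

/**
 * Revoke every application password of $user_id that was created with $app_id.
 * app_id is chosen by the client at creation time and is not required to be
 * unique, so several records may match; all matching records are revoked.
 *
 * @return string[] UUIDs of the records that were deleted.
 */
function example_revoke_app_passwords_by_app_id( int $user_id, string $app_id ): array {
	$revoked = array();
	foreach ( WP_Application_Passwords::get_user_application_passwords( $user_id ) as $item ) {
		if ( ! empty( $item['app_id'] ) && $item['app_id'] === $app_id ) {
			// delete_application_password() returns true on success or a WP_Error.
			$result = WP_Application_Passwords::delete_application_password( $user_id, $item['uuid'] );
			if ( true === $result ) {
				$revoked[] = $item['uuid'];
			}
		}
	}
	return $revoked;
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/application-passwords/by-app-id', array(
		// DELETE, not GET: page caches serve only GET from cache, and app_id
		// can travel in the JSON body rather than in the logged query string.
		'methods'             => 'DELETE',
		'permission_callback' => function () {
			// The route only ever acts on the caller's own records.
			return is_user_logged_in();
		},
		'args'                => array(
			'app_id' => array(
				'required'          => true,
				'type'              => 'string',
				// Core stores app_id as a UUID; reject anything else early.
				'validate_callback' => function ( $value ) {
					return wp_is_uuid( $value );
				},
			),
		),
		'callback'            => function ( WP_REST_Request $request ) {
			$revoked = example_revoke_app_passwords_by_app_id( get_current_user_id(), $request['app_id'] );
			return rest_ensure_response( array( 'revoked' => $revoked ) );
		},
	) );
} );
```

Because `app_id` is client-supplied, the response lists every UUID that was revoked so the caller can confirm nothing unexpected matched.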