plugins which use the 'authenticate' hook unable to return errors
Reported by: willnorris | Owned by:
The 'authenticate' hook is designed to allow functions to return either an authenticated WP_User object (which will cause the user to be logged in), or a WP_Error object, which will cause the errors to be displayed to the user.
In practice, most plugins that use this hook don't rely on the username and password at all, but instead on other means entirely. So what is happening with these plugins (the OpenID plugin chief among them) is that they are returning a WP_Error object that describes the error, but then the wp_authenticate_username_password function is ignoring that and returning its own WP_Error object, which rightfully shows that the username and password fields were left empty.
Unfortunately, this error object (containing both an empty username AND password) is explicitly checked for and removed in the wp_signon method. This is normally the right behavior and handles the case of a user who simply clicks "Log In" without entering anything... we don't show them an error, we just redraw the login form. However, in the case described above, an actual error did occur with an authentication plugin, but the user simply sees the normal login form with no error displayed.
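The flow described in this report, as an added example that is not part of the original ticket and is not WordPress core code: a simplified, self-contained PHP model of the handler chain. `ModelError` and the `model_*` functions are hypothetical stand-ins, the error message is constructed, and the `$keep_prior_error` flag is one possible guard assumed here for illustration.

```php
<?php
// Simplified model of the login flow in this ticket (hypothetical names, not core code).

class ModelError {                 // stand-in for WP_Error: ordered map of code => message
    public $errors = [];
    function add($code, $msg) { $this->errors[$code] = $msg; return $this; }
    function codes() { return array_keys($this->errors); }
}

// Plugin callback on 'authenticate': ignores username/password and fails for its own reason.
function model_openid_authenticate($user, $username, $password) {
    return (new ModelError())->add('openid_failed', 'Constructed sample: provider rejected the login.');
}

// Username/password handler. Without the guard it replaces whatever an earlier
// handler returned, which is the behaviour the ticket reports.
function model_username_password($user, $username, $password, $keep_prior_error) {
    if ($keep_prior_error && $user instanceof ModelError) {
        return $user;              // assumed guard: pass an earlier handler's error through
    }
    $error = new ModelError();
    if ($username === '') $error->add('empty_username', 'The username field is empty.');
    if ($password === '') $error->add('empty_password', 'The password field is empty.');
    return $error->errors ? $error : $user;
}

// Sign-on step: an error made up of exactly the two "empty" codes is treated as
// "blank form submitted" and is replaced by an error object with nothing to display.
function model_signon($username, $password, $keep_prior_error) {
    $result = model_openid_authenticate(null, $username, $password);
    $result = model_username_password($result, $username, $password, $keep_prior_error);
    if ($result instanceof ModelError
        && $result->codes() == ['empty_username', 'empty_password']) {
        $result = new ModelError();
    }
    return $result;
}

// A plugin-driven login posts the form with both fields empty.
foreach ([false, true] as $keep) {
    $shown = model_signon('', '', $keep)->codes();
    printf("keep_prior_error=%s -> errors shown: %s\n",
        $keep ? 'true' : 'false',
        $shown ? implode(', ', $shown) : '(none)');
}
```

With the guard off, the plugin's error is overwritten and then blanked, so the login form redraws silently; with it on, the plugin's error code reaches the user.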