Timestamp:
10/08/2020 10:12:02 PM (12 months ago)
Author:
TimothyBlynJacobs
Message:

REST API: Introduce Application Passwords for API authentication.

In WordPress 4.4 the REST API was first introduced. A few releases later in WordPress 4.7, the Content API endpoints were added, paving the way for Gutenberg and countless in-site experiences. In the intervening years, numerous plugins have built on top of the REST API. Many developers shared a common frustration, the lack of external authentication to the REST API.

This commit introduces Application Passwords to allow users to connect external applications to their WordPress website. Users can generate individual passwords for each application, allowing for easy revocation and activity monitoring. An authorization flow is introduced to make the connection flow simple for users and application developers.

Application Passwords uses Basic Authentication, and by default is only available over an SSL connection.

Props georgestephanis, kasparsd, timothyblynjacobs, afercia, akkspro, andraganescu, arippberger, aristath, austyfrosty, ayesh, batmoo, bradyvercher, brianhenryie, helen, ipstenu, jeffmatson, jeffpaul, joostdevalk, joshlevinson, kadamwhite, kjbenk, koke, michael-arestad, Otto42, pekz0r, salzano, spacedmonkey, valendesigns.
Fixes #42790.

File:
1 edited

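--- a/trunk/src/wp-admin/user-edit.php
+++ b/trunk/src/wp-admin/user-edit.php
@@ -27,4 +27,8 @@
 
 wp_enqueue_script( 'user-profile' );
+
+if ( wp_is_application_passwords_available_for_user( $user_id ) ) {
+    wp_enqueue_script( 'application-passwords' );
+}
 
 if ( IS_PROFILE_PAGE ) {
@@ -703,4 +707,37 @@
     </table>
 
+
+        <?php if ( wp_is_application_passwords_available_for_user( $user_id ) ) : ?>
+    <div class="application-passwords hide-if-no-js" id="application-passwords-section">
+        <h2><?php _e( 'Application Passwords' ); ?></h2>
+        <p><?php _e( 'Application passwords allow authentication via non-interactive systems, such as XML-RPC or the REST API, without providing your actual password. Application passwords can be easily revoked. They cannot be used for traditional logins to your website.' ); ?></p>
+        <div class="create-application-password">
+            <label for="new_application_password_name" class="screen-reader-text"><?php _e( 'New Application Password Name' ); ?></label>
+            <input type="text" size="30" id="new_application_password_name" name="new_application_password_name" placeholder="<?php esc_attr_e( 'New Application Password Name' ); ?>" class="input" />
+
+            <?php
+            /**
+             * Fires in the create Application Passwords form.
+             *
+             * @since 5.6.0
+             *
+             * @param WP_User $profileuser The current WP_User object.
+             */
+            do_action( 'wp_create_application_password_form', $profileuser );
+            ?>
+
+            <?php submit_button( __( 'Add New' ), 'secondary', 'do_new_application_password', false ); ?>
+        </div>
+
+        <div class="application-passwords-list-table-wrapper">
+            <?php
+            $application_passwords_list_table = _get_list_table( 'WP_Application_Passwords_List_Table', array( 'screen' => 'application-passwords-user' ) );
+            $application_passwords_list_table->prepare_items();
+            $application_passwords_list_table->display();
+            ?>
+        </div>
+    </div>
+<?php endif; ?>
+
         <?php
         if ( IS_PROFILE_PAGE ) {
@@ -788,4 +825,29 @@
     }
 </script>
+
+<?php if ( isset( $application_passwords_list_table ) ) : ?>
+    <script type="text/html" id="tmpl-new-application-password">
+        <div class="notice notice-success is-dismissible new-application-password-notice" role="alert" tabindex="0">
+            <p>
+                <?php
+                printf(
+                    /* translators: 1: Application name, 2: Generated password. */
+                    esc_html__( 'Your new password for %1$s is: %2$s' ),
+                    '<strong>{{ data.name }}</strong>',
+                    '<kbd>{{ data.password }}</kbd>'
+                );
+                ?>
+            </p>
+            <p><?php esc_attr_e( 'Be sure to save this in a safe location. You will not be able to retrieve it.' ); ?></p>
+            <button type="button" class="notice-dismiss">
+                <span class="screen-reader-text"><?php __( 'Dismiss this notice.' ); ?></span>
+            </button>
+        </div>
+    </script>
+
+    <script type="text/html" id="tmpl-application-password-row">
+        <?php $application_passwords_list_table->print_js_template_row(); ?>
+    </script>
+<?php endif; ?>
 <?php
 require_once ABSPATH . 'wp-admin/admin-footer.php';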
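Review bot: In the `tmpl-new-application-password` template (new line 843), `<?php __( 'Dismiss this notice.' ); ?>` returns the translated string without printing it, so the dismiss button's screen-reader span renders empty and the button has no accessible name. It should be `<?php esc_html_e( 'Dismiss this notice.' ); ?>`. Two lines above (new line 841), the "Be sure to save this in a safe location" paragraph is escaped with `esc_attr_e()` although it is element text rather than an attribute value, so `esc_html_e()` is the escaper that matches the context. The `{{ data.name }}` and `{{ data.password }}` placeholders use the double-brace form, which wp.template HTML-escapes, and should stay that way because the application name is user-supplied.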