Make WordPress Core


Ignore:
Timestamp:
10/08/2020 10:12:02 PM (3 years ago)
Author:
TimothyBlynJacobs
Message:

REST API: Introduce Application Passwords for API authentication.

In WordPress 4.4 the REST API was first introduced. A few releases later in WordPress 4.7, the Content API endpoints were added, paving the way for Gutenberg and countless in-site experiences. In the intervening years, numerous plugins have built on top of the REST API. Many developers shared a common frustration, the lack of external authentication to the REST API.

This commit introduces Application Passwords to allow users to connect to external applications to their WordPress website. Users can generate individual passwords for each application, allowing for easy revocation and activity monitoring. An authorization flow is introduced to make the connection flow simple for users and application developers.

Application Passwords uses Basic Authentication, and by default is only available over an SSL connection.

Props georgestephanis, kasparsd, timothyblynjacobs, afercia, akkspro, andraganescu, arippberger, aristath, austyfrosty, ayesh, batmoo, bradyvercher, brianhenryie, helen, ipstenu, jeffmatson, jeffpaul, joostdevalk, joshlevinson, kadamwhite, kjbenk, koke, michael-arestad, Otto42, pekz0r, salzano, spacedmonkey, valendesigns.
Fixes #42790.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api.php

    r49108 r49109  
    210210
    211211    add_filter( 'rest_pre_dispatch', 'rest_handle_options_request', 10, 3 );
     212    add_filter( 'rest_index', 'rest_add_application_passwords_to_index' );
    212213}
    213214
     
    263264    // Users.
    264265    $controller = new WP_REST_Users_Controller;
     266    $controller->register_routes();
     267
     268    // Application Passwords
     269    $controller = new WP_REST_Application_Passwords_Controller();
    265270    $controller->register_routes();
    266271
     
    311316    $controller = new WP_REST_Block_Directory_Controller();
    312317    $controller->register_routes();
    313 
    314318}
    315319
     
    10331037
    10341038    $wp_rest_auth_cookie = true;
     1039}
     1040
     1041/**
     1042 * Collects the status of authenticating with an application password.
     1043 *
     1044 * @since 5.6.0
     1045 *
     1046 * @global WP_User|WP_Error|null $wp_rest_application_password_status
     1047 *
     1048 * @param WP_Error $user_or_error The authenticated user or error instance.
     1049 */
     1050function rest_application_password_collect_status( $user_or_error ) {
     1051    global $wp_rest_application_password_status;
     1052
     1053    $wp_rest_application_password_status = $user_or_error;
     1054}
     1055
     1056/**
     1057 * Checks for errors when using application password-based authentication.
     1058 *
     1059 * @since 5.6.0
     1060 *
     1061 * @global WP_User|WP_Error|null $wp_rest_application_password_status
     1062 *
     1063 * @param WP_Error|null|true $result Error from another authentication handler,
     1064 *                                   null if we should handle it, or another value if not.
     1065 * @return WP_Error|null|true WP_Error if the application password is invalid, the $result, otherwise true.
     1066 */
     1067function rest_application_password_check_errors( $result ) {
     1068    global $wp_rest_application_password_status;
     1069
     1070    if ( ! empty( $result ) ) {
     1071        return $result;
     1072    }
     1073
     1074    if ( is_wp_error( $wp_rest_application_password_status ) ) {
     1075        $data = $wp_rest_application_password_status->get_error_data();
     1076
     1077        if ( ! isset( $data['status'] ) ) {
     1078            $data['status'] = 401;
     1079        }
     1080
     1081        $wp_rest_application_password_status->add_data( $data );
     1082
     1083        return $wp_rest_application_password_status;
     1084    }
     1085
     1086    if ( $wp_rest_application_password_status instanceof WP_User ) {
     1087        return true;
     1088    }
     1089
     1090    return $result;
     1091}
     1092
     1093/**
     1094 * Adds Application Passwords info to the REST API index.
     1095 *
     1096 * @since 5.6.0
     1097 *
     1098 * @param WP_REST_Response $response The index response object.
     1099 * @return WP_REST_Response
     1100 */
     1101function rest_add_application_passwords_to_index( $response ) {
     1102    if ( ! wp_is_application_passwords_available() ) {
     1103        return $response;
     1104    }
     1105
     1106    $response->data['authentication']['application-passwords'] = array(
     1107        'endpoints' => array(
     1108            'authorization' => admin_url( 'authorize-application.php' ),
     1109        ),
     1110    );
     1111
     1112    return $response;
    10351113}
    10361114
Note: See TracChangeset for help on using the changeset viewer.