Make WordPress Core

10/08/2020 10:12:02 PM (4 years ago)

REST API: Introduce Application Passwords for API authentication.

In WordPress 4.4 the REST API was first introduced. A few releases later in WordPress 4.7, the Content API endpoints were added, paving the way for Gutenberg and countless in-site experiences. In the intervening years, numerous plugins have built on top of the REST API. Many developers shared a common frustration: the lack of external authentication to the REST API.

This commit introduces Application Passwords to allow users to connect external applications to their WordPress website. Users can generate individual passwords for each application, allowing for easy revocation and activity monitoring. An authorization flow is introduced to make the connection flow simple for users and application developers.

Application Passwords uses Basic Authentication, and by default is only available over an SSL connection.

Props georgestephanis, kasparsd, timothyblynjacobs, afercia, akkspro, andraganescu, arippberger, aristath, austyfrosty, ayesh, batmoo, bradyvercher, brianhenryie, helen, ipstenu, jeffmatson, jeffpaul, joostdevalk, joshlevinson, kadamwhite, kjbenk, koke, michael-arestad, Otto42, pekz0r, salzano, spacedmonkey, valendesigns.
Fixes #42790.

1 edited


  • trunk/src/wp-includes/rest-api/class-wp-rest-server.php

    r49075 r49109  
    224224     * @see WP_REST_Server::dispatch()
    225225     *
     226     * @global WP_User $current_user The currently authenticated user.
     227     *
    226228     * @param string $path Optional. The request route. If not set, `$_SERVER['PATH_INFO']` will be used.
    227229     *                     Default null.
    229231     */
    230232    public function serve_request( $path = null ) {
     233        /* @var WP_User|null $current_user */
     234        global $current_user;
     236        if ( $current_user instanceof WP_User && ! $current_user->exists() ) {
     237            /*
     238             * If there is no current user authenticated via other means, clear
     239             * the cached lack of user, so that an authenticate check can set it
     240             * properly.
     241             *
     242             * This is done because for authentications such as Application
     243             * Passwords, we don't want it to be accepted unless the current HTTP
     244             * request is an API request, which can't always be identified early
     245             * enough in evaluation.
     246             */
     247            $current_user = null;
     248        }
    231250        $content_type = isset( $_GET['_jsonp'] ) ? 'application/javascript' : 'application/json';
    232251        $this->send_header( 'Content-Type', $content_type . '; charset=' . get_option( 'blog_charset' ) );
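Review bot: the new `@global WP_User $current_user` docblock line (new line 226) declares a non-nullable type, but the same hunk annotates the variable as `WP_User|null` and assigns `$current_user = null`; change the docblock to `@global WP_User|null $current_user` so the two agree. The block comment also says an authenticate check "can set it properly" without naming what repopulates the global after the reset; a short pointer to the call that does so (the next `wp_get_current_user()` call) would save the next reader a search, since this reset now runs for every REST request that reaches `serve_request()`, not only those carrying an Application Password.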