Make WordPress Core


Timestamp:
12/04/2020 09:42:52 PM (4 years ago)
Author:
TimothyBlynJacobs
Message:

App Passwords: Prevent conflicts when Basic Auth is already used by the site.

Application Passwords uses Basic Authentication to transfer authentication details. If the site is already using Basic Auth, for instance to implement a private staging environment, then the REST API will treat this as an authentication attempt and would end up generating an error for any REST API request.

Now, Application Password authentication will only be attempted if Application Passwords is in use by a site. This is flagged by setting an option whenever an Application Password is created. An upgrade routine is added to set this option if any App Passwords already exist.

Lastly, creating an Application Password will be prevented if the site appears to already be using Basic Authentication.

Props chexwarrior, georgestephanis, adamsilverstein, helen, Clorith, marybaum, TimothyBlynJacobs.
Fixes #51939.

File:
1 edited

  • trunk/src/wp-includes/class-wp-application-passwords.php

    r49739 r49752  
    2424
    2525    /**
     26     * The option name used to store whether application passwords is in use.
     27     *
     28     * @since 5.6.0
     29     *
     30     * @type string
     31     */
     32    const OPTION_KEY_IN_USE = 'using_application_passwords';
     33
     34    /**
    2635     * The generated application password length.
    2736     *
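Review bot: The docblock for OPTION_KEY_IN_USE (new lines 26-31) says only "whether application passwords is in use", which does not tell a reader what sets the flag or what it means once set. Suggest wording it to match the is_in_use() description, for example "The option name used to store whether an application password has ever been created", and fixing the agreement ("are in use").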
     
    3140     */
    3241    const PW_LENGTH = 24;
     42
     43    /**
     44     * Checks if Application Passwords are being used by the site.
     45     *
     46     * This returns true if at least one App Password has ever been created.
     47     *
     48     * @since 5.6.0
     49     *
     50     * @return bool
     51     */
     52    public static function is_in_use() {
     53        return (bool) get_site_option( self::OPTION_KEY_IN_USE );
     54    }
    3355
    3456    /**
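Review bot: is_in_use() (new lines 52-54) is named as a current-state check, but its docblock says it is true once a password "has ever been created", and the visible changes only ever set the option to true. Per the commit message this value decides whether Application Password authentication is attempted at all, so a site that revokes its last password keeps treating Basic Auth headers as authentication attempts. Either clear the option when no passwords remain, or state in the docblock that the flag is intentionally never reset. The docblock should also mention that get_site_option() is network-wide, so on multisite one site's password sets the flag for every site in the network.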
     
    6688        if ( ! $saved ) {
    6789            return new WP_Error( 'db_error', __( 'Could not save application password.' ) );
     90        }
     91
     92        if ( ! get_site_option( self::OPTION_KEY_IN_USE ) ) {
     93            update_site_option( self::OPTION_KEY_IN_USE, true );
    6894        }
    6995
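Review bot: The return value of update_site_option() at new line 93 is ignored, so if that write fails the password has already been saved but the flag stays unset and, per the commit message, authentication with that password will never be attempted. Check the result and return an error (or undo the save) rather than handing back a password that cannot be used. The guard at line 92 could also call self::is_in_use() instead of repeating get_site_option( self::OPTION_KEY_IN_USE ).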