Make WordPress Core


Timestamp: 12/04/2020 09:46:42 PM
Author: helen
Message:

App Passwords: Prevent conflicts when Basic Auth is already used by the site.

Application Passwords uses Basic Authentication to transfer authentication details. If the site is already using Basic Auth, for instance to implement a private staging environment, then the REST API will treat this as an authentication attempt and would end up generating an error for any REST API request.

Now, Application Password authentication will only be attempted if Application Passwords is in use by a site. This is flagged by setting an option whenever an Application Password is created. An upgrade routine is added to set this option if any App Passwords already exist.

Lastly, creating an Application Password will be prevented if the site appears to already be using Basic Authentication.

Props chexwarrior, georgestephanis, adamsilverstein, helen, Clorith, marybaum, TimothyBlynJacobs.
Reviewed by TimothyBlynJacobs, helen.
Merges [49752] to the 5.6 branch.
Fixes #51939.
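The gate described in the commit message, as an added illustration that is not WordPress core code and not part of this changeset: the option name `using_application_passwords` and the `wp_authenticate_application_password( null, 'idonotexist', 'password' )` call shape come from the diff above; the in-memory option store, the `demo_*` function names, the sample credential and the Basic Auth detection heuristic (a `PHP_AUTH_USER` value present on a request that did not authenticate as an Application Password) are assumptions made for this example.

```php
<?php
// Illustrative reimplementation of the "only authenticate when in use" gate.
// Not WordPress core code; everything prefixed demo_ is assumed for this example.

// Stand-in for WordPress site options (constructed, in-memory).
$GLOBALS['demo_site_options'] = array();

function demo_get_site_option( $key ) {
    return isset( $GLOBALS['demo_site_options'][ $key ] ) ? $GLOBALS['demo_site_options'][ $key ] : false;
}

function demo_update_site_option( $key, $value ) {
    $GLOBALS['demo_site_options'][ $key ] = $value;
}

function demo_delete_site_option( $key ) {
    unset( $GLOBALS['demo_site_options'][ $key ] );
}

// Option name taken from the diff; set once any Application Password exists.
const DEMO_IN_USE_OPTION = 'using_application_passwords';

function demo_is_application_passwords_in_use() {
    return (bool) demo_get_site_option( DEMO_IN_USE_OPTION );
}

// Stand-in for the Application Password lookup (constructed sample credential).
function demo_lookup_app_password( $username, $password ) {
    $store = array( 'alice' => 'abcd efgh ijkl mnop' );
    if ( isset( $store[ $username ] ) && hash_equals( $store[ $username ], $password ) ) {
        return $username;
    }
    return null;
}

// Mirrors what the new test expects: if the site has never created an
// Application Password, the Basic Auth header is not treated as an auth
// attempt and $input_user (null here) is passed through unchanged, so a
// site-level Basic Auth layer no longer produces REST API errors.
function demo_authenticate_application_password( $input_user, $username, $password ) {
    if ( ! demo_is_application_passwords_in_use() ) {
        return $input_user;
    }
    $user = demo_lookup_app_password( $username, $password );
    return ( null === $user ) ? $input_user : $user;
}

// Creation is refused when the request already carries Basic Auth credentials
// that were not consumed as an Application Password: the assumed signal that
// the site itself is protected by Basic Auth. Otherwise the flag is set so
// that later requests are authenticated.
function demo_create_application_password( array $server ) {
    if ( ! empty( $server['PHP_AUTH_USER'] ) && ! demo_is_application_passwords_in_use() ) {
        return 'error: site appears to already use Basic Authentication';
    }
    demo_update_site_option( DEMO_IN_USE_OPTION, 1 );
    return 'created';
}

// Walk-through of the three states from the commit message.
demo_delete_site_option( DEMO_IN_USE_OPTION );
var_dump( demo_authenticate_application_password( null, 'idonotexist', 'password' ) );
var_dump( demo_create_application_password( array( 'PHP_AUTH_USER' => 'staging' ) ) );
var_dump( demo_create_application_password( array() ) );
var_dump( demo_authenticate_application_password( null, 'alice', 'abcd efgh ijkl mnop' ) );
```

The first `var_dump` is the scenario the new unit test pins down: with the option absent, even an unknown username and password fall through as null instead of becoming an authentication failure. The design point worth keeping is that the gate is a site-wide option, not a per-request heuristic, so the detection of a conflicting Basic Auth layer only has to happen once, at creation time.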

Location:
branches/5.6
Files:
2 edited

  • branches/5.6

  • branches/5.6/tests/phpunit/tests/auth.php

    r49617 r49754  
    3838        $this->user = clone self::$_user;
    3939        wp_set_current_user( self::$user_id );
     40        update_site_option( 'using_application_passwords', 1 );
    4041    }
    4142
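Review bot: setting the flag unconditionally in the shared fixture, at the added line `update_site_option( 'using_application_passwords', 1 );`, opens the new gate for every existing authentication test, so the gate itself is exercised only where a test explicitly deletes the option, and no matching teardown is visible in this hunk; if the harness does not roll site options back between tests, the value leaks into later tests. Consider a tearDown that calls `delete_site_option( 'using_application_passwords' )`, or setting the flag only in the tests that need the authenticated path.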
     
    605606        $this->assertSame( self::$user_id, $user->ID );
    606607    }
     608
     609    /**
     610     * @ticket 51939
     611     */
     612    public function test_authenticate_application_password_returns_null_if_not_in_use() {
     613        delete_site_option( 'using_application_passwords' );
     614
     615        $authenticated = wp_authenticate_application_password( null, 'idonotexist', 'password' );
     616        $this->assertNull( $authenticated );
     617    }
    607618}
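Review bot: the new test proves the not-in-use branch only with credentials that would fail anyway (`'idonotexist'`, `'password'`), so a regression that ran the credential check before the option check would still pass. Add an assertion that `wp_authenticate_application_password( null, ... )` also returns null for a valid user and a real Application Password while the option is deleted, and consider a companion case with the option set to 0 rather than deleted, since the fixture writes `1` and the check is presumably truthiness-based. The docblock carries only `@ticket 51939`; a one-line description of the expected behaviour would help readers of the test suite.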