Make WordPress Core


Timestamp:
01/24/2021 02:56:18 AM (4 years ago)
Author:
TimothyBlynJacobs
Message:

App Passwords: Extract Basic Auth check into a reusable filterable function.

In [49752] a check was added to prevent creating new Application Passwords if Basic Auth credentials were detected to prevent conflicts. This check takes place in WP-Admin, though a conflict would only arise if Basic Auth was used on the website's front-end.

This commit extracts the Basic Auth check into a reusable function, wp_is_site_protected_by_basic_auth(), which can be adjusted using a filter of the same name. This way, a site that uses Basic Auth to protect WP-Admin can still use the Application Passwords feature.

In the future, instead of requiring the use of a filter, WordPress could make a loopback request and check for a WWW-Authenticate header to make this detection more robust out of the box.

Props SeBsZ, archon810, aaroncampbell, ocean90, SergeyBiryukov, TimothyBlynJacobs.
Fixes #52066.

File:
1 edited

  • trunk/src/wp-admin/authorize-application.php

    r50003 r50006  
    8989}
    9090
    91 if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) || ! empty( $_SERVER['PHP_AUTH_PW'] ) ) {
     91if ( wp_is_site_protected_by_basic_auth( 'front' ) ) {
    9292    wp_die(
    9393        __( 'Your website appears to use Basic Authentication, which is not currently compatible with Application Passwords.' ),
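Review bot: The new condition `wp_is_site_protected_by_basic_auth( 'front' )` has no inline comment explaining why an admin screen asks about the `'front'` context, and the function's definition is not part of this hunk, so a reader of authorize-application.php cannot tell how front-end protection is determined during a request to WP-Admin. A one-line comment above the `if` stating that only front-end Basic Auth conflicts with Application Passwords would make the intent clear at the call site. The `wp_die()` message below is unchanged and still says only that the website "appears to use Basic Authentication"; since the commit message says the result can be adjusted with a filter of the same name, consider pointing site owners to that filter in the message or in accompanying documentation so that a false positive is recoverable.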