Timestamp:
01/29/2021 12:05:20 AM (3 years ago)
Author:
TimothyBlynJacobs
Message:

App Passwords: Introduce introspection endpoint.

This introduces a new endpoint, wp/v2/users/me/application-passwords/introspect, that will return details about the App Password being used to authenticate the current request. This allows for an application to disambiguate between multiple installations of their application which would all share the same app_id.

Props xkon, peterwilsoncc, TimothyBlynJacobs.
Fixes #52275.

File:
1 edited

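--- a/trunk/tests/phpunit/tests/auth.php
+++ b/trunk/tests/phpunit/tests/auth.php
@@ -39,4 +39,6 @@
         wp_set_current_user( self::$user_id );
         update_site_option( 'using_application_passwords', 1 );
+
+        unset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'], $GLOBALS['wp_rest_application_password_status'], $GLOBALS['wp_rest_application_password_uuid'] );
     }
 
@@ -45,5 +47,5 @@
 
         // Cleanup all the global state.
-        unset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'], $GLOBALS['wp_rest_application_password_status'] );
+        unset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'], $GLOBALS['wp_rest_application_password_status'], $GLOBALS['wp_rest_application_password_uuid'] );
     }
 
@@ -443,5 +445,5 @@
 
         // Create a new app-only password.
-        list( $user_app_password ) = WP_Application_Passwords::create_new_application_password( $user_id, array( 'name' => 'phpunit' ) );
+        list( $user_app_password, $item ) = WP_Application_Passwords::create_new_application_password( $user_id, array( 'name' => 'phpunit' ) );
 
         // Fake a REST API request.
@@ -453,9 +455,9 @@
         $_SERVER['PHP_AUTH_PW']   = 'http_auth_pass';
 
-        $this->assertSame(
-            null,
+        $this->assertNull(
             wp_validate_application_password( null ),
             'Regular user account password should not be allowed for API authentication'
         );
+        $this->assertNull( rest_get_authenticated_app_password() );
 
         // Not try with an App password instead.
@@ -467,4 +469,5 @@
             'Application passwords should be allowed for API authentication'
         );
+        $this->assertEquals( $item['uuid'], rest_get_authenticated_app_password() );
     }
 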
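Review bot: The assertion added at the end of the last hunk checks the authenticated password's UUID with `assertEquals`, a loose comparison; because this test pins which credential authenticated the request, `$this->assertSame( $item['uuid'], rest_get_authenticated_app_password() );` would also fail on a type mismatch. The added `$this->assertNull( rest_get_authenticated_app_password() );` only runs from the clean state left by the `unset()` in the first two hunks. A rejected credential that follows a successful application-password login in the same process is therefore not covered, and whether `$GLOBALS['wp_rest_application_password_uuid']` is cleared in that case cannot be seen from this section. The test method begins outside the visible hunks.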