Allow custom authentication handlers for all requests
|Reported by:||rmccue||Owned by:||nacin|
While it's possible to write custom authentication handlers with WordPress, these methods all eventually rely on using cookies to store the current user.
It should be possible to switch out the other half of this equation. For example, OAuth handlers should be able to set the current user based on query parameters, as well as checking their own nonces.
Currently, the main obstacle to this is get_currentuserinfo(), which is hardcoded to use wp_validate_auth_cookie(). To work around this, you have to check on plugins_loaded or a similar early hook; before any other code calls is_user_logged_in(), wp_get_current_user() or anything else that uses the underlying function.
I'd like to propose adding a filter to replace the existing wp_validate_auth_cookie() call, and have it return a WP_User. wp_validate_auth_cookie() can then be hooked into this by default.
(I don't have a patch for this one yet; just noting it so I don't forget.)