Opened 4 years ago

Closed 4 years ago

#34180 closed enhancement (fixed)

Generate and Retrieve Password Reset Key Without Sorcery

Reported by: mikeschroder
Owned by: SergeyBiryukov
Milestone: 4.4
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords: has-patch commit
Focuses:
Cc:

Description

Internally, we have the need to create a WordPress Reset Password link via WP-CLI.

This is something that's currently quite difficult, since the keys are created within retrieve_password() in wp-login.php, making the only apparent way to get one to fake a POST request to wp-login.php with appropriate username, then filter key in retrieve_password_message, while also returning false to fake a send email failure, and keeping the wp_die() that follows from affecting anything.

Obviously, this is not ideal. After chatting with @markjaquith about this, he suggested a ticket and patch to refactor a bit of retrieve_password() to make it simpler.

Attached is a first pass, get_password_reset_key(), which takes a WP_User, for compatibility with existing filters, and lets the existing associated actions and filters continue to block creation, for backcompat.

Attachments (2)

password_reset_key.diff (4.9 KB) - added by mikeschroder 4 years ago.
First Pass
34180.patch (671 bytes) - added by ocean90 4 years ago.


Change History (11)

@mikeschroder
4 years ago

First Pass

This ticket was mentioned in Slack in #core by mike.


4 years ago

#3 @voldemortensen
4 years ago

+∞

We've explored using this internally as well. Eventually I just ended up writing my own subcommand class and copied a bunch of the code over. And eventually, we just abandoned it and haven't really touched it for a year-ish.

Screenshot of the function: https://cloudup.com/ih46qxH0pG8

As you can see, it's pretty much copy/pasta, and not really ideal, not fun to maintain in case of changes, etc.

Last edited 4 years ago by voldemortensen

#4 @SergeyBiryukov
4 years ago

  • Milestone changed from Awaiting Review to 4.4

#5 @SergeyBiryukov
4 years ago

  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#6 @SergeyBiryukov
4 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 34923:

Reset Password: Move the code for creating password reset key into a new function, get_password_reset_key(), and use it in retrieve_password().

Previously: [25231].

Props DH-Shredder.
Fixes #34180.

@ocean90
4 years ago

#7 @ocean90
4 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

34180.patch WP_Error is not a function.

#8 @dd32
4 years ago

  • Keywords commit added

34180.patch Looks good to me.

#9 @ocean90
4 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 35764:

Reset Password: Add a missing new operator for WP_Error in get_password_reset_key().

Missed in [34923].

Fixes #34180.
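
The use case from the ticket description, as an added example (not code from the ticket, its patches, or WordPress core): a WP-CLI command that calls get_password_reset_key() directly and handles the WP_Error it can return. The command name reset-link, the class name and the file name are hypothetical, and the URL shape is assumed to match the one retrieve_password() puts in its email.

```php
<?php
/**
 * Added example: print a password reset link from WP-CLI.
 * Hypothetical file name and command name. Load with:
 *   wp --require=reset-link.php reset-link <login>
 */
if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
	return;
}

class Reset_Link_Command {
	/**
	 * Prints a password reset URL for a user.
	 *
	 * ## OPTIONS
	 *
	 * <login>
	 * : The user's login name.
	 */
	public function __invoke( $args ) {
		$user = get_user_by( 'login', $args[0] );
		if ( ! $user ) {
			WP_CLI::error( 'No such user.' );
		}

		// The plaintext key is returned here once; the database
		// keeps only a hash of it in user_activation_key.
		$key = get_password_reset_key( $user );

		// A filter that blocks resets, or a failed database update,
		// comes back as a WP_Error instead of a key.
		if ( is_wp_error( $key ) ) {
			WP_CLI::error( $key->get_error_message() );
		}

		// Assumed to be the same URL shape retrieve_password() emails.
		$url = network_site_url(
			'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
			'login'
		);

		// The URL is a credential: keep it out of shared logs and shell history.
		WP_CLI::line( $url );
	}
}

WP_CLI::add_command( 'reset-link', 'Reset_Link_Command' );
```

Generating a new key replaces the stored hash, so any reset link issued earlier for the same user stops working.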
