Opened 8 years ago
Last modified 8 years ago
#40556 new enhancement
REST API: Allow for server generating a user's password
Reported by: | TimothyBlynJacobs | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 4.7 |
Component: | REST API | Keywords: | has-patch has-unit-tests |
Focuses: | rest-api | Cc: |
Description
Currently the REST API requires the client to send a password when creating a user. Ideally, the server should generate a random password when none is provided.
In WP Admin contexts this can be worked around by using the existing WP Ajax action to generate a password, but this does require a separate round trip.
In non WP Admin contexts this forces the client to generate their own password securely and it also means filters like random_password won't be called.
Patch incoming to automatically generate a password if the request parameter is omitted. If an empty string is passed, that still errors.
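The omitted-versus-empty distinction described above, as an added example that is not the ticket's attached patch or WordPress core code. All function names here are hypothetical, the generator is a stand-in so the snippet runs without WordPress, and the callable stands in for the random_password filter:

```php
<?php
// Added example. Hypothetical names throughout; not WordPress core code.

/** Stand-in password generator: uniform picks driven by the OS CSPRNG. */
function example_generate_password(int $length = 24): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()';
    $max = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() draws from the CSPRNG and is free of modulo bias.
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

/** Returns [password, was_generated]; throws on an explicit empty value. */
function example_resolve_password(array $params, ?callable $filter = null): array
{
    // array_key_exists(), not empty(): empty() would treat "" like "omitted"
    // and silently replace a client mistake with a random password.
    if (!array_key_exists('password', $params)) {
        $password = example_generate_password();
        if ($filter !== null) {
            $password = (string) $filter($password); // filter hook stand-in
        }
        return [$password, true];
    }
    if (!is_string($params['password']) || $params['password'] === '') {
        throw new InvalidArgumentException('Password cannot be empty.');
    }
    return [$params['password'], false];
}

// Constructed sample requests.
[$pw, $generated] = example_resolve_password(['username' => 'alice']);
printf("omitted:  generated=%s length=%d\n", var_export($generated, true), strlen($pw));

[$pw, $generated] = example_resolve_password(['username' => 'bob', 'password' => 'client-chosen']);
printf("supplied: generated=%s\n", var_export($generated, true));

try {
    example_resolve_password(['username' => 'carol', 'password' => '']);
} catch (InvalidArgumentException $e) {
    printf("empty:    rejected (%s)\n", $e->getMessage());
}
```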
Attachments (1)
Change History (4)
#3, 8 years ago
I think there is value in having the server generate the password, even without returning it in the response.
When relying on the password set/reset email, the user might not get to it quickly, or at all in some cases. The default password still needs to be strong in the meantime. And in conjunction with #40477 to create user accounts that don't notify the user at all. Even in those cases, the user should have a strong password to prevent brute force attacks.
Unlike in wp-admin, the user has no way to see their generated password using this functionality. I think this is something we'd want to address, but it's not clear to me how we would do it.
This is likely why we deferred this task to the client for the v2 endpoints.