Make WordPress Core

Opened 4 years ago

Last modified 18 months ago

#51173 new feature request

Add support for /.well-known/change-password

Reported by: romainmrhenry's profile romainmrhenry Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords: needs-unit-tests needs-patch
Focuses: Cc:

Description

[Chrome Feature](https://www.chromestatus.com/feature/6256768407568384)
[Editors Draft](https://wicg.github.io/change-password-url/)

This already landed in Safari

Would it be possible to add support for /.well-known/change-password into WordPress?

This might redirect to wp_login_url()

Attachments (1)

canonical.diff (476 bytes) - added by romainmrhenry 4 years ago.

Download all attachments as: .zip

Change History (14)

#1 @SergeyBiryukov
4 years ago

  • Component changed from General to Login and Registration

#2 @johnbillion
4 years ago

  • Version trunk deleted

Note: Some hosts handle routing for the .well-known path internally, meaning that such requests might not ever reach the web server that WordPress is running on. I know for example that SiteGround does this.

#3 @romainmrhenry
4 years ago

Yes, also read some anecdotes of either hosts or proxies handling all .well-known paths. I personally think this is a bad practice, but unfortunately the [spec](https://www.rfc-editor.org/rfc/rfc8615.html) does not prohibit this.

Last edited 4 years ago by romainmrhenry (previous) (diff)

#4 @ayeshrajans
4 years ago

  • Keywords needs-unit-tests added

+1 from me. I think it's a really nice addition. I'm not sure redirecting to the login page is the correct approach though. Shouldn't we send the user to wp-admin/profile.php, where the new password field is located? WordPress will take care to redirect the user to the login page with redirect_to parameter set back to wp-admin/profile.php in case the user is not logged in.

#5 @romainmrhenry
4 years ago

I though about redirecting to wp-admin/profile.php and still consider it a good option.

wp_login_url() might offer more options to theme builders, especially those with custom user flows (ecommerce).

It might need to be a separate thing altogether with a dedicated filter.

#6 @ayeshrajans
4 years ago

This URL is intended to be used when the user tries to change the password, as in a password manager helping to automatically or semi-automatically change the password. I think a redirect to the profile page is fine, because any custom workflows for user profile would redirect the user from profile page to any custom page anyway.

#7 @pfefferle
3 years ago

Maybe we should also consider to use the autocomplete attributes:

<input type="password" autocomplete="new-password">

or:

<input type="password" autocomplete="current-password">

for the password field(s).

See: https://adactio.com/journal/17794

Last edited 3 years ago by pfefferle (previous) (diff)

#8 @johnbillion
3 years ago

Great point @pfefferle , can you open a separate ticket for this please?

#10 @pfefferle
3 years ago

@johnbillion I found this old ticket: https://core.trac.wordpress.org/ticket/49608

Should we re-open it, or should I write a new one with the fokus on autocomplete="current-password"?

Last edited 3 years ago by pfefferle (previous) (diff)

#11 @swissspidy
3 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release

#12 @romainmrhenry
2 years ago

This is now also supported in 1Password and Chrome.
Would be great if we could move forward with this :)

#13 @romainmrhenry
18 months ago

The specification for this has reached First Public Working Draft : https://www.w3.org/TR/2022/WD-change-password-url-20220927/

Who on the WordPress core team can champion this feature?

Note: See TracTickets for help on using tickets.