#52066 closed defect (bug) (fixed)
Application Passwords are unusable in combination with password protected /wp-admin
Reported by: | SeBsZ | Owned by: | TimothyBlynJacobs |
---|---|---|---|
Milestone: | 5.6.1 | Priority: | normal |
Severity: | major | Version: | 5.6 |
Component: | Application Passwords | Keywords: | has-patch commit fixed-major |
Focuses: | Cc: |
Description
We've been using the Application Passwords for years to allow our REST-API to make use of authentication using basic auth. This worked perfectly fine.
Now, in WordPress 5.6.0 Application Passwords seems to have been merged into the main code, and suddenly we can't create new passwords because basic Auth has been detected in use on the site. The discussion and changeset that caused this are here: #51939
I totally understand that site-wide basic auth using .htaccess clashes with Application Passwords - but we only use .htaccess basic auth protection on the /wp-admin folder. There's absolutely not reason we should be blocked from creating new Application Passwords.
I don't know how you could solve this - either allow us to dismiss the warning and use AP anyway - or you might need another method to only detect conflicting basic auth on the REST API side - which may be impossible to do.
I've set the severity to major because we have upgraded to 5.6 and can now no longer create new authentication tokens for our REST API users.
Many thanks for your help.
Change History (17)
#2
@
4 years ago
That'd be a fine solution, or maybe just have it as a UI setting. After all, if we had Application Passwords before, that was our "yes, this is supported and should be on" toggle, but with 5.6, we lost it.
A direct upgrade to 5.6 also broke API authentication for us - it started coming back with 401, but @SeBsZ traced it down to the using_application_passwords
key not getting created during the db migration for some reason. Have you had other reports of this?
#3
@
4 years ago
I just reran the upgrade since we had to downgrade back to 5.5.3, and this time the using_application_passwords
key got created correctly. Not sure why it didn't the first time.
#4
@
4 years ago
@archon810 I haven't seen other reports of that issue. It is a fairly straightforward upgrade routine. Were there any associated errors during the first upgrade routine?
#5
@
4 years ago
No, I don't recall any update issues. The db update screen showed up, I clicked it, it updated very quickly, and it was done.
This ticket was mentioned in PR #848 on WordPress/wordpress-develop by TimothyBJacobs.
4 years ago
#6
- Keywords has-patch added
Trac ticket: https://core.trac.wordpress.org/ticket/52066
This ticket was mentioned in Slack in #core-passwords by timothybjacobs. View the logs.
4 years ago
#8
@
4 years ago
Thanks @TimothyBlynJacobs, this patch/PR looks great. We'll be able to hook into this filter and it'll fix the issue for us. Looking forward to 5.6.1.
#9
@
4 years ago
- Keywords commit added
The patch here looks good to me - I think this one is ready to go in.
#10
follow-up:
↓ 11
@
4 years ago
One of the issues here is what we really care about is whether the front-end is protected by Basic Auth, but we are forced to check this in the admin area. So after thinking on this and @ocean90's comment, I tweaked the function to accept a specific context
to check for. I think this makes it clear how this function is intended to be used, and its current shortcomings.
I think for 5.7 we could explore making this more robust by doing a loopback request and checking for a WWW-Authenticate
header.
What are people's thoughts on this?
#11
in reply to:
↑ 10
@
4 years ago
Replying to TimothyBlynJacobs:
I think this makes it clear how this function is intended to be used, and its current shortcomings.
The approach in the current PR makes sense to me for 5.6.1. Inaccurate results are not ideal, but it looks like a filter is the most straightforward solution for now.
I think for 5.7 we could explore making this more robust by doing a loopback request and checking for a
WWW-Authenticate
header.
That would be great :)
#12
@
4 years ago
- Owner set to TimothyBlynJacobs
- Resolution set to fixed
- Status changed from new to closed
In 50006:
Thanks for the ticket @SeBsZ. I think for 5.6.1 what we'll probably want to do is extract that into a function in
wp-admin/includes/user.php
and put a filter on that check. Maybewp_is_server_compatible_with_app_passwords()
? Not sure, would very much like input :)Would you be interested in putting together a patch for that @SeBsZ?