Make WordPress Core

Opened 3 years ago

Closed 16 months ago

Last modified 15 months ago

#52617 closed enhancement (fixed)

App Passwords: allow http success and reject URLs with local environment type.

Reported by: peterwilsoncc's profile peterwilsoncc Owned by: johnbillion's profile johnbillion
Milestone: 6.2 Priority: normal
Severity: normal Version: 5.6
Component: Application Passwords Keywords: good-first-bug has-patch has-unit-tests commit add-to-field-guide
Focuses: rest-api Cc:

Description

wp_is_authorize_application_password_request_valid() prevents an authorization request if either the success or reject URLs are over insecure connections (http).

On systems with the environment type set to local it would be helpful if these checks were bypassed in line with other aspects of the app passwords component.

Attachments (1)

52617.diff (1.1 KB) - added by viralsampat 20 months ago.
Hello @peterwilsoncc I have checked this patch and its works for me as well. Here, I have added comment for condition.

Download all attachments as: .zip

Change History (19)

#1 @TimothyBlynJacobs
3 years ago

  • Focuses rest-api added
  • Keywords good-first-bug added
  • Milestone changed from Awaiting Review to Future Release
  • Version set to 5.6

#2 @wppunk
3 years ago

Leave it with me. I'm going to fix it.

This ticket was mentioned in PR #1109 on WordPress/wordpress-develop by wppunk.


3 years ago
#3

  • Keywords has-patch added

I've update the wp_is_authorize_application_password_request_valid function and allow to use unsecure connection for the local environment.

Trac ticket: https://core.trac.wordpress.org/ticket/52617

#4 @cadic
21 months ago

I've tested this patch and it works.

With the local environment, it's now possible to authorize an application where a Success URL, Rejection URL or both are server over an insecure connection.

With other environments, the usual "The Authorize Application request is not allowed." error is displayed.

#5 @JeffPaul
20 months ago

@peterwilsoncc probably too late for 6.1, but we could milestone to 6.2 and mark for commit as well perhaps?

#6 @peterwilsoncc
20 months ago

  • Keywords commit added
  • Milestone changed from Future Release to 6.2

probably too late for 6.1, but we could milestone to 6.2 and mark for commit as well perhaps?

Works for me.

@viralsampat
20 months ago

Hello @peterwilsoncc I have checked this patch and its works for me as well. Here, I have added comment for condition.

@peterwilsoncc commented on PR #1109:


16 months ago
#8

G'day Max,

Closing this in favour of PR https://github.com/WordPress/wordpress-develop/pull/3912 as the repo structure has changed a bit and I didn't want to push to your branch.

You'll still get props though.

#9 @peterwilsoncc
16 months ago

  • Keywords needs-unit-tests added; commit removed

I've refreshed the original PR against trunk and it all seems to work via manual testing.

Prior to commit, I'll add some tests to ensure the insecure values are permitted for local environments.

#10 @peterwilsoncc
16 months ago

  • Keywords has-unit-tests added; needs-unit-tests removed

Extended the unit tests to include the environment in the linked pull request.

if someone else can sign off of the tests, I think this is good for commit.

Props @costdev for rubber ducking the tests with me.

This ticket was mentioned in Slack in #core by costdev. View the logs.


16 months ago

This ticket was mentioned in Slack in #core by mukeshpanchal27. View the logs.


16 months ago

#13 @costdev
16 months ago

  • Keywords commit added

@mukesh27 has reviewed and approved PR 3912. I think this is ready for commit consideration now.

This ticket was mentioned in Slack in #core by costdev. View the logs.


16 months ago

#15 @johnbillion
16 months ago

  • Owner set to johnbillion
  • Status changed from new to accepted

#16 @johnbillion
16 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 55283:

Application Passwords: Allow plain HTTP success and reject URLs when using a local environment type.

It's not uncommon for local environments to run over HTTP due to the relative complexity of configuring HTTPS for a local environment. This change allows HTTP URLs for application password responses when that is the case.

Props peterwilsoncc, wppunk, cadic, viralsampat

Fixes #52617

#18 @milana_cap
15 months ago

  • Keywords add-to-field-guide added
Note: See TracTickets for help on using tickets.