Context Navigation

← Previous Changeset
Next Changeset →

Changeset 49109

Timestamp:

10/08/2020 10:12:02 PM (4 years ago)

Author:

TimothyBlynJacobs

Message:

REST API: Introduce Application Passwords for API authentication.

In WordPress 4.4 the REST API was first introduced. A few releases later in WordPress 4.7, the Content API endpoints were added, paving the way for Gutenberg and countless in-site experiences. In the intervening years, numerous plugins have built on top of the REST API. Many developers shared a common frustration, the lack of external authentication to the REST API.

This commit introduces Application Passwords to allow users to connect to external applications to their WordPress website. Users can generate individual passwords for each application, allowing for easy revocation and activity monitoring. An authorization flow is introduced to make the connection flow simple for users and application developers.

Application Passwords uses Basic Authentication, and by default is only available over an SSL connection.

Props georgestephanis, kasparsd, timothyblynjacobs, afercia, akkspro, andraganescu, arippberger, aristath, austyfrosty, ayesh, batmoo, bradyvercher, brianhenryie, helen, ipstenu, jeffmatson, jeffpaul, joostdevalk, joshlevinson, kadamwhite, kjbenk, koke, michael-arestad, Otto42, pekz0r, salzano, spacedmonkey, valendesigns.
Fixes #42790.

Location:

trunk

Files:

: 8 added
: 17 edited

Gruntfile.js (modified) (2 diffs)
src/js/_enqueues/admin/application-passwords.js (added)
src/js/_enqueues/admin/auth-app.js (added)
src/wp-admin/authorize-application.php (added)
src/wp-admin/css/forms.css (modified) (2 diffs)
src/wp-admin/includes/class-wp-application-passwords-list-table.php (added)
src/wp-admin/includes/list-table.php (modified) (1 diff)
src/wp-admin/includes/user.php (modified) (1 diff)
src/wp-admin/user-edit.php (modified) (3 diffs)
src/wp-includes/class-wp-application-passwords.php (added)
src/wp-includes/class-wp-rewrite.php (modified) (1 diff)
src/wp-includes/default-filters.php (modified) (2 diffs)
src/wp-includes/load.php (modified) (1 diff)
src/wp-includes/rest-api.php (modified) (4 diffs)
src/wp-includes/rest-api/class-wp-rest-server.php (modified) (2 diffs)
src/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php (added)
src/wp-includes/script-loader.php (modified) (1 diff)
src/wp-includes/user.php (modified) (2 diffs)
src/wp-login.php (modified) (1 diff)
src/wp-settings.php (modified) (2 diffs)
tests/phpunit/tests/admin/includesUser.php (added)
tests/phpunit/tests/auth.php (modified) (3 diffs)
tests/phpunit/tests/rest-api/rest-application-passwords-controller.php (added)
tests/phpunit/tests/rest-api/rest-schema-setup.php (modified) (2 diffs)
tests/qunit/fixtures/wp-api-generated.js (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Gruntfile.js

-                      r49101
+                      r49109
                 files: {
                     [ WORKING_DIR + 'wp-admin/js/accordion.js' ]: [ './src/js/_enqueues/lib/accordion.js' ],
                     [ WORKING_DIR + 'wp-admin/js/code-editor.js' ]: [ './src/js/_enqueues/wp/code-editor.js' ],
                     [ WORKING_DIR + 'wp-admin/js/color-picker.js' ]: [ './src/js/_enqueues/lib/color-picker.js' ],
 …
                 file_mappings: {
                     'src/wp-admin/js/accordion.js': 'src/js/_enqueues/lib/accordion.js',
                     'src/wp-admin/js/code-editor.js': 'src/js/_enqueues/wp/code-editor.js',
                     'src/wp-admin/js/color-picker.js': 'src/js/_enqueues/lib/color-picker.js',

trunk/src/wp-admin/css/forms.css

r48419	r49109
757	757	}
758	758
759		.form-table td fieldset p label {
	759	.form-table td fieldset p label {
760	760	margin-top: 0 !important;
761	761	}
…	…
840	840	.color-option {
841	841	cursor: pointer;
	842
	843
	844
	845
	846
842	847	}
843	848

trunk/src/wp-admin/includes/list-table.php

r48574	r49109
34	34	'WP_Theme_Install_List_Table' => array( 'themes', 'theme-install' ),
35	35	'WP_Plugins_List_Table' => 'plugins',
	36
36	37
37	38	// Network Admin.

trunk/src/wp-admin/includes/user.php

r48313	r49109
595	595	);
596	596	}
	597
	598
	599
	600
	601
	602
	603
	604
	605
	606
	607
	608
	609
	610
	611
	612
	613
	614
	615
	616
	617
	618
	619
	620
	621
	622
	623
	624
	625
	626
	627
	628
	629
	630
	631
	632
	633
	634
	635
	636
	637
	638
	639
	640
	641
	642
	643
	644
	645
	646
	647
	648
	649
	650
	651
	652
	653
	654

trunk/src/wp-admin/user-edit.php

-                      r47808
+                      r49109
 wp_enqueue_script( 'user-profile' );
 if ( IS_PROFILE_PAGE ) {
 …
     </table>
         <?php
         if ( IS_PROFILE_PAGE ) {
 …
+    }
 </script>
 <?php
 require_once ABSPATH . 'wp-admin/admin-footer.php';

trunk/src/wp-includes/class-wp-rewrite.php

r48585	r49109
1510	1510	$rules = "<IfModule mod_rewrite.c>\n";
1511	1511	$rules .= "RewriteEngine On\n";
	1512
1512	1513	$rules .= "RewriteBase $home_root\n";
1513	1514

trunk/src/wp-includes/default-filters.php

-                      r48966
+                      r49109
 add_action( 'auth_cookie_bad_hash', 'rest_cookie_collect_status' );
 add_action( 'auth_cookie_valid', 'rest_cookie_collect_status' );
 add_filter( 'rest_authentication_errors', 'rest_cookie_check_errors', 100 );
 …
 add_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 );
 add_filter( 'authenticate', 'wp_authenticate_email_password', 20, 3 );
 add_filter( 'authenticate', 'wp_authenticate_spam_check', 99 );
 add_filter( 'determine_current_user', 'wp_validate_auth_cookie' );
 add_filter( 'determine_current_user', 'wp_validate_logged_in_cookie', 20 );
 // Split term updates.

trunk/src/wp-includes/load.php

r49023	r49109
87	87	$PHP_SELF = $_SERVER['PHP_SELF'];
88	88	}
	89
	90
	91
	92
	93
	94
	95
	96
	97
	98
	99
	100
	101
	102
	103
	104
	105
	106
	107
	108
	109
	110
	111
	112
	113
	114
	115
	116
	117
	118
	119
	120
	121
	122
	123
	124
	125
	126
	127
	128
	129
89	130	}
90	131

trunk/src/wp-includes/rest-api.php

r49108	r49109
210	210
211	211	add_filter( 'rest_pre_dispatch', 'rest_handle_options_request', 10, 3 );
	212
212	213	}
213	214
…	…
263	264	// Users.
264	265	$controller = new WP_REST_Users_Controller;
	266
	267
	268
	269
265	270	$controller->register_routes();
266	271
…	…
311	316	$controller = new WP_REST_Block_Directory_Controller();
312	317	$controller->register_routes();
313
314	318	}
315	319
…	…
1033	1037
1034	1038	$wp_rest_auth_cookie = true;
	1039
	1040
	1041
	1042
	1043
	1044
	1045
	1046
	1047
	1048
	1049
	1050
	1051
	1052
	1053
	1054
	1055
	1056
	1057
	1058
	1059
	1060
	1061
	1062
	1063
	1064
	1065
	1066
	1067
	1068
	1069
	1070
	1071
	1072
	1073
	1074
	1075
	1076
	1077
	1078
	1079
	1080
	1081
	1082
	1083
	1084
	1085
	1086
	1087
	1088
	1089
	1090
	1091
	1092
	1093
	1094
	1095
	1096
	1097
	1098
	1099
	1100
	1101
	1102
	1103
	1104
	1105
	1106
	1107
	1108
	1109
	1110
	1111
	1112
1035	1113	}
1036	1114

trunk/src/wp-includes/rest-api/class-wp-rest-server.php

-                      r49075
+                      r49109
      * @see WP_REST_Server::dispatch()
+     *
      * @param string $path Optional. The request route. If not set, `$_SERVER['PATH_INFO']` will be used.
      *                     Default null.
 …
      */
     public function serve_request( $path = null ) {
         $content_type = isset( $_GET['_jsonp'] ) ? 'application/javascript' : 'application/json';
         $this->send_header( 'Content-Type', $content_type . '; charset=' . get_option( 'blog_charset' ) );

trunk/src/wp-includes/script-loader.php

-                      r49104
+                      r49109
     $scripts->set_translations( 'password-strength-meter' );
     $scripts->add( 'user-profile', "/wp-admin/js/user-profile$suffix.js", array( 'jquery', 'password-strength-meter', 'wp-util' ), false, 1 );
     $scripts->set_translations( 'user-profile' );

trunk/src/wp-includes/user.php

r49090	r49109
296	296
297	297	return $user;
	298
	299
	300
	301
	302
	303
	304
	305
	306
	307
	308
	309
	310
	311
	312
	313
	314
	315
	316
	317
	318
	319
	320
	321
	322
	323
	324
	325
	326
	327
	328
	329
	330
	331
	332
	333
	334
	335
	336
	337
	338
	339
	340
	341
	342
	343
	344
	345
	346
	347
	348
	349
	350
	351
	352
	353
	354
	355
	356
	357
	358
	359
	360
	361
	362
	363
	364
	365
	366
	367
	368
	369
	370
	371
	372
	373
	374
	375
	376
	377
	378
	379
	380
	381
	382
	383
	384
	385
	386
	387
	388
	389
	390
	391
	392
	393
	394
	395
	396
	397
	398
	399
	400
	401
	402
	403
	404
	405
	406
	407
	408
	409
	410
	411
	412
	413
	414
	415
	416
	417
	418
	419
	420
	421
	422
	423
	424
	425
	426
	427
	428
	429
	430
	431
	432
	433
	434
	435
	436
	437
	438
	439
	440
	441
	442
	443
	444
	445
	446
	447
	448
	449
	450
	451
	452
	453
	454
	455
	456
	457
	458
	459
	460
	461
	462
	463
	464
	465
	466
	467
298	468	}
299	469
…	…
3924	4094	return new WP_User_Request( $post );
3925	4095	}
	4096
	4097
	4098
	4099
	4100
	4101
	4102
	4103
	4104
	4105
	4106
	4107
	4108
	4109
	4110
	4111
	4112
	4113
	4114
	4115
	4116
	4117
	4118
	4119
	4120
	4121
	4122
	4123
	4124
	4125
	4126
	4127
	4128
	4129
	4130
	4131
	4132
	4133
	4134
	4135
	4136
	4137
	4138
	4139
	4140
	4141
	4142
	4143
	4144
	4145
	4146
	4147
	4148
	4149
	4150
	4151

trunk/src/wp-login.php

r49078	r49109
1372	1372	} elseif ( WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED === $action ) {
1373	1373	$errors->add( 'enter_recovery_mode', __( 'Recovery Mode Initialized. Please log in to continue.' ), 'message' );
	1374
	1375
	1376
	1377
	1378
	1379
	1380
	1381
	1382
	1383
	1384
	1385
	1386
1374	1387	}
1375	1388	}

trunk/src/wp-settings.php

-                      r49103
+                      r49109
 require ABSPATH . WPINC . '/nav-menu-template.php';
 require ABSPATH . WPINC . '/admin-bar.php';
 require ABSPATH . WPINC . '/rest-api.php';
 require ABSPATH . WPINC . '/rest-api/class-wp-rest-server.php';
 …
 require ABSPATH . WPINC . '/rest-api/endpoints/class-wp-rest-plugins-controller.php';
 require ABSPATH . WPINC . '/rest-api/endpoints/class-wp-rest-block-directory-controller.php';
 require ABSPATH . WPINC . '/rest-api/fields/class-wp-rest-meta-fields.php';
 require ABSPATH . WPINC . '/rest-api/fields/class-wp-rest-comment-meta-fields.php';

trunk/tests/phpunit/tests/auth.php

r48937	r49109
7	7	class Tests_Auth extends WP_UnitTestCase {
8	8	protected $user;
	9
	10
	11
	12
9	13	protected static $_user;
10	14	protected static $user_id;
…	…
34	38	$this->user = clone self::$_user;
35	39	wp_set_current_user( self::$user_id );
	40
	41
	42
	43
	44
	45
	46
36	47	}
37	48
…	…
415	426	}
416	427
	428
	429
	430
	431
	432
	433
	434
	435
	436
	437
	438
	439
	440
	441
	442
	443
	444
	445
	446
	447
	448
	449
	450
	451
	452
	453
	454
	455
	456
	457
	458
	459
	460
	461
	462
	463
	464
	465
	466
	467
	468
	469
	470
	471
	472
	473
	474
	475
	476
	477
	478
	479
	480
	481
	482
	483
	484
	485
	486
	487
	488
	489
	490
	491
	492
	493
	494
	495
	496
	497
	498
	499
	500
	501
	502
	503
	504
	505
	506
	507
	508
	509
	510
	511
	512
	513
	514
	515
	516
	517
	518
	519
	520
	521
	522
	523
	524
	525
	526
	527
	528
	529
	530
	531
	532
	533
	534
	535
	536
	537
	538
	539
	540
	541
	542
	543
	544
	545
	546
	547
	548
	549
	550
	551
	552
	553
	554
	555
	556
	557
	558
	559
	560
	561
	562
	563
	564
	565
	566
	567
	568
	569
	570
	571
	572
	573
	574
	575
	576
	577
	578
	579
	580
	581
	582
	583
	584
	585
	586
	587
	588
	589
	590
	591
	592
	593
	594
	595
	596
	597
	598
	599
	600
	601
	602
	603
	604
	605
	606
417	607	}

trunk/tests/phpunit/tests/rest-api/rest-schema-setup.php

-                      r48937
+                      r49109
             '/wp/v2/users/(?P<id>[\\d]+)',
             '/wp/v2/users/me',
             '/wp/v2/comments',
             '/wp/v2/comments/(?P<id>[\\d]+)',
 …
         );
         $this->assertSame( $expected_routes, $routes );
+        $this->assertSame( $expected_routes, $routes );
+    }

trunk/tests/qunit/fixtures/wp-api-generated.js

-                      r49103
+                      r49109
                 "self": "http://example.org/index.php?rest_route=/wp/v2/users/me"
+            }
         },
         "/wp/v2/comments": {

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core