App Passwords: Extract Basic Auth check into a reusable filterable function.

In [49752] a check was added to prevent creating new Application Passwords if Basic Auth credentials were detected to prevent conflicts. This check takes place in WP-Admin, though a conflict would only arise if Basic Auth was used on the website's front-end.

This commit extracts the Basic Auth check into a reusable function, `wp_is_site_protected_by_basic_auth()`, which can be adjusted using a filter of the same name. This way, a site that uses Basic Auth to protect WP-Admin can still use the Application Passwords feature.

In the future, instead of requiring the use of a filter, WordPress could make a loopback request and check for a `WWW-Authenticate` header to make this detection more robust out of the box.

Props SeBsZ, archon810, aaroncampbell, ocean90, SergeyBiryukov, TimothyBlynJacobs.
Fixes #52066.

Built from https://develop.svn.wordpress.org/trunk@50006


git-svn-id: http://core.svn.wordpress.org/trunk@49707 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
TimothyBlynJacobs 2021-01-24 02:57:59 +00:00
parent 20d961e622
commit 6a8a83ea09
4 changed files with 46 additions and 3 deletions

View File

@ -88,7 +88,7 @@ if ( is_wp_error( $is_valid ) ) {
);
}
if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) || ! empty( $_SERVER['PHP_AUTH_PW'] ) ) {
if ( wp_is_site_protected_by_basic_auth( 'front' ) ) {
wp_die(
__( 'Your website appears to use Basic Authentication, which is not currently compatible with Application Passwords.' ),
__( 'Cannot Authorize Application' ),

View File

@ -739,7 +739,7 @@ endif;
}
}
if ( empty( $_SERVER['PHP_AUTH_USER'] ) && empty( $_SERVER['PHP_AUTH_PW'] ) ) {
if ( ! wp_is_site_protected_by_basic_auth( 'front' ) ) {
?>
<div class="create-application-password form-wrap">
<div class="form-field">

View File

@ -1685,3 +1685,46 @@ function wp_is_xml_request() {
return false;
}
/**
* Checks if this site is protected by HTTP Basic Auth.
*
* At the moment, this merely checks for the present of Basic Auth credentials. Therefore, calling this function
* with a context different from the current context may give inaccurate results. In a future release, this
* evaluation may be made more robust.
*
* Currently, this is only used by Application Passwords to prevent a conflict since it also utilizes Basic Auth.
*
* @since 5.6.1
*
* @global string $pagenow The current page.
*
* @param string $context The context to check for protection. Accepts 'login', 'admin', and 'front'. Defaults to the current context.
*
* @return bool
*/
function wp_is_site_protected_by_basic_auth( $context = '' ) {
global $pagenow;
if ( ! $context ) {
if ( 'wp-login.php' === $pagenow ) {
$context = 'login';
} elseif ( is_admin() ) {
$context = 'admin';
} else {
$context = 'front';
}
}
$is_protected = ! empty( $_SERVER['PHP_AUTH_USER'] ) || ! empty( $_SERVER['PHP_AUTH_PW'] );
/**
* Filters whether a site is protected by HTTP Basic Auth.
*
* @since 5.6.1
*
* @param bool $is_protected Whether the site is protected by Basic Auth.
* @param string $context The context to check for protection. One of 'login', 'admin', or 'front'.
*/
return apply_filters( 'wp_is_site_protected_by_basic_auth', $is_protected, $context );
}

View File

@ -13,7 +13,7 @@
*
* @global string $wp_version
*/
$wp_version = '5.7-alpha-50005';
$wp_version = '5.7-alpha-50006';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.