Commit Graph

15 Commits

Author SHA1 Message Date
whyisjake 8cf894710b App Passwords: Extract Basic Auth check into a reusable filterable function.
In [49752] a check was added to prevent creating new Application Passwords if Basic Auth credentials were detected to prevent conflicts. This check takes place in WP-Admin, though a conflict would only arise if Basic Auth was used on the website's front-end.

This commit extracts the Basic Auth check into a reusable function, wp_is_site_protected_by_basic_auth(), which can be adjusted using a filter of the same name. This way, a site that uses Basic Auth to protect WP-Admin can still use the Application Passwords feature.

In the future, instead of requiring the use of a filter, WordPress could make a loopback request and check for a WWW-Authenticate header to make this detection more robust out of the box.

This brings the changes from [50006] to the 5.6 branch.

Props SeBsZ, archon810, aaroncampbell, ocean90, SergeyBiryukov, TimothyBlynJacobs.

Fixes #52066.

Built from https://develop.svn.wordpress.org/branches/5.6@50044


git-svn-id: http://core.svn.wordpress.org/branches/5.6@49745 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-28 00:28:58 +00:00
Sergey Biryukov 06cd27f2e8 App Passwords: Use correct translation function for a heading on Authorize Application screen.
Props akramipro.
Merges [50003] to the 5.6 branch.
Fixes #52351.
Built from https://develop.svn.wordpress.org/branches/5.6@50004


git-svn-id: http://core.svn.wordpress.org/branches/5.6@49705 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-23 13:14:56 +00:00
Sergey Biryukov 9076f6bf5b App Passwords: Correct authorize app action names and signatures.
When App Passwords was introduced, the `wp_authorize_application_password_form` and `wp_application_passwords_approve_app_request_success` hooks were mistakenly duplicated and incorrectly documented. This commit corrects the hook names and ensures the correct parameters are passed.

Props johnbillion, engahmeds3ed.
Merges [49920] to the 5.6 branch.
Fixes #52013.
Built from https://develop.svn.wordpress.org/branches/5.6@49998


git-svn-id: http://core.svn.wordpress.org/branches/5.6@49699 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-21 12:35:55 +00:00
Helen Hou-Sandí 1fc7b75913 App Passwords: Prevent conflicts when Basic Auth is already used by the site.
Application Passwords uses Basic Authentication to transfer authentication details. If the site is already using Basic Auth, for instance to implement a private staging environment, then the REST API will treat this as an authentication attempt and would end up generating an error for any REST API request.

Now, Application Password authentication will only be attempted if Application Passwords is in use by a site. This is flagged by setting an option whenever an Application Password is created. An upgrade routine is added to set this option if any App Passwords already exist.

Lastly, creating an Application Password will be prevented if the site appears to already be using Basic Authentication.

Props chexwarrior, georgestephanis, adamsilverstein, helen, Clorith, marybaum, TimothyBlynJacobs.
Reviewed by TimothyBlynJacobs, helen.
Merges [49752] to the 5.6 branch.
Fixes #51939.

Built from https://develop.svn.wordpress.org/branches/5.6@49754


git-svn-id: http://core.svn.wordpress.org/branches/5.6@49477 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-12-04 21:48:03 +00:00
TimothyBlynJacobs d9b35c8e98 App Passwords: Unify availability language.
Previously App Passwords used a mix of "enabled" and "available". We've now standardized on using "available".

Additionally, we now use a 501 status code when indicating that App Passwords is not available.

Props SergeyBiryukov, ocean90, TimothyBlynJacobs.
Fixes #51513.

Built from https://develop.svn.wordpress.org/trunk@49617


git-svn-id: http://core.svn.wordpress.org/trunk@49355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-11-16 22:42:04 +00:00
Sergey Biryukov 3a1265e188 I18N: Add trailing punctuation to some translator comments.
Follow-up to [49549].

See #51580.
Built from https://develop.svn.wordpress.org/trunk@49562


git-svn-id: http://core.svn.wordpress.org/trunk@49300 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-11-11 10:41:07 +00:00
TimothyBlynJacobs 74969e7fbe App Passwords: Further accessibility improvements.
- Add a label to the readonly password input.
- Handle focus loss after revoking app passwords.
- Handle focus loss after dismissing notices.
- Mark app name as `aria-required`.
- Use `aria-label` for detailed revoke button text instead of `title`.
- Use `-1` for `tabindex` instead of `0`.

Props alexstine, afercia, sabernhardt, audrasjb, joedolson, TimothyBlynJacobs.
Fixes #51580.

Built from https://develop.svn.wordpress.org/trunk@49549


git-svn-id: http://core.svn.wordpress.org/trunk@49287 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-11-09 18:05:08 +00:00
TimothyBlynJacobs f6d39d1c51 App Passwords: Improve accessibility.
- Make form inputs stacked instead of inline.
- Provide a visible label for the app name.
- Add screen reader text to dismiss button.
- Make "Revoke" button label more descriptive.
- Use aria-disabled instead of disabled to avoid focus loss.
- Display password in a readonly input to assist copy and paste.
- Remove large sections of italic text.
- Use `.form-wrap` and `.form-field` to give consistent form styling.
- Improve labeling and placeholder text.

Props alexstine, georgestephanis, afercia, TimothyBlynJacobs.
Fixes #51580.

Built from https://develop.svn.wordpress.org/trunk@49294


git-svn-id: http://core.svn.wordpress.org/trunk@49056 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-24 03:34:06 +00:00
TimothyBlynJacobs e992757e5b App Passwords: Include site_url in the success redirect payload.
Props georgestephanis.
Fixes #51602.

Built from https://develop.svn.wordpress.org/trunk@49291


git-svn-id: http://core.svn.wordpress.org/trunk@49053 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-24 00:07:08 +00:00
Sergey Biryukov 298cd04a63 Coding Standards: Update some alignment in `wp-admin/authorize-application.php` for consistency.
Save blogs count to a variable for reusing.

Follow-up to [49270].

See #51489.
Built from https://develop.svn.wordpress.org/trunk@49282


git-svn-id: http://core.svn.wordpress.org/trunk@49042 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-23 01:19:06 +00:00
TimothyBlynJacobs ce34d0ab00 App Passwords: Support an app_id to uniquely identify instances of an app.
Apps may now optionally include an `app_id` parameter when directing the user to the Authorize Application screen. This allows for instances of an application to be identified and potentially revoked or blocked.

Props TimothyBlynJacobs, georgestephanis.
Fixes #51583.

Built from https://develop.svn.wordpress.org/trunk@49276


git-svn-id: http://core.svn.wordpress.org/trunk@49038 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-22 15:06:09 +00:00
TimothyBlynJacobs fe8bb3ea58 App Passwords: Fix success=false not being appended to fallback reject url.
Props TimothyBlynJacobs, georgestephanis.
Fixes #51581.

Built from https://develop.svn.wordpress.org/trunk@49272


git-svn-id: http://core.svn.wordpress.org/trunk@49034 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-22 02:44:05 +00:00
TimothyBlynJacobs 85c49351af App Passwords: Explain that apps can access all sites in a network.
Props georgestephanis, spacedmonkey, johnjamesjacoby, SergeyBiryukov, marybaum.
Fixes #51489.

Built from https://develop.svn.wordpress.org/trunk@49270


git-svn-id: http://core.svn.wordpress.org/trunk@49032 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-22 02:36:11 +00:00
Sergey Biryukov 5affd982a0 I18N: Add missing placeholders in some translator comments.
Follow-up to [49109].

See #42790.
Built from https://develop.svn.wordpress.org/trunk@49110


git-svn-id: http://core.svn.wordpress.org/trunk@48872 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-09 01:06:03 +00:00
TimothyBlynJacobs d5ebe12f11 REST API: Introduce Application Passwords for API authentication.
In WordPress 4.4 the REST API was first introduced. A few releases later in WordPress 4.7, the Content API endpoints were added, paving the way for Gutenberg and countless in-site experiences. In the intervening years, numerous plugins have built on top of the REST API. Many developers shared a common frustration, the lack of external authentication to the REST API.

This commit introduces Application Passwords to allow users to connect external applications to their WordPress website. Users can generate individual passwords for each application, allowing for easy revocation and activity monitoring. An authorization flow is introduced to make the connection flow simple for users and application developers.

Application Passwords uses Basic Authentication, and by default is only available over an SSL connection.

Props georgestephanis, kasparsd, timothyblynjacobs, afercia, akkspro, andraganescu, arippberger, aristath, austyfrosty, ayesh, batmoo, bradyvercher, brianhenryie, helen, ipstenu, jeffmatson, jeffpaul, joostdevalk, joshlevinson, kadamwhite, kjbenk, koke, michael-arestad, Otto42, pekz0r, salzano, spacedmonkey, valendesigns.
Fixes #42790.

Built from https://develop.svn.wordpress.org/trunk@49109


git-svn-id: http://core.svn.wordpress.org/trunk@48871 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-08 22:14:06 +00:00
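
The message of commit 8cf894710b above suggests detecting site-level Basic Auth with a loopback request that checks for a WWW-Authenticate header. The header check on such a response could look like the following Python, which is an added example and not WordPress code; the function names and the sample responses are constructed for illustration.

```python
import re

# RFC 7230 "token" characters; auth scheme names and parameter names are tokens.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# A challenge starts with a scheme token that is NOT followed by "=";
# "name=value" items are parameters of the preceding challenge.
_CHALLENGE_START = re.compile(rf"^({_TOKEN})(?:\s+(?!=)\S.*)?$")


def challenge_schemes(header_value):
    """Return the lowercase auth schemes offered in one WWW-Authenticate value."""
    # Blank out quoted strings first so commas or scheme-like words inside a
    # realm cannot be mistaken for header structure.
    flattened = _QUOTED.sub('""', header_value)
    schemes = []
    for item in flattened.split(","):
        match = _CHALLENGE_START.match(item.strip())
        if match:
            schemes.append(match.group(1).lower())
    return schemes


def basic_auth_challenge(status, headers):
    """True if a response looks like a site-level Basic Auth prompt."""
    if status != 401:
        return False
    # The header may be repeated, so headers is a list of (name, value) pairs.
    for name, value in headers:
        if name.lower() == "www-authenticate" and "basic" in challenge_schemes(value):
            return True
    return False


# Constructed sample responses (status, header list); not captured from a real site.
STAGING = (401, [("Content-Type", "text/html"),
                 ("WWW-Authenticate", 'Basic realm="Staging, Basic access only"')])
MIXED = (401, [("WWW-Authenticate", "Negotiate"),
               ("WWW-Authenticate", 'Bearer realm="api", Basic realm="ops", charset="UTF-8"')])
BEARER_ONLY = (401, [("WWW-Authenticate", 'Bearer realm="Basic realm", error="invalid_token"')])
OPEN = (200, [("Content-Type", "text/html")])

if __name__ == "__main__":
    for label, resp in [("staging", STAGING), ("mixed", MIXED),
                        ("bearer-only", BEARER_ONLY), ("open", OPEN)]:
        print(label, basic_auth_challenge(*resp))
```

The bearer-only sample shows why quoted strings are blanked before splitting: a realm that merely contains the word "Basic" must not count as a Basic challenge.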