wordpress / application-passwords Goto Github PK

Verbiage needs to be reviewed/added/changed for end-user clarification.

On it tonight.

Would be cool to see a brief design description high up in the readme. This is a good start in the Description section:

With Application Passwords you are able to authenticate a user without providing that user's password directly, instead you will use a base64 encoded string of their username and a new application password.

Can we add to that with a description of how clients use this for auth?

I generate password, I try the curl call, I get 401.

Hi, this plugin does exactly what I need for my purpose, let users download some settings to a mobile app (which the app keeps until the user decides to reset them). But I know that entering this type of passwords is going spoil the fun and eventually kill it :)
I know that security should never be underestimated, but is there a way to make the created passwords a little less complicated?

Build a way for apps to link to your site, and generate an application password that is then redirected back.

Are the spaces actually part of the passwords? If not the chunking needs to be done using spans and padding.

The period is part of the structure and gets in the way of the copy and paste.

I found that I cannot create application passwords when my site is in PHP 7, I opened up developer's tools, go into console, and it shows error 500. Then I switched back to PHP 5.6, the plugin is working normally. Which PHP module is used by this plugin and why it can't work in PHP 7?

I installed this plugin in a SSL installed worpdress. i am getting followng response.

{
"code": "rest_no_route",
"message": "No route was found matching the URL and request method",
"data": {
"status": 404
}
}

can you help me on this

Hello Development-Team,

I'd like to see the feature, where i can set a user defined password generator, as the 5 4-byte chunks are neither secure, nor memorizable.
As tastes go, everyone has one, so i'd prefer to define my own password generator callback, that just returns the password.

Currently there is no confirmation dialog for revoking a password. This can lead to accidental password revoking. This is especially bad for the revoking all application passwords button. At a minimum this should have a confirmation dialog.

Is there a way to create a password and get the secret response programmatically? This would be very useful for plugin developers who want to automate the process or have the interaction happen in a different UI [like a theme].

i.e.:
$secret = createNewAppPassword($someAppName, $someUserID);

I didn't look through the code... maybe this can already be done.

I was reviewing this plugin last night and I realized that there were no unit tests within this plugin. I think we should create a couple of them to at least show these use cases.

• Ping a public REST API endpoint - PASS
• Ping a private REST API endpoint - FAIL
• List passwords - PASS
• Revoke passwords - PASS
• Create passwords with a password - FAIL

Let me know if you have anymore. I am going to start creating these and send you a PR soon.

I'll report this to the iThemes team, as well, but there's a naming conflict between the two plugins.

It appears that both your plugin and iThemes Security Pro define classes named Application_Passwords, so you can't have both plugins active at the same time. I haven't checked to see if the free version of iThemes Security conflicts with this plugin or not. Thanks.

Thanks a lot for this project. Please document the commands available for wp-cli.

Get a warning when looking at the details of the plugin that it has not been tested with WP 5.1.1.

Currently all new passwords are prepended to the passwords table upon creation, but when the table is viewed after a user refreshes the page the newest passwords appear at the bottom.

I believe this is an inconsistency within the UX and I propose two solutions:

1. Append a newly created password instead of prepending it to keep with the password order consistency
2. Order the passwords from newest to oldest to keep with the consistency of where new passwords are added to the table

@georgestephanis let me know your thoughts :)

I have a user with a custom user role I would like to give an application password, but when creating a new password on the profile screen I get an "Access Denied" error message returned when I check the developer console. (Although the form simply stays grayed-out, with no response)

Is there a particular user capability that is required to add a password?
Is it possible to allow Subscribers or other users to create an application password?

I'm unable to post an article to a test server, and cannot figure out why.

I installed this plugin and it shows:

Username      osadmin
...
Your new password for omnistream: tSp0 nelJ bZQt 39zC

Name          Created                  Last   Used   Last IP   Revoke
omnistream    February 9, 2016 ...

This works:
$ curl http://aaatalks.carolinas.aaa.com/wp-json/wp/v2/posts/268

This does not:

$ echo -n "osadmin:tSp0 nelJ bZQt 39zC" | base64
b3NhZG1pbjp0U3AwIG5lbEogYlpRdCAzOXpD
$ curl --header "Authorization: Basic b3NhZG1pbjp0U3AwIG5lbEogYlpRdCAzOXpD" -X POST -d "title=New Title" http://aaatalks.carolinas.aaa.com/wp-json/wp/v2/posts
{"code":"rest_cannot_create","message":"Sorry, you are not allowed to create new posts.","data":{"status":401}
$ 

If I try without the spaces:

$ echo -n "osadmin:tSp0nelJbZQt39zC" | base64
b3NhZG1pbjp0U3AwbmVsSmJaUXQzOXpD
$ curl --header "Authorization: Basic b3NhZG1pbjp0U3AwbmVsSmJaUXQzOXpD" -X POST -d "title=New Title" http://aaatalks.carolinas.aaa.com/wp-json/wp/v2/posts
{"code":"rest_cannot_create","message":"Sorry, you are not allowed to create new posts.","data":{"status":401}}
$ 

What am I doing wrong?

I've changed the password since posting this (for security reasons) but would happy to send it to you out of band if you need it.

Currently it is possible to create multiple passwords with the same name. Should we either:

1. Check if the password name has already been taken before adding it. If so then we can show an error message.
2. Show the ID of each password next to the name so that there is a way to distinguish each password from each other. I know that the passwords are stored as a simple array within the user meta so there will be IDs like 0 and also the IDs will be dynamic.
3. Do nothing :)

Let me know your thoughts.

Is there a way to generate application password for user via PHP function?

Looks like some of the strings aren't translatable. I'll get around to this at some point this weekend if nobody else does it first. If you want to do it, feel free.

After some tests, and a lot of complaints from users I confirmed this to be a real issue.

When making a REST request (like from POSTMAN) with the application password, it instantly changes the users hashed password forcing them to be logged out (from the web /wp-admin) and needing a reset password.

Looks like we're starting to add various files now. Time for some restructuring.

Thinking:

application-passwords.php
readme.txt
readme.md
assets/screenshot-1.png
assets/screenshot-2.png
includes/classes/class.application-passwords.php
includes/classes/class.application-passwords-list-table.php
includes/css/application-passwords.css
includes/js/application-passwords.js

We might as well get ahead of this before it becomes more work than it's worth.

What's everyone think? If there aren't any objections, I'll get started.

can i call the functions of creating password from frontend ?
if possible to get shortcode, we can put it in fronted user profile to let user generate password, because we lock login to (/wp-admin) for users out of administrators

Hi,

Nice work! I came across a small, little bug.

In readme.md, you have the following code:

curl --header "Authorization: Basic ACCESS_TOKEN" -X POST -d "title=New Title" http://LOCALHOST/wp-json/wp/v2/posts/POST_ID}

The code should be:

curl --header "Authorization: Basic ACCESS_TOKEN" -X POST -d "title=New Title" http://LOCALHOST/wp-json/wp/v2/posts/POST_ID

Remove the right curly brace! :)

So I have the common error message in my wordpress admin panel "Due to a potential server misconfiguration, it seems that HTTP Basic Authorization may not work for the REST API on this site: Authorization headers are not being sent to WordPress by the web server. You can learn more about this problem, and a possible solution, on our GitHub Wiki."

However, I've already changed my .htaccess files accordingly, and I still see the message in my admin panel. What steps do I take next?

Hi All,

I am currently using WordPress v4.9.5 (as stated on the ‘At a glance’ section of the dashboard in the admin panel) hosted on wpengine.com.

Given the above version, I understand that the REST API’s starting from v4.7 onwards are available out of the box and no additional plugins are required. With this, I proceeded to install the Application Passwords plugin to try out the basic authentication. I was able to install the plugin successfully.

I have a user ‘ApiUser’ in WordPress with ‘Admin’ role for which I generated a password that looked like:

eref HgfY HKJH iuot REEt <-(fake password)

I used an online tool to Base64Encode the username and newly generated password as follows:
Base64Encoding of ‘ApiUser:erefHgfYHKJHiuotREEt’ results in ‘QXBpVXNlcjplcmVmSGdmWUhLSkhpdW90UkVFdA==’

Using ‘Postman’ I set the Headers as follows:
content-type:application/json
authorization: basic QXBpVXNlcjplcmVmSGdmWUhLSkhpdW90UkVFdA==

and made a simple GET request to:
https://mywebsite.wpengine.com/wp-json/wp/v2/users
https://mywebsite.wpengine.com/wp-json/wp/v2/pages

The response I get is 401 Unauthorized

I was wondering if I am on the right track or if there was something that I was missing out on. Basically I am trying to access site content via the API’s

Current version of plugin, current version of WordPress, the buttons for revoking one or all application passwords on the user profile page don't do anything.

I’m adding a new Application Password, but upon clicking ‘Add New’, the button is disabled and there is no further action. There are no JavaScript errors in the console.

How can I debug this to help figure out where it might be going wrong?

It would be really nice to be able to use this plugin by downloading it as an dependancy through Composer and including it in a theme.

Currently when I try the latter the plugin doesn't seem to work fully. UI shows up, but i.e. adding keys won't work (just a reload). This is due to the Javascript not being able to load. Since the source is hard coded to the plugins directory, also see https://github.com/georgestephanis/application-passwords/blob/master/class.application-passwords.php#L398.

I have created an app password, and following the plugin instructions, created the base64 encoded string, but I am getting a 401 Unauthorized when trying to make a POST request.

I have edited my .htaccess file to have RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}], but still not working. Here is a sample of my request:

$http.post('http://mysite.com/wp-json/wp/v2/orders', {
        headers: {'Authorization': 'Basic PW_HERE'}
      },
      {
        'title':$scope.userName,
        'status':'publish',
        'fields': {
            'customer_name': $scope.userName,
            'customer_email_address': $scope.userEmail,
            'customer_phone_number': $scope.userPhone,
            'customer_zipcode': $scope.userZip
        }
      });

@georgestephanis I was looking through your pull request code and learned all kinds of things, Thanks for that..
But, it also created a question.
Is there benefit to doing nonce the way you did in
https://github.com/georgestephanis/application-passwords/pull/39/files#diff-a67f6a9179c10f23f65eba957c929506R25
Line 25 of the auth-app.js

Over the typical form nonce and passing the nonce with the data?

If I am reading the code correctly its making an ajax request to check the nonce before posting the data. Correct?

Adding the project to https://packagist.org would improve Composer support since Composer will use the Packagist to find this package. Also this would mean safe upgrading (or not upgrading) to new releases.

You only need to tag a version and submit and publish application-passwords at Packagist. :)

I don't know what has changed between 4.5 and 4.6, but the application password I have set up for an administrator does not seem to even be attempted to be used. I get a 401 from trying to update a user via the REST API, and the application password does not show that it was used in the administrator's profile.

I'll see if I can figure it out and submit a PR for the fix. If someone else knows what's wrong and can provide a pointer, that would be great in speeding up the fix.

This is a great plugin otherwise!

Thanks!

Hello,

I've configured Two-Factor with great success at the first try, but I also need access for the WordPress Android App that I use in train to work on drafts. After digging a little I found that addon, installed it and generated the password. But it does not work, I keep getting authentication errors on my phone.
My Setup :
WordPress 4.9.10
PHP 7.0.33 (yes I know, upgrade is in testing process)

No errors in dedicated php_error log nor nginx's access or error log are to be seen. I've tried using it with and without spaces as it's shown et creation, I've retried to type it multiple times to prevent input mistakes (digital onscreen keyboards have really small keys for my fingers).

Digging a little, I've tried testing with curl. The REST API does work, but not XMLRPC that the Android app uses :

$ curl --user "seboss666:4spXXXXXXXXXXXB" -X POST -d "title=New Title" https://blog.seboss666.info/wp-json/wp/v2/posts/5900
{"id":5900,"date":"2019-08-20T17:40:57","date_gmt":"2019-08-20T15:40:57","guid":{"rendered":"https:\/\/blog.seboss666.info\/?p=5900","raw":"https:\/\/blog.seboss666.info\/?p=5900"},"modified":"2019-08-20T17:40:57","modified_gmt":"2019-08-20T15:40:57","password":"","slug":"","status":"draft","type":"post","link":"https:\/\/blog.seboss666.info\/?p=5900","title":{"raw":"New Title","rendered":"New Title"},"content":...}}

$ curl -H 'Content-Type: text/xml' -d '<methodCall><methodName>wp.getUsers</methodName><params><param><value>1</value></param><param><value>seboss666</value></param><param><value>4spXXXXXXXXXXXB</value></param></params></methodCall>' https://blog.seboss666.info/xmlrpc.php
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value><int>403</int></value>
        </member>
        <member>
          <name>faultString</name>
          <value><string>Identifiant ou mot de passe incorrect.</string></value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>

As it was still working the morning just before I set up the Two-Factor addon, I'm pretty sure it's not one of my manipulations that "disabled" XMLRPC. Can you help me find where can be the problem ?

Thanks.

Hi there,
I have always an Authentication Error with my WP-Blog. I thought it could be the same error as Issue #25 but below you can see the Output of my header. So this could not be the problem. (XXX is the base64 encoded username:password).
Any other ideas to try out?

curl -v --header "Authorization: Basic XXX" -X POST -d "title=New Title" http://www.hyphy.de/wp-json-v2/wp/v2/posts/3526

• Trying 81.169.145.159...
• Connected to www.hyphy.de (81.169.145.159) port 80 (#0)

  POST /wp-json-v2/wp/v2/posts/3526 HTTP/1.1
  Host: www.hyphy.de
  User-Agent: curl/7.43.0
  Accept: /
  Authorization: Basic XXX
  Content-Length: 15
  Content-Type: application/x-www-form-urlencoded

• upload completely sent off: 15 out of 15 bytes
  < HTTP/1.1 401 Unauthorized
  < Date: Tue, 03 May 2016 10:13:17 GMT
  < Server: Apache/2.2.31 (Unix)
  < X-Powered-By: PHP/5.5.34
  < X-Content-Type-Options: nosniff
  < Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
  < Access-Control-Allow-Headers: Authorization
  < Transfer-Encoding: chunked
  < Content-Type: application/json; charset=UTF-8
  <
• Connection #0 to host www.hyphy.de left intact
  {"code":"rest_cannot_edit","message":"Sorry, you are not allowed to update this post.","data":{"status":401}}

Looking at this example from Google, there are a couple takeaways I think would help us:

1. By having a dropdown, we're educating users as to WHAT this will be used for. iPhone, iPad, Rest API, Jetpack ;) That will help them understand the purpose.
2. Having the [REVOKE] button on that line, always visible, is good for security. It's easier to tell someone 'Go to the profile page, scroll down to App Passwords, press REVOKE for the item you want to kill in fire.' I think this is one location where the WP Tables interface is not right. Pretty much all we'll ever want to do is revoke access.

Using the authentication I'm getting a 502 on the /wp-json/wp/v2/users/ endpoint. The endpoint works perfectly when not using authentication.

So, 2 questions.

1. Any insight on this 502?
2. Is it possible to require authentication for ALL endpoints? Even GET, I want all information private.

When I try to add a key or revoke one, I get the following console errors:

DELETE https://mysite.com/wp-json/2fa/v1/application-passwords/1/c94e996d441c 403 () load-scripts.php?c=0&load[]=jquery-core,jquery-migrate,utils,zxcvbn-async,underscore,wp-util,backbo…:5

POST https://mysite.com/wp-json/2fa/v1/application-passwords/1/add 403 () load-scripts.php?c=0&load[]=jquery-core,jquery-migrate,utils,zxcvbn-async,underscore,wp-util,backbo…:5

Hello -
I like this extension as it is a reasonable way to add secret-based authentication to wp rest-api. So good work! :)

My goal is to build out some custom endpoints as described on developer.wordpress.org. The issue I am facing is that I cannot seem to find a clear way have my custom routes use application-passwords based authentication.

The readme didn't have anything that seemed to answer my question directly, so I went into the code a bit. Since I want to implement a permissions check, I think I need to use a permission_callback. However, I am not sure what plugin code the permissions_callback should ideally call. If there is a simpler way to do all of this, please let me know. Here is what I scraped together:

function application_password_auth_validation(){
  //Get HTTP request headers 
  $auth = apache_request_headers();
  //Get only Authorization header
  $basicAuth = $auth['Authorization'];
  //Based on functions used in https://github.com/georgestephanis/application-passwords/blob/master/class.application-passwords.php
  $user = Application_Passwords::authenticate( $basicAuth, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
  if ( $user instanceof WP_User ) {
    //get the id use return $user->ID;
    return true;
  } else {
    return false;
  }
}

This can then be used to add Auth when defining custom routes as such

add_action( 'rest_api_init', function () {
  register_rest_route( 'myplugin/v1', '/authorWithAuth/(?P<id>\d+)', array(
    'methods' => 'GET',
    'callback' => 'my_awesome_func',
    'permission_callback' => 'application_password_auth_validation',
    ) );
  } );

Let me know what you think would be the best way to address,
Thank you for all your work!

Should the REST API using Application Password auth be able to create new Application Passwords?

I'm torn, because if so, applications could create more routes in, but at the same point, what's to prevent them from just sharing the existing application password or oAuth tokens and having the same problem?

I think we can add a simple Readme.md within the root directory of this plugin to help new users understand what it does and how to use this plugin. I will be creating a mockup of this document and a respective PR soon.

I generate password, I try the curl call, I get 401.

{
"code": "rest_cannot_create",
"message": "Sorry, you are not allowed to create posts as this user.",
"data": {
"status": 401
}
}

Is it possible to automate the process?

• Install the plugin
• Code that creates and app
• Gets the passwords and uses it in the cURL requests.

It's pretty subtle compared to the table and could be more obvious. It might be worth presenting it in a modal accompanied by help text ("spaces don't matter, etc").

Some servers ignore/block/remove the "Authorization" header from requests. See WP-API/Basic-Auth#1, which I know is a different plugin, but it also sends the important authentication data in the SAME header as this one: the authorization header.
So if we were to use application passwords in a production system, it wouldn't work for many users because the Authorization header is ignored/blocked/removed from requests for some servers. Ugh.

SO, is it feasible to also send the application password in the request body or querystring? (I specified "also" because I heard some servers ignore request bodies on DELETE requests, so in that case it might be nice to also have the header as a fallback)

I think we should add a plugin action link to give users an easy way to navigate to their passwords.

Hi!
I installed wordpress 4.7 & Application Passwords plugin( has added a Application Passwords for a admin user)

I can create or update or retrieve posts with rest api (in wordpress 4.7 core)

But if I change a post's status to private, I can't retrieve the post with Application Passwords

Is this rest api limit or Application Passwords limit?

Could some body know & help me ,Thanks a lot!

... and not much to see on the screen.

I want to play with wordpress rest interface and gave application-passwords a try. I did a fairly simple wordpress install on a test vm (steps in ansible: main.yml.txt ) . As a first step after my first login I activate the plugin in Wordpress. There nearly no writes to the database:

73 Query     UPDATE `wp_options` SET `option_value` = 'a:1:{i:0;s:47:\"application-passwords/application-passwords.php\";}' WHERE `option_name` = 'active_plugins'
74 Query     UPDATE `wp_options` SET `option_value` = '1456163248' WHERE `option_name` = '_transient_timeout_plugin_slugs'

When I edit my user, I see a paragraph "Application Passwords". When I fill in the "New application password field" and press "Add New", the text field turns disabled. But no writes to the database. And nothing more to see:

After a reload, the text field is empty again.