I'm trying to develop an auto login system, and I'm having problems with NONCE.
The code I'm using:
if ( 'REGULAR_USER' == $payload->role ) {
$user_login = $payload->preferred_username;
$user = get_user_by('email', $user_login);
$user_id = $user->ID;
clean_user_cache( $user_id);
wp_clear_auth_cookie();
wp_set_current_user($user_id, $user_login);
wp_set_auth_cookie($user_id);
do_action('wp_login', $user_login, $user);
update_user_caches( $user );
}
The variables I get from a JWT token. Everything apparently works. Login is successful.
Problems are triggered when the user tries to do some action that checks nonces.
Explaining better: the application is based on Tutor LMS. The user who automatically logs in to the site cannot, for example, finish the class. That's because at the end of classes, the Tutor triggers a function called checking_nonce(). When the check fails, the function returns: "Nonce not matched. Action failed!"
Here's the code itself that checks inside the Tutor LMS
public function checking_nonce( $request_method = null ) {
! $request_method ? $request_method = $_SERVER['REQUEST_METHOD'] : 0;
$data = strtolower( $request_method ) === 'post' ? $_POST : $_GET;
$nonce_value = sanitize_text_field( tutor_utils()->array_get( tutor()->nonce, $data, null ) );
$matched = $nonce_value && wp_verify_nonce( $nonce_value, tutor()->nonce_action );
if ( ! $matched ) {
wp_send_json_error( array( 'message' => __( 'Nonce not matched. Action failed!', 'tutor' ) ) );
exit;
}
}
A second test was done (to check role permissions). I registered the user as an administrator, did the auto login, and the problem remains.
Important detail: if that same user logs in through wp-admin and tries to finish a class, the error does not happen and everything works correctly.
Are there any different directives that need to be added to not have these issues with nonce validation?
Related
I downloaded, installed and activated the plugin "JWT Authentication for the WP REST API".
And I see how I can obtain JWT access token when sending credentials from the client.
But I don't see how to use the plugin with the existing WordPress REST API.
For example, if I follow by the link like /wp-json/wp/v2/posts or /wp-json/wp/v2/posts/1, I still fetch the resource without any restricting the access, so the access is still public.
So how to restrict the access making it private with the plugin?
You can use the rest_authentication_errors hook filter to restrict the REST access coupled with is_user_logged_in() and user_can().
<?php
add_filter( 'rest_authentication_errors', function( $result ) {
if ( true === $result || is_wp_error( $result ) ) {
return $result;
}
if ( ! is_user_logged_in() && ! user_can( get_current_user_id(), 'export' ) ) {
return new WP_Error(
'rest_not_logged_in',
__( 'Silence is golden.' ),
array( 'status' => 401 )
);
}
return $result;
} );
I'm coming across an issue when trying to register a second user account once someone registers as a customer via WooCommerce. I have added the following woocommerce_created_customer hook:
add_action('woocommerce_created_customer', function($customer_id)
{
if(isset($_POST['second_user_first_name']) && isset($_POST['second_user_last_name']))
{
$createSecondUserId = wp_create_user(strtolower($_POST['second_user_first_name'].'-'.$_POST['second_user_last_name']).'-'.$customer_id, wp_generate_password(), 'test#test.com');
if(is_wp_error($createSecondUserId))
{
$errors = $createSecondUserId->errors;
print_r($errors);
die();
}
}
});
However I get the following error when submitting a new WooCommerce registration:
Array ( [existing_user_login] => Array ( [0] => Sorry, that username already exists! ) )
It's strange as I'm setting a random username within the wp_create_user function, so the usernames should not clash. Has anyone got any ideas?
You can use username_exists() to determines that the given username exists.
add_action( 'woocommerce_created_customer', function($customer_id){
if( isset( $_POST['second_user_first_name'] ) && isset( $_POST['second_user_last_name'] ) ) {
if( !username_exists( strtolower( $_POST['second_user_first_name'].'-'.$_POST['second_user_last_name'] ).'-'.$customer_id ) ){
$createSecondUserId = wp_create_user( strtolower( $_POST['second_user_first_name'].'-'.$_POST['second_user_last_name'] ).'-'.$customer_id, wp_generate_password(), 'test#test.com' );
if(is_wp_error($createSecondUserId)){
$errors = $createSecondUserId->errors;
print_r($errors);
die();
}
}
}
});
If the username already exists you can create a new one by adding a progressive numeric suffix. In this way you will be sure that the username of the second account will always be unique.
Note that if you run multiple tests with your current code you need to
make sure you remove the user with the email address test#test.com
otherwise you will get an error: [existing_user_email] => Sorry, that email address is already used!.
add_action('woocommerce_created_customer', function( $customer_id ) {
if ( isset($_POST['second_user_first_name']) && isset($_POST['second_user_last_name']) ) {
// create the username based on the form data
$username = strtolower( $_POST['second_user_first_name'] . '-' . $_POST['second_user_last_name'] ) . '-' . $customer_id;
// if the username already exists it creates a unique one
if ( username_exists($username) ) {
$i = 0;
while ( username_exists($username) ) {
$username = $username . '-' . ++$i;
}
}
// create the second user
$createSecondUserId = wp_create_user( $username, wp_generate_password(), 'test#test.com' );
}
});
The code has been tested and works. Add it to your active theme's functions.php.
How can I disable the password change option for specific user in Wordpress?
I have a user where I set a new password each week for multiple users. But some tried to change the password for this user. I don't want that - but only for this specific user profile. All the other users should be able toi change their password.
I have tried different plugins but none of them work.
Thanks a lot if you can help on this!
Add this in your function.php file
class Password_Reset_Removed
{
function __construct()
{
add_filter( 'show_password_fields', array( $this, 'disable' ) );
add_filter( 'allow_password_reset', array( $this, 'disable' ) );
}
function disable()
{
if ( is_admin() ) {
$userdata = wp_get_current_user();
$user = new WP_User($userdata->ID);
if ( !empty( $user->roles ) && is_array( $user->roles ) && $user->roles[0] == 'administrator' )
return true;
}
return false;
}
}
$pass_reset_removed = new Password_Reset_Removed();
We have just removed the fields to change password from the back-end of the WordPress. Now, some users will also try to reset the password using the Lost your password? form from the log-in page.
In order to prevent them from doing that, we will remove lost password link and disable the lost password form by adding below code
function remove_lost_your_password($text)
{
return str_replace( array('Lost your password?', 'Lost your password'), '', trim($text, '?') );
}
add_filter( 'gettext', 'remove_lost_your_password' );
function disable_reset_lost_password()
{
return false;
}
add_filter( 'allow_password_reset', 'disable_reset_lost_password');
Note - you can update userid - as per your requirements
I am using add_action( 'after_setup_theme', 'custom_login' ); hook in one of my website for auto redirect user to his dashboard page.
Here is my code :---
function custom_login($username, $password='') {
$creds = array();
$creds['user_login'] = $username;
$creds['user_password'] = $password;
$creds['remember'] = true;
$user = wp_signon( $creds, false );
if ( is_wp_error($user) ){
echo $user->get_error_message();
}
}
// run it before the headers and cookies are sent
add_action( 'after_setup_theme', 'custom_login' );
Its working fine on old version, But now I have upgrade wordpress version and its creating problem with nonce.
Are you sure you want to do this?
Everytime this error display on the screen when I do anything like update plugin, theme and permalinks.
When I comment this code then website working fine except auto redirect functionality.
Here is my website url :- https://www.linearrecruitment.co.uk/
Please help me where I do mistake.
That's a normal behaviour - nonce is a token used by Wordpress to check the validity of the form in order to prevent CSRF attacks.
A valid login form in Wordpress should have an hidden input field generated with wp_nonce_field:
wp_nonce_field('my_login_form');
Then in the login function the token is checked with the wp_verify_nonce function:
if (!isset($_POST['my_login_form']) || !wp_verify_nonce($_POST['_wpnonce'], 'my_login_form')) {
die('Invalid form');
}
What you're trying to do (auto login) is done wrong as add_action doesn't send any parameter for the after_setup_theme hook, so your username is probably empty. I don't know how this could possibly work before, maybe it managed to log in somehow with an empty username.
I suggest you to declare some globals vars for your username and password, as it seems to be static inputs:
global $username, $password;
$username = 'my_login';
$password = 'my_password';
And then on the beginning of your function import those globals with:
global $username, $password;
So what about the nonce?
On the last versions of Wordpress, the check_admin_referer have changed a bit, from:
function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
if ( -1 == $action )
_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2' );
$adminurl = strtolower(admin_url());
$referer = strtolower(wp_get_referer());
$result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
if ( !$result && !(-1 == $action && strpos($referer, $adminurl) === 0) ) {
wp_nonce_ays($action);
die();
}
do_action( 'check_admin_referer', $action, $result );
return $result;
}
To :
function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
if ( -1 == $action )
_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2' );
$adminurl = strtolower(admin_url());
$referer = strtolower(wp_get_referer());
$result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
do_action( 'check_admin_referer', $action, $result );
if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
wp_nonce_ays( $action );
die();
}
return $result;
}
As you can see they moved the check_admin_referer hook - now we can change the value of $result before the wp_nonce_ays function (the one that display the message you try to get rid of) as been called.
That mean we could add the following hook in the theme functions.php in order to force the nonce validation:
add_action( 'check_admin_referer', array('custom_check_admin_referer' ) );
function custom_check_admin_referer() {
return 1;
}
That should work around your problem, but you must be aware that this could possibly be a security issue - you maybe want to do more test in that function before returning 1.
This code checks if a user is logging in for the first time, that is after registration. I want to redirect him to a custom page if so. Otherwise, redirect him to the homepage or admin page.
function mylogin_redirect() {
global $user_ID;
if( $user_ID ) {
$user_info = get_userdata( $user_ID );
// If user_registered date/time is less than 48hrs from now
// Message will show for 48hrs after registration
if ( strtotime( $user_info->user_registered ) > ( time() - 172800 ) ) {
header("Location: http://example.com/custompage");
} elseif( current_user_can( 'manage_options' )) {
header("Location: http://example.com/wp-admin/");
} else {
header("Location: http://example.com/");
}
}
}
add_action('wp_head', 'mylogin_redirect');
But it doesn't work? My guess is it doesn't get hooked into wp_head...
I tried the following using login_redirect filter:
function mylogin_redirect($redirect_to, $url_redirect_to = '', $user = null) {
global $user_ID;
if( $user_ID ) {
$user_info = get_userdata( $user_ID );
// If user_registered date/time is less than 48hrs from now
// Message will show for 48hrs after registration
if ( strtotime( $user_info->user_registered ) > ( time() - 172800 ) ) {
return get_bloginfo('url') . "/custompage/";
} elseif( current_user_can( 'manage_options' )) {
return admin_url();
} else {
return get_bloginfo('url');
}
}
}
add_filter('login_redirect', 'mylogin_redirect');
Though it logs me in, it doesn't get me anywhere but to http://example.com/wp-login.php instead with a blank page.
UPDATE:
Ok, I don't know what's happening. Using the filter hook, I can get to the intended destination only after second login. Well not really second login but on the second click of the login button. I did it like so: enter credentials -> login -> (wrong page) -> hit back button -> enter credentials again -> login -> (correct page). Weird.
You need to adjust your filter call like so;
// filter name, callback, priority, accepted args
add_filter('login_redirect', 'mylogin_redirect', 10, 3);
Redirecting users on first login in WordPress: Cookie-based solution & User meta table based solution