Authentication from WordPress REST API - wordpress

After searching the WordPress documentation and Google, I haven't found any proper way to achieve my goal: being able to log in to WordPress from a custom third-party application built with Node.js.
The steps are: check whether the username/password pair belongs to an administrator, then process tasks in my external app.
Has anyone already used the WordPress REST API to authenticate a user? WITHOUT INSTALLING ANY PLUGIN; I just want to get a response from the server telling me whether my username/password pair is valid and is an administrator. I know I can query the database to check, but I want to go through the built-in WP REST API.
Thank you.

The simple answer is no, and here is why:
"While cookie authentication is the only authentication mechanism available natively within WordPress, plugins may be added to support alternative modes of authentication that will work from remote applications. Some example plugins are OAuth 1.0a Server, Application Passwords, and JSON Web Tokens."
Source: WordPress Official Handbook
However, there is a painful and insecure way of doing it with plain HTTP authentication, which is not recommended.
The recommended way of doing this securely is to get the WordPress JWT or OAuth Server extension and go through the standard authentication process, which is more convenient and secure; WordPress already lists them, as referenced in the quote. Hope this helps!

Related

How to secure a custom REST API that is used by a WordPress plugin

I would like to program a REST API to be used by a WordPress plugin. The REST API should only work if the WordPress user also has certain rights. I would like to know how I can protect the REST API so that it is not used without permission and only works when a WordPress user is logged in with permission. What is the best way to implement this conceptually? Do you have any ideas?
Thanks.
I don't know what WordPress plugin capabilities are from an authentication perspective, but usually REST APIs respect HTTP standards, so the same authentication schemes apply (Basic, OAuth, API key, etc.). It also depends on where the REST API would run, such as a remote server...

Use OAuth2 or JWT for mobile application with Wordpress backend (REST API)

So... I've read countless articles, but still can't wrap my mind around which to use, or whether a simple JSON Web Token is enough.
I have a Wordpress website and a mobile application of said website.
I can login in my website using email and password and I can also login on my mobile application using email and password.
The mobile application communicates with the website through the Wordpress REST API. It (the mobile app) sends the user email and password to the API, and the API returns a JWT if both are valid.
Then, I simply store the JWT in the user's device.
My main doubts are:
For a mobile app with not much sensitive user data, is that acceptable/safe enough?
For a mobile app with sensitive user data, is that acceptable/safe enough?
Or should I use OAuth2 in both cases (which is harder to implement and will take time, but is safer, I think)?
Thank you and apologies if duplicated.
This is more of a security compliance decision you might have to take.
As a first step, think like a product owner, or ask a product owner which one to use by explaining to them the advantages of OAuth 2.0 over simple JWT.
You might have to consider the following things:
What is the size of the user base?
How sensitive is the data you are going to store?
What is the user experience you want to give to your users?
Also, JWT doesn't mean it is not safe enough.
One more thing you could do to make it more secure is adding an expiry time to your JWT with a refresh token mechanism; that way, even if the JWT is exposed, it will expire later.
JWT is a secure solution and is often used for mobile applications.
If you choose OAuth, you have several options for authentication, because there are several grant types:
Authorization Code grant type, which is the most popular; the advantage of this is that it uses the WordPress login interface.
User Credentials grant type, which has a direct trust relationship with the application that provides the user credentials; this is often used with mobile applications.
You have the option of JWT Access Tokens at the OAuth server, which provides even more security for you.
We have created an OAuth 2.0 plugin for WordPress: https://lana.codes/product/lana-passport/
You can try it with the demo, and there is also detailed documentation for it.
I personally use the OAuth plugin to be able to log in to my WordPress websites using the Single Sign On button, which uses my primary WordPress website for authentication. OAuth is more commonly used for Single Sign On solutions.

WordPress RESTAPI - Restrict unknown

I am not sure about the technical term for what I am looking for. However, I have done this in Laravel using middleware. I am trying to achieve the same in the WordPress REST API.
I am planning to make a site as a service using the WordPress REST API, which I will use cross-platform. Since anyone can access the WordPress API, it is too dangerous.
I want to block it for the public and allow only those who pass the access token (not JWT or OAuth) to access the API. This is how I can limit the access.
So if I make an Android app and pass the access token, it will have access, but anyone who wants to make an app from my API won't be able to.
I hope I have explained it properly. You can see my middleware code, which might help to explain more.
Use the WordPress JWT plugin that adds authentication for the WordPress API: https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/

WordPress REST API - How to Authenticate without a plugin

I've used the WooCommerce REST API for a number of years and I now need to try and upload some media files to WordPress so we can reference these when adding Product Images to existing Products, as the WooCommerce REST API doesn't allow for uploading image files directly. I have no experience with any WordPress REST API implementations as yet.
I'm pretty confused at this stage about whether I need to use a WordPress plugin to allow my remote application (using cURL) to upload files to the Media endpoint. I saw something about not using basic authentication, but I can't see any settings within WordPress itself to create API keys like you do for WooCommerce.
Do I need to use a plugin to enable REST API access to allow remote uploading of media files? From what I've read the REST API is not in the WordPress core (I'm running WordPress 4.9.2), but I can't see where I set up authentication for the API requests.
There are different authentication schemes and for remote applications / integrations, you will generally need a plugin to authenticate.
The default idea is one logs into WordPress (e.g. wp-login.php) and that authorizes that user for any REST API functionality that might require it. An example use-case where this is suitable is a plugin that adds a page in the admin dashboard and its back/forth with the server is implemented via JS + REST API. No additional plugins or anything of the sort is required, especially now that the REST API is part of the core.
For integrations, currently decent options include an OAuth plugin, JWT, and the Application Passwords plugin.
Since you're using cURL and loading data ad hoc, the Application Passwords plugin could be a pretty straightforward choice that's easy to manage. Once the plugin is installed and activated, given a user, you can edit their profile and add one or more Application Passwords (and disable them). The idea is that you use a different password for each application where you want to authenticate as that user.
To use an Application Password, base64-encode "USERNAME:APPLICATION_PASSWORD" and then incorporate the resulting value in an Authorization header along with any requests.
Suppose you create an Application Password for username and the plugin generates "WXYZ WXYZ WXYZ WXYZ WXYZ WXYZ". At a shell prompt you could generate the required base64-encoded format:
echo -n "username:WXYZ WXYZ WXYZ WXYZ WXYZ WXYZ" | base64
For the sake of example, suppose the base64 output is: "AAAAAAAAABBBBBBBBBBBBCCCCCCCCCCCCCCCDDDDDDDDDDD=". You could then use this value in the Authorization header of any requests:
curl --header "Authorization: Basic AAAAAAAAABBBBBBBBBBBBCCCCCCCCCCCCCCCDDDDDDDDDDD=" -X POST -d "title=Editing a Post Title with REST API" https://example.com.test/wp-json/wp/v2/posts/<ID>
It is important to use SSL/TLS, as the Authorization header can be sniffed by an attacker if it is transmitted in plaintext.
Plugin link:
https://wordpress.org/plugins/application-passwords/
So according to WordPress, there are 4 ways to authenticate:
Cookie auth
Basic auth
OAuth
JSON Web Tokens
Unfortunately, all of these methods require you to either edit your functions.php file or download a plugin. There's currently no way around that.
I've found the fastest way to quickly get this running is to use this plugin. Or, if you don't actually want to install the plugin, just put their code into your theme's functions.php file and basic auth should be ready to use. Maybe not a great long-term solution, but it'll get you up and running.

Integrate social logins like Facebook to a LDAP directory

For multiple applications, I want to build a centralized account solution. The core consists of some ASP.NET Core web applications. But I also want to include third-party applications like WordPress, GitLab, or a XAMPP/HipChat server. My goal: The user creates ONE account, which can be used in all of those applications. So an LDAP server seems the best way for this since many applications have support for this protocol. This also gives flexibility for other applications, which may be added later.
The problem here is that the users should be able to authenticate using common social sites, especially Facebook. It's state of the art and would increase the conversion rate, because it's easier for the users.
Is it possible to integrate social login providers like Facebook with LDAP servers like ApacheDS?
As I see it, Facebook generates some kind of authentication token, which the application can use to verify the identity of the user. In my custom web apps, this is no problem. But for e.g. a XAMPP server, this doesn't seem to work: LDAP requires a username/password. But I don't have this, since there is only a Facebook token available. The LDAP server could store this in an attribute. However, this would require checking this token instead of a password on an LDAP bind.
On the other hand, when I drop the LDAP server and use some framework like ASP.NET Core Identity instead, it's not a big deal. The problem here: I'm not able to use this login for third-party applications. This would require the users to have an additional account for e.g. XAMPP, WordPress, and so on, which results in big chaos and is therefore not suitable for me.
By dropping social support, it works. This seems also not to be a good idea since those logins are state of the art and I'm targeting younger users, which expect an SSO solution with Facebook or similar providers.
Facebook (and other social login sites) use a protocol named OAuth to authenticate. Probably the easiest solution would be to implement an OAuth server yourself that uses your LDAP as backend and then add that beneath the Facebook login as the second way of login.
That will not add users logging in via Facebook to your LDAP, but since you usually only get an OAuth token back for login (not necessarily a username), which needs to be verified against Facebook (or whoever provided that token), it doesn't work to use it as a "password replacement".