Wordpress auth library for Codeigniter (or other framework) - wordpress

I'm looking to build a library for Codeigniter that communicates with the Wordpress database to provide functions such as login, logout and register. Logging in through the Codeigniter app should not make a difference compared to logging in through the Wordpress site. So I can switch between the two of them without having to login twice.
I'm not looking to "integrate Wordpress with Codeigniter" and whatever else people are asking about. I just want to use the Wordpress DB to authenticate users and then create the right cookies etc.
If anybody knows of any projects already existing that would be helpful to me as I embark on this I would like to hear about them.

This is an example of the integration that seems to need. It is not CI, but it is only a couple of functions and can serve as a starting point.
EDITED
Revisiting the issue, it seems to me that you ask as it is cumbersome because you have to rewrite things that WP does very well.
Either way, the names of the cookies consist of a prefix and a compile id of the site, it's just a md5 of the URL of the blog. Are defined in the file "wp-includes/default-constants.php".
The one you're interested in could be used like this:
//$wp_url like this: http://domain.com, Exactly as written in the configuration
$cookie= "wordpress_logged_in_".md5($wp_url);
The contents of this cookie will be something like: admin|7C1314493656|7Cdd41a2cd52acbaaf68868c850f094f9f
$cookie_content= explode("|",$this->input->cookie($cookie,true));
if(count($cookie_content)>0){
$user_name= $cookie_content[0];
}else{
//No user identified, do something...
}
Bonus Pack
While studying the WP code was writing a small library that does just that, using the WP login and access levels directly in CI. Available in bitbucket GPL2 licensed (as WP): CiWp-Auth.

WordPress uses MD5 to encrypt their password so you can just query the wp_users table with the username and the password after you MD5 it. The query would look something like this:
$credentials = array(
'user_login' => $this->input->post('username'),
'user_pass' => md5($this->input->post('password'))
);
$this->db->where($credentials);
$user = $this->db->get('wp_users');
That should return the user account info you are looking for in the $user var, then you can work with it just like any other authentication method.

Related

Update WordPress Theme / Plugin from Private GitHub Repo

Background
I am working on a custom theme for my WordPress site which I would like to manage from a private GitHub repo. (This theme will never be pushed into the WordPress market place) The general idea would be that I use the repo to manage the code and then once I tag a new version, the tag would trigger an update for the WordPress theme.
I have this pattern working using the following as a template:
https://github.com/krafit/wp-gitlab-updater
(Yes, I know the repo is for Gitlab and not GitHub)
Since my repo is private, I will need to generate a user token to allow the theme to be updated. And because the user token is capable of accessing all my private repos, the idea of sharing the user token with another plugin is discomforting from a security standpoint. (Meaning, I'm uncomfortable using a plugin like: https://github.com/afragen/git-updater)
Question
The problem is that GitHub has deprecated the use of access_token as a query string parameter, so all tokens must be sent over as an Authorization header.
How do I add an authorization header to the request WordPress sends to download the artifact?
What I've Tried
When I check for new tags I use the code:
protected function fetch_tags_from_repo( $git_url, $repo, $access_token ) {
$request_url = "$git_url/repos/$repo/tags?access_token=$access_token";
$args = [
"headers" => [
"Accept" => "application/vnd.github.v3+json",
"Authorization" => "token " . $access_token
]
];
$request = wp_safe_remote_get( $request_url, $args );
return $request;
}
This works without any issues. However...
During the pre_set_site_transient_update_themes hook I return an object that looks like:
$transient->response[ $theme['name'] ]['theme'] = $theme['name'];
$transient->response[ $theme['name'] ]['new_version'] = $latest_version;
$transient->response[ $theme['name'] ]['package'] = $theme_package;
The problem is, I have no way of adding an Authorization header to the transient response object. Therefore, when WP later tries to download the artifact, it fails.
Note: The $theme_package string is a URL which looks like:
$theme_package = "$git_url/repos/$repo/zipball/refs/tags/$latest_version";
Any support appreciated, thank you!
Honestly, this problem has been exhausting and enough is enough...
Answer
Eject from GitHub and use Gitlab because they still support access_token as a header. They have unlimited free private repos <5gb storage.
If you are planning to distribute the private repo with a license I recommend you not to expose your access credentials in the script.
Instead you should use the GitHub PHP API together with a SSH Key that you setup in your repo settings or a GitHub App with access permission granted on your repo.
Here is a solid SDK to start from:
https://github.com/KnpLabs/php-github-api
Alternatively as you suggested it in your answer, a third party service could be used to manage the credentials on your behalf.
Gitlab is a nice generic and low cost option but if you are looking for something dedicated to Wordpress development I recommend WP Package Editor (WP2E)
Among other things the service uses a registered GitHub App to pull the latest version from public / private GitHub repositories:
https://github.com/marketplace/wp-package-editor
This is quoted from the documentation regarding how it is implemented with GitHub:
For a script to be successfully imported to the library of repositories and later be synchronized as an installer dependency there are 4 conditions :
The GitHub App must be connected to a WP2E account
The “read-only” access to the repository must be granted to the WP2E GitHub App
The script must be a valid WP theme or plugin
The repository must have at least one “release” on GitHub
Note: In order to synchronize with the GitHub account/repo the GitHub App should be integrated via the saas panel ( not directly via the GitHub Marketplace )

Brute force attack / user enumeration

Since last week I keep getting alerts about failed login attempts on my wordpress site.
The first couple of days the attacker used wrong username and subsequently was locked out after 3 attempts. I use the sucuri free and wp-security plugins. The later one has a login lockdown function.
My surprise came when after a couple of days the attacker found and used my username. I immediately changed it to a new username thinking that I would be safe. I also used most of the hardening options on both plugins. I specifically checked that the string
?author=n, does not provide any results on my website.
Regardless, today I got 3 more alerts that someone tried to login with this new username, which means I am locked out of my own site for 24 hours.
This leaves me wondering:
a) how is it possible for someone to find my username?
b) is there any other plugin like cerber security that prevents these exploits?
c) is there any rule I can add to htaccess? (although I believe that sucuri and wp-security have added several rules)
many thanks!
listing users
A user can list your usernames using :
yoursite.com?author=1
Where the ID is a user_id.
You can prevent it by detecting the author page, and redirect it with this for example (put in your theme function.php):
// Disable access to author page
function remove_author_pages_page() {
global $wp_query;
if ( is_author() ) {
$wp_query->set_404();
status_header(404);
wp_redirect(get_option('home'));
}
}
add_action( 'template_redirect', 'remove_author_pages_page' );
Find username from wp-admin
A attacker can find username by tring to login on wp-admin
If a attacker enter a good username, even with a wrong password, wordpress error message changes so attacker knows that the username exist
You can add this code to your function.php to prevent wp-admin wrong login error messages giving any pieces of information.
code:
function no_wordpress_errors() {
return '<strong>Error</strong>: check your logins';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
prevent wp-admin bruteforce
This is a solution I really like:
It use the wp-fail2ban plugin
Your server needs the fail2ban package installed and configured
This package allows you to ban (from iptables) IP that fails to many time to connect SSH, or brute-force a port
the wp-fail2ban plugin gives you a custom fail2ban jail to add to your fail2ban jails (wp plugin have a complete documentation about it)
with both installed, fail2ban will ban IP that fails too much on WP-admin (on the IPtable level, so PHP is not even reached. Attacker, in the end, won't use much server resources as the server will block his IP. He cannot even reach PHP)
Some other plugin (like Wordfence) also provides some security, but as it reaches PHP attacker use much more resources. But it needs less technical knowledge to implement.

Are there new facebook restriction for Rfacebook package?

I want to get some data from Facebook, so I wanted to create application to get token for 60 days like I did few months ago. Then everything worked well, I just followed steps from the tutorial like this:
http://thinktostart.com/analyzing-facebook-with-r/
So It was enough to create "empty" application, write in R with proper id and secret
fb_oauth <- fbOAuth(app_id="123456789", app_secret="1A2B3C4D",extended_permissions = TRUE)
fill website page as http://localhost:1410/ and autenthication was complete and I was able to make get some data from facebook. It seems that it is not so easy anymore.
When I try to follow exactly the same steps it seems that now I have to fill in my application (with some description, photos...) and "send" it to submission.
Do you have similar problem or I just miss something? I just want to use information from facebook for my own use, not for business or something. Is there any (other) way to get a token for R which allows me to get some information from Facebook without filling application. I don't think that filling it with some fake data will pass facebook verification.
I just want to use information from facebook for my own use
Then you don’t need to submit it for review.
See https://developers.facebook.com/docs/apps/faq#roles – it explains that you can ask any user that has a “role” in the app (meaning admin, developer or tester) for any permission without prior review.
For one, this is of course implemented this way, so that people can actually test the functionality they are developing properly. And it is also an “official loophole” for apps such as yours, that are for “private use” only, and not meant to be used by the general public in the first place.
(And this has nothing whatsoever with the Rfacebook package – it is the same for all apps, no matter what framework/SDK they might be using.)
UPDATE
As #CBroe said earlier, you do not need an approved app, you just need to add the users of the app as admin in the app's role menu in Facebook Developers.
Follow these steps and you will get your permanent FB token:
Create new application at https://developers.facebook.com/apps/ with basic setup
Fill in the app name in lower case and without the words Facebook or FB for display name and namespace, category set to Business
In "Settings/Basic" I added a new "Website" platform with the URL of http://localhost:1410/ and localhost as the "App Domain"
In the "Settings/Advanced" tab I added http://localhost:1410/ as the Valid OAuth redirect URIs
Then, run this code:
library(httr)
app <- oauth_app('facebook', appid, appsecret)
Sys.setenv("HTTR_SERVER_PORT" = "1410/")
tkn <- oauth2.0_token(
oauth_endpoints('facebook'), app, scope = c('ads_management', 'read_insights'),
type = 'application/x-www-form-urlencoded', cache = FALSE)
save(tkn, file = "~/Documents/RFiles/fb_token") # save the token for future use
Make sure you put 'read_insights' in scope, otherwise you are not telling Facebook what kind of permissions you want the app to take.
Finally you can use the token:
library(Rfacebook)
load("~/Documents/RFiles/fb_token")

Facebook php SDK getUser returns 0 apart from my laptop and the app developer

I've looked over hundreds of answers for similar issues to this but can't find anything that seems to help.
I'm running the latest version of the PHP SDK and a login to facebook button which has a generated link from getLoginUrl().
Running on my development laptop and logged in as the application developer it passes me back to the redirect url (Both the callback url when calling getLoginUrl() and the URL set in my application settings are exactly the same) I then do a getUser call which will function in these circumstances.
If i try the same process using my Iphone on the same network, logged in as the same user on facebook getUser() returns 0.
It also does the same for any other user trying to login with facebook.
Sandbox mode is disabled.
my app domains seem to be set up correctly.
I'm really unsure of what to do next.
Many thanks for your responses guys - Turns out the issue was i was sending the request from one page and redirecting back to another. This seems to upset facebook (I'm guessing it will only re-direct back to the page it was called from).
That solved the problem anyway - but many thanks for your responses.
First make sure you are maintaining sessions in your scripts with:
session_start();
at the top of your php file.
Next use something like this to test if you have a fb user and if not, redirect them to the oauth, which will just renew their token if they've already authorized by it's expired.
require_once('facebook/fb.inc');
session_start();
if (!$fbUser) {
$loginUrl = $facebook->getLoginUrl(
array(
'scope' => 'email,publish_stream,user_location',
'redirect_uri' => 'http://scubadivinglog.org/php/fblink.php'
)
);
echo "<script type='text/javascript'>top.location.href = '$loginUrl';</script>";
exit;
}
Hope this helps. Let us know and if not post the code you are using.

Drupal: customizing user registration workflow for communicating with another webapp

I'm new to Drupal6 and spent long time searching how to implement the following feature without success: I use Drupal as front-end/doc board for a web-app. I want to mirror all user account creation, update and deletion on this web-app, i.e. send user name and password.
I started coding a little module implementing hook_user (http://api.drupal.org/api/function/hook_user/6), but I am still wondering on several question concerning this hook:
1) I can't find a doc concerning the $account fields, and thus don't know how to retrieve the user name and password.
2) The insert operation informs that "The user account is being added". Is that triggered when the user query an account or when his/her pending account creation has been approved?
3) User management on the 'slave' webapp is done through a URL interface. I only know the header("Location: http://webapp/users/add?user=martin&pwd=bla") PHP primitive, but I fear this will make a redirection, instead of just hiting the target page and continue code flow. Any suggestion?
Maybe some of you already programmed such a module, or would have links for more documentation?
Thanks in advance,
Martin
Taking a step back and looking at the big picture, you have several options.
Use OpenID (there's a core Drupal module for it) for both sites
Use LDAP (there's a really good Drupal contrib module for it)
Look at other modules offer user login sharing with other apps (such as http://drupal.org/project/phpbb or http://drupal.org/project/moodle or many others) for inspiration
Have your web app use Drupal's user table. This is relatively easy as the username is there in plaintext and the password is just MD5'ed (so no salts or anything to muddy up the waters).
Basically, hook_user is wrong. What you need to do is use hook_form_alter to change the '#validate' parameter of the login form. That way, the validate is passed to your function in your module where you are getting $form_values['username'] and $form_values['password']. You pass that on to your URL via curl. If it returns correctly, return nothing. If it doesn't return, use form_set_error and it will deny the login.
Good luck!
In order to just retrieve a response from a page, you can use drupal_http_request()
And a general security note, make sure you're authenticating and validating the requests between applications. Passing passwords in plain text via GET parameters over HTTP also makes me a little queasy, but I don't know your application set up.
Here is the final piece of code that works. Note that the password is retrieved md5ified, so the slave webapp must be able to do so as well:
function mirror_registration_user($op, &$edit, &$account, $category = NULL) {
$cmd = 'http://www.example.com/register?name='.$account->name.'&pass='.$account->pass;
if($op == 'insert'){
$cmd .= '&op=insert';
drupal_http_request( $cmd );
}
else if($op == 'delete'){
$cmd .= '&op=delete';
drupal_http_request( $cmd );
}
else if($op == 'after_update'){ // 'update' is a "before update event"
$cmd .= '&op=update';
drupal_http_request( $cmd );
}
}
Remark: in our case, registration requires admin approval. In this case, there's an 'update' event. The 'insert' event is triggered as soon as the user queries an account.
Informations for other newbies:
When trying to debug the code, one can echo $cmd to have the content of $cmd writen on top left of the following page.
If you write crapy php code and get a blank page when using the hook, you may add to Drupal/index.php the following calls: error_reporting(E_ALL);
ini_set('display_errors', TRUE);
ini_set('display_startup_errors', TRUE); that allow having debug info.

Resources