
JSON REST API (WP API)
[resolved] Authentication hacks (3 posts)

  1. dunar21
    Member
    Posted 7 months ago #

    In wp-json-server.php, line 98, method check_authentication: you create a hook that allows custom authentication, however you do not allow for a fail-safe from that hook. The method only checks to see whether a successful login is returned. If not, it goes on to check Basic Authentication. I don't know if I'm off here, but if someone felt that Basic Authentication was unsafe and did not want it to be available at all, they cannot currently prevent access attempts of this nature. Failure of login only allows for a test of Basic Auth. You may want to consider checking for null or some other fail value to return false and discontinue execution of the remainder of the method.

    http://wordpress.org/plugins/json-rest-api/
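The control flow described in the post above, as an added illustration that is not the plugin's own code: a simplified stand-in for `check_authentication()` in the shape the post describes (apply the `json_check_authentication` filter, short-circuit only on a `WP_User`, otherwise fall through to Basic Auth), next to the fail-safe variant the post asks for. The hook shims, `WP_User`/`WP_Error` stand-ins and the credential store are constructed so the file runs outside WordPress; the line-98 implementation itself is not reproduced here.

```php
<?php
// Added example, not from the json-rest-api plugin. Minimal stand-ins for the
// WordPress hook API and for WP_User / WP_Error so this runs outside WordPress.
$filters = [];
function add_filter($tag, $cb) { global $filters; $filters[$tag][] = $cb; }
function apply_filters($tag, $value) {
    global $filters;
    foreach ($filters[$tag] ?? [] as $cb) { $value = $cb($value); }
    return $value;
}
class WP_User  { public $login; function __construct($l) { $this->login = $l; } }
class WP_Error { public $code;  function __construct($c) { $this->code  = $c; } }

// Stand-in for the Basic Auth path (wp_authenticate on PHP_AUTH_USER/PHP_AUTH_PW).
// The credential store is a constructed sample, not a real account.
function basic_auth_user() {
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) return null;
    $valid = ['admin' => 'hunter2'];
    $u = $_SERVER['PHP_AUTH_USER'];
    if (isset($valid[$u]) && hash_equals($valid[$u], $_SERVER['PHP_AUTH_PW'])) {
        return new WP_User($u);
    }
    return new WP_Error('invalid_credentials');
}

// Behaviour the post describes: only a WP_User from the hook short-circuits;
// anything else (null, false, WP_Error) falls through to Basic Auth.
function check_authentication_current() {
    $user = apply_filters('json_check_authentication', null);
    if ($user instanceof WP_User) return $user;
    return basic_auth_user();
}

// Fail-safe variant the post suggests: an explicit failure value from the hook
// ends the method, so a site can veto Basic Auth entirely.
function check_authentication_failsafe() {
    $user = apply_filters('json_check_authentication', null);
    if ($user instanceof WP_User) return $user;
    if ($user === false || $user instanceof WP_Error) return $user; // hook vetoed
    return basic_auth_user();
}

// A site owner who wants Basic Auth switched off (hypothetical callback).
add_filter('json_check_authentication', function ($user) {
    return $user ?: new WP_Error('basic_auth_disabled');
});

// Constructed request: valid Basic credentials arrive despite the veto.
$_SERVER['PHP_AUTH_USER'] = 'admin';
$_SERVER['PHP_AUTH_PW']   = 'hunter2';
var_dump(check_authentication_current()  instanceof WP_User);  // true: still logged in
var_dump(check_authentication_failsafe() instanceof WP_Error); // true: request rejected
```

The veto only works if the method treats a distinct failure value differently from "no opinion" (`null`); returning `false` or a `WP_Error` from the filter is the natural signal, and the fall-through to Basic Auth should be reserved for `null`.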

  2. dunar21
    Member
    Posted 7 months ago #

    It is possible authentication will not work for those running PHP as CGI/suEXEC.

    I found a good resource that provides a fix for this (or a workaround anyway):
    http://www.besthostratings.com/articles/http-auth-php-cgi.html

    In order to implement this with the API, first adjust your .htaccess file by adding

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
    </IfModule>

    then utilize the authentication filter to provide HTTP authentication values (NOTE: this example uses base64_decode, which means that the authentication values were sent base64-encoded: *base64_encode("username:password")*):

    // Rebuild PHP_AUTH_USER / PHP_AUTH_PW from the raw header forwarded by the
    // RewriteRule above. substr(..., 6) strips the "Basic " scheme prefix.
    function fixTheCheckAuth($user = null) {
        if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
            list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
                explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);
        }
        return $user; // a filter callback must hand its value back unchanged
    }
    add_filter('json_check_authentication', 'fixTheCheckAuth');

    ============================================
    The above actually did not work for me. This did, however; it is a method from a responder in the resource above (http://www.besthostratings.com/articles/http-auth-php-cgi.html):

    Sébastien Marinier said,
    May 07, 2009 @ 10:57

    With Apache 2.2 and PHP 5 (CGI mode), I've used

    SetEnvIfNoCase Authorization "Basic ([a-z0-9=]+)" REMOTE_AUTHORIZATION=$1

    This gives me $_SERVER["REDIRECT_REMOTE_AUTHORIZATION"] as a global var.
    I don't know if "REDIRECT_" prefix is due to my configuration/environment. You may try without it.

    After that, you can use the following code before using both PHP_AUTH_* vars in the traditional way:

    // SetEnvIfNoCase captured only the base64 payload (no "Basic " prefix).
    if (isset($_SERVER["REDIRECT_REMOTE_AUTHORIZATION"]) && $_SERVER["REDIRECT_REMOTE_AUTHORIZATION"] != '') {
        $d = base64_decode($_SERVER["REDIRECT_REMOTE_AUTHORIZATION"]);
        // Limit of 2: a password may itself contain ':'.
        list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', $d, 2);
    }
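The two workarounds in this post both amount to "find the Authorization value wherever Apache put it, then rebuild PHP_AUTH_USER and PHP_AUTH_PW". As an added example (not code from the plugin or the linked article) here is a single function that handles the variants the thread mentions: the full `Basic <base64>` header forwarded by the RewriteRule, with or without the `REDIRECT_` prefix Apache adds to environment variables set during a rewrite, and the bare base64 payload captured by the `SetEnvIfNoCase` line. Decoding is strict, the scheme is checked rather than blindly stripped with `substr`, and the split allows a `:` inside the password. The `$server` arrays at the bottom are constructed samples; the key names other than `HTTP_AUTHORIZATION` are assumptions taken from this thread.

```php
<?php
// Added example, not the plugin's code. Assumes one of the Apache snippets in
// this thread is in place so the Authorization header (or its base64 payload)
// reaches PHP through one of the $_SERVER keys below.

// Returns [user, password] or null if no usable Basic credentials are present.
function recover_basic_auth(array $server) {
    // Keys carrying the whole header value, e.g. "Basic dXNlcjpwYXNz".
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!empty($server[$key])) {
            // Only the Basic scheme is ours; Bearer/Digest etc. are left alone.
            if (!preg_match('#^Basic\s+([A-Za-z0-9+/=]+)$#i', trim($server[$key]), $m)) {
                return null;
            }
            return decode_basic_payload($m[1]);
        }
    }
    // Keys set by SetEnvIfNoCase, which carry only the base64 payload.
    foreach (['REMOTE_AUTHORIZATION', 'REDIRECT_REMOTE_AUTHORIZATION'] as $key) {
        if (!empty($server[$key])) {
            return decode_basic_payload($server[$key]);
        }
    }
    return null;
}

function decode_basic_payload($b64) {
    $decoded = base64_decode($b64, true); // strict: reject malformed input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // limit 2: passwords may contain ':'
}

// Populate the variables wp_authenticate-style code expects. Under mod_php they
// are already set, so do nothing in that case.
function populate_php_auth() {
    if (isset($_SERVER['PHP_AUTH_USER'])) return;
    $creds = recover_basic_auth($_SERVER);
    if ($creds !== null) {
        list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = $creds;
    }
}

// Constructed samples of what CGI/suEXEC setups hand to PHP.
$samples = [
    'rewrite'   => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:pa:ss')],
    'redirect'  => ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('bob:secret')],
    'setenvif'  => ['REDIRECT_REMOTE_AUTHORIZATION' => base64_encode('carol:hunter2')],
    'bearer'    => ['HTTP_AUTHORIZATION' => 'Bearer not-for-us'],
    'garbage'   => ['HTTP_AUTHORIZATION' => 'Basic %%%'],
];
foreach ($samples as $name => $server) {
    printf("%-9s => %s\n", $name, json_encode(recover_basic_auth($server)));
}
// alice keeps her full password "pa:ss"; bearer and garbage yield null.
```

One caveat on the `SetEnvIfNoCase` regex quoted above: `[a-z0-9=]+` (even case-insensitively) does not match `+` or `/`, which are legal base64 characters, so some username:password combinations will silently fail to be captured; `[A-Za-z0-9+/=]+` covers the whole alphabet. In WordPress this function would be called from the `json_check_authentication` filter as in the post, and the callback must still return the value it was given.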

  3. Ryan McCue
    Member
    Plugin Author

    Posted 5 months ago #

    Basic Authentication is being moved to a plugin in the future; see #37
