Support » Plugin: HTTP Authentication » HTTP Authentication doesn't work with othe auth plugins

  • Hello,

    there is problem with the way how plugin handle filter hook via:

    add_filter(‘authenticate’, array($this, ‘authenticate’), 10, 3);

    Lets suppose, that other auth plugins using similar hooks to authenticate by different means. I personally observer this problem with LDAP Auth.

    Suppose that you have hooks like this (and please do not ask me why all plugins authors choose 10 as filter priority, I do not know 🙂

    add_filter(‘authenticate’, array($this, ‘ldap_auth’), 10, 3);
    add_filter(‘authenticate’, array($this, ‘authenticate’), 10, 3);
    add_filter( ‘authenticate’, ‘wp_authenticate_username_password’, 20, 3 );
    add_filter( ‘authenticate’, ‘wp_authenticate_spam_check’, 99 );

    Base on docs:
    https://codex.wordpress.org/Plugin_API/Filter_Reference/authenticate
    there are 3 parameters of the hooked function ($user, $username, $password)

    $user (null or WP_User or WP_Error) (required) null indicates no process has authenticated the user yet. A WP_Error object indicates another process has failed the authentication. A WP_User object indicates another process has authenticated the user.

    Lets see how HTTP Auth use this variables:

    function authenticate($user, $username, $password) {
                    $user = $this->check_remote_user();

    HA! there is a problem on the first line! Suppose that LDAP Auth plugin hooked before HTTP Auth and successfully authenticated user. But HTTP Auth without checking value of $user overwrite it by returned value from checking http user env variable. If it is not set, whole authentication will fail, even if the user was successfully authenticate by the previous plugin!.

    What should be done instead in each! auth plugin is to check, if the previous authenticate filter did not set $user variable to wp_user object, for example:

    function authenticate($user, $username, $password) {
                    if (! empty($user) && ! is_wp_error($user)) {
                        return $user;
                    }
    
                    $user = $this->check_remote_user();

    Otherwise each subsequent plugin will simply overwrite $user by it’s results.

    Could you please include proposed check into the code, I am too lazy to do backporting. :-)))

    Kind regards
    Litin

    https://wordpress.org/plugins/http-authentication/

Viewing 1 replies (of 1 total)
  • Hello,

    during testing I created bit better patch, so here it is:

    --- /tmp/http-authentication/http-authentication.php	2012-06-25 00:19:08.000000000 +0200
    +++ http-authentication.php	2015-10-15 17:57:31.632147339 +0200
    @@ -147,6 +147,10 @@
     	 * If allowed, fall back to WordPress password authentication.
     	 */
     	function authenticate($user, $username, $password) {
    +                if (isset($user) && $user->ID) {
    +                    return $user;
    +                }
    +
     		$user = $this->check_remote_user();
    
     		if (! is_wp_error($user)) {
    @@ -181,7 +185,7 @@
     			}
     		}
    
    -		if (! $username) {
    +		if (! $username && ! $this->allow_wp_auth()) {
     			return new WP_Error('empty_username', '<strong>ERROR</strong>: No user found in server variables.');
     		}

    It also suppress warning if fallback login is allowed.

    BTW: I really love my randomly selected icon! 🙂

    BR
    Litin

Viewing 1 replies (of 1 total)
  • The topic ‘HTTP Authentication doesn't work with othe auth plugins’ is closed to new replies.