• Resolved therealgilles

    (@chamois_blanc)


    I am encountering an issue where The Events Calendar plugin is forcing user authentication during its initialization. The stack trace is as follows:

    => wp_validate_application_password() / .../wp-includes/class-wp-hook.php, line 287
    => apply_filters() / .../wp-includes/plugin.php, line 212
    => apply_filters() / .../wp-includes/user.php, line 3005
    => _wp_get_current_user() / .../wp-includes/pluggable.php, line 70
    => wp_get_current_user() / .../wp-includes/pluggable.php, line 2198
    => wp_create_nonce() / .../wp-content/plugins/the-events-calendar/common/src/Tribe/Admin/Help_Page.php, line 55
    => register_assets() / .../wp-content/plugins/the-events-calendar/common/src/Tribe/Main.php, line 264
    => load_assets() / .../wp-includes/class-wp-hook.php, line 287
    => apply_filters() / .../wp-includes/class-wp-hook.php, line 311
    => do_action() / .../wp-includes/plugin.php, line 484
    => do_action() / .../wp-content/plugins/the-events-calendar/common/src/Tribe/Main.php, line 107
    => plugins_loaded() / .../wp-includes/class-wp-hook.php, line 287
    => apply_filters() / .../wp-includes/class-wp-hook.php, line 311
    => do_action() / .../wp-includes/plugin.php, line 484
    => do_action() / .../wp-settings.php, line 420
    => require_once() / .../wp-config.php, line 133
    => require_once() / .../wp-load.php, line 37
    => require_once() / .../wp-blog-header.php, line 13
    => require() / .../index.php, line 17

    The register_assets() function calls wp_create_nonce(), which calls wp_get_current_user(), which triggers user authentication. Because this is happening at plugin init time, functions.php has not been loaded and therefore filters like rest_url_prefix are not in place yet. So it does not seem like REST_REQUEST can be properly set.

    My question is whether The Events Calendar plugin is doing something wrong, or if there is something else that I am missing here.

    Thanks for any insight and advice.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter therealgilles

    (@chamois_blanc)

    I found out how the REST API handles the (premature) user authentication issue in wp-includes/rest-api/class-wp-rest-server.php:

    
      public function serve_request( $path = null ) {
        /* @var WP_User|null $current_user */
        global $current_user;
    
        if ( $current_user instanceof WP_User && ! $current_user->exists() ) {
          /*
           * If there is no current user authenticated via other means, clear
           * the cached lack of user, so that an authenticate check can set it
           * properly.
           *
           * This is done because for authentications such as Application
           * Passwords, we don't want it to be accepted unless the current HTTP
           * request is a REST API request, which can't always be identified early
           * enough in evaluation.
           */
          $current_user = null;
        }

        // ... remainder of serve_request() omitted from this excerpt ...
      }
    
    Plugin Author Kaspars

    (@kasparsd)

    @chamois_blanc This plugin has been merged into WP core https://make.www.ads-software.com/core/2020/11/05/application-passwords-integration-guide/ — can you please check if you can disable the plugin?

    Thread Starter therealgilles

    (@chamois_blanc)

    Hi @kasparsd, thank you for your response. I am not using the plugin anymore. I was wondering how you had handled proper authentication in case a plugin triggers it before everything is set up for REST API access. The answer I was looking for was the code above, i.e. resetting $current_user to null once everything is set up.

    I am using wp-graphql and encountered the authentication issue. I was wondering how it was handled with the REST API and found my answer. I added very similar code to wp-graphql to fix the issue and it’s all working now.

    Still not sure whether it’s a good idea for The Events Calendar plugin to trigger user authentication before the after_setup_theme hook has fired.
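
The reset pattern discussed in this thread, applied to a custom (non-REST) API endpoint, as an added example that is not code from any participant, from WordPress core or from wp-graphql. The `/my-api` path and the `myapi_*` function names are hypothetical; `application_password_is_api_request` is the core filter consulted by `wp_validate_application_password()` (WordPress 5.6+).

```php
<?php
/**
 * Added illustration (runs as a plugin inside WordPress 5.6+).
 * Hypothetical names: the /my-api path and every myapi_* function.
 * Assumption: the site is installed at the domain root.
 */

// True only when this HTTP request targets the custom endpoint.
function myapi_is_api_request() {
	$uri  = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '';
	$path = wp_parse_url( $uri, PHP_URL_PATH );
	return is_string( $path ) && '/my-api' === untrailingslashit( $path );
}

// Tell wp_validate_application_password() that this endpoint is an API
// request, the same way REST_REQUEST / XMLRPC_REQUEST do for core endpoints.
add_filter(
	'application_password_is_api_request',
	function ( $is_api_request ) {
		return $is_api_request || myapi_is_api_request();
	}
);

// Drop a cached "no user" result so the next wp_get_current_user() call
// re-runs the determine_current_user filters with the filter above in place.
function myapi_reset_cached_anonymous_user() {
	global $current_user;

	if ( ! myapi_is_api_request() ) {
		return; // Leave every other request untouched.
	}
	// Only clear the anonymous placeholder; never discard a user that was
	// already authenticated (for example by a login cookie).
	if ( $current_user instanceof WP_User && ! $current_user->exists() ) {
		$current_user = null;
	}
}
// Assumption: the endpoint is dispatched on parse_request, after all plugins
// and the theme have registered their hooks; run the reset just before it.
add_action( 'parse_request', 'myapi_reset_cached_anonymous_user', 0 );
```

Capability checks made before the reset ran against the anonymous user, so the endpoint's own permission checks belong after it.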

  • The topic ‘Application passwords and WP hooks’ is closed to new replies.