Forum Replies Created

Viewing 15 replies - 31 through 45 (of 374 total)
  • Plugin Author Alexandre Froger

    (@frogerme)

    It seems you are using a third party plugin redefining wp_hash_password, very likely https://github.com/roots/wp-password-bcrypt ; in this case, it is normal, or at least it was before this pull request https://github.com/roots/wp-password-bcrypt/pull/34

    Thread Starter Alexandre Froger

    (@frogerme)

    I also noticed the filter applied on line 293 of the same file seems to have an error – the name of the second parameter does not seem right:

    $endpoint = apply_filters( 'mwai_openai_endpoint', 'https://api.openai.com/v1', $this->env );

    Should be:

    $endpoint = apply_filters( 'mwai_openai_endpoint', 'https://api.openai.com/v1', $this->envType );

    Could you include a fix for that as well in the next update?

    Plugin Author Alexandre Froger

    (@frogerme)

    Sorry – I did not mean to sound dry, and I’m glad you found a solution.
    I left this here for whoever might read the thread, as an indication.

    Plugin Author Alexandre Froger

    (@frogerme)

    Indeed, as stated on the page:

    WARNING: Make sure these settings are the same for all the websites to synchronise.

    Plugin Author Alexandre Froger

    (@frogerme)

    For me? Yes. But at this point I would need more hard technical facts to troubleshoot further, so YMMV.

    Plugin Author Alexandre Froger

    (@frogerme)

    Hi @bentracy and thanks for the research!

    Actually, WPRUS already redefines the pluggable function wp_hash_password and introduces its own hook to get the original value un-hashed:

    if ( ! function_exists( 'wp_hash_password' ) ) {
    
    	function wp_hash_password( $password ) {
    		global $wp_hasher;
    
    		if ( empty( $wp_hasher ) ) {
    			require_once ABSPATH . WPINC . '/class-phpass.php';
    
    			$wp_hasher = new PasswordHash( 8, true ); // @codingStandardsIgnoreLine
    		}
    
    		do_action( 'wprus_password', $password );
    
    		return $wp_hasher->HashPassword( trim( $password ) );
    	}
    }

    See the action called: do_action( 'wprus_password', $password ); this action is then used by WPRUS in class-wprus-api-password.php on line 15, which grabs the password and keeps it in memory until any of the update core hooks is called, then grabs it and adds it to the payload to send to the remote site.

    You can verify that another plugin does not already override wp_hash_password by using the following code in a test-wprus-pwd.php file you would place in your plugin folder, and activate the plugin “Test WPRUS pwd”:

    <?php
    /*
    Plugin Name: Test WPRUS pwd
    Plugin URI: https://froger.me
    Description: Test WPRUS password hash is called properly
    Version: 1.0
    Author: Alexandre Froger
    Author URI: https://froger.me/
    */
    
    if ( ! defined( 'ABSPATH' ) ) {
    	exit; // Exit if accessed directly
    }
    
    add_action(
    	'wprus_password',
    	function ( $password ) {
    
    		if ( ! empty( $password ) ) {
    			error_log( 'WPRUS TEST - the plaintext password can be accessed and its length is ' . strlen( $password ) ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
    		}
    	},
    	10,
    	1
    );

    This small plugin outputs a log entry with information about the password length, which is a way to see if it’s been hashed or not without outputting it in the server logs.

    If the plugin does not output anything in the logs, it means the wp_hash_password WPRUS critically relies on has been overwritten elsewhere, and therefore the issue is not with GF User Reg.

    I have tested the scenario you describe with GF & GF User Reg Add-On, my little test above included, all with success – logs are showing, the payload on the receiving site includes the line [user_pass] => ** HIDDEN **, and the password works on the remote site.

    • This reply was modified 1 year, 3 months ago by Alexandre Froger. Reason: typo
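
A companion diagnostic for the check described in the reply above, added here as an example and not part of the original post or of WPRUS: it logs which file defines wp_hash_password and lists every callback attached to wprus_password, each of which receives the plaintext password. The plugin name, the `wprus_audit_describe_callback` helper and the `WPRUS AUDIT` log prefix are assumptions made for the illustration.

```php
<?php
/*
Plugin Name: Audit WPRUS pwd hook (added example)
Description: Logs where wp_hash_password is defined and who listens on wprus_password
Version: 1.0
*/

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Exit if accessed directly
}

// Hypothetical helper: resolve a callback to "file:line" without calling it.
function wprus_audit_describe_callback( $callback ) {
	try {
		if ( is_array( $callback ) ) {
			$ref = new ReflectionMethod( $callback[0], $callback[1] );
		} elseif ( is_string( $callback ) && false !== strpos( $callback, '::' ) ) {
			list( $class, $method ) = explode( '::', $callback, 2 );
			$ref = new ReflectionMethod( $class, $method );
		} elseif ( is_object( $callback ) && ! ( $callback instanceof Closure ) ) {
			$ref = new ReflectionMethod( $callback, '__invoke' );
		} else {
			$ref = new ReflectionFunction( $callback ); // plain function or closure
		}
		return $ref->getFileName() . ':' . $ref->getStartLine();
	} catch ( ReflectionException $e ) {
		return 'unresolved callback';
	}
}

add_action(
	'wp_loaded',
	function () {
		global $wp_filter;

		// A pluggable function is defined once: the first definition loaded wins.
		$def = new ReflectionFunction( 'wp_hash_password' );
		error_log( 'WPRUS AUDIT - wp_hash_password defined in ' . $def->getFileName() . ':' . $def->getStartLine() ); // phpcs:ignore

		if ( empty( $wp_filter['wprus_password'] ) ) {
			error_log( 'WPRUS AUDIT - no callback registered on wprus_password' ); // phpcs:ignore
			return;
		}
		// Every callback listed here is handed the password before it is hashed.
		foreach ( $wp_filter['wprus_password']->callbacks as $priority => $callbacks ) {
			foreach ( $callbacks as $entry ) {
				error_log( 'WPRUS AUDIT - wprus_password listener (priority ' . $priority . '): ' . wprus_audit_describe_callback( $entry['function'] ) ); // phpcs:ignore
			}
		}
	}
);
```

If the logged definition path is outside the WPRUS plugin folder, another plugin or core has defined wp_hash_password first; any listener path that is not WPRUS or a known test plugin is worth reviewing, since it sees the password in clear.
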
    Plugin Author Alexandre Froger

    (@frogerme)

    It’s addressed in the plugin desc. & FAQ.

    Plugin Author Alexandre Froger

    (@frogerme)

    Edited: Please refer to the sticky post.

    As for the second question, this is achievable via filters & actions. Please refer to the dev documentation, and if needed, hire the services of a developer.

    • This reply was modified 1 year, 3 months ago by Alexandre Froger. Reason: wrong content
    Plugin Author Alexandre Froger

    (@frogerme)

    I have now tested with the provided export, and here are the details of the steps undertaken.

    The following actions are enabled on both websites: login, logout, update, password.
    The form is embedded in a test page, and linked to a User Registration Feed with update user action, with the password field set to “Wachtwoord wijzigen”.

    I then tested the form on the test page, with a bogus test password, and a hard-coded log trace in the codebase of my test environment to output the raw password in server logs, by adding php_log( $pass ); on line 56 of class-wprus-api-password.php, and php_log( $data ); on line 196 of class-wprus-api-update.php.
    This is not a safe practice for production websites, and was only done for test purposes. If a developer reads this and wants to troubleshoot this way, PLEASE DO NOT do this outside of a safe test environment or anything other than test, bogus data.

    Here are the conclusions:

    • The server logs show the password in clear all along the update process, up to the request being sent to the remote website.
    • Upon reload of the admin area, the WPRUS logs show a trace with 2 token renewals, a logout, a login, and an update. This is because upon password reset with GF, the user is logged out and re-logged in to reset the session.
    • On the remote website, the WPRUS logs show a trace of a logout attempt (my user was already logged out there), 2 token renewals and their associated success messages, a login, and an update action with its associated data payload; the logs mirror the source website, and the payload contains the string [user_pass] => ** HIDDEN **, indicating the password was transferred over.
    • The user email address receives a password change notification for the source website
    • After logout, both the source and the remote websites require the new password

    I really hope there will be some information in there that will help you troubleshoot on your end ; from my end, with this test and unless a bug report is filed with code & replication procedure, WPRUS is confirmed compatible with GF + User Reg add-on.

    Plugin Author Alexandre Froger

    (@frogerme)

    One way could be to go to /wp-admin/admin.php?page=gf_export&subview=export_form and export the form you have issues with, then put it here in a code block (typing /code) ; something like this:

    {"0":{"fields":[{"type":"password","id":1,"formId":1,"label":"Password","adminLabel":"","isRequired":false,"size":"large","errorMessage":"","visibility":"visible","inputs":[{"id":"1","label":"Enter Password","name":""},{"id":"1.2","label":"Confirm Password","name":""}],"displayOnly":true,"description":"","allowsPrepopulate":false,"inputMask":false,"inputMaskValue":"","inputMaskIsCustom":false,"maxLength":"","inputType":"","labelPlacement":"","descriptionPlacement":"","subLabelPlacement":"","placeholder":"","cssClass":"","inputName":"","noDuplicates":false,"defaultValue":"","enableAutocomplete":false,"autocompleteAttribute":"","choices":"","conditionalLogic":"","productField":"","layoutGridColumnSpan":"","passwordStrengthEnabled":"","passwordVisibilityEnabled":"","enableEnhancedUI":0,"layoutGroupId":"d28f8c61","multipleFiles":false,"maxFiles":"","calculationFormula":"","calculationRounding":"","enableCalculation":"","disableQuantity":false,"displayAllCategories":false,"useRichTextEditor":false,"fields":""}],"button":{"type":"text","text":"","imageUrl":"","width":"auto","location":"bottom","layoutGridColumnSpan":12},"title":"testt","description":"est","version":"2.7.3","id":1,"markupVersion":2,"nextFieldId":3,"useCurrentUserAsAuthor":true,"postContentTemplateEnabled":false,"postTitleTemplateEnabled":false,"postTitleTemplate":"","postContentTemplate":"","lastPageButton":null,"pagination":null,"firstPageCssClass":null,"confirmations":[{"id":"65687a0403f88","name":"Default Confirmation","isDefault":true,"type":"message","message":"Thanks for contacting us! We will get in touch with you shortly.","url":"","pageId":"","queryString":""}],"notifications":[{"id":"65687a0403d71","isActive":true,"to":"{admin_email}","name":"Admin Notification","event":"form_submission","toType":"email","subject":"New submission from {form_title}","message":"{all_fields}"}]},"version":"2.7.3"}

    Please make sure not to include any data you may want to keep private.
    With the export, I would be able to import it in my test environment and troubleshoot.

    Plugin Author Alexandre Froger

    (@frogerme)

    Please check v2.0.3 (just deployed) – compatibility with the Password action has been greatly improved (tested with GF + User Reg add-on, but also for other 3rd party).

    Plugin Author Alexandre Froger

    (@frogerme)

    Hello @andreu,

    With version 2.0.1, when requesting a new password, I receive the email with a link to a URL like:

    https://domain.tld/my-account/lost-password/?key=someKye&id=9

    When clicking on this URL, I land on a page with a URL like:

    https://domain.tld/my-account/lost-password/?show-reset-form=true&action

    I then reset the password without issue, and am redirected to:

    https://domain.tld/my-account/?password-reset=true

    I can then log in, and I am logged in on all connected sites. After password reset, the passwords are out of sync (the new password on the website where the reset occurred is different from the others – which is unrelated to the current topic), but aside from that, there is no difficulty with expired links; the issue seems to be elsewhere.

    Plugins & Theme installed (all latest version at the time of writing) on the site where the password reset occurs:

    • WP Remote Users Sync (actions on both sides: Login, Logout, Update, Password)
    • WooCommerce
    • Cloudflare
    • Classic Editor
    • WP Crontrol
    • Storefront

    Please provide a complete procedure to reproduce the issue, with as few plugins as you can.

    Plugin Author Alexandre Froger

    (@frogerme)

    addressed in 1.3.16

    Plugin Author Alexandre Froger

    (@frogerme)

    If there is a front end update of a user profile, it is done by a third party (plugin or theme). It is up to the third party to call the correct hooks to notify other plugins of the update. Please contact the author of the theme or plugin responsible for the chosen front end.
