• I think this plugin is very good as a complement to json-api, but I miss some very important functionality needed to make the plugin work well.

    I’ve tested this plugin with json-api, but I think that modifying the json-api plugin as you propose in this thread, https://wordpress.org/support/topic/error-you-need-to-login-with-a-user-that-has-edit_posts-capacity?replies=6 (“Error: You need to login with a user that has ‘edit_posts’ capacity.”), is not a good solution, because you are asking people to modify another plugin that works well by itself.

    I’ve made my own solution by modifying this plugin with the following lines:

    1 – Add a new action after
    "add_filter('json_api_auth_controller_path', 'setAuthControllerPath');" in json-api-auth.php:
    add_action('init', 'checkAuthCookie', 100);

    2 – Add a new function at the end:

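    // Runs on 'init': if the request carries a "cookie" parameter holding a
    // valid logged_in auth cookie string, make that user the current user.
    function checkAuthCookie($sDefaultPath) {
        global $json_api;
    
        if ($json_api->query->cookie) {
          // Returns the user ID when the signature and expiry check out, false otherwise.
          $user_id = wp_validate_auth_cookie($json_api->query->cookie, 'logged_in');
          if ($user_id) {
            $user = get_userdata($user_id);
    
            // Later capability checks (e.g. edit_posts) now apply to this user.
            wp_set_current_user($user->ID, $user->user_login);
          }
        }
    }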

    This modification sets the current user if we pass a valid auth cookie in the request, enabling the features of json-api for that user.

    I was checking the ‘clear_auth_cookie’ method too, and it doesn’t work. The call to ‘wp_generate_auth_cookie’ in this method generates a new cookie, but the cookies generated before with “generate_auth_cookie” still work. I’ve tried to use the WordPress method ‘wp_clear_auth_cookie’ to clear all cookies, but the generated string still works, because the method from WordPress does not validate whether the cookie exists, only whether the string is valid.

    This could be a security problem, because someone can steal the cookie string and authenticate as that user using this method. However, this problem must be fixed in WordPress core.

    I hope this helps you to improve this plugin, or helps other developers who need this functionality working at 100%.

Viewing 1 replies (of 1 total)
  • Plugin Author Ali Qureshi (@parorrey)

    Thanks for your proposed solution. I will make it part of the plugin.

    You are also correct about the ‘wp_clear_auth_cookie’ method. I will remove this method. In the next update, I will enable the user to optionally set the time when creating the cookie value using ‘generate_auth_cookie’. That will expire the cookie after that time.

    Cheers and Merry Christmas!

  • The topic ‘It works but needs revision’ is closed to new replies.
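
An added example, not code from the thread or from the plugin: a simplified PHP model of the behaviour discussed above, where a signed cookie string keeps validating after it has been "cleared", together with two mitigations (the shorter expiry the plugin author mentions, and a server-side session record, which is an assumption beyond the thread). The cookie layout, the key, the timestamps and all function names are constructed for illustration and are not WordPress's real cookie format or API.

```php
<?php
// Simplified model of a signed auth cookie. NOT WordPress's real format or code;
// the key, layout and names below are constructed for this demonstration.
const DEMO_KEY = 'constructed-demo-secret';

// Issue "login|expiry[|sid]|hmac". $sid optionally ties the cookie to a server-side session.
function issue_cookie(string $login, int $expires, string $sid = ''): string {
    $payload = $sid === '' ? "$login|$expires" : "$login|$expires|$sid";
    return $payload . '|' . hash_hmac('sha256', $payload, DEMO_KEY);
}

// Stateless check: signature and expiry only. Nothing records that a cookie was
// "cleared", so every unexpired copy of the string keeps validating.
function validate_stateless(string $cookie, int $now) {
    $parts = explode('|', $cookie);
    if (count($parts) < 3) return false;
    $mac = array_pop($parts);
    $expected = hash_hmac('sha256', implode('|', $parts), DEMO_KEY);
    if (!hash_equals($expected, $mac)) return false;   // constant-time compare
    if ((int) $parts[1] < $now) return false;          // expired
    return $parts;                                     // [login, expiry, (sid)]
}

// Stateful check: the session id must also still exist in a server-side store,
// so deleting that record on logout revokes the cookie.
function validate_with_sessions(string $cookie, int $now, array $sessions) {
    $parts = validate_stateless($cookie, $now);
    if ($parts === false || !isset($parts[2])) return false;
    return isset($sessions[$parts[0]][$parts[2]]) ? $parts : false;
}

$now = 1700000000;                                      // constructed timestamp
$later = $now + 3600;                                   // one hour after issue

// 1. Long-lived stateless cookie: a copy made before logout is still accepted.
$copied = issue_cookie('alice', $now + 14 * 86400);
echo 'long-lived copy after logout: ', var_export(validate_stateless($copied, $later) !== false, true), "\n";

// 2. Short lifetime: the same check rejects the copy once the expiry has passed.
$short = issue_cookie('alice', $now + 900);
echo 'short-lived copy after expiry: ', var_export(validate_stateless($short, $later) !== false, true), "\n";

// 3. Server-side session: removing the record rejects the cookie immediately.
$sessions = ['alice' => ['s1' => true]];
$bound = issue_cookie('alice', $now + 14 * 86400, 's1');
echo 'bound cookie, session present: ', var_export(validate_with_sessions($bound, $later, $sessions) !== false, true), "\n";
unset($sessions['alice']['s1']);                        // logout deletes the session
echo 'bound cookie, session deleted: ', var_export(validate_with_sessions($bound, $later, $sessions) !== false, true), "\n";
```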