Is there a way for a WordPress plugin to authenticate a user for the current request?
My plan is to authenticate users via an HTTP header containing username and password. Then this information should be used to handle the current request as if this user were logged in. However, no session cookie or anything should be set, so that the authentication is only valid for the current request.
(I know of the security implications, they are taken care of)
The mechanism should work for normal pages that render HTML and not be limited to the JSON API.
Background
My WordPress installation is not accessible from the internet, but reverse proxied from an application server. I configured some pages in WordPress to only be available for certain WordPress users.
Now I want to use the permissions used in WordPress with its users to determine what content can be accessed from the application server. The users in WordPress basically resemble the usergroups of the application server. That way I can use a full blown permission system in WordPress without needing to replicate the user database from the application server in the WordPress instance.
asked Feb 22, 2019 at 10:46 by Gregor Müllegger

1 Answer
Yes, you can hook determine_current_user. This is how WordPress calls the existing code that processes authentication cookies:
add_filter( 'determine_current_user', 'wp_validate_auth_cookie' );
add_filter( 'determine_current_user', 'wp_validate_logged_in_cookie', 20 );
e.g. see the implementations of those in wp-includes/pluggable.php. Your filter should return the user ID of the user you want to authenticate as once you've processed the headers.
That said, I assume your application server has done the authentication, so you don't need to actually validate the password here: the username should be enough, provided there's no way for an external user to forge the authenticate-to-WordPress header (and get that through your reverse proxy).
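A minimal plugin along the lines the answer describes, as an added example (not the answerer's code): it hooks determine_current_user, reads a username header set by the reverse proxy, verifies it with an HMAC under a shared secret so a client-forged header fails closed, and returns the user ID without ever writing a cookie. The header names X-WP-Proxy-User / X-WP-Proxy-Sig and the PROXY_AUTH_SECRET constant are assumptions for the example; the proxy must strip any client-supplied copies of those headers before adding its own.

```php
<?php
/**
 * Plugin Name: Proxy Header Auth (example)
 *
 * Authenticates the current request from a username header added by the
 * trusted reverse proxy. No auth cookie is set, so the user is only
 * "logged in" for the lifetime of this request.
 */

// Hypothetical shared secret; in practice define it in wp-config.php and
// configure the proxy with the same value.
if ( ! defined( 'PROXY_AUTH_SECRET' ) ) {
    define( 'PROXY_AUTH_SECRET', 'replace-with-a-long-random-secret' );
}

function proxy_header_auth_determine_user( $user_id ) {
    // No header: leave whatever the cookie validators decided untouched.
    if ( empty( $_SERVER['HTTP_X_WP_PROXY_USER'] ) ) {
        return $user_id;
    }

    $raw_login = (string) $_SERVER['HTTP_X_WP_PROXY_USER'];
    $sig       = isset( $_SERVER['HTTP_X_WP_PROXY_SIG'] )
        ? (string) $_SERVER['HTTP_X_WP_PROXY_SIG'] : '';

    // Prove the header came from the proxy: HMAC-SHA256 of the raw login
    // under the shared secret, compared in constant time. A header that
    // arrives without a valid signature is treated as an attack and the
    // request is handled as anonymous rather than falling back to cookies.
    $expected = hash_hmac( 'sha256', $raw_login, PROXY_AUTH_SECRET );
    if ( '' === $sig || ! hash_equals( $expected, $sig ) ) {
        return 0;
    }

    $user = get_user_by( 'login', sanitize_user( $raw_login, true ) );
    if ( ! $user ) {
        return 0; // unknown WordPress user: anonymous
    }

    // Returning the ID is all that is needed: core calls
    // wp_set_current_user() with it, and no auth cookie is written.
    return (int) $user->ID;
}

// Priority 30 runs after the two cookie validators (10 and 20), so on
// proxied requests the header is what decides the current user.
add_filter( 'determine_current_user', 'proxy_header_auth_determine_user', 30 );
```

The proxy computes the same HMAC over the username it forwards; because the secret never leaves the proxy and WordPress, an external client cannot mint a valid X-WP-Proxy-Sig even if it reaches the WordPress origin directly.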