Skip to content

[Blueprints] Login step – handle passwordless autologin via a PHP mu-plugin #1789

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 332 commits into from
Closed

[Blueprints] Login step – handle passwordless autologin via a PHP mu-plugin #1789

wants to merge 332 commits into from

Conversation

bgrgicak
Copy link
Collaborator

@bgrgicak bgrgicak commented Sep 20, 2024
edited by adamziel
Loading

Fixes #1706

Motivation for the change, related issues

Handles auto login, e.g. in the login Blueprint step, using a platform-provided mu-plugin. This enables using the login step across all Playground runtimes without any of the issues with the previous implementation.

Before this PR, the login worked by making HTTP requests to the /wp-login.php endpoint. That approach had significant downsides:

  • It only worked in web browsers
  • It didn't support custom login mechanisms
  • It required storing plaintext passwords in the Blueprint files
  • It broke after a content import if the admin password changed
  • It broke if WordPress displayed the Site Admin Email Verification Screen.

Implementation details

To fix it and make the login step more robust login now uses a login PHP file that logs in the user with their credentials.
The new script only requires a username, the password is now deprecated.

There are two ways to trigger the auto-login:

The PLAYGROUND_AUTO_LOGIN_AS_USER constant

Used by the login Blueprint step does.

When the PLAYGROUND_AUTO_LOGIN_AS_USER constant is defined, this mu-plugin
will automatically log the user in on their first visit. The username is
the value of the constant.

On subsequent visits, the playground_auto_login_happened cookie will be
detected and the user will not be logged in. This means the "logout" feature
will work as expected.

The playground_force_auto_login_as_user GET parameter

Used by the "login" button in various Playground runtimes.

When the playground_force_auto_login_as_user GET parameter is present,
this mu-plugin will automatically log in any logged out visitor. This will
happen every time they visit, not just on their first visit.

Testing Instructions (or ideally a Blueprint)

cc @brandonpayton – the /?playground_force_auto_login_as_user=admin triggers a redirect to add the trailing slash, as in /?playground_force_auto_login_as_user=admin/. Let's track that separately.

adamziel and others added 27 commits September 13, 2024 10:19
@adamziel
Preserve or remove the hash when navigating between sites
09e1205
@adamziel
Retain temporary sites state even if the user navigates away from them
59b1685
@adamziel
Handle edge cases: no site selected, no sites available
9eb59fa
@adamziel
Simplify EnsurePlaygroundSiteIsSelected to fix boot bugs
f301903
@adamziel
Disable options requiring a site client until the site is booted
cce879e
@adamziel
Change language from Site to Playground
4255bda
@bgrgicak
Merge branch 'trunk' into routing
9f0e676
@brandonpayton
Fix URL blueprint literal parsing to decode Base64 string
ce5ef1d
@brandonpayton
Use structuredClone() to deep clone blueprint
da9384e
@brandonpayton
Avoid top-level declarations that are only used to initialize other t…
fe2ce73 
…op-level declarations
@brandonpayton
Fix single char typo
519e50f
@brandonpayton
Remove stale comment
1c1ee48
@brandonpayton
Note possibilities for edit/fork existing site
a4f90f2
@brandonpayton
Clarify a bit about local FS availability detection
a8b62c8 
It confused me to see a type like:
true | 'not-available' | 'origin-mismatch'

All values are truthy so you have to know to compare
directly with true. And at that point, it's clearer to use
the string literal "available" instead.
@brandonpayton
Add locale list TODO
9df2f79
@brandonpayton
Add sync-local-files-button TODO
0d9af8a
@brandonpayton
Fix restore-from-zip ARIA label
180f6e0
@brandonpayton
Remove unused generateUniqueSiteName function
20647bd
@brandonpayton
Allow deletion of broken sites with loading errors
43d17cc
@brandonpayton
Fix saving temporary sites in Safari
f45d1c4 
Initially, we do this by writing one file at a time in Safari,
but we can try doing Safari writes in batches in a subsequent commit.
@brandonpayton
Allow a limited number of concurrent writes in Safari
d8d7225
@brandonpayton
Continue writing files as soon as possible in Safari
6197165
@brandonpayton
Redirect to the updated site instead of passing a stub
f9831a2
@brandonpayton
Restore bug-related TODO until we confirm it is resolved
b16eb95
@brandonpayton
Remove unused siteSlug prop from StartPlaygroundOptions
387337a
@brandonpayton
Restore supplemental types needed for FileSystemDirectoryHandle methods
092a895
@bgrgicak
Login using a custom script instead from the wp-login page
b881ece
@bgrgicak bgrgicak requested a review from a team September 20, 2024 05:16
@bgrgicak bgrgicak mentioned this pull request Sep 20, 2024
Closed
deployment_bot and others added 13 commits October 3, 2024 22:45
@adamziel adamziel force-pushed the trunk branch 3 times, most recently from 680cd19 to 2e376d2 Compare October 4, 2024 09:24
@bgrgicak
Copy link
Collaborator Author

bgrgicak commented Oct 4, 2024
edited
Loading

I got all the blueprint unit tests to pass locally, but I still need to figure out what's happening with the rest.

@bgrgicak bgrgicak changed the base branch from trunk to setup-sqlite-integration-without-creating-db-php October 7, 2024 13:23
@bgrgicak bgrgicak changed the base branch from setup-sqlite-integration-without-creating-db-php to trunk October 7, 2024 13:24
@bgrgicak bgrgicak mentioned this pull request Oct 7, 2024
Merged
@bgrgicak
Copy link
Collaborator Author

bgrgicak commented Oct 7, 2024

I'm closing this PR in favour of #1856.

Because of some recent force pushing to trunk and me merging trunk into this branch, it picked up 300 extra commits.

@bgrgicak bgrgicak closed this Oct 7, 2024
bgrgicak added a commit that referenced this pull request Oct 8, 2024
@bgrgicak
[Blueprints] Login step – handle passwordless autologin via a PHP mu-…
3f1e998 
…plugin (#1856)

**This PR was [originally implemented in this
branch](#1789

Fixes #1706

## Motivation for the change, related issues

Handles auto login, e.g. in the `login` Blueprint step, using a
platform-provided mu-plugin. This enables using the `login` step across
all Playground runtimes without any of the issues with the previous
implementation.

Before this PR, the `login` worked by making HTTP requests to the
`/wp-login.php` endpoint. That approach had significant downsides:

* It only worked in web browsers
* It didn't support custom login mechanisms
* It required storing plaintext passwords in the Blueprint files
* It broke after a content import if the admin password changed
* It broke if WordPress displayed the [Site Admin Email Verification
Screen](https://make.wordpress.org/core/2019/10/17/wordpress-5-3-admin-email-verification-screen/).

## Implementation details

To fix it and make the login step more robust login now uses a login PHP
file that logs in the user with their credentials.
The new script only requires a username, the password is now deprecated.

There are two ways to trigger the auto-login:

### The `PLAYGROUND_AUTO_LOGIN_AS_USER` constant

Used by the `login` Blueprint step does.

When the `PLAYGROUND_AUTO_LOGIN_AS_USER` constant is defined, this
mu-plugin
will automatically log the user in on their first visit. The username is
the value of the constant.

On subsequent visits, the `playground_auto_login_happened` cookie will
be
detected and the user will not be logged in. This means the "logout"
feature
will work as expected.

### The `playground_force_auto_login_as_user` GET parameter

Used by the "login" button in various Playground runtimes.

When the `playground_force_auto_login_as_user` GET parameter is present,
this mu-plugin will automatically log in any logged out visitor. This
will
happen every time they visit, not just on their first visit.
 
## Testing Instructions (or ideally a Blueprint)

- [Open this blueprint and confirm that login
works](http://127.0.0.1:5400/website-server/?import-site=http%3A%2F%2F127.0.0.1%3A5400%2Fwebsite-server%2Ftest-fixtures%2Fsite-with-unpatched-gutenberg.zip&login=yes&url=%2Fwp-admin%2Fpost-new.php)
- Open Playground, log out, then navigate to
`/?playground_force_auto_login_as_user=admin&` and confirm you were
logged in again.

cc @brandonpayton – the `/?playground_force_auto_login_as_user=admin`
triggers a redirect to add the trailing slash, as in
`/?playground_force_auto_login_as_user=admin/`. Let's track that
separately.
@adamziel adamziel mentioned this pull request Oct 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adamziel adamziel adamziel left review comments

@brandonpayton brandonpayton Awaiting requested review from brandonpayton

@akirk akirk Awaiting requested review from akirk

Assignees

@bgrgicak bgrgicak

Labels
[Package][@wp-playground] Blueprints [Type] Bug An existing feature does not function as intended
Projects
Playground Board
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Login step doesn't execute if placed before import step in blueprint.
5 participants
@bgrgicak @adamziel @brandonpayton @akirk @juanmaguitar