Johnluke/eng 3302 critical error pressable basic authentication plugin and php

[loukie-pressable]

Summary by CodeRabbit

• New Features

  • Introduced a new plugin that enforces HTTP Basic Authentication across the site, requiring users to authenticate before accessing any WordPress page.
  • Added a logout mechanism for Basic Authentication sessions.
  • Supports bypassing authentication for super administrators and certain endpoints.

• Documentation

  • Added comprehensive documentation describing features, usage, installation, and FAQs.

• Chores

  • Updated plugin and documentation version numbers.

[coderabbitai]

Walkthrough

A new WordPress plugin, "Pressable Basic Authentication," has been introduced to enforce HTTP Basic Authentication across all site pages. Supporting documentation was added, and version numbers were incremented in existing plugin and readme files. No other functional or code logic changes were made to previously existing files.

Changes

File(s)	Change Summary
pressable-basic-authentication/pressable-basic-authentication.php	Added new plugin implementing HTTP Basic Authentication for WordPress with multiple utility methods.
pressable-basic-authentication/readme.txt	Added documentation describing plugin features, usage, and metadata.
pressable-basic-authentication.php, readme.txt	Updated plugin version numbers from 1.0.1 to 1.0.2 in headers.

Sequence Diagram(s)

sequenceDiagram
    participant Visitor
    participant WebServer
    participant WP_Core as WordPress Core
    participant BasicAuth as Pressable_Basic_Auth

    Visitor->>WebServer: Request page
    WebServer->>WP_Core: Pass request
    WP_Core->>BasicAuth: Init plugin
    BasicAuth->>BasicAuth: Check if request should skip auth
    alt Should authenticate
        BasicAuth->>Visitor: Request Basic Auth credentials (401)
        Visitor->>WebServer: Resend with credentials
        WebServer->>BasicAuth: Pass credentials
        BasicAuth->>WP_Core: Validate credentials
        alt Credentials valid
            BasicAuth->>WP_Core: Log in user
            WP_Core->>Visitor: Serve requested page
        else Credentials invalid
            BasicAuth->>Visitor: 401 Unauthorized
        end
    else Skip authentication
        WP_Core->>Visitor: Serve requested page
    end

Loading

Poem

A plugin hops in, quite secure and neat,
With Basic Auth walls, no intruder can cheat.
Version numbers rise, the docs are now clear,
Only the right bunnies may burrow in here!
🥕
— A happy, authenticated rabbit

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (3)

pressable-basic-authentication/pressable-basic-authentication.php (3)

9-9: Consider aligning plugin name with Pressable branding.

The plugin name "Hosting Basic Authentication" and text domain "hosting-basic-authentication" don't match the "Pressable" branding used throughout the code and documentation.

Also applies to: 13-13

---

60-62: Fix indentation to use tabs.

These lines use spaces instead of tabs, inconsistent with WordPress coding standards.

-        if ($this->should_skip_auth()) {
-            return;
-        }
+		if ( $this->should_skip_auth() ) {
+			return;
+		}

---

245-250: Add fallback for JavaScript redirect.

The JavaScript redirect might not execute if the browser immediately shows an auth dialog after the 401 response.

 		// Output a JavaScript-based redirect after the 401 response.
 		echo '<script>
 			setTimeout(function() {
 				window.location.href = "' . esc_url( home_url() ) . '";
 			}, 1000);
-		</script>';
+		</script>';
+		echo '<noscript><meta http-equiv="refresh" content="2;url=' . esc_url( home_url() ) . '"></noscript>';
+		echo '<p><a href="' . esc_url( home_url() ) . '">' . esc_html__( 'Click here if you are not redirected automatically.', 'hosting-basic-authentication' ) . '</a></p>';

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 67cea3c and c8a783e.

📒 Files selected for processing (4)

• pressable-basic-authentication.php (1 hunks)
• pressable-basic-authentication/pressable-basic-authentication.php (1 hunks)
• pressable-basic-authentication/readme.txt (1 hunks)
• readme.txt (1 hunks)

🧰 Additional context used

🪛 LanguageTool

pressable-basic-authentication/readme.txt

[grammar] ~43-~43: Ensure spelling is correct
Context: ...essary.​ == Screenshots ==​ * Initial release​

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🪛 PHPMD (2.15.0)

pressable-basic-authentication/pressable-basic-authentication.php

263-263: Avoid unused parameters such as '$redirect'. (Unused Code Rules)

(UnusedFormalParameter)

🔇 Additional comments (3)

pressable-basic-authentication.php (1)

11-11: Version update looks good.

The version bump from 1.0.1 to 1.0.2 is correctly applied.

readme.txt (1)

7-7: Stable tag update is consistent.

The stable tag correctly matches the plugin version 1.0.2.

pressable-basic-authentication/readme.txt (1)

1-43: Plugin documentation is well-structured.

The readme file provides comprehensive information about the plugin's features, usage, and installation.

[coderabbitai]

⚠️ Potential issue

Fix text domain inconsistency.

The text domain should match the one declared in the plugin header ('hosting-basic-authentication').

-		echo '<h1>' . esc_html__( 'Authentication Required', 'pressable-basic-auth' ) . '</h1>';
+		echo '<h1>' . esc_html__( 'Authentication Required', 'hosting-basic-authentication' ) . '</h1>';

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	echo '<h1>' . esc_html__( 'Authentication Required', 'pressable-basic-auth' ) . '</h1>';
	echo '<h1>' . esc_html__( 'Authentication Required', 'hosting-basic-authentication' ) . '</h1>';

🤖 Prompt for AI Agents

In pressable-basic-authentication/pressable-basic-authentication.php at line
180, the text domain used in esc_html__ is 'pressable-basic-auth' but it should
match the plugin header's text domain 'hosting-basic-authentication'. Update the
text domain string in esc_html__ to 'hosting-basic-authentication' to ensure
consistency.

[coderabbitai]

⚠️ Potential issue

Remove duplicate call to maybe_redirect_from_login_page().

This method is already hooked to login_init in the constructor (line 37). Calling it again here is redundant.

-		// Redirect from wp-login.php when already authenticated via Basic Auth
-		$this->maybe_redirect_from_login_page();

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Redirect from wp-login.php when already authenticated via Basic Auth
	$this->maybe_redirect_from_login_page();

🤖 Prompt for AI Agents

In pressable-basic-authentication/pressable-basic-authentication.php around
lines 69 to 70, remove the duplicate call to the method
maybe_redirect_from_login_page() since it is already hooked to the login_init
action in the constructor at line 37, making this explicit call redundant.

[coderabbitai]

⚠️ Potential issue

Validate HTTP_HOST before using in get_blog_details.

Using $_SERVER['HTTP_HOST'] directly without validation could lead to host header injection attacks.

 				// If we can determine the current blog, go to its home instead
 				if ( isset( $_SERVER['HTTP_HOST'] ) ) {
-					$blog_details = get_blog_details( array( 'domain' => $_SERVER['HTTP_HOST'] ) );
+					$host = sanitize_text_field( wp_unslash( $_SERVER['HTTP_HOST'] ) );
+					// Remove port if present
+					$host = preg_replace( '/:\d+$/', '', $host );
+					$blog_details = get_blog_details( array( 'domain' => $host ) );
 					if ( $blog_details ) {
 						$redirect_url = get_home_url( $blog_details->blog_id );
 					}
 				}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if ( isset( $_SERVER['HTTP_HOST'] ) ) {
	$blog_details = get_blog_details( array( 'domain' => $_SERVER['HTTP_HOST'] ) );
	if ( $blog_details ) {
	$redirect_url = get_home_url( $blog_details->blog_id );
	}
	}
	// If we can determine the current blog, go to its home instead
	if ( isset( $_SERVER['HTTP_HOST'] ) ) {
	$host = sanitize_text_field( wp_unslash( $_SERVER['HTTP_HOST'] ) );
	// Remove port if present
	$host = preg_replace( '/:\d+$/', '', $host );
	$blog_details = get_blog_details( array( 'domain' => $host ) );
	if ( $blog_details ) {
	$redirect_url = get_home_url( $blog_details->blog_id );
	}
	}

🤖 Prompt for AI Agents

In pressable-basic-authentication/pressable-basic-authentication.php around
lines 286 to 291, $_SERVER['HTTP_HOST'] is used directly without validation,
which risks host header injection. Before passing it to get_blog_details,
validate that HTTP_HOST contains only expected characters (e.g., alphanumeric,
dots, and hyphens) and reject or sanitize any suspicious input. This ensures
safe usage and prevents injection attacks.

[coderabbitai]

🛠️ Refactor suggestion

Avoid direct modification of $_SERVER superglobal.

Directly modifying $_SERVER variables can lead to unexpected behavior and makes the code harder to test.

Consider storing extracted credentials in class properties instead:

+	private $extracted_user = null;
+	private $extracted_pass = null;

 	private function extract_basic_auth_credentials() {
 		if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) && ! empty( $_SERVER['PHP_AUTH_PW'] ) ) {
 			return;
 		}
 		// ... existing code ...
 		if ( 0 === stripos( $auth_header, 'basic ' ) ) {
 			$auth_encoded = substr( $auth_header, 6 );
 			$auth_decoded = base64_decode( $auth_encoded );
 			if ( $auth_decoded && strpos( $auth_decoded, ':' ) !== false ) {
-				list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) = explode( ':', $auth_decoded, 2 );
+				list( $this->extracted_user, $this->extracted_pass ) = explode( ':', $auth_decoded, 2 );
 			}
 		}
 	}

Then update the authentication check to use these properties alongside the $_SERVER values.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) = explode( ':', $auth_decoded, 2 );
	private $extracted_user = null;
	private $extracted_pass = null;
	private function extract_basic_auth_credentials() {
	if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) && ! empty( $_SERVER['PHP_AUTH_PW'] ) ) {
	return;
	}
	// ... existing code ...
	if ( 0 === stripos( $auth_header, 'basic ' ) ) {
	$auth_encoded = substr( $auth_header, 6 );
	$auth_decoded = base64_decode( $auth_encoded );
	if ( $auth_decoded && strpos( $auth_decoded, ':' ) !== false ) {
	list( $this->extracted_user, $this->extracted_pass ) = explode( ':', $auth_decoded, 2 );
	}
	}
	}

🤖 Prompt for AI Agents

In pressable-basic-authentication/pressable-basic-authentication.php at line
203, avoid directly modifying the $_SERVER superglobal by not assigning the
exploded credentials back to $_SERVER['PHP_AUTH_USER'] and
$_SERVER['PHP_AUTH_PW']. Instead, extract the username and password from
$auth_decoded and store them in dedicated class properties. Then update any
authentication logic to use these new properties while preserving the original
$_SERVER values.

[coderabbitai]

🛠️ Refactor suggestion

⚠️ Potential issue

Fix indentation and improve endpoint matching security.

1. The entire method uses spaces instead of tabs
2. Using strpos() for endpoint matching is insecure - it could match unintended paths

-    private function should_skip_auth() {
-        // List of endpoints to exclude from Basic Auth
-        $excluded_endpoints = array(
-            'xmlrpc.php',
-            'wp-json/jetpack',
-            'wp-json/wp/v2',
-            'wp-json/wp/v3'
-        );
-
-        // Get current request details
-        $request_uri = $_SERVER['REQUEST_URI'] ?? '';
-        $script_name = $_SERVER['SCRIPT_NAME'] ?? '';
-
-        // Check if this is a direct xmlrpc.php request
-        if (basename($script_name) === 'xmlrpc.php') {
-            return true;
-        }
-
-        // Check all excluded endpoints
-        foreach ($excluded_endpoints as $endpoint) {
-            if (strpos($request_uri, $endpoint) !== false) {
-                return true;
-            }
-        }
+	private function should_skip_auth() {
+		// List of endpoints to exclude from Basic Auth
+		$excluded_endpoints = array(
+			'xmlrpc.php',
+			'wp-json/jetpack',
+			'wp-json/wp/v2',
+			'wp-json/wp/v3'
+		);
+
+		// Get current request details
+		$request_uri = $_SERVER['REQUEST_URI'] ?? '';
+		$script_name = $_SERVER['SCRIPT_NAME'] ?? '';
+
+		// Check if this is a direct xmlrpc.php request
+		if ( basename( $script_name ) === 'xmlrpc.php' ) {
+			return true;
+		}
+
+		// Parse the request URI to get the path
+		$parsed_url = wp_parse_url( $request_uri );
+		$path = $parsed_url['path'] ?? '';
+
+		// Check all excluded endpoints
+		foreach ( $excluded_endpoints as $endpoint ) {
+			// Check if the path starts with or ends with the endpoint
+			if ( strpos( $path, '/' . $endpoint ) === 0 || 
+			     substr( $path, -strlen( $endpoint ) ) === $endpoint ) {
+				return true;
+			}
+		}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	private function should_skip_auth() {
	// List of endpoints to exclude from Basic Auth
	$excluded_endpoints = array(
	'xmlrpc.php',
	'wp-json/jetpack',
	'wp-json/wp/v2',
	'wp-json/wp/v3'
	);
	// Get current request details
	$request_uri = $_SERVER['REQUEST_URI'] ?? '';
	$script_name = $_SERVER['SCRIPT_NAME'] ?? '';
	// Check if this is a direct xmlrpc.php request
	if (basename($script_name) === 'xmlrpc.php') {
	return true;
	}
	// Check all excluded endpoints
	foreach ($excluded_endpoints as $endpoint) {
	if (strpos($request_uri, $endpoint) !== false) {
	return true;
	}
	}
	// Check WordPress constants
	if (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST) {
	return true;
	}
	if (defined('REST_REQUEST') && REST_REQUEST) {
	return true;
	}
	return false;
	}
	private function should_skip_auth() {
	// List of endpoints to exclude from Basic Auth
	$excluded_endpoints = array(
	'xmlrpc.php',
	'wp-json/jetpack',
	'wp-json/wp/v2',
	'wp-json/wp/v3'
	);
	// Get current request details
	$request_uri = $_SERVER['REQUEST_URI'] ?? '';
	$script_name = $_SERVER['SCRIPT_NAME'] ?? '';
	// Check if this is a direct xmlrpc.php request
	if ( basename( $script_name ) === 'xmlrpc.php' ) {
	return true;
	}
	// Parse the request URI to get the path
	$parsed_url = wp_parse_url( $request_uri );
	$path = $parsed_url['path'] ?? '';
	// Check all excluded endpoints
	foreach ( $excluded_endpoints as $endpoint ) {
	// Check if the path starts with or ends with the endpoint
	if ( strpos( $path, '/' . $endpoint ) === 0
	|| substr( $path, -strlen( $endpoint ) ) === $endpoint
	) {
	return true;
	}
	}
	// Check WordPress constants
	if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
	return true;
	}
	if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
	return true;
	}
	return false;
	}

🤖 Prompt for AI Agents

In pressable-basic-authentication/pressable-basic-authentication.php lines 137
to 172, fix the indentation by replacing spaces with tabs to match the project's
coding style. Replace the insecure strpos() checks for endpoint matching with a
more precise method such as using strict equality or regex to ensure only exact
or properly prefixed endpoints are matched, preventing unintended matches.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Add nonce validation for logout action.

The logout action triggered via GET parameter should be protected against CSRF attacks.

Consider implementing nonce validation:

 		// Handle logout request.
-		if ( isset( $_GET['basic-auth-logout'] ) ) {
+		if ( isset( $_GET['basic-auth-logout'] ) && isset( $_GET['_wpnonce'] ) && 
+		     wp_verify_nonce( $_GET['_wpnonce'], 'basic-auth-logout' ) ) {
 			$this->handle_basic_auth_logout();
 		}

And update the modify_logout_url method to include the nonce:

 	public function modify_logout_url( $logout_url, $redirect ) {
-		return add_query_arg( 'basic-auth-logout', '1', $logout_url );
+		$url = add_query_arg( 'basic-auth-logout', '1', $logout_url );
+		return wp_nonce_url( $url, 'basic-auth-logout' );
 	}

---

🏁 Script executed:

#!/bin/bash
# Locate all occurrences of the logout parameter and related methods
rg -n "basic-auth-logout" .
rg -n "function modify_logout_url" .
rg -n "wp_nonce_url" .
rg -n "wp_verify_nonce" .

Length of output: 802

---

Add nonce protection to the basic-auth logout action

To harden the logout endpoint against CSRF, we need to emit and verify a nonce:

• In pressable-basic-authentication/pressable-basic-authentication.php (line 65), update the GET check to verify the nonce before calling the handler
• In modify_logout_url (line 263), wrap the URL in a nonce

Proposed diff:

--- a/pressable-basic-authentication/pressable-basic-authentication.php
+++ b/pressable-basic-authentication/pressable-basic-authentication.php
@@ -62,7 +62,10 @@ class Pressable_Basic_Authentication {
 		// Handle logout request.
-		if ( isset( $_GET['basic-auth-logout'] ) ) {
+		if (
+			isset( $_GET['basic-auth-logout'], $_GET['_wpnonce'] )
+			&& wp_verify_nonce( $_GET['_wpnonce'], 'basic-auth-logout' )
+		) {
 			$this->handle_basic_auth_logout();
 		}
 
@@ -260,7 +263,10 @@ class Pressable_Basic_Authentication {
 	public function modify_logout_url( $logout_url, $redirect ) {
-		return add_query_arg( 'basic-auth-logout', '1', $logout_url );
+		// Add our flag and CSRF nonce to the logout URL.
+		$url = add_query_arg( 'basic-auth-logout', '1', $logout_url );
+		return wp_nonce_url( $url, 'basic-auth-logout' );
 	}
 }

🤖 Prompt for AI Agents

In pressable-basic-authentication/pressable-basic-authentication.php around
lines 65 to 67, add nonce verification to the basic-auth logout GET request by
checking the nonce before calling handle_basic_auth_logout. Then, in the
modify_logout_url function around line 263, update the logout URL to include a
nonce parameter generated with wp_nonce_url or a similar function. This will
protect the logout action from CSRF attacks by ensuring the request is valid.