• Resolved aporter

    (@aporter)


    Hi, there seems to be a problem with how the plugin handles custom login URLs.

    From what I can tell, if you set your custom URL to /login, for example, then any request made to your site with /login in the URL will get redirected to your login page; this includes REST requests (the problem).

    e.g. example.com/login, example.com/not_my_login/login, example.com/wp-json/login all redirect to the login page.

    This means that if someone sets their login page to a pattern that matches a REST endpoint, then it breaks the REST request, as instead of the call to example.com/wp-json/login doing/returning what it should, the plugin will intercept the request and send back the login page.

    I’m using Version 4.8.2 to test this on, hopefully this is enough information to reproduce?

    Best Wishes,

    Ashley

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author gioni

    (@gioni)

    Hi, Ashley!

    Thanks for pointing this out. First of all, it’s not a bug. It might produce some unexpected results, but it is not a bug. This way of handling the Custom login URL was implemented two years ago, when the REST API was not a part of WP. This way works very well on multisite WP and subfolder installations. That’s the main reason for taking the last part of the URL.

    I agree that this “not completely compatible with some REST API configurations” way of parsing the URL should be redesigned. And it will be soon.

    @gioni A simple improvement to prevent accidentally intercepting REST requests would be to check on REST_REQUEST, i.e. add this in the appropriate place:

    if (defined('REST_REQUEST') && REST_REQUEST) return;

    Plugin Author gioni

    (@gioni)

    In the case of Cerber, that will not work because REST_REQUEST is not yet defined when Cerber parses a request. Here is another way. Not the best, but it can be used.

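    // Detect a REST API request from the URL alone, before REST_REQUEST is defined.
    function cerber_is_rest_url(){
    	// Cheap pre-check: the URI mentions the REST prefix or the rest_route query parameter.
    	if (false !== strpos($_SERVER['REQUEST_URI'], rest_get_url_prefix()) || false !== strpos($_SERVER['REQUEST_URI'], '?rest_route=')){
    		// Confirm that the full request URL starts with the site's REST base URL.
    		if (0 === strpos(get_home_url().urldecode($_SERVER['REQUEST_URI']),get_rest_url())) {
    			return true;
    		}
    	}
    	return false;
    }
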
    Plugin Author gioni

    (@gioni)

    Fixed in the current development release and will be uploaded to www.remarpro.com soon: https://wpcerber.com/development-version/
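
The interception reported in this thread, next to a REST-aware check of the kind discussed in the replies, as an added example that is not part of the original thread and is not WP Cerber's code. The function names, the `$homePath` parameter and the `myplugin/v1` routes are assumptions made for illustration; the `wp-json` default stands in for the value of `rest_get_url_prefix()`.

```php
<?php
// Added illustration with hypothetical helper names; not WP Cerber's code.

// Last non-empty path segment of a request URI (query string ignored).
function last_segment(string $uri): string {
    $path  = (string) parse_url($uri, PHP_URL_PATH);
    $parts = array_values(array_filter(explode('/', $path), 'strlen'));
    return $parts ? rawurldecode(end($parts)) : '';
}

// Matching as described in the thread: only the last segment is compared.
function matches_login_slug(string $uri, string $slug): bool {
    return last_segment($uri) === trim($slug, '/');
}

// REST detection from the URI alone, usable before REST_REQUEST is defined.
// $homePath is '' for a root install or e.g. '/blog' for a subfolder install.
function is_rest_uri(string $uri, string $homePath = '', string $prefix = 'wp-json'): bool {
    $root = rtrim($homePath, '/');
    $path = rawurldecode((string) parse_url($uri, PHP_URL_PATH));
    $base = $root . '/' . $prefix;
    if ($path === $base || strpos($path, $base . '/') === 0) {
        return true; // pretty permalinks: path is anchored at the REST base
    }
    // Plain permalinks: rest_route counts only on the site's front controller.
    parse_str((string) parse_url($uri, PHP_URL_QUERY), $query);
    $front = in_array($path, [$root . '/', $root . '/index.php'], true);
    return $front && isset($query['rest_route']);
}

// REST-aware decision: never answer a REST request with the login page.
function should_show_login(string $uri, string $slug, string $homePath = ''): bool {
    return !is_rest_uri($uri, $homePath) && matches_login_slug($uri, $slug);
}

// Constructed sample requests; the first three are the URLs from the report.
$samples = [
    '/login', '/not_my_login/login', '/wp-json/login',
    '/wp-json/myplugin/v1/login?x=1', '/?rest_route=/myplugin/v1/login',
];
foreach ($samples as $uri) {
    printf("%-34s slug-only=%-5s rest-aware=%s\n", $uri,
        var_export(matches_login_slug($uri, 'login'), true),
        var_export(should_show_login($uri, 'login'), true));
}
```

The REST-aware check still matches `/not_my_login/login`, because only the last segment is compared; it changes the outcome only for requests under the REST base.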

  • The topic ‘Custom login URL bug’ is closed to new replies.