brianhenryie / bh-wp-autologin-urls Goto Github PK

Adds single-use passwords to WordPress emails' URLs for frictionless login. Adds magic email link to login screen.

License: GNU General Public License v2.0

PHP 76.75% Hack 0.01% CSS 0.28% JavaScript 1.69% HTML 16.04% TypeScript 4.52% Shell 0.72%

wordpress-plugin wordpress-plugin-boilerplate wp-mail authentication email magic-link-authentication passwordless-login

bh-wp-autologin-urls's Introduction

Magic Emails & Autologin URLs

Adds single-use passwords to WordPress emails' URLs for frictionless login, and magic-link emails for passwordless login.

Overview

This plugin hooks into the wp_mail filter to augment existing URLs with login codes so users are automatically logged in when visiting the site through email links.

It is in use for a charity whose annual requests for donations to non-tech-savvy users was resulting in users unable to remember their password. Now those users are instantly logged in.

It should also help solve the problem with WooCommerce abandoned cart emails where the user must be logged in to know who abandoned the cart.

Also useful for logging users back in when they get reply notifications for their comments, bbPress posts etc.

Example email sent via Comment Reply Email Notification plugin.

This plugin makes minor theme/user-facing changes on login forms. An additional "Email Magic Link" button is added which sends an email containing with an autologin URL to instantly log in users. This applies to wp-login.php and to WooCommerce login forms.

Installation & Configuration

Install Autologin URLs from the WordPress plugin directory.

There is no configuration needed. By default:

Codes expire after seven days
Emails to admins do not get autologin codes added
Some emails are filtered out by subject using regex

The settings page can be found in the admin UI under Settings/Autologin URLs, as a link on the Plugins page, or at /wp-admin/options-general.php?page=bh-wp-autologin-urls.

Operation

Hooked on wp_mail
Login code consists of user id and random alphanumeric password separated by ~
Stored in a WordPress database table, hashed so no relationship between each code and any user can be determined
Deleted after a single use

Links take the form: https://brianhenry.ie/?autologin=582~Yxu1UQG8IwJO

Logs to see the frequency of its usefulness are available at: wp-admin/admin.php?page=bh-wp-autologin-urls-logs

WooCommerce's "Customer Payment Page" link has been changed to include an autologin code and to copy to clipboard when clicked (to avoid logging out shop managers).

Integrations

MailPoet 3.x
The Newsletter Plugin
Klaviyo

When newsletters are sent with any of the above integrations, their own tracking URLs are used to determine the current user to log them in. If there is no local WordPress account, the user's email and name are set on the WooCommerce checkout.

Secure

The plugin conforms to all the suggestions in the StackExchange discussion, Implementing an autologin link in an email:

Cryptographically Secure PseudoRandom Number Generation (via wp_rand)
Stored as SHA-256 hash
Codes are single use
Codes automatically expire

Additionally, authentication via Autologin URLs is disabled for 24 hours for users whose accounts have had five failed login attempts through an autologin URL and for IPs which have attempted and failed five times.

Warning:

If you use any plugin to save copies of outgoing mail, those saved emails will contain autologin URLs.

Warning:

If a user forwards the email to their friend, the autologin links may still work. The autologin codes only expire if used to log the user in, i.e. if the user is already logged in, the code is never used/validated/expired, so continues to work until its expiry time. This behaviour was a performance choice (but could be revisited via AJAX and not affect page load time).

Performant

Additional database queries only occur when a URL with autologin= is visited
No database queries (beyond autoloaded settings) are performed if the autologin user is already logged in
A nightly cron job deletes expired autologin codes

API

Two filters are added to expose the main functionality to developers of other plugins (which don't use wp_mail()), e.g. for push notifications:

$url = apply_filters( 'add_autologin_to_url', $url, $user );

$message = apply_filters( 'add_autologin_to_message', $message, $user );

Filters to configure the expiry time, admin enabled setting and subject exclusion regex list are defined in the BrianHenryIE\WP_Autologin_URLs\WP_Includes\WP_Mail class.

API functions can be accessed through plugin's global:

/** @var BrianHenryIE\WP_Autologin_URLs\API\API $autologin_urls */
$autologin_urls = $GLOBALS['bh-wp-autologin-urls'];

CLI

NAME

wp autologin-urls get-url

DESCRIPTION

Append an autologin code to a URL.

SYNOPSIS

wp autologin-urls get-url <user> [<url>] [<expires_in>]

OPTIONS

  <user>
    User id, username/login, or email address.

[<url>]
The URL to append to.
---
default: /
---

[<expires_in>]
Number of seconds the code should be valid. Default WEEK_IN_SECONDS.

EXAMPLES

# Add an autologin code to the site root for brianhenryie which expires in one week.
$ wp autologin-urls get-url brianhenryie

# Add an autologin code to the URL /my-account for brianhenryie which expires in five minutes
$ wp autologin-urls get-url brianhenryie my-account 300

NAME

  wp autologin-urls send-magic-link

DESCRIPTION

  Send a magic login email to a user.

SYNOPSIS

  wp autologin-urls send-magic-link <user> <url> [<expires_in>]

OPTIONS

  <user>
    User id, username/login, or email address.

  <url>
    The URL the link in the email should go to.
    ---
    default: /
    ---

  [<expires_in>]
    Number of seconds the code should be valid.
    ---
    default: 900
    ---

EXAMPLES

  # Send a magic login link to user brianhenryie, if they exist.
  $ wp autologin-urls send-magic-link brianhenryie

TODO

Remove the autologin URL parameter in the browser location bar on success
Verify i18n is applied everywhere __()
Delete all passwords button in admin UI
Error messages on settings page validation failures
Client-side settings page validation
Test adding an autologin code to a URL which already has one overwrites the old one (and leaves only the one).
~~The Newsletter Plugin integration~~ – and any plugin that doesn't use wp_mail
~~Magic link button on wp-login.php~~
Use: $wp_hasher = new PasswordHash( 8, true ); $hashed = $wp_hasher->HashPassword( $password );
Add "send magic link" to wp-admin/user.php for admin use.
Add UI to expunge rate limit / add allow-list for IPs

Alternatives

Licence

GPLv2 or later.

bh-wp-autologin-urls's People

Contributors

Stargazers

Watchers

Forkers

kitkatcarson arsen77 theperfectwill aimardev sprucely-designed

bh-wp-autologin-urls's Issues

BH WP Autologin URLs + Dashly

Is there a way to transmit the user's login data to Dashly when user automaitcly login via bh-wp-autologin-urls plugin? so that the user doesn't have to manually input their name and email into the Dashly chatbot?

Documents can be found in Dashly.

https://help.dashly.io/article/33#:~:text=Sign%20up%20and%20Log%20in%20events
https://help.dashly.io/article/32

The Dashly Support Team Said:
We also need to set up merging by User ID - https://help.dashly.io/article/32, this way, if the user logs in using different browser, for example, you'll still get the data to merge to their usercard.

I'm curious if the "bh-wp-autologin-urls" plugin can send the login data on Dashly when someone logs in through an automatic link.

Is there any way to make Auto-Login Links never expire regardless of the elapsed time

Hi Brian,

First and foremost, thank you for developing the Autologin URLs plugin for WordPress. It has been a great tool for me so far.

However, I was hoping to inquire if there is a way to configure the plugin such that an Auto-Login Link never expires, regardless of the number of clicks or the elapsed time since its creation. I would appreciate it if you could let me know if this is possible and, if so, how to achieve it.

Thank you for your time and consideration.

Amit Biswas
CEO, AnimationVideo.co

Conflict with User Switching plugin

Bug Report

Yes, I reviewed the contribution guidelines.
Yes, more specifically, I reviewed the guidelines on how to write clear bug reports.

Testing this plugin on a site with the User Switching plugin installed throws the following error when visiting a link with the autologin enabled:

2024/02/18 06:14:04 [error] 39262#39262: *32635 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Error: Undefined constant "USER_SWITCHING_SECURE_COOKIE" in /www/public/wp-content/plugins/user-switching/user-switching.php:1356
Stack trace:
#0 /www/public/wp-content/plugins/user-switching/user-switching.php(1291): user_switching_get_auth_cookie()
#1 /www/public/wp-includes/class-wp-hook.php(326): user_switching_clear_olduser_cookie('testclient@spru...')
#2 /www/public/wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters(NULL, Array)
#3 /www/public/wp-includes/plugin.php(517): WP_Hook->do_action(Array)
#4 /www/public/wp-content/plugins/bh-wp-autologin-urls/src/wp-includes/class-login.php(166): do_action('wp_login', 'testclient@spru...', Object(WP_User))
#5 /www/public/wp-includes/class-wp-hook.php(324): BrianHenryIE\WP_Autologin_URLs\WP_Includes\Login->process(155)
....

Refreshing the page once after receiving the error will then load the page with the user logged in. Auto-login works as expected without the User Switching plugin active.

Issue also raised on WP.org Support tab

Autoloink parameters added but feature doesn't work.

i try to use with storefront theme and i can see that query string to autologin is present on the eamil sent from wp_mail but doesn't work.

i try to send email also by custom contact form and get this link https://dacarmine.i-live.cloud/2020/04/06/hello-world/?autologin=xxxxxxxxx but login step isn't bypassed.

are there possible problem with my hosting shared server?

PHP Fatal Error on Single-Use Login URL Login Attempt

Hi Brian,

I’m frequently encountering a PHP Fatal error when attempting to log in as a user via a Single-use login URL.

Debug Logs at the following locations:

Below are the error messages in the logs:

WordPress core
File: /wp-includes/functions.php
Line: 5905
Logged at: Oct 7, 2023 - 01:22:58
(Logged 5 times)

Error (PHP Fatal):
Uncaught TypeError: Return value of BrianHenryIE\WP_Autologin_URLs\WP_Logger\API\API::get_backtrace() must be of the type array, but a string was returned.

Stack trace:
#0 /wp-content/plugins/bh-wp-autologin-urls/vendor-prefixed/brianhenryie/bh-wp-logger/src/php/class-php-error-handler.php(123): BrianHenryIE\WP_Autologin_URLs\WP_Logger\API\API->get_backtrace()
#1 [internal function]: BrianHenryIE\WP_Autologin_URLs\WP_Logger\PHP\PHP_Error_Handler->plugin_error_handler()
#2 /wp-includes/class-wpdb.php(2459): mysqli_query()
#3 /wp-includes/class-wpdb.php(2346): wpdb->_do_query()
#4 /wp-includes/class-wpdb.php(2686): wpdb->query()
#5 /home/833086.cloudwa in /wp-content/plugins/bh-wp-autologin-urls/vendor-prefixed/brianhenryie/bh-wp-logger/src/api/class-api.php on line 284

Plugin: Magic Emails & Autologin URLs
File: /wp-content/plugins/bh-wp-autologin-urls/vendor-prefixed/brianhenryie/bh-wp-logger/src/api/class-api.php

Composer action fixed

Hello,

Please forgive me for taking a while to action this. I have looked into why your Github Action was failing with a 404 error and it was because I had named the release tag "v1.0.0" rather than the documented "v1". I have made another release with the version number you are using (as this is consistent with how Github version their own releases), so if you re-run your build, you should see a successful build.

Thanks,
Greg.

Auto-login doesn't work on CloudFlare

Hi Brian,

Currently, we are utilizing the bh-wp-autologin plugin to enable auto login via a magic link. However, I have encountered a persistent problem: while the initial login via the magic link works seamlessly, subsequent actions such as visiting a new page or reloading the current page result in an automatic logout.

Any guidance or expertise you can provide to rectify this auto logout problem would be greatly appreciated.

Please let me know if there is any additional information or logs that would be helpful for you to diagnose and address this issue promptly.

Thank you for your attention to this matter

Best regards,

Amit Biswas
CEO, AnimationVideo.co

Uncaught Exception: Serialization of 'Closure' is not allowed in /wordpress/drop-ins/object-cache.php

Bug Report

Yes, I reviewed the contribution guidelines.
Yes, more specifically, I reviewed the guidelines on how to write clear bug reports.

When hosting on Pressable using their memcache object caching (presumably the same issue exists on other hosts with object caching but I cannot test that), and running PHP 8.1 or above, the following error is thrown when accessing wp-admin dashboard:

PHP Fatal error: Uncaught Exception: Serialization of 'Closure' is not allowed in /wordpress/drop-ins/object-cache.php:974 Stack trace: #0 /wordpress/drop-ins/object-cache.php(974): serialize(Array) 
#1 /wordpress/drop-ins/object-cache.php(617): WP_Object_Cache->get_data_size(Array) 
#2 /wordpress/drop-ins/object-cache.php(95): WP_Object_Cache->set('backtrace_8192l...', Array, 'bh-wp-logger', 86400) 
#3 /srv/htdocs/wp-content/plugins/bh-wp-autologin-urls/vendor-prefixed/brianhenryie/bh-wp-logger/src/api/class-api.php(305): wp_cache_set('backtrace_8192l...', Array, 'bh-wp-logger', 86400) 
#4 /srv/htdocs/wp-content/plugins/bh-wp-autologin-urls/vendor-prefixed/brianhenryie/bh-wp-logger/src/api/class-api.php(329): BrianHenryIE\WP_Autologin_URLs\WP_Logger\API\API->get_backtrace('8192ltrimpassin...', NULL) 
#5 /srv/htdocs/wp-content/plugins/bh-wp-autologin-urls/vendor-prefixed/brianhenryie/bh-wp-logger/src/php/class-php-error-handler.php(187): BrianHenryIE\WP_Autologin_URLs\WP_Logger\API\API->is_backtrace_contains_plugin('8192ltrimpassin...') 
#6 /srv/htdocs/wp-content/plugins/bh-wp-autologin-urls/vendor-prefixed/brianhenryie/bh-wp-logger/src/php/class-php-error-handler.php(99): BrianHenryIE\WP_Autologin_URLs\WP_Logger\PHP\PHP_Error_Handler->is_related_error(8192, 'ltrim(): Passin...', '/wordpress/core...', 4494) 
#7 [internal function]: BrianHenryIE\WP_Autologin_URLs\WP_Logger\PHP\PHP_Error_Handler->plugin_error_handler(8192, 'ltrim(): Passin...', '/wordpress/core...', 4494) 
#8 /wordpress/core/6.4.3/wp-includes/formatting.php(4494): ltrim(NULL) 
#9 /wordpress/core/6.4.3/wp-includes/formatting.php(4620): esc_url(NULL, NULL, 'db') 
#10 /wordpress/core/6.4.3/wp-includes/formatting.php(4602): sanitize_url(NULL, NULL) #11 /srv/htdocs/wp-content/plugins/google-site-kit/includes/Core/Authentication/Authentication.php(852): esc_url_raw(NULL) 
#12 /srv/htdocs/wp-content/plugins/google-site-kit/includes/Core/Util/Method_Proxy_Trait.php(25): Google\Site_Kit\Core\Authentication\Authentication->inline_js_base_data(Array) 
#13 /wordpress/core/6.4.3/wp-includes/class-wp-hook.php(324): Google\Site_Kit\Core\Authentication\Authentication->Google\Site_Kit\Core\Util\{closure}(Array) #14 /wordpress/core/6.4.3/wp-includes/plugin.php(205): WP_Hook->apply_filters(Array, Array) 
#15 /srv/htdocs/wp-content/plugins/google-site-kit/includes/Core/Assets/Assets.php(739): apply_filters('googlesitekit_i...', Array) #16 /srv/htdocs/wp-content/plugins/google-site-kit/includes/Core/Assets/Assets.php(356): Google\Site_Kit\Core\Assets\Assets->get_inline_base_data() 
#17 [internal function]: Google\Site_Kit\Core\Assets\Assets->Google\Site_Kit\Core\Assets\{closure}('googlesitekit-b...') 
#18 /srv/htdocs/wp-content/plugins/google-site-kit/includes/Core/Assets/Script_Data.php(51): call_user_func(Object(Closure), 'googlesitekit-b...') 
#19 [internal function]: Google\Site_Kit\Core\Assets\Script_Data->Google\Site_Kit\Core\Assets\{closure}('googlesitekit-b...') 
#20 /srv/htdocs/wp-content/plugins/google-site-kit/includes/Core/Assets/Asset.php(129): call_user_func(Object(Closure), 'googlesitekit-b...') 
#21 /srv/htdocs/wp-content/plugins/google-site-kit/includes/Core/Assets/Assets.php(1016): Google\Site_Kit\Core\Assets\Asset->before_print() 
#22 /srv/htdocs/wp-content/plugins/google-site-kit/includes/Core/Assets/Assets.php(1025): Google\Site_Kit\Core\Assets\Assets->run_before_print_callbacks(Object(WP_Scripts), Array) 
#23 /srv/htdocs/wp-content/plugins/google-site-kit/includes/Core/Assets/Assets.php(1025): Google\Site_Kit\Core\Assets\Assets->run_before_print_callbacks(Object(WP_Scripts), Array) 
#24 /srv/htdocs/wp-content/plugins/google-site-kit/includes/Core/Assets/Assets.php(1025): Google\Site_Kit\Core\Assets\Assets->run_before_print_callbacks(Object(WP_Scripts), Array) 
#25 /srv/htdocs/wp-content/plugins/google-site-kit/includes/Core/Assets/Assets.php(155): Google\Site_Kit\Core\Assets\Assets->run_before_print_callbacks(Object(WP_Scripts), Array) 
#26 /wordpress/core/6.4.3/wp-includes/class-wp-hook.php(324): Google\Site_Kit\Core\Assets\Assets->Google\Site_Kit\Core\Assets\{closure}('') 
#27 /wordpress/core/6.4.3/wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters(NULL, Array) 
#28 /wordpress/core/6.4.3/wp-includes/plugin.php(517): WP_Hook->do_action(Array) 
#29 /wordpress/core/6.4.3/wp-admin/admin-header.php(146): do_action('admin_print_scr...') 
#30 /wordpress/core/6.4.3/wp-admin/admin.php(239): require_once('/wordpress/core...') 
#31 {main} thrown in /wordpress/drop-ins/object-cache.php on line 974

Switching to PHP 7.4 or deactivating the Magic Emails & Autologin URLs plugins resolves the issue.

brianhenryie / bh-wp-autologin-urls Goto Github PK

bh-wp-autologin-urls's Introduction

Magic Emails & Autologin URLs

Overview

Installation & Configuration

Operation

Integrations

Secure

Performant

API

CLI

TODO

Alternatives

Licence

bh-wp-autologin-urls's People

Contributors

Stargazers

Watchers

Forkers

bh-wp-autologin-urls's Issues

Bug Report

Bug Report

Recommend Projects

Recommend Topics

Recommend Org

Jobs