I’m writing a plugin that creates an API endpoint that validates username/password pairs.
I’m currently using wp_signon()
to check whether the username/password combo works. This works fine when the credentials fail because it returns an error object. But when the credentials are good, it automatcially signs in that user, so my endpoint returns a whole page.
The codex currently doesn’t even mention the fact that it automatically logs in the user. It also doesn’t appear to accept a parameter to suppress that functionality. For my purposes I simple boolean would be fine.
UPDATE:
I had to choose one single answer, but there was a lot of useful info several of the other answers which I’ll try to summarize briefly here…
-
There IS a function that does exactly what I was trying to do:
wp_authenticate($username, $password)
HOWEVER, it comes with one drawback. It will automatically set the login cookies which can create problems in a situation like mine. So be careful. This function is not currently in the codex. -
The best choice for what I’m doing is
wp_authenticate_username_password($user, $username, $password)
because it DOESN’T set the login cookies. This function is more documented, but the REALLY important detail that wasn’t in the codex is that you can passNULL
as the first parameter. This means you can effectively use it to do exactly likewp_authenticate()
without worrying about the cookies getting screwed up. Read the documentation so you don’t get confused by the response. It returns a either a WP_User object or a WP_Error (not a boolean!).
There is a function in the
user.php
of the core files calledwp_authenticate_username_password
that seems like what you’re looking for.If you want to avoid throwing in the
$user
object (you probably only have the username + password), then just thrownull
as 1st function argument in:You can then simply check the result with
is_wp_error( $check )
.Disclaimer: This answer should just show what’s going on behind the scenes and is not meant to be a real life example on how to do things.
Backtrace
wp_signon()
callswp_set_auth_cookie()
, which then callswp_generate_auth_cookie()
. The result will be used insidesetcookie()
as 2nd argument.(Non-performant) fun with filters
a.k.a. tricking WordPress the wrong way.
You could then just jump into the
'auth_cookie'
-filter insidewp_generate_auth_cookie()
and simply set it to null or something else than theSECURE_AUTH_COOKIE
orAUTH_COOKIE
value. This will then leave you with a senseless cookie, that can’t log in.Use,
get_user_by
and
get_userdata
Explanation
Notes
$username
should validate true by default otherwise a user object would not have been returned if the$username
supplied did not match one already existing in the database. Therefore the validation then hinges on the$password
variable which stores the form input supplied by the user.There might be a more efficient way for you to achieve this, either by shortening the existing code or by using other API functions.
UPDATE
Based upon the suggestion by fdsa you could in turn use
wp_authenticate_username_password
in this fashion,But even better than that,
Really the credit/marked answer ought to be given to fdsa for the most efficient method by way of (sadly) undocumented WP core function.
http://wpseek.com/wp_authenticate_username_password/
“Ta-da”:
wp_authenticate($username, $password)
It’s not in the codex at all, but you can look it up on wpseek.
It does exactly what it sounds like. Takes a username and plain text password and returns either a
WP_User
object or aWP_Error
… and it DOESN’T log anyone in.One note of caution! The following will ALWAYS return true (because the function returns an object either way):
You’ll probably want to do something like this:
I hope this helps someone.