add action which returns modified value

I want to modify the submitted password in the wp_logon wp_authenticate action.
When authenticating, I want to grab the submitted password, modify it, and pass it back to wp_logon.

So here is an action
do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));


I’m adding my action like this (as @kaiser suggested):

add_action("wp_authenticate", "myfunctionhere");

function myfunctionhere($credentials) {
return $credentials['user_password'] = 'foo';
}

The thing is that it does not return to wp_signon.
What’s more, the value of $credentials in myfunctionhere is string(3) "aka" (the username).

What I’m doing here is modifying the http://wordpress.org/plugins/login-encryption/ plugin to work with current WordPress.

And this is the original function which was hooked on wp_authenticate:

function add_decryption_function() {
    global $user_pass;
    if ($_REQUEST['encryption_code']) {

        // Obtain the DES key using our RSA private key
        $key = new RSA(get_option('le_rsa_modulus'), get_option('le_rsa_public_key'), get_option('le_rsa_private_key'));
        $code = $key->decrypt($_REQUEST['encryption_code']);

        // Obtain the password using the DES key
        $password = des ($code, hexToString($_REQUEST['pwd']), 0, 0, null, null);
        preg_match("/^([\s\w]*)/", $password, $res);
        $user_pass = $res[1];
        $_REQUEST['encryption_code'] = "";
    }

}

global $user_pass is NULL of course

I’m testing native wp-login.php authentication, no other plugins.
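
Why the callback in the question sees only the username and why its return value disappears, shown as an added example that is not part of the original post and not WordPress code. `fire_ref_array()` and `run_case()` are hypothetical helpers that mimic how `do_action_ref_array()` hands arguments to a callback; the credentials are constructed sample values.

```php
<?php
// Added example, not WordPress core. fire_ref_array() is a hypothetical stand-in
// for the argument handling of do_action_ref_array().
function fire_ref_array(callable $callback, array $args, int $accepted_args = 1): void
{
    // An action passes only the first $accepted_args arguments and discards
    // whatever the callback returns.
    call_user_func_array($callback, array_slice($args, 0, $accepted_args));
}

// Runs one callback against constructed sample credentials and returns them.
function run_case(callable $callback, int $accepted_args): array
{
    $credentials = ['user_login' => 'aka', 'user_password' => 'submitted'];
    fire_ref_array(
        $callback,
        [&$credentials['user_login'], &$credentials['user_password']],
        $accepted_args
    );
    return $credentials;
}

// Case 1: one by-value parameter, as in the question. The callback receives the
// login string only; its assignment and its return value both go nowhere.
$by_value = function ($login) {
    $login = 'changed';
    return 'foo';
};

// Case 2: two accepted arguments, both declared by reference. Writing to
// $password changes the caller's $credentials['user_password'].
$by_reference = function (&$login, &$password) {
    $password = 'foo';
};

foreach (['by value' => [$by_value, 1], 'by reference' => [$by_reference, 2]] as $label => [$cb, $n]) {
    $result = run_case($cb, $n);
    printf("%-12s login=%s password=%s\n", $label, $result['user_login'], $result['user_password']);
}
```

In WordPress the second case corresponds to registering the callback with four arguments, `add_action( 'wp_authenticate', 'callback', 10, 2 )`, where `callback` is a placeholder name and the last argument is the accepted-argument count.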


2 comments

  1. The things you can change in there are:

    • $secure_cookie = apply_filters('secure_signon_cookie', $secure_cookie, $credentials); Cookie
    • The $credentials for the user_login and user_password 1)

    Example

    add_action( 'wp_authenticate', 'wpse119273UserCredentials' );
    function wpse119273UserCredentials( $credentials )
    {
        // Make sure to secure that value
        $credentials['user_password'] = 'foo';
    }
    

    To generate a secure password, take a look at the function wp_generate_password() and its internals. Or better: Make it even more secure.

    1) As @brasofilo noted in the comment (I’ve overlooked that). @brasofilo – Copy/Paste my answer to take it, it’s your credits.

  2. It didn’t work in any reasonable hack.

    The only way it could work was hacking the wp_logon core function itself with a global variable, which was undesirable.

    So I went with another solution.

    I removed the authentication function and made my own:

    remove_action('authenticate', 'wp_authenticate_username_password', 20);
    add_filter('authenticate', 'decrypt_and_authenticate', 10, 3);
    
    function decrypt_and_authenticate($user, $username, $password) {
        // first check if password needs to be decrypted
        if ( ! empty( $_REQUEST['encryption_code'] ) ) {
    
            // Obtain the DES key using our RSA private key
            $key = new RSA(get_option('le_rsa_modulus'), get_option('le_rsa_public_key'), get_option('le_rsa_private_key'));
            $code = $key->decrypt($_REQUEST['encryption_code']);
    
            // Obtain the password using the DES key
            $pass = des ($code, hexToString($password), 0, 0, null, null);
            preg_match("/^([\s\w]*)/", $pass, $res);
            $password = $res[1];
            $_REQUEST['encryption_code'] = "";
        }
    
        if ( is_a($user, 'WP_User') ) { return $user; }
    
        if ( empty($username) || empty($password) ) {
            $error = new WP_Error();
    
            if ( empty($username) )
                $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
    
            if ( empty($password) )
                $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
    
            return $error;
        }
    
        $user = get_user_by('login', $username);
    
        if ( !$user )
            return new WP_Error( 'invalid_username', sprintf( __( '<strong>ERROR</strong>: Invalid username. <a href="%s" title="Password Lost and Found">Lost your password</a>?' ), wp_lostpassword_url() ) );
    
        if ( is_multisite() ) {
            // Is user marked as spam?
            if ( 1 == $user->spam )
                return new WP_Error( 'spammer_account', __( '<strong>ERROR</strong>: Your account has been marked as a spammer.' ) );
    
            // Is a user's blog marked as spam?
            if ( !is_super_admin( $user->ID ) && isset( $user->primary_blog ) ) {
                $details = get_blog_details( $user->primary_blog );
                if ( is_object( $details ) && $details->spam == 1 )
                    return new WP_Error( 'blog_suspended', __( 'Site Suspended.' ) );
            }
        }
    
        $user = apply_filters('wp_authenticate_user', $user, $password);
        if ( is_wp_error($user) )
            return $user;
    
        if ( !wp_check_password($password, $user->user_pass, $user->ID) )
            return new WP_Error( 'incorrect_password', sprintf( __( '<strong>ERROR</strong>: The password you entered for the username <strong>%1$s</strong> is incorrect. <a href="%2$s" title="Password Lost and Found">Lost your password</a>?' ),
            $username, wp_lostpassword_url() ) );
    
        return $user;
    }
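
Why the answer decrypts and checks the password inside one `authenticate` callback instead of decrypting in an earlier filter, shown as an added example that is neither the answerer's nor WordPress's code. `run_authenticate()` is a hypothetical stand-in for the filter chain, and the user table, the hex "encryption" and the array standing in for a `WP_User` are constructed for the demonstration.

```php
<?php
// Added example, not WordPress core. run_authenticate() is a hypothetical stand-in
// for apply_filters( 'authenticate', null, $username, $password ).
function run_authenticate(array $callbacks, string $username, string $password)
{
    ksort($callbacks); // lower priority number runs first
    $user = null;
    foreach ($callbacks as $callback) {
        // Only the first value ($user) is carried from one callback to the next;
        // every callback gets the original $username and $password.
        $user = $callback($user, $username, $password);
    }
    return $user;
}

// Constructed stand-ins: STORED plays the user table, hex2bin() plays the
// plugin's RSA/DES decryption, and an array plays a WP_User object.
const STORED = ['aka' => 'secret'];

$core_check = function ($user, $username, $password) {
    if (is_array($user)) {
        return $user; // same early return as the is_a( $user, 'WP_User' ) line above
    }
    $known = STORED[$username] ?? '';
    return ($known !== '' && hash_equals($known, $password)) ? ['login' => $username] : false;
};

// Decrypting in an earlier filter changes a local copy only.
$decrypt_only = function ($user, $username, $password) {
    $password = hex2bin($password);
    return $user;
};

// Decrypting and checking in the same callback works, which is what
// decrypt_and_authenticate() does.
$decrypt_and_check = function ($user, $username, $password) use ($core_check) {
    return $core_check($user, $username, (string) hex2bin($password));
};

$submitted = bin2hex('secret'); // constructed "encrypted" form field
var_dump(run_authenticate([10 => $decrypt_only, 20 => $core_check], 'aka', $submitted));
var_dump(run_authenticate([10 => $decrypt_and_check, 20 => $core_check], 'aka', $submitted));
```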
    
