node.js 中的 Wordpress 身份验证 [英] Wordpress authentication in node.js

问题描述

允许用户使用其用户帐户从 Wordpress 页面使用 node.js 应用的最佳方式是什么?

What is the best way to allow a user to use a node.js app using their user account from a Wordpress page?

我曾尝试在 Redis 中存储会话信息，但我对 PHP 不是很熟悉，并且遇到了不存储会话的死胡同.我用过这个指南.

I have tried storing session information in Redis, but I am not very familiar with PHP and have run into a dead end where the session isn't being stored. I have used this guide.

我也尝试过使用 node-phpass 但它没有很好的记录.我已成功连接到 Wordpress 数据库，但我使用 node-phpass 生成的密码哈希与 wp_users 表中的哈希不匹配.

I have also tried using node-phpass but it is not very well documented. I have successfully connected to the Wordpress database, but the password hashes I generate with node-phpass do not match the hashes in the wp_users table.

这是我用来测试 node-phpass 的:

This is what I'm using to test node-phpass:

var mysql      = require('mysql');
var connection = mysql.createConnection({
  host     : 'localhost',
  user     : 'wordpress',
  password : 'jPWrwvGbYXMADd8F',
  database : 'wordpress',
});

connection.query('SELECT * FROM wp_users', function(err, rows) {
    if (err) { 
        console.log("Database error: " + err);
    } else {
         for (var i = 0; i < rows.length; i++){
            console.log("Rows[" + i + "] : " + rows[i].user_login + " " + passwordHash.checkPassword('secret',rows[i].user_pass));
         }
    }
});

除了分享会话之外，还有其他更好的方法来做到这一点吗?OAuth?

Aside from sharing the session, are there any other better ways to do this? OAuth?

推荐答案

我不太明白您是否希望用户主要在您的 node.js 应用程序上进行身份验证，然后为 WordPress 创建 cookie，或者相反，但是一旦您了解了 WordPress 是如何做到的，您就能够做到这两点.

I didn't quite understand if you want to the user authenticate primarily on your node.js application and then creates the cookie for WordPress, or the opposite, but once you understand how WordPress are doing it, you'll be able to accomplish both.

首先，WordPress 使用大量散列和盐来保护其 cookie，因此您需要知道这些散列和盐的位置，以便能够为您的 nodejs 应用程序上的那些定义相同的值.

First of all, WordPress use lots of hashes and salts to security its cookies, so you need to know where these hashes and salts are to be able to define the same values for those on you nodejs application.

在 wp-config.php 上你会找到我们正在寻找的哈希和盐的常量，我认为你只需要将 的常量值传输到你的 nodejs 应用程序LOGGED_IN_KEY、LOGGED_IN_SALT、NONCE_KEY 和 NONCE_SALT.您可以更好地查看文件 wp-includes/default-constants.php，其中 WordPress 保持其默认常量值，注意 if(defined(..)) 因为如果常量是在此文件之前的其他地方定义(可能在 wp-config.php 上)该值将来自而不是来自 wp-includes/default-constants.php文件.

On wp-config.php you will find the constants of the hashes and salts we're looking for, I think you just need to transport to your nodejs application the constant values for LOGGED_IN_KEY, LOGGED_IN_SALT, NONCE_KEY and NONCE_SALT. You might give a better look on the file wp-includes/default-constants.php where WordPress keep its default constant values, pay attention to the if(defined(..)) because if the constant is defined in somewhere else prior to this file (probably on the wp-config.php) the value will be from that not from the wp-includes/default-constants.php file.

现在，您需要了解 WordPress 如何创建其 cookie.这是登录 cookie 的示例:

Now, you need to understand how WordPress is creating its cookies. This is an example of logged in cookie:

Cookie Name: wordpress_logged_in_2801795354f6f1c2d2ab3b48033a8257
Cookie Value: admin|1392386298|647852d61caf4cfdea975d54ecb09ca8
Cookie Value: %user_login%|%cookie_expire_time%|%hashed_sliced_user_hashed_password%

你需要让你的 nodejs 应用程序理解这个 cookie，能够像 WordPress 一样破解它.

You need to make your nodejs application understand this cookie, being able to break it just like WordPress.

在 WordPress 上创建身份验证 cookie 的函数位于 wp-includes/pluggable.php

The functions to create authentication cookies on WordPress resides on wp-includes/pluggable.php

$logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');
//...
setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);

请注意，常量 LOGGED_IN_COOKIE 是 wp-includes/default-constants.php 上的默认设置，在您拥有 COOKIEHASH 常量，您需要将其值传输到您的 nodejs 应用程序，以便能够读取和验证 cookie 名称，COOKIEHASH 只是使用 md5 散列的网站 URL.

Note that the constant LOGGED_IN_COOKIE is default set on wp-includes/default-constants.php, on the same file you have the COOKIEHASH constant, you need to transport the value of that to your nodejs application to be able to read and validate the cookie name too, the COOKIEHASH is just the website URL hashed with md5.

if ( !defined( 'COOKIEHASH' ) ) {
    $siteurl = get_site_option( 'siteurl' );
    if ( $siteurl )
        define( 'COOKIEHASH', md5( $siteurl ) );
    else
        define( 'COOKIEHASH', '' );
}
//...
define('LOGGED_IN_COOKIE', 'wordpress_logged_in_' . COOKIEHASH);

如果你不想传输所有这些，你可以在 wp-config.php 上设置 LOGGED_IN_COOKIE 常量，并使用你想要的 WordPress 登录 cookie 名称和肖像这个常量到你的 nodejs，像这样:

if you don't want to transport all that, you can just set on wp-config.php the LOGGED_IN_COOKIE constant with the logged in cookie name that you want for WordPress and portrait just this constant to your nodejs, like this:

//WordPress wp-config.php
define('LOGGED_IN_COOKIE', 'logged_in_'.'%privateHashKey%');
//NODEJS
var LOGGED_IN_COOKIE = 'logged_in_'+'%privateHashKey%';

最后，如果您想在那里创建 cookie，您需要将 wp_generate_auth_cookie、wp_hash 和 hash_hmac 函数描绘到您的 nodejs 应用程序中，前两个函数驻留在文件wp-inclues/pluggable.phphash_hmac驻留在wp-includes/compat.php`.

And finally you'll need to portrait the the functions wp_generate_auth_cookie, wp_hash and hash_hmacto your nodejs application if you want to create the cookie there, the first two functions reside on the filewp-inclues/pluggable.phpthehash_hmacresides onwp-includes/compat.php`.

if ( !function_exists('wp_generate_auth_cookie') ) :
//...
function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {
    $user = get_userdata($user_id);

    $pass_frag = substr($user->user_pass, 8, 4);

    $key = wp_hash($user->user_login . $pass_frag . '|' . $expiration, $scheme);
    $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);

    $cookie = $user->user_login . '|' . $expiration . '|' . $hash;

    return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);
}
endif;

一旦您了解了 wp_generate_auth_cookie 函数的作用，您还可以解码 cookie 并在您的 nodejs 应用程序上验证 WordPress 用户.

Once you understand what wp_generate_auth_cookie function is doing, you'll also be able to decode the cookie and authenticate the WordPress user on your nodejs application.

请注意，WordPress 对登录的 cookie 值所做的只是将用户的散列密码切片在您的数据库中，与用户登录名和 cookie 的过期时间(unix 时间)合并，然后进行散列全部一起.然后他使用用户登录名、cookie 的过期时间和他刚刚创建的哈希创建 cookie 值，通过前两个值，他可以使用用户的哈希密码验证令牌哈希".

Note that what WordPress is doing for the the logged in cookie value, is simply slicing the hashed password for the user on your database, merging with the user login name and the expiration time (unix time) for the cookie, and hashing all together. Then he creates the cookie value with user login name, the expiration time for the cookie and the hash that he just created, with the first two values he can verify the "token hash" with the hashed password from the user.

您可能想知道要在 WordPress 上注销用户，您需要在注销 url 上为用户传递 nonce 密钥，因此如果您想通过 nodejs 应用程序从 WordPress 注销用户，您可能需要传输nonce 键函数.

You might want to know that to logout an user on WordPress you need to pass the nonce key for the user on the logout url, so if you want to logout an user from WordPress by your nodejs application, you might want to transport the nonce key functions.

如果您的应用程序将在子域中，您可能需要在 wp-config.php 上声明，否则 WordPress 将只使用 cookie 上的完整域，而 cookie 将不可用用于子域.

If your application will be in a subdomain, you might want to declare on wp-config.php, or WordPress will just use the full domain on the cookie, and the cookie will not be available for subdomains.

define('COOKIE_DOMAIN', '.domain.com');

希望这能给你更好的指导.祝你好运.

Hope this give you better directions. Good luck.

这篇关于node.js 中的 Wordpress 身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！