Opened 3 months ago

Last modified 8 weeks ago

#5239 new enhancement

Bring BuddyPress.org & bbPress.org login forms over to login.wordpress.org

Reported by: dd32
Owned by:
Milestone:
Priority: normal
Component: Login & Authentication
Keywords:
Cc:

Description

Currently bbPress and BuddyPress have their own login forms, although they share the WordPress.org user tables.

Since we have a "SSO" login system through login.wordpress.org, it'd be nice to leverage that and provide a consistent user experience on all properties.
This will also have the benefit that we'll be able to enforce all login restrictions and brute-force protections on a singular login form.

WordCamp also shares the user tables, and has its own login forms, which should also be migrated over.

Change History (19)

#1 @dd32
3 months ago

In 9941:

Login: Add remote-login functionality to the SSO login code.

This will allow for instances of WordPress in the WordPress.org network (and using its user tables) to log in via login.wordpress.org.

See #5239.

#2 @dd32
3 months ago

In 9942:

BuddyPress.org & bbPress.org: Use the WordPress wp_login_url() and wp_registration_url() functions rather than hard-coding login/registration links.

See #5239.

#3 @dd32
3 months ago

In 9943:

BuddyPress.org & bbPress.org: Add an empty login form template to remove the local logins.

This should probably include a paragraph with a login link. This is currently used on /login/ and at the end of forum threads when logged out.

See #5239.

#4 @dd32
3 months ago

In 9944:

Login: When a login is for a non-wordpress.org domain, include some basic text to make it clear that their WordPress.org account is intended to be used for the site.

See #5239.

This ticket was mentioned in Slack in #meta by tellyworth. View the logs.


2 months ago

#6 @dd32
2 months ago

Everything seems to be working here, which is great :)

Known Limitations/Bugs:

  • Logging out on bbPress.org and BuddyPress.org only logs you out on those hosts, not totally out of WordPress.org (and vice versa). That's a limitation of the fact that logging out right now only clears cookies, and doesn't invalidate a session.
  • If you're already logged into WordPress.org, it just redirects you back.. That can be a bit weird at first. Could consider a splash screen before redirecting back perhaps.
  • If you're a privileged user that can access wp-admin on those hosts, logging out from wp-admin currently redirects you back to wp-admin, which then redirects you back to be logged in.. so it seems to do nothing (But it does). There's so few users with wp-admin access and since redirects shouldn't land you there.. I've left it.

#7 follow-up: @shanebp
2 months ago

It is failing for me.
I cannot log into BuddyPress.org or bbpress.org.

Steps:

  • log out of wordpress.org
  • go to bbpress.org
  • hit the login link
  • it takes me to wordpress.org
  • I log in
  • it does not redirect me back to bbpress.org
  • I am still not logged into bbpress.org

Ditto for buddypress.org

#8 in reply to: ↑ 7 @dd32
2 months ago

Replying to shanebp:

> It is failing for me.
>
> ...
>
>   • it does not redirect me back to bbpress.org

Where does it redirect you to?
Did you get your password wrong on the first attempt? Did you get the Math Captcha block upon login?

Can you clear your cookies on bbpress.org and try again? (If you do this, can you make a copy of them first so that there might be some information that can be used for figuring it out)

#9 follow-up: @shanebp
2 months ago

> Where does it redirect you to?

After logging in, it stays on wordpress.org

> Did you get your password wrong on the first attempt?

No

> Did you get the Math Captcha block upon login?

No

> Can you clear your cookies on bbpress.org and try again?

Tried that without success

The issue is browser specific.
And only since the changes you made re this ticket.
I can log in and out with no issues in Chrome and Firefox.
But the issue occurs when I try to login using the Brave browser.
Prior to this ticket, there were no login issues with Brave.
And I tried deleting all the wordpress & buddypress & bbpress cookies in Brave.

#10 in reply to: ↑ 9 @dd32
2 months ago

Replying to shanebp:

> The issue is browser specific.
> But the issue occurs when I try to login using the Brave browser.

Thanks! That helps a lot, it turns out that Brave doesn't send HTTP Referers cross-site, which is used heavily by WordPress for redirects.
I've probably assumed that the referer would be present, but in fact, we'll have to pass it as a query parameter for the source to be respected.

I'll install Brave today and get a fix applied.


#11 @dd32
2 months ago

In 9961:

SSO: When determining the login url, always include a redirect_to if the host is not under the wordpress.org domain.

This prevents login failures with browsers that don't send http referers cross-origin, such as the Brave browser.

See #5239.
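
The behaviour described in comments #10 and #11, as an added example that is not part of the ticket or the WordPress.org code base: the remote site passes its return URL as `redirect_to` instead of relying on the Referer header, and the login host accepts a return URL only when it is an https URL on a network host. The host list, login URL path, fallback URL and all function names are assumptions.

```php
<?php
// Added illustration, not WordPress.org code. Requires PHP 8 (str_ends_with).
// The host list, login URL path, fallback URL and function names are assumptions.
const SSO_LOGIN = 'https://login.wordpress.org/';
const SSO_HOSTS = ['wordpress.org', 'bbpress.org', 'buddypress.org'];
const FALLBACK  = 'https://wordpress.org/';

/** True when $host equals one of $domains or is a subdomain of one. */
function host_in(string $host, array $domains): bool {
    $host = strtolower($host);
    foreach ($domains as $d) {
        if ($host === $d || str_ends_with($host, '.' . $d)) {
            return true;
        }
    }
    return false;
}

/** Remote site side: off wordpress.org, always carry the return URL explicitly. */
function build_login_url(string $current_url): string {
    $host = (string) parse_url($current_url, PHP_URL_HOST);
    if (host_in($host, ['wordpress.org'])) {
        return SSO_LOGIN; // same-site request; assumed to keep its existing behaviour
    }
    return SSO_LOGIN . '?' . http_build_query(['redirect_to' => $current_url]);
}

/** Login side: prefer redirect_to, then Referer; accept only https URLs on network hosts. */
function resolve_return_url(?string $redirect_to, ?string $referer): string {
    foreach ([$redirect_to, $referer] as $candidate) {
        $parts = is_string($candidate) ? parse_url($candidate) : false;
        if (is_array($parts)
            && ($parts['scheme'] ?? '') === 'https'
            && host_in($parts['host'] ?? '', SSO_HOSTS)) {
            return $candidate;
        }
    }
    return FALLBACK; // nothing usable: the user stays on the login site's default page
}

// Constructed requests:
$page = 'https://bbpress.org/forums/';
echo build_login_url($page), "\n";
echo resolve_return_url(null, null), "\n";                   // no Referer, no parameter
echo resolve_return_url($page, null), "\n";                  // no Referer, parameter present
echo resolve_return_url('https://example.net/', null), "\n"; // host outside the network
```

Validating the parameter on the login host matters because a `redirect_to` value is caller-controlled, unlike a list of known network hosts.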

#12 @shanebp
2 months ago

Thank you for this patch.

#13 @mercime
2 months ago

@dd32 Adding my thanks for this fix 😎

This ticket was mentioned in Slack in #meta by jjj. View the logs.


8 weeks ago

This ticket was mentioned in Slack in #buddypress by jjj. View the logs.


8 weeks ago

#16 follow-up: @johnjamesjacoby
8 weeks ago

Recent changes related to this effort are causing odd behavior on BuddyPress.org and bbPress.org.

Most severely, when trying to visit buddypress.org/support as a logged-out user, you will be redirected back to wordpress.org, essentially making the BuddyPress.org forums impossible to reach. bbPress.org's forums do not appear to be affected by this problem (perhaps because their url is /forums, but I'm not certain?)

Once manually logged into WordPress.org of your own determination, the BuddyPress forums are accessible again.

But then... clicking "Log Out" successfully clears the BuddyPress.org cookies and redirects back to the current page, but the WordPress.org cookies do not get cleared. Clicking "Log In" will immediately log you in without ever seeing a login screen, presumably because the WordPress.org cookie exists and the redirect is functioning as intended.

Ultimately, this results in a limbo sign-in state that users cannot fully free themselves from.

#17 @johnjamesjacoby
8 weeks ago

In 9970:

bbPress.org:

Use WordPress wp_login_url() in the Toolbar rather than hard-coding login links.

Missed a few spots in r9941.

See #5239.

#18 @johnjamesjacoby
8 weeks ago

I also just saw/read @dd32's comments, which makes everything I just discovered on my own known issues. 😓

I'm pretty sure the last time someone tried to do this (maybe me? maybe pre Meta team/trac?) all of this same stuff was attempted and reverted because of the same cookie related redirect shuffle.

#19 in reply to: ↑ 16 @dd32
8 weeks ago

Replying to johnjamesjacoby:

> Most severely, when trying to visit buddypress.org/support as a logged-out user, you will be redirected back to wordpress.org, essentially making the BuddyPress.org forums impossible to reach. bbPress.org's forums do not appear to be affected by this problem (perhaps because their url is /forums, but I'm not certain?)

I can't reproduce that, the redirects only kick in on attempt to login. Can you capture any debug information about that?
Could it be related to an auto-login browser extension?

> But then... clicking "Log Out" successfully clears the BuddyPress.org cookies and redirects back to the current page, but the WordPress.org cookies do not get cleared.

Figuring out a way to have a logout on one site reflected over all of them would be nice, but right now we're a little stuck as we're not using server-side sessions, it's not currently possible to invalidate a dotorg auth cookie without actually deleting it.

> Clicking "Log In" will immediately log you in without ever seeing a login screen, presumably because the WordPress.org cookie exists and the redirect is functioning as intended.

Yep, Having some kind of oAuth-like (but not oAuth..) "Continue as $logged in user" would make sense here IMHO, it would make it clear as to what is happening.

> Ultimately, this results in a limbo sign-in state that users cannot fully free themselves from.

Kind of, but not completely. It's no worse than the previous state (IMHO), where the login status on BuddyPress.org, bbPress.org and WordPress.org would all be independent of each other, the only change here is that the WordPress.org login state can be "promoted" to the other sites
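
The logout limitation discussed in comments #6 and #19, as an added example that is not part of the ticket or the WordPress.org code base: a signed cookie checked without server-side state stays valid after a logout that only deletes it from one browser context, while a token backed by a server-side store can be invalidated for every host at once. The cookie layout, secret, class and function names are constructed for illustration and are not the WordPress auth cookie format.

```php
<?php
// Added illustration; cookie layout, secret and all names are constructed.
const SECRET = 'constructed-demo-secret';

/** Stateless cookie: user|expiry|HMAC. Verifies anywhere the secret is known, until expiry. */
function issue_stateless(string $user, int $expires): string {
    $body = $user . '|' . $expires;
    return $body . '|' . hash_hmac('sha256', $body, SECRET);
}

function check_stateless(string $cookie, int $now): ?string {
    $p = explode('|', $cookie);
    if (count($p) !== 3) {
        return null;
    }
    [$user, $expires, $mac] = $p;
    $ok = hash_equals(hash_hmac('sha256', $user . '|' . $expires, SECRET), $mac);
    return ($ok && (int) $expires > $now) ? $user : null;
}

/** Server-side sessions: only a hash of each random token is stored. */
final class SessionStore {
    private array $live = []; // sha256(token) => user
    public function issue(string $user): string {
        $token = bin2hex(random_bytes(16));
        $this->live[hash('sha256', $token)] = $user;
        return $token;
    }
    public function check(string $token): ?string {
        return $this->live[hash('sha256', $token)] ?? null;
    }
    public function destroy(string $token): void {
        unset($this->live[hash('sha256', $token)]);
    }
}

$now = 1700000000; // constructed timestamp
// Logout on one host deletes that host's copy of the cookie; any other copy still verifies.
$cookie = issue_stateless('alice', $now + 3600);
var_dump(check_stateless($cookie, $now + 60));

// With a store, logout destroys the token itself, so every host rejects it afterwards.
$store = new SessionStore();
$token = $store->issue('alice');
$store->destroy($token);
var_dump($store->check($token));
```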
