Opened 5 years ago
Closed 4 years ago
#5239 closed enhancement (fixed)
Bring BuddyPress.org & bbPress.org login forms over to login.wordpress.org
Reported by: | dd32 | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Component: | Login & Authentication | Keywords: | |
Cc: |
Description
Currently bbPress and BuddyPress have their own login forms, although they share the WordPress.org user tables.
Since we have a "SSO" login system through login.wordpress.org, it'd be nice to leverage that and provide a consistent user experience on all properties.
This will also have the benefit that we'll be able to enforce all login restrictions and brute-force protections on a singular login form.
WordCamp also shares the user tables, and has its own login forms, which should also be migrated over.
Change History (20)
This ticket was mentioned in Slack in #meta by tellyworth. View the logs.
5 years ago
#6 (5 years ago)
Everything seems to be working here, which is great :)
Known Limitations/Bugs:
- Logging out on bbPress.org and BuddyPress.org only logs you out on those hosts, not totally out of WordPress.org (and vice versa). That's a limitation of the fact that logging out right now only clears cookies, and doesn't invalidate a session.
- If you're already logged into WordPress.org, it just redirects you back.. That can be a bit weird at first. Could consider a splash screen before redirecting back perhaps.
- If you're a privileged user that can access wp-admin on those hosts, logging out from wp-admin currently redirects you back to wp-admin, which then redirects you back to be logged in.. so it seems to do nothing (But it does). There's so few users with wp-admin access and since redirects shouldn't land you there.. I've left it.
#7 (4 years ago; follow-up: ↓ 8)
It is failing for me.
I cannot log into BuddyPress.org or bbpress.org
Steps:
- log out of wordpress.org
- go to bbpress.org
- hit the login link
- it takes me to wordpress.org
- I log in
- it does not redirect me back to bbpress.org
- I am still not logged into bbpress.org
Ditto for buddypress.org
#8 (4 years ago; in reply to: ↑ 7)
Replying to shanebp:
> It is failing for me.
> ...
> - it does not redirect me back to bbpress.org

Where does it redirect you to?
Did you get your password wrong on the first attempt? Did you get the Math Captcha block upon login?
Can you clear your cookies on bbpress.org and try again? (If you do this, can you make a copy of them first so that there might be some information that can be used for figuring it out)
#9 (4 years ago; follow-up: ↓ 10)
> Where does it redirect you to?

After logging in, it stays on wordpress.org
> Did you get your password wrong on the first attempt?

No
> Did you get the Math Captcha block upon login?

No
> Can you clear your cookies on bbpress.org and try again?

Tried that without success
The issue is browser specific.
And only since the changes you made re this ticket.
I can log in and out with no issues in Chrome and Firefox.
But the issue occurs when I try to login using the Brave browser.
Prior to this ticket, there were no login issues with Brave.
And I tried deleting all the wordpress & buddypress & bbpress cookies in Brave.
#10 (4 years ago; in reply to: ↑ 9)
Replying to shanebp:
> The issue is browser specific.
> But the issue occurs when I try to login using the Brave browser.

Thanks! That helps a lot, it turns out that Brave doesn't send HTTP Referers cross-site, which is used heavily by WordPress for redirects.
I've probably assumed that the referer would be present, but in fact, we'll have to pass it as a query parameter for the source to be respected.
I'll install Brave today and get a fix applied.
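The change discussed in comment #10 (carry the return URL in a query parameter instead of relying on the Referer header) only stays safe if the login host validates that parameter before redirecting. The sketch below is an added example, not code from this ticket or from WordPress.org; the host list, the fallback URL, the `redirect_to` parameter name and the function names are assumptions, and it needs PHP 8.

```php
<?php
// Added example. Host list, fallback, parameter name and function names are assumptions.
const SSO_ALLOWED_HOSTS = ['wordpress.org', 'bbpress.org', 'buddypress.org'];
const SSO_FALLBACK      = 'https://wordpress.org/';

/** Return $url if it is an absolute https URL on an allowed host or subdomain, else null. */
function sso_validate_target(mixed $url): ?string
{
    if (!is_string($url) || $url === '' || preg_match('/[\x00-\x20\\\\]/', $url)) {
        return null; // arrays, control characters, whitespace and backslashes are refused
    }
    $parts = parse_url($url);
    if ($parts === false || strtolower($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return null; // relative, scheme-relative and non-https targets are refused
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // userinfo can disguise the real host
    }
    $host = strtolower($parts['host']);
    foreach (SSO_ALLOWED_HOSTS as $allowed) {
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) {
            return $url;
        }
    }
    return null;
}

/** Prefer the explicit query parameter; use the Referer only when the browser sent one. */
function sso_resolve_redirect(array $query, array $server): string
{
    return sso_validate_target($query['redirect_to'] ?? null)
        ?? sso_validate_target($server['HTTP_REFERER'] ?? null)
        ?? SSO_FALLBACK;
}

// Constructed requests: no Referer (as with Brave), Referer only, parameter on an untrusted host.
$cases = [
    [['redirect_to' => 'https://bbpress.org/forums/'], []],
    [[], ['HTTP_REFERER' => 'https://buddypress.org/support/']],
    [['redirect_to' => 'https://bbpress.org.untrusted.example/'], []],
];
foreach ($cases as [$query, $server]) {
    echo sso_resolve_redirect($query, $server), PHP_EOL;
}
```

The third case falls through to the fallback URL because a suffix match is made on a dot boundary, so a host that merely starts with an allowed name is not accepted.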
This ticket was mentioned in Slack in #meta by jjj. View the logs.
4 years ago
This ticket was mentioned in Slack in #buddypress by jjj. View the logs.
4 years ago
#16 (4 years ago; follow-up: ↓ 19)
Recent changes related to this effort are causing odd behavior on BuddyPress.org and bbPress.org.
Most severely, when trying to visit buddypress.org/support as a logged-out user, you will be redirected back to wordpress.org, essentially making the BuddyPress.org forums impossible to reach. bbPress.org's forums do not appear to be affected by this problem (perhaps because their url is /forums, but I'm not certain?)
Once manually logged into WordPress.org of your own determination, the BuddyPress forums are accessible again.
But then... clicking "Log Out" successfully clears the BuddyPress.org cookies and redirects back to the current page, but the WordPress.org cookies do not get cleared. Clicking "Log In" will immediately log you in without ever seeing a login screen, presumably because the WordPress.org cookie exists and the redirect is functioning as intended.
Ultimately, this results in a limbo sign-in state that users cannot fully free themselves from.
#18 (4 years ago)
I also just saw/read @dd32's comments, which makes everything I just discovered on my own known issues. 😓
I'm pretty sure the last time someone tried to do this (maybe me? maybe pre Meta team/trac?) all of this same stuff was attempted and reverted because of the same cookie related redirect shuffle.
#19 (4 years ago; in reply to: ↑ 16)
Replying to johnjamesjacoby:
> Most severely, when trying to visit buddypress.org/support as a logged-out user, you will be redirected back to wordpress.org, essentially making the BuddyPress.org forums impossible to reach. bbPress.org's forums do not appear to be affected by this problem (perhaps because their url is /forums, but I'm not certain?)

I can't reproduce that, the redirects only kick in on attempt to login. Can you capture any debug information about that?
Could it be related to an auto-login browser extension?
> But then... clicking "Log Out" successfully clears the BuddyPress.org cookies and redirects back to the current page, but the WordPress.org cookies do not get cleared.

Figuring out a way to have a logout on one site reflected over all of them would be nice, but right now we're a little stuck as we're not using server-side sessions, it's not currently possible to invalidate a dotorg auth cookie without actually deleting it.
> Clicking "Log In" will immediately log you in without ever seeing a login screen, presumably because the WordPress.org cookie exists and the redirect is functioning as intended.

Yep, having some kind of oAuth-like (but not oAuth..) "Continue as $logged in user" would make sense here IMHO, it would make it clear as to what is happening.
> Ultimately, this results in a limbo sign-in state that users cannot fully free themselves from.

Kind of, but not completely. It's no worse than the previous state (IMHO), where the login status on BuddyPress.org, bbPress.org and WordPress.org would all be independent of each other, the only change here is that the WordPress.org login state can be "promoted" to the other sites.
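The logout limitation described in comments #6 and #19 comes from the cookie being self-contained: any copy that still verifies is accepted, so clearing it on one host changes nothing for the others. The sketch below is an added example, not WordPress.org's cookie format or code; the key, the `user|expiry[|token]` layout, the `SessionStore` class and the user name are assumptions. It contrasts that with a cookie bound to a server-side session token that logout can destroy.

```php
<?php
// Added example. Key, cookie layout (user|expiry[|token]) and the in-memory store are assumptions.
const COOKIE_KEY = 'constructed-demo-key'; // constructed value, not a real secret

function sign_cookie(string $payload): string
{
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

/** Return the payload fields if the MAC verifies and the expiry is in the future, else null. */
function verify_cookie(string $cookie, int $now): ?array
{
    $pos = strrpos($cookie, '|');
    if ($pos === false) { return null; }
    $payload = substr($cookie, 0, $pos);
    $mac     = hash_hmac('sha256', $payload, COOKIE_KEY);
    if (!hash_equals($mac, substr($cookie, $pos + 1))) {
        return null;
    }
    $fields = explode('|', $payload);
    return (count($fields) >= 2 && (int) $fields[1] > $now) ? $fields : null;
}

/** Stands in for a session table that every host can query. Only token hashes are stored. */
final class SessionStore
{
    private array $live = [];
    private function key(string $u, string $t): string { return $u . ':' . hash('sha256', $t); }
    public function create(string $u): string
    {
        $t = bin2hex(random_bytes(16));
        $this->live[$this->key($u, $t)] = true;
        return $t;
    }
    public function destroy(string $u, string $t): void { unset($this->live[$this->key($u, $t)]); }
    public function isLive(string $u, string $t): bool { return isset($this->live[$this->key($u, $t)]); }
}

$now = time(); $exp = $now + 3600; $store = new SessionStore();
// Stateless: deleting one host's cookie does nothing to the copy another host still holds.
$otherHostCopy = sign_cookie("alice|$exp");
printf("stateless copy after logout elsewhere: %s\n", verify_cookie($otherHostCopy, $now) ? 'accepted' : 'rejected');
// Session-backed: logout destroys the token, so the remaining copies fail the lookup.
$token = $store->create('alice');
$otherHostCopy = sign_cookie("alice|$exp|$token");
$store->destroy('alice', $token);
$f = verify_cookie($otherHostCopy, $now);
printf("session-backed copy after logout: %s\n", ($f && $store->isLive($f[0], $f[2])) ? 'accepted' : 'rejected');
```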
In 9941: