App Passwords: Extract Basic Auth check into a reusable filterable function.

In [49752] a check was added to prevent creating new Application Passwords if Basic Auth credentials were detected to prevent conflicts. This check takes place in WP-Admin, though a conflict would only arise if Basic Auth was used on the website's front-end.

This commit extracts the Basic Auth check into a reusable function, wp_is_site_protected_by_basic_auth(), which can be adjusted using a filter of the same name. This way, a site that uses Basic Auth to protect WP-Admin can still use the Application Passwords feature.

In the future, instead of requiring the use of a filter, WordPress could make a loopback request and check for a WWW-Authenticate header to make this detection more robust out of the box.

This brings the changes from [50006] to the 5.6 branch.

Props SeBsZ, archon810, aaroncampbell, ocean90, SergeyBiryukov, TimothyBlynJacobs.

Fixes #52066.

Built from https://develop.svn.wordpress.org/branches/5.6@50044


git-svn-id: http://core.svn.wordpress.org/branches/5.6@49745 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/authorize-application.php

@@ -88,7 +88,7 @@ if ( is_wp_error( $is_valid ) ) {
 	);
 }
 
-if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) || ! empty( $_SERVER['PHP_AUTH_PW'] ) ) {
+if ( wp_is_site_protected_by_basic_auth( 'front' ) ) {
 	wp_die(
 		__( 'Your website appears to use Basic Authentication, which is not currently compatible with Application Passwords.' ),
 		__( 'Cannot Authorize Application' ),

wp-admin/user-edit.php

@@ -739,7 +739,7 @@ endif;
 				}
 			}
 
-			if ( empty( $_SERVER['PHP_AUTH_USER'] ) && empty( $_SERVER['PHP_AUTH_PW'] ) ) {
+			if ( ! wp_is_site_protected_by_basic_auth( 'front' ) ) {
 				?>
 			<div class="create-application-password form-wrap">
 				<div class="form-field">

wp-includes/load.php

@@ -1685,3 +1685,46 @@ function wp_is_xml_request() {
 
 	return false;
 }
+
+/**
+ * Checks if this site is protected by HTTP Basic Auth.
+ *
+ * At the moment, this merely checks for the present of Basic Auth credentials. Therefore, calling this function
+ * with a context different from the current context may give inaccurate results. In a future release, this
+ * evaluation may be made more robust.
+ *
+ * Currently, this is only used by Application Passwords to prevent a conflict since it also utilizes Basic Auth.
+ *
+ * @since 5.6.1
+ *
+ * @global string $pagenow The current page.
+ *
+ * @param string $context The context to check for protection. Accepts 'login', 'admin', and 'front'. Defaults to the current context.
+ *
+ * @return bool
+ */
+function wp_is_site_protected_by_basic_auth( $context = '' ) {
+	global $pagenow;
+
+	if ( ! $context ) {
+		if ( 'wp-login.php' === $pagenow ) {
+			$context = 'login';
+		} elseif ( is_admin() ) {
+			$context = 'admin';
+		} else {
+			$context = 'front';
+		}
+	}
+
+	$is_protected = ! empty( $_SERVER['PHP_AUTH_USER'] ) || ! empty( $_SERVER['PHP_AUTH_PW'] );
+
+	/**
+	 * Filters whether a site is protected by HTTP Basic Auth.
+	 *
+	 * @since 5.6.1
+	 *
+	 * @param bool $is_protected Whether the site is protected by Basic Auth.
+	 * @param string $context    The context to check for protection. One of 'login', 'admin', or 'front'.
+	 */
+	return apply_filters( 'wp_is_site_protected_by_basic_auth', $is_protected, $context );
+}

wp-includes/version.php

@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.6.1-alpha-50043';
+$wp_version = '5.6.1-alpha-50044';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.