MksDdn Reddy Auth

开发者	mksddn
更新时间	2026年6月11日 16:17
PHP版本:	7.4 及以上
WordPress版本:	7.0
版权:	GPLv2 or later
版权网址:	版权信息

下载

1.0.0 1.1.0

详情介绍:

MksDdn Reddy Auth provides OTP-based authentication with:

WordPress cookie session login for the frontend (shortcode, or REST with issue_session: true).
Optional Bearer token issuing for REST clients (issue_token: true; cookie not set by default on REST login).
Rate limiting and one-time OTP verification.
Optional site and REST API protection for unauthenticated visitors.
Optional allowed request sources (Origin/Referer) for plugin REST endpoints.

The plugin maps each Reddy ID to a WordPress user and can create an account automatically on first successful login.

安装:

Upload the plugin to the /wp-content/plugins/ directory.
Activate the plugin through the Plugins menu in WordPress.
Open Settings > Reddy Auth and configure bot token and security options.
Create a login page and add the shortcode [mksddn_reddy_login].
If site protection is enabled, select that page in the Login page setting (otherwise guests are redirected to wp-login.php fallback).

常见问题:

Where should I store the bot token?

Use the MKSDDN_REDDY_BOT_TOKEN constant in wp-config.php on production sites. The settings page field is a development fallback and should not replace secure server-side configuration in live environments.

Why am I stuck in a redirect loop?

This usually happens when Protect site content is enabled but no valid login page is selected. Create a page with [mksddn_reddy_login], choose it in Login page, and save settings.

Does this plugin replace /wp-login.php?

No. It adds a Reddy OTP login flow via shortcode and REST endpoints. Standard WordPress login may still be available unless you restrict it separately.

Are WordPress users created automatically?

Yes. On first successful OTP login the plugin creates a WordPress user mapped to the Reddy ID and stores the mapping in user meta.

How do REST clients authenticate?

Send issue_token: true in the login request, then pass the returned token in the Authorization: Bearer header. REST login does not set a WordPress cookie unless you also send issue_session: true. Use the login shortcode or issue_session: true when the browser needs access to Protect site content pages.

What is the difference between issue_token and issue_session?

issue_token returns a Bearer token for REST API clients. issue_session sets the WordPress auth cookie. Shortcode login always sets a cookie. REST login sets a cookie only when issue_session is true (default false). Headless integrations should use issue_token without issue_session so site content stays locked until an explicit cookie login.

What happens when an administrator deletes a Reddy user?

All plugin Bearer tokens for that WordPress user are revoked and WordPress session tokens are destroyed. The user must complete OTP login again. Deleting the WordPress account does not permanently block the Reddy ID; a successful OTP login can recreate the account.

Why do I get HTTP 429?

The plugin rate-limits OTP send and login attempts per Reddy ID and client IP. Wait for the limit window to expire or adjust limits in Settings > Reddy Auth.

What does Allowed request sources do?

It optionally checks Origin or Referer on plugin REST routes only. Empty list = no restriction (default). Non-empty list = browser apps must call from a listed URL. It does not replace OTP, rate limits, or Bearer auth—headers can be spoofed.

Why do I get HTTP 403 with "Request not allowed from this source"?

Allowed request sources is configured and the request has no matching Origin/Referer. Add your frontend URL to the list, send a matching Origin header from server clients, leave the list empty for backends, or use the mksddn_reddy_is_request_url_allowed filter.

Which data does the plugin store?

Settings in WordPress options, Reddy ID mapping in user meta, Bearer token hashes in a custom database table, and OTP/rate-limit state in transients. Raw OTP codes and raw tokens are not stored.

What happens on uninstall?

If uninstall cleanup runs, plugin-owned options, user meta, custom tables, and transients are removed according to uninstall.php.

更新日志:

1.1.0

One-click authorization: optional magic link + inline button delivered alongside the OTP code.
Login intent system: GET|POST /auth/intent-status and POST /auth/complete-intent endpoints for polling one-click flow.
Webhook endpoint POST /auth/button-callback for Reddy bot inline button callbacks (HMAC-verified).
Reddy ID whitelist: restrict authentication to a configured set of Reddy IDs.
Translation defaults were updated to avoid early textdomain loading notices on WordPress 6.7+; en_US and ru_RU catalogs included.
Auth failure observability: new mksddn_reddy_auth_failure action on every failed OTP, intent, or finalize step.
Transport observability: new mksddn_reddy_transport_failed and mksddn_reddy_transport_response actions.
New mksddn_reddy_send_payload filter to modify the Reddy bot request payload before delivery.
Settings page redesigned with tabbed layout. Breaking changes from 1.0.0:
REST error responses: the default message for generic failures changed from "Invalid credentials." to "Unable to process authentication request.". The code field is unchanged. Clients should rely on code, not message.
Rate-limit error message changed from the Reddy API text to "Too many requests. Try again later.".
Monolith content lock (monolith_lock_enabled) now redirects to wp-login.php when no login page is configured (previously redirected to home_url('/')). Sites with monolith lock on but no login page set will now land on WP login.
mksddn_reddy_otp_message filter: the default message passed as the first argument now depends on delivery mode. When delivery_mode is link_only, the message uses the magic link template (no {code}). Custom filter handlers should check the delivery context if they manipulate the message.

1.0.0

Do not require Bearer on HTTP OPTIONS when REST API content lock is enabled (CORS preflight for cross-origin SPAs).
Stable 1.0.0 release.

0.1.4

Admin settings for bot message texts: OTP template ({code}, {ttl}) and connection test message.
Filter mksddn_reddy_otp_message still overrides the final OTP text after the admin template is applied.
Filter mksddn_reddy_bot_test_message for customizing the connection test message.

0.1.3

REST login no longer sets a WordPress cookie by default. Optional issue_session parameter (default false); use issue_token for Bearer auth. Shortcode login still sets a cookie.
Protect site content uses cookie sessions only; Protect all REST API content requires Bearer tokens. Documented split between monolith and REST protection.
Revoke all Bearer tokens and destroy WordPress sessions when a WordPress user is deleted.
Bearer token validation requires an active _mksddn_reddy_id user meta mapping.
Site and REST content lock: WP staff with edit_posts (administrator, editor) bypass Reddy-only lock without OTP.
Filter mksddn_reddy_content_lock_bypass to customize lock bypass per user.
More reliable login page detection for monolith content lock (configured page, URL path, shortcode fallback).
REST content lock respects existing authentication errors before enforcing Reddy check.

0.1.2

Direct Reddy terms of use and privacy policy links in External services readme section.
Require cookie session or Bearer token authentication for POST /auth/logout REST endpoint.

0.1.1

External services disclosure in readme for Reddy bot API (OTP delivery).
Safer defaults: site and REST protection disabled until explicitly enabled in settings.
Monolith content lock skipped until a login page or shortcode page is configured.
Admin setup notice after activation pointing to Settings > Reddy Auth.
Uninstall cleanup removes plugin-owned transients (OTP and rate-limit state).
Optional Allowed request sources for plugin REST endpoints (Origin/Referer allowlist, HTTP 403 when mismatched).
Updated plugin metadata (GitHub URIs, license, WordPress and PHP requirements).
Tested up to WordPress 7.0.
Hardened REST middleware: sanitize request URI before route checks.
Clearer rate limit labels and field descriptions in settings.
Improved uninstall cleanup and WPCS compliance across core files.
Removed redundant textdomain loader (WordPress auto-loads plugin translations).

0.1.0

Initial MVP release.

MksDdn Reddy Auth

标签

下载

详情介绍:

安装:

常见问题:

更新日志: