-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
App Passwords: Don't prevent non-unique App Password names. #7391
Conversation
In [50030] we enforced that Application Passwords have unique names. This was done with the assumption that applications would not connect to a user multiple times. However, in practice we've seen applications run into issues with the unique name constraint. Depending on the app, they may not know if they've been authorized before, or they may intentionally allow connecting multiple times. To prevent friction, App developers need to make their App Name unique, and in doing so often include things like the current date & time, which is already included in the App Passwords list table. This commit removes this requirement to simplify usage of the Authorize Application flow. Props mark-k, Boniu91. Fixes #54213.
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN:
To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me and does what it says on the pack.
My one question is whether second and subsequent duplicates should use App PW (2)
, App PW (3)
, etc so the UI provides a way to differentiate between applications?
As the date of registration is available, I don't think it's a necessity so happy if you'd prefer to put this in as is.
Thanks for the review! Yeah my thinking is that the date does that differentiation. It'll also remain correct even if a user revokes an application password, where the numbering might end up getting confusing? |
Works for me, I'll leave you to do the commit honours. Thanks. |
Merged in r59084. |
In [50030] we enforced that Application Passwords have unique names. This was done with the assumption that applications would not connect to a user multiple times. However, in practice we've seen applications run into issues with the unique name constraint. Depending on the app, they may not know if they've been authorized before, or they may intentionally allow connecting multiple times. To prevent friction, App developers need to make their App Name unique, and in doing so often include things like the current date & time, which is already included in the App Passwords list table.
This commit removes this requirement to simplify usage of the Authorize Application flow.
Props mark-k, Boniu91.
Fixes #54213.
Trac ticket: https://core.trac.wordpress.org/ticket/54213
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.