Ryan Bayne asked:

WordPress Login Using Twitch Authentication Session

I have a plugin called TwitchPress and it has an extension called TwitchPress Login Extension. It's all open-source and it appears to work well for most people. We can log in to WordPress using Twitch. Then, when we make the WP installation more complex by adding more plugins, we see issues that have now taken around 30 hours to figure out without any real progress.

Experienced Issue

Add WPML (language plugin) and Shield (security plugin) and we see something I find strange happening. These plugins behave as if they don't recognize the user's authenticated session even though the plugin uses WP core functions to authenticate the visitor. WPML asks the user to log in when switching language but does not do so if we log in using the WP login form. The Shield plugin is also installed and that has security to prevent a hacker continuing to navigate through the admin side if they do manage to get into the admin in the first place. The Shield plugin could be preventing easy access to the admin when switching language domains because it doesn't see the login as legit. The switch between languages becomes an opportunity to secure the blog.

Problem

One or both of these plugins do not recognize my authentication as genuine, but how could that be, and why would WP core itself allow access to the admin if something isn't quite right? I assume these plugins work well and the problem is in the steps I take to authenticate a visitor via the Twitch API.

Can anyone suggest additional measures for my checklist and theories as to what I'm doing wrong?

Checklist

What are the key steps that are required in the latest version of WordPress when giving a user permission to log in?
  • Is it alright to use $_GET only login and no password?
  • Or is $_POST a must at some stage for some reason?
  • wp_set_current_user() is in use.
  • wp_set_auth_cookie() is in use.
  • do_action( 'wp_login' ) comes after the two setters.
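
The checklist above written out as one callback handler, as an added example that is not part of the original post and is not TwitchPress code. The `example_` function, cookie and meta-key names and the `$exchange_code` callable are assumptions; the WordPress functions called are core.

```php
<?php
// Added example, not TwitchPress code. Names prefixed example_ are hypothetical.

/**
 * Finish a WordPress login after the OAuth provider redirects back with
 * ?code=...&state=... in the query string.
 *
 * @param callable $exchange_code Hypothetical callable: swaps the code for a
 *                                token server-side and returns the provider's
 *                                user id, or null on failure.
 */
function example_finish_oauth_login( callable $exchange_code ) {
	$state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
	$code  = isset( $_GET['code'] ) ? sanitize_text_field( wp_unslash( $_GET['code'] ) ) : '';

	// GET values alone prove nothing. The state must equal the value this
	// site stored in the visitor's cookie before redirecting to the provider
	// (cookie name is an assumption).
	$sent = isset( $_COOKIE['example_oauth_state'] ) ? sanitize_text_field( wp_unslash( $_COOKIE['example_oauth_state'] ) ) : '';
	if ( '' === $code || '' === $sent || ! hash_equals( $sent, $state ) ) {
		return new WP_Error( 'example_bad_state', 'OAuth state missing or mismatched.' );
	}

	// Identity comes from the server-to-server exchange, never from the URL.
	$provider_id = $exchange_code( $code );
	if ( empty( $provider_id ) ) {
		return new WP_Error( 'example_exchange_failed', 'Code exchange failed.' );
	}

	// Map the provider id to exactly one WP user (meta key is an assumption).
	$users = get_users( array( 'meta_key' => 'example_provider_id', 'meta_value' => $provider_id, 'number' => 2 ) );
	if ( 1 !== count( $users ) ) {
		return new WP_Error( 'example_no_user', 'No unique WordPress user for this account.' );
	}
	$user = $users[0];

	wp_clear_auth_cookie();                            // drop any previous session cookies
	wp_set_current_user( $user->ID );                  // current request
	wp_set_auth_cookie( $user->ID, false, is_ssl() );  // following requests
	do_action( 'wp_login', $user->user_login, $user ); // same two arguments core passes

	wp_safe_redirect( admin_url() );
	exit;
}
```

Plugins that hook `wp_login` receive the user login and the `WP_User` object, so firing the action with both arguments keeps this path consistent with a login through the WP form.
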

David Favor

Likely you won't like hearing this...

If I was using code, like Twitch, which caused me to waste 30 hours of time with no progress, I'd deinstall it.

Consider what's more valuable, debugging some code like Twitch which should play well with other code, or dumping it.

If you really must use Twitch, then enable WP_DEBUG == true in your wp-config.php file + review your WP debug log. Clean up all the problems emitted, especially Fatals + likely all will be well.

Rule of thumb. Avoid spinning your wheels for 30 hours.

I privately host 100s of high traffic WordPress sites.

I run them all with WP_DEBUG + SAVEQUERIES both enabled, so I can debug any site... any time...

Always start with your debug logs + Query Monitor output + you'll save many hours of time.

Ryan Bayne (ASKER)

Thank you for replying.

I have a lot of logging happening and it was increasing log entries that took up some of that time. My own library called BugNet for WordPress had to be improved to allow traces to be set up, i.e. log entries that are related by a unique string, and it works over multiple requests for the sake of logging a procedure that includes redirects or a UI procedure.

There are no errors, which I suppose is the reason I'm here for the first time in a long time. The problem isn't the Twitch API in any way at all because a login happens. The entire issue is related to WordPress authentication and how it is not trusted by a security plugin at the point of a language plugin changing subdomains.

Initially, there were multiple redirects happening.

  1. Login plugin redirects to a page suitable for login error display.
  2. Login plugin redirects to final page on success.
  3. WPML redirects to the default language when visiting the domain with no language subdomain set.
  4. WPML redirects to a different language subdomain when user is returned from admin login process to the public side.
  5. Guard redirects to WP main login form if security isn't passed.

There is no quick way to figure all of that out and figure out exactly which line it's happening within each plugin to ensure it's not guesswork. That time includes re-writing some of the login procedure and testing various approaches.