Last active
July 31, 2018 16:37
-
-
Save dobesv/fd70974421b891b3f277 to your computer and use it in GitHub Desktop.
Login script for custom auth0 database to auth via WordPress XML-RPC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function login (email, password, callback) { | |
| var escapeXml = function escapeXml(unsafe) { | |
| return unsafe.replace(/[<>&'"]/g, function (c) { | |
| switch (c) { | |
| case '<': return '<'; | |
| case '>': return '>'; | |
| case '&': return '&'; | |
| case '\'': return '''; | |
| case '"': return '"'; | |
| } | |
| }); | |
| }; | |
| request.post({ | |
| url: 'https://yourdomain.com/xmlrpc.php', | |
| body: '<?xml version="1.0"?><methodCall>' + | |
| '<methodName>wp.getProfile</methodName>' + | |
| '<params>'+ | |
| '<param><value><i4>0</i4></value></param>' + | |
| '<param><value>'+escapeXml(email)+'</value></param>' + | |
| '<param><value>'+escapeXml(password)+'</value></param>' + | |
| '</params></methodCall>', | |
| encoding: 'utf8', | |
| method: 'POST', | |
| headers: { 'Content-Type' : 'application/xml' } | |
| //for more options check: | |
| //https://github.com/mikeal/request#requestoptions-callback | |
| }, function (err, response, body) { | |
| if (err) return callback(err); | |
| if (response.statusCode !== 200) return callback(); | |
| var user_id = body.match('<member><name>user_id</name><value><string>([^<]*)')[1]; | |
| var nickname = body.match('<member><name>nickname</name><value><string>([^<]*)')[1]; | |
| var email = body.match('<member><name>email</name><value><string>([^<]*)')[1]; | |
| callback(null, { | |
| user_id: user_id, | |
| nickname: nickname, | |
| email: email, | |
| email_verified: true | |
| }); | |
| }); | |
| } |
Author
Yes, that's right. It will refer back to WordPress for any username/password user it doesn't recognize.
Author
I just fixed a problem with the script where it wasn't returning a username and changed it to use some libraries to avoid possible encode/decode issues. New and improved!
Author
Also now I added the "getByEmail" script. You'll have to provide login information for an admin user.
Where does this script go in Auth0? Rules? Apps?
What does the getByEmail script do? Is it required?
If we are blocking Brute Force XMLRPC calls, is this going to work?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
you use this custom script to import your wordpress users to your Auth0 account, right?