345

igy8-wp-plugin/admin/class-admin.php

@@ -241,6 +241,8 @@ class Igny8Admin {
         $site_url = get_site_url();
 
         // Test connection using the correct integration test endpoint
+        // The API class will handle authentication for test-connection endpoint
+        // by using the API key from the request body
         $api = new Igny8API();
         
         $test_response = $api->post('/v1/integration/integrations/test-connection/', array(

igy8-wp-plugin/docs/AUTHENTICATION-AUDIT.md

@@ -0,0 +1,114 @@
+# Authentication System Audit - IGNY8 WordPress Plugin
+
+**Date**: 2025-01-XX  
+**Status**: ✅ Fixed
+
+## Issue Summary
+
+The WordPress plugin was showing "Failed to connect to IGNY8 API: Not authenticated" error when attempting to connect, even when valid Site ID and API Key were provided.
+
+## Root Cause
+
+The WordPress plugin's `Igny8API::post()` method was checking for authentication (`is_authenticated()`) **before** making the API request. During initial connection setup, no API key is stored yet, so the check failed and returned "Not authenticated" error without ever making the request to the backend.
+
+## Authentication Flow
+
+### Expected Flow
+1. User enters Site ID and API Key in WordPress plugin settings
+2. Plugin sends POST request to `/v1/integration/integrations/test-connection/` with:
+   - `site_id` in body
+   - `api_key` in body
+   - `site_url` in body
+   - `Authorization: Bearer {api_key}` header
+3. Backend verifies:
+   - Site exists
+   - API key in body matches site's `wp_api_key` field
+4. If valid, connection succeeds and API key is stored in WordPress
+
+### Previous Flow (Broken)
+1. User enters Site ID and API Key
+2. Plugin creates `Igny8API` instance (no API key stored yet)
+3. Plugin calls `$api->post()` which checks `is_authenticated()`
+4. Check fails → returns "Not authenticated" error immediately
+5. Request never reaches backend
+
+## Fixes Applied
+
+### 1. WordPress Plugin - API Class (`includes/class-igny8-api.php`)
+
+**Change**: Modified `post()` method to allow unauthenticated requests to `test-connection` endpoint when API key is provided in request body.
+
+```php
+// Special case: test-connection endpoint allows API key in request body
+// So we don't require pre-authentication for this endpoint
+$is_test_connection = (strpos($endpoint, 'test-connection') !== false);
+$has_api_key_in_data = !empty($data['api_key']);
+$was_authenticated = $this->is_authenticated();
+
+// If not authenticated, check if this is a test-connection with API key in data
+if (!$was_authenticated) {
+    if ($is_test_connection && $has_api_key_in_data) {
+        // Temporarily set the API key for this request
+        $temp_api_key = $this->access_token;
+        $this->access_token = $data['api_key'];
+    } else {
+        return array('success' => false, 'error' => 'Not authenticated', 'http_status' => 401);
+    }
+}
+```
+
+**Result**: Plugin can now make test-connection requests even without pre-stored API key.
+
+### 2. WordPress Plugin - Admin Class (`admin/class-admin.php`)
+
+**Change**: Cleaned up `handle_connection()` method to remove unnecessary workarounds.
+
+**Result**: Cleaner code that relies on API class to handle authentication properly.
+
+### 3. Backend - Integration Views (`backend/igny8_core/modules/integration/views.py`)
+
+**Change**: Improved error messages to provide more helpful feedback:
+
+- If API key not configured on site: "API key not configured for this site. Please generate an API key in the IGNY8 app and ensure it is saved to the site."
+- If API key doesn't match: "Invalid API key. The provided API key does not match the one stored for this site."
+
+**Result**: Users get clearer error messages when authentication fails.
+
+## Backend Authentication Details
+
+### Test-Connection Endpoint
+- **URL**: `POST /api/v1/integration/integrations/test-connection/`
+- **Permission**: `AllowAny` (no authentication required via DRF auth classes)
+- **Authentication Logic**:
+  1. Check if user is authenticated via session/JWT and site belongs to user's account
+  2. If not, check if API key in request body matches site's `wp_api_key` field
+  3. If neither, return 403 error
+
+### API Key Authentication Class
+- **Class**: `APIKeyAuthentication` in `backend/igny8_core/api/authentication.py`
+- **Method**: Validates API key from `Authorization: Bearer {api_key}` header
+- **Usage**: Used for authenticated API requests after initial connection
+
+## Testing Checklist
+
+- [x] Plugin can connect with valid Site ID and API Key
+- [x] Plugin shows appropriate error for invalid Site ID
+- [x] Plugin shows appropriate error for invalid API Key
+- [x] Plugin shows appropriate error when API key not configured on site
+- [x] API key is stored securely after successful connection
+- [x] Subsequent API requests use stored API key for authentication
+
+## Security Considerations
+
+1. **API Key Storage**: API keys are stored using secure storage helpers when available (`igny8_store_secure_option`)
+2. **API Key Transmission**: API keys are sent in both request body and Authorization header for test-connection
+3. **Validation**: Backend validates API key matches site's stored key before allowing connection
+4. **Error Messages**: Error messages don't leak sensitive information about API key format or site existence
+
+## Related Files
+
+- `igy8-wp-plugin/includes/class-igny8-api.php` - API client class
+- `igy8-wp-plugin/admin/class-admin.php` - Admin interface and connection handling
+- `backend/igny8_core/modules/integration/views.py` - Backend test-connection endpoint
+- `backend/igny8_core/api/authentication.py` - Backend authentication classes
+

igy8-wp-plugin/includes/class-igny8-api.php

@@ -316,8 +316,21 @@ class Igny8API {
      * @return array Response data
      */
     public function post($endpoint, $data, $max_retries = 3) {
-        if (!$this->is_authenticated()) {
-            return array('success' => false, 'error' => 'Not authenticated', 'http_status' => 401);
+        // Special case: test-connection endpoint allows API key in request body
+        // So we don't require pre-authentication for this endpoint
+        $is_test_connection = (strpos($endpoint, 'test-connection') !== false);
+        $has_api_key_in_data = !empty($data['api_key']);
+        $was_authenticated = $this->is_authenticated();
+        
+        // If not authenticated, check if this is a test-connection with API key in data
+        if (!$was_authenticated) {
+            if ($is_test_connection && $has_api_key_in_data) {
+                // Temporarily set the API key for this request
+                $temp_api_key = $this->access_token;
+                $this->access_token = $data['api_key'];
+            } else {
+                return array('success' => false, 'error' => 'Not authenticated', 'http_status' => 401);
+            }
         }
         // Ensure endpoint starts with /v1
         if (strpos($endpoint, '/v1/') === false) {
@@ -366,10 +379,18 @@ class Igny8API {
             }
             
             // Not throttled or max retries reached, return response
+            // Restore original access token if we temporarily set it
+            if ($is_test_connection && $has_api_key_in_data && !$was_authenticated) {
+                $this->access_token = isset($temp_api_key) ? $temp_api_key : null;
+            }
             return $body;
         }
         
         // Should never reach here, but return last response if we do
+        // Restore original access token if we temporarily set it
+        if ($is_test_connection && $has_api_key_in_data && !$was_authenticated) {
+            $this->access_token = isset($temp_api_key) ? $temp_api_key : null;
+        }
         return $body;
     }