salman/igny8
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7631a77822d08c8d455f1ddbb7e21a2cd320c2af
igny8/igny8-wp-plugin/docs/AUTHENTICATION-AUDIT.md
alorig 1a3b71ffd5 wp plugin
2025-12-01 11:02:51 +05:00

5.0 KiB
Raw Blame History

Authentication System Audit - IGNY8 WordPress Plugin

Date: 2025-01-XX
Status: Fixed

Issue Summary

The WordPress plugin was showing "Failed to connect to IGNY8 API: Not authenticated" error when attempting to connect, even when valid Site ID and API Key were provided.

Root Cause

The WordPress plugin's Igny8API::post() method was checking for authentication (is_authenticated()) before making the API request. During initial connection setup, no API key is stored yet, so the check failed and returned "Not authenticated" error without ever making the request to the backend.

Authentication Flow

Expected Flow

  1. User enters Site ID and API Key in WordPress plugin settings
  2. Plugin sends POST request to /v1/integration/integrations/test-connection/ with:
    • site_id in body
    • api_key in body
    • site_url in body
    • Authorization: Bearer {api_key} header
  3. Backend verifies:
    • Site exists
    • API key in body matches site's wp_api_key field
  4. If valid, connection succeeds and API key is stored in WordPress

Previous Flow (Broken)

  1. User enters Site ID and API Key
  2. Plugin creates Igny8API instance (no API key stored yet)
  3. Plugin calls $api->post() which checks is_authenticated()
  4. Check fails → returns "Not authenticated" error immediately
  5. Request never reaches backend

Fixes Applied

1. WordPress Plugin - API Class (includes/class-igny8-api.php)

Change: Modified post() method to allow unauthenticated requests to test-connection endpoint when API key is provided in request body.

// Special case: test-connection endpoint allows API key in request body
// So we don't require pre-authentication for this endpoint
$is_test_connection = (strpos($endpoint, 'test-connection') !== false);
$has_api_key_in_data = !empty($data['api_key']);
$was_authenticated = $this->is_authenticated();

// If not authenticated, check if this is a test-connection with API key in data
if (!$was_authenticated) {
    if ($is_test_connection && $has_api_key_in_data) {
        // Temporarily set the API key for this request
        $temp_api_key = $this->access_token;
        $this->access_token = $data['api_key'];
    } else {
        return array('success' => false, 'error' => 'Not authenticated', 'http_status' => 401);
    }
}

Result: Plugin can now make test-connection requests even without pre-stored API key.

2. WordPress Plugin - Admin Class (admin/class-admin.php)

Change: Cleaned up handle_connection() method to remove unnecessary workarounds.

Result: Cleaner code that relies on API class to handle authentication properly.

3. Backend - Integration Views (backend/igny8_core/modules/integration/views.py)

Change: Improved error messages to provide more helpful feedback:

  • If API key not configured on site: "API key not configured for this site. Please generate an API key in the IGNY8 app and ensure it is saved to the site."
  • If API key doesn't match: "Invalid API key. The provided API key does not match the one stored for this site."

Result: Users get clearer error messages when authentication fails.

Backend Authentication Details

Test-Connection Endpoint

  • URL: POST /api/v1/integration/integrations/test-connection/
  • Permission: AllowAny (no authentication required via DRF auth classes)
  • Authentication Logic:
    1. Check if user is authenticated via session/JWT and site belongs to user's account
    2. If not, check if API key in request body matches site's wp_api_key field
    3. If neither, return 403 error

API Key Authentication Class

  • Class: APIKeyAuthentication in backend/igny8_core/api/authentication.py
  • Method: Validates API key from Authorization: Bearer {api_key} header
  • Usage: Used for authenticated API requests after initial connection

Testing Checklist

  • Plugin can connect with valid Site ID and API Key
  • Plugin shows appropriate error for invalid Site ID
  • Plugin shows appropriate error for invalid API Key
  • Plugin shows appropriate error when API key not configured on site
  • API key is stored securely after successful connection
  • Subsequent API requests use stored API key for authentication

Security Considerations

  1. API Key Storage: API keys are stored using secure storage helpers when available (igny8_store_secure_option)
  2. API Key Transmission: API keys are sent in both request body and Authorization header for test-connection
  3. Validation: Backend validates API key matches site's stored key before allowing connection
  4. Error Messages: Error messages don't leak sensitive information about API key format or site existence

Related Files

  • igy8-wp-plugin/includes/class-igny8-api.php - API client class
  • igy8-wp-plugin/admin/class-admin.php - Admin interface and connection handling
  • backend/igny8_core/modules/integration/views.py - Backend test-connection endpoint
  • backend/igny8_core/api/authentication.py - Backend authentication classes
Reference in New Issue View Git Blame Copy Permalink