Filtering the environments and credentials in the WP Basic HTTP Authentication plugin

Following on from yesterdays post – Adding HTTP Authentication to a WordPress site, I’ve put together a couple examples of how WordPress filters can be used to change the credentials and environments that can be set for authentication.

A quick way to set variables for testing, or in an environment such as local development, where it may be difficult, impossible or simply impractical to set environment variables for use here is to add them to your wp-config.php file:

// Set the environment you're in
$_SERVER['environment' ] = 'testing';

// Set the usernames / passwords that are valid
// Note the format is username:password - multiple users can be added by comma separating (no spaces)
// In this example, "demo" is the username, "user" is the password
$_SERVER['http_authentication_credentials' ] = 'demo:user,other:user';

// Set the restricted environments, these should be comma separated (no spaces)
$_SERVER['http_authentication_environments' ] = 'testing,development';

This code example, also available on Github Gist, shows how to change the credentials to use the ones you set:

<?php
/**
 * Plugin Name: Filter WP Basic HTTP Authentication Credentials
 * Description: Filter WP Basic HTTP Authentication Credentials to use environment variables
 * Author: James Morrison
 * Version: 1.0.0
 * Author URI: https://www.jamesmorrison.me
 **/

// Filter the credentials
add_filter( 'wp_basic_auth_credentials',
	function( $credentials ) {

		// Ensure the expected server variable is available
		if ( ! isset( $_SERVER['http_authentication_credentials'] ) ) {
			return $credentials;
		}

		// $credentials should be an array, just in case it isn't, validate and create one if need be
		if ( ! is_array( $credentials ) ) {
			$credentials = [];
		}

		// Remove the example user
		// This is a key => value based array so we can simply unset the array key
		unset( $credentials['example_user'] );

		// Load credentials from the environment variable
		// Expected format is:
		// user_1:password_1,user_2:password_2
		$environment_credentials = sanitize_text_field( $_SERVER['http_authentication_credentials'] );

		// Break the string to an array of individual sets of usernames and passwords
		$credentials_array = explode( ',', $environment_credentials );

		// Loop through each set of credentials
		foreach ( $credentials_array as $username_password ) {

			// Break the user_1:password_1 to an array
			$username_password_array = explode( ':', $username_password );

			// Add the username and password to the $credentials array
			$credentials[ $username_password_array[0] ] = $username_password_array[1];

		}

		// Send back our credentials
		return $credentials;

	}, 1, 1
);

This code example, also available on Github Gist, shows how to change the restricted environments to use the ones you set:

<?php
/**
 * Plugin Name: Filter WP Basic HTTP Authentication Environments
 * Description: Filter WP Basic HTTP Authentication Environments to use environment variables
 * Author: James Morrison
 * Version: 1.0.0
 * Author URI: https://www.jamesmorrison.me
 **/

// Filter the environments
add_filter( 'wp_basic_auth_environments',
	function( $restricted_environments ) {

		// Ensure the expected server variable is available
		if ( ! isset( $_SERVER['http_authentication_environments'] ) ) {
			return $restricted_environments;
		}

		// This isn't a key => value based array; since we only have one value
		// The simple way to remove this would be to recreate the array
		$restricted_environments = [];

		// Load credentials from the environment variable
		// Expected format is comma separated (no spaces) like so:
		// staging,testing,development
		$environments = sanitize_text_field( $_SERVER['http_authentication_environments'] );

		// Break the string to an array of individual sets of usernames and passwords
		$environments_array = explode( ',', $environments );

		// Loop through each environment
		foreach ( $environments_array as $environment ) {

			// Add the environment to the $restricted_environments array
			$restricted_environments[] = esc_attr( $environment );

		}

		// Send back our restricted environments
		return $restricted_environments;

	}, 1, 1
);

Photo by Nathan Dumlao on Unsplash