fix: Use wp_authenticate + wp_set_auth_cookie + wp_set_current_user for proper session

This commit is contained in:
dwindown
2025-11-05 00:42:11 +07:00
parent 0f6696b361
commit ff29f95264
3 changed files with 20 additions and 105 deletions


@@ -461,11 +461,12 @@ function AuthWrapper() {
); );
} }
if (window.WNW_CONFIG?.standaloneMode && !isAuthenticated) { if (window.WNW_CONFIG?.standaloneMode && !isAuthenticated && location.pathname !== '/login') {
// Redirect to WordPress login with return URL return <Navigate to="/login" replace />;
const returnUrl = encodeURIComponent(window.location.href); }
window.location.href = `/wp-login.php?redirect_to=${returnUrl}`;
return null; if (location.pathname === '/login' && isAuthenticated) {
return <Navigate to="/" replace />;
} }
return ( return (
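Review bot: The return URL is lost on the redirect at the `<Navigate to="/login" replace />` line: the removed branch encoded `window.location.href` into `redirect_to`, while the new `<Navigate>` carries no state and the post-login branch always sends the user to `/`. Pass the requested location along, e.g. `return <Navigate to="/login" replace state={{ from: location }} />;`, and have the `/login` branch navigate to `location.state?.from ?? '/'` instead of a fixed `/`. Keeping it as a router location object rather than a raw URL string also avoids turning the redirect into an open redirect. `location` and `isAuthenticated` are defined outside the hunk, as is the rest of AuthWrapper.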


@@ -1,84 +0,0 @@
<?php
/**
* WooNooW Standalone Admin Entry Point
*
* Minimal WordPress bootstrap - no theme, no plugins bloat.
* This file provides a clean, fast admin interface without wp_head/wp_footer.
*
* @package WooNooW
*/
// Load WordPress core only (no theme, no plugins)
define( 'WP_USE_THEMES', false );
define( 'WOONOOW_STANDALONE_ADMIN', true );
// Load WordPress
require_once( __DIR__ . '/../../../../wp-load.php' );
// Check if user is logged in and has permissions
$is_authenticated = is_user_logged_in() && current_user_can( 'manage_woocommerce' );
// Get nonce for REST API
$nonce = wp_create_nonce( 'wp_rest' );
$rest_url = rest_url( 'woonoow/v1' );
$wp_admin_url = admin_url( 'admin.php?page=woonoow' );
// Get current user data if authenticated
$current_user = null;
if ( $is_authenticated ) {
$user = wp_get_current_user();
$current_user = [
'id' => $user->ID,
'name' => $user->display_name,
'email' => $user->user_email,
'avatar' => get_avatar_url( $user->ID ),
];
}
// Get asset URLs
$plugin_url = plugins_url( '', dirname( __FILE__ ) );
$asset_url = $plugin_url . '/admin-spa/dist';
$css_url = $asset_url . '/app.css';
$js_url = $asset_url . '/app.js';
// Add cache busting
$version = defined( 'WP_DEBUG' ) && WP_DEBUG ? time() : '1.0.0';
$css_url .= '?ver=' . $version;
$js_url .= '?ver=' . $version;
?>
<!DOCTYPE html>
<html lang="<?php echo esc_attr( get_locale() ); ?>">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="robots" content="noindex, nofollow">
<title>WooNooW Admin</title>
<!-- WooNooW Assets Only - NO wp_head() -->
<link rel="stylesheet" href="<?php echo esc_url( $css_url ); ?>">
</head>
<body class="woonoow-standalone">
<div id="woonoow-admin-app"></div>
<script>
// Minimal config - no WordPress bloat
window.WNW_CONFIG = {
restUrl: <?php echo wp_json_encode( $rest_url ); ?>,
nonce: <?php echo wp_json_encode( $nonce ); ?>,
standaloneMode: true,
wpAdminUrl: <?php echo wp_json_encode( $wp_admin_url ); ?>,
isAuthenticated: <?php echo $is_authenticated ? 'true' : 'false'; ?>,
currentUser: <?php echo wp_json_encode( $current_user ); ?>,
locale: <?php echo wp_json_encode( get_locale() ); ?>,
siteUrl: <?php echo wp_json_encode( home_url() ); ?>,
siteName: <?php echo wp_json_encode( get_bloginfo( 'name' ) ); ?>
};
</script>
<script type="module" src="<?php echo esc_url( $js_url ); ?>"></script>
<?php
// NO wp_footer() - we don't want theme/plugin scripts
?>
</body>
</html>


@@ -31,20 +31,8 @@ class AuthController {
], 400 ); ], 400 );
} }
// Use wp_signon to properly authenticate and set cookies (same as wp-login.php) // Authenticate user (same as wp-login.php)
$credentials = [ $user = wp_authenticate( $username, $password );
'user_login' => $username,
'user_password' => $password,
'remember' => true,
];
$user = wp_signon( $credentials, is_ssl() );
// Debug logging
if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
error_log( '[AuthController::login] wp_signon result: ' . ( is_wp_error( $user ) ? 'ERROR' : 'SUCCESS' ) );
error_log( '[AuthController::login] User ID: ' . ( is_wp_error( $user ) ? 'N/A' : $user->ID ) );
}
if ( is_wp_error( $user ) ) { if ( is_wp_error( $user ) ) {
return new WP_REST_Response( [ return new WP_REST_Response( [
@@ -55,14 +43,24 @@ class AuthController {
// Check if user has WooCommerce permissions // Check if user has WooCommerce permissions
if ( ! user_can( $user, 'manage_woocommerce' ) ) { if ( ! user_can( $user, 'manage_woocommerce' ) ) {
// Logout if no permission
wp_logout();
return new WP_REST_Response( [ return new WP_REST_Response( [
'success' => false, 'success' => false,
'message' => __( 'You do not have permission to access this area', 'woonoow' ), 'message' => __( 'You do not have permission to access this area', 'woonoow' ),
], 403 ); ], 403 );
} }
// CRITICAL: Set auth cookie AND current user (as per WordPress best practices)
// This ensures session is properly established for both standalone and wp-admin
wp_set_auth_cookie( $user->ID, true, is_ssl() );
wp_set_current_user( $user->ID );
// Debug logging
if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
error_log( '[AuthController::login] Login successful for user ID: ' . $user->ID );
error_log( '[AuthController::login] Current user ID: ' . get_current_user_id() );
error_log( '[AuthController::login] Cookies set: ' . ( headers_sent() ? 'Headers already sent!' : 'OK' ) );
}
// Return user data and new nonce // Return user data and new nonce
return new WP_REST_Response( [ return new WP_REST_Response( [
'success' => true, 'success' => true,
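Review bot: The `wp_login` action is no longer fired for a successful login: the `wp_signon()` call removed in the previous hunk ran `do_action( 'wp_login', $user->user_login, $user )` after setting the cookie, whereas `wp_authenticate()` plus the `wp_set_auth_cookie()` / `wp_set_current_user()` pair added here do not, so plugins that hook that action for login auditing, lockout-counter reset or session management will not observe logins through this endpoint. Add `do_action( 'wp_login', $user->user_login, $user );` directly after the `wp_set_current_user( $user->ID );` line. Separately, `headers_sent()` is only inspected in the WP_DEBUG log block after the cookie has been set, so if output has already started the cookie is silently dropped while the response still reports `success => true`; checking `headers_sent()` before `wp_set_auth_cookie()` and returning an error response would make that failure visible to the client (unlikely in a REST handler, but cheap to guard).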