fix: Use wp_authenticate + wp_set_auth_cookie + wp_set_current_user for proper session
@@ -461,11 +461,12 @@ function AuthWrapper() {
|
||||
);
|
||||
}
|
||||
|
||||
if (window.WNW_CONFIG?.standaloneMode && !isAuthenticated) {
|
||||
// Redirect to WordPress login with return URL
|
||||
const returnUrl = encodeURIComponent(window.location.href);
|
||||
window.location.href = `/wp-login.php?redirect_to=${returnUrl}`;
|
||||
return null;
|
||||
if (window.WNW_CONFIG?.standaloneMode && !isAuthenticated && location.pathname !== '/login') {
|
||||
return <Navigate to="/login" replace />;
|
||||
}
|
||||
|
||||
if (location.pathname === '/login' && isAuthenticated) {
|
||||
return <Navigate to="/" replace />;
|
||||
}
|
||||
|
||||
return (
|
||||
|
||||
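Review bot: The new `/login` redirect drops the return target that the old `redirect_to` query parameter carried, so a user who lands on a deep link while signed out is sent to `/` after logging in (the `/login` → `/` branch a few lines below) instead of back to the page they asked for. Passing the origin along, e.g. `return <Navigate to="/login" replace state={{ from: location }} />;`, lets the login route restore it. Whether `location` here is the router's `useLocation()` value or the global `window.location` is not visible in the hunk; AuthWrapper's body starts and ends outside it.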
@@ -1,84 +0,0 @@
|
||||
<?php
|
||||
/**
|
||||
* WooNooW Standalone Admin Entry Point
|
||||
*
|
||||
* Minimal WordPress bootstrap - no theme, no plugins bloat.
|
||||
* This file provides a clean, fast admin interface without wp_head/wp_footer.
|
||||
*
|
||||
* @package WooNooW
|
||||
*/
|
||||
|
||||
// Load WordPress core only (no theme, no plugins)
|
||||
define( 'WP_USE_THEMES', false );
|
||||
define( 'WOONOOW_STANDALONE_ADMIN', true );
|
||||
|
||||
// Load WordPress
|
||||
require_once( __DIR__ . '/../../../../wp-load.php' );
|
||||
|
||||
// Check if user is logged in and has permissions
|
||||
$is_authenticated = is_user_logged_in() && current_user_can( 'manage_woocommerce' );
|
||||
|
||||
// Get nonce for REST API
|
||||
$nonce = wp_create_nonce( 'wp_rest' );
|
||||
$rest_url = rest_url( 'woonoow/v1' );
|
||||
$wp_admin_url = admin_url( 'admin.php?page=woonoow' );
|
||||
|
||||
// Get current user data if authenticated
|
||||
$current_user = null;
|
||||
if ( $is_authenticated ) {
|
||||
$user = wp_get_current_user();
|
||||
$current_user = [
|
||||
'id' => $user->ID,
|
||||
'name' => $user->display_name,
|
||||
'email' => $user->user_email,
|
||||
'avatar' => get_avatar_url( $user->ID ),
|
||||
];
|
||||
}
|
||||
|
||||
// Get asset URLs
|
||||
$plugin_url = plugins_url( '', dirname( __FILE__ ) );
|
||||
$asset_url = $plugin_url . '/admin-spa/dist';
|
||||
$css_url = $asset_url . '/app.css';
|
||||
$js_url = $asset_url . '/app.js';
|
||||
|
||||
// Add cache busting
|
||||
$version = defined( 'WP_DEBUG' ) && WP_DEBUG ? time() : '1.0.0';
|
||||
$css_url .= '?ver=' . $version;
|
||||
$js_url .= '?ver=' . $version;
|
||||
?>
|
||||
<!DOCTYPE html>
|
||||
<html lang="<?php echo esc_attr( get_locale() ); ?>">
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||
<meta name="robots" content="noindex, nofollow">
|
||||
<title>WooNooW Admin</title>
|
||||
|
||||
<!-- WooNooW Assets Only - NO wp_head() -->
|
||||
<link rel="stylesheet" href="<?php echo esc_url( $css_url ); ?>">
|
||||
</head>
|
||||
<body class="woonoow-standalone">
|
||||
<div id="woonoow-admin-app"></div>
|
||||
|
||||
<script>
|
||||
// Minimal config - no WordPress bloat
|
||||
window.WNW_CONFIG = {
|
||||
restUrl: <?php echo wp_json_encode( $rest_url ); ?>,
|
||||
nonce: <?php echo wp_json_encode( $nonce ); ?>,
|
||||
standaloneMode: true,
|
||||
wpAdminUrl: <?php echo wp_json_encode( $wp_admin_url ); ?>,
|
||||
isAuthenticated: <?php echo $is_authenticated ? 'true' : 'false'; ?>,
|
||||
currentUser: <?php echo wp_json_encode( $current_user ); ?>,
|
||||
locale: <?php echo wp_json_encode( get_locale() ); ?>,
|
||||
siteUrl: <?php echo wp_json_encode( home_url() ); ?>,
|
||||
siteName: <?php echo wp_json_encode( get_bloginfo( 'name' ) ); ?>
|
||||
};
|
||||
</script>
|
||||
|
||||
<script type="module" src="<?php echo esc_url( $js_url ); ?>"></script>
|
||||
|
||||
<?php
|
||||
// NO wp_footer() - we don't want theme/plugin scripts
|
||||
?>
|
||||
</body>
|
||||
</html>
|
||||
@@ -31,20 +31,8 @@ class AuthController {
|
||||
], 400 );
|
||||
}
|
||||
|
||||
// Use wp_signon to properly authenticate and set cookies (same as wp-login.php)
|
||||
$credentials = [
|
||||
'user_login' => $username,
|
||||
'user_password' => $password,
|
||||
'remember' => true,
|
||||
];
|
||||
|
||||
$user = wp_signon( $credentials, is_ssl() );
|
||||
|
||||
// Debug logging
|
||||
if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
|
||||
error_log( '[AuthController::login] wp_signon result: ' . ( is_wp_error( $user ) ? 'ERROR' : 'SUCCESS' ) );
|
||||
error_log( '[AuthController::login] User ID: ' . ( is_wp_error( $user ) ? 'N/A' : $user->ID ) );
|
||||
}
|
||||
// Authenticate user (same as wp-login.php)
|
||||
$user = wp_authenticate( $username, $password );
|
||||
|
||||
if ( is_wp_error( $user ) ) {
|
||||
return new WP_REST_Response( [
|
||||
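Review bot: Replacing wp_signon() with wp_authenticate() silently drops the `wp_login` action that wp_signon fires once the cookie is set; plugins that hook it for login auditing, session limits or resetting failed-attempt counters will no longer see logins made through this endpoint, while `wp_login_failed` (fired from wp_authenticate) still is. Add `do_action( 'wp_login', $user->user_login, $user );` right after the `wp_set_current_user( $user->ID );` call in the next hunk so the flow matches wp-login.php as the comment on L351 claims. The comment itself is now inaccurate on its own — wp-login.php authenticates and sets the cookie in one step — so `// Authenticate credentials only; cookie and current user are set below` would describe this line better. The login() method starts outside this hunk.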
@@ -55,14 +43,24 @@ class AuthController {
|
||||
|
||||
// Check if user has WooCommerce permissions
|
||||
if ( ! user_can( $user, 'manage_woocommerce' ) ) {
|
||||
// Logout if no permission
|
||||
wp_logout();
|
||||
return new WP_REST_Response( [
|
||||
'success' => false,
|
||||
'message' => __( 'You do not have permission to access this area', 'woonoow' ),
|
||||
], 403 );
|
||||
}
|
||||
|
||||
// CRITICAL: Set auth cookie AND current user (as per WordPress best practices)
|
||||
// This ensures session is properly established for both standalone and wp-admin
|
||||
wp_set_auth_cookie( $user->ID, true, is_ssl() );
|
||||
wp_set_current_user( $user->ID );
|
||||
|
||||
// Debug logging
|
||||
if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
|
||||
error_log( '[AuthController::login] Login successful for user ID: ' . $user->ID );
|
||||
error_log( '[AuthController::login] Current user ID: ' . get_current_user_id() );
|
||||
error_log( '[AuthController::login] Cookies set: ' . ( headers_sent() ? 'Headers already sent!' : 'OK' ) );
|
||||
}
|
||||
|
||||
// Return user data and new nonce
|
||||
return new WP_REST_Response( [
|
||||
'success' => true,
|
||||
|
||||
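Review bot: The `wp_logout()` on the permission-denied path now runs before `wp_set_auth_cookie()` has been called, so it no longer reverts a session this request created; as far as I can tell it instead destroys whatever session the caller already had (a logged-in admin probing this endpoint with another account's valid credentials would be signed out), and it fires the `wp_logout` action for a login that never happened. Since nothing has been set at that point, the call can simply be removed, or replaced with a comment noting that no session exists yet. Separately, the `headers_sent()` debug line only logs: if headers are already sent the cookie is never written but the handler still returns `'success' => true`; consider returning a 500 in that case so the SPA does not treat a cookieless login as established. The method continues outside the hunk.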