WordPress – XMLRPC – IXR client and http Basic Authentication

In the context of :

WordPress contains a rich XML library to manage exchanges via XMLRPC, to send data to or receive data from another WP website (also called web services).

The limits are :
- it is impossible for one WP site to send data to a WP website protected via HTTP Basic Authentication (.htaccess and .htpasswd, used from time to time during development steps),
and using a URI like http://user:paswd@www.domain.tld/xmlrpc.php doesn't work.
- …

The (3 hours) trip in the online docs and sources :

In WP core source, most important files are :

include_once(ABSPATH . WPINC . '/class-IXR.php'); /* not included in wp-settings */
include_once(ABSPATH . WPINC . '/class-wp-http-ixr-client.php'); /* not included in wp-settings */

in addition to those loaded when WP starts:

class-wp-xmlrpc-server.php

IXR in WP is The Incutio XML-RPC Library.
As explained here,
http://www.phppatterns.com/docs/develop/xmlrpc_progress
this library doesn't contain any way to manage authentication.

Continuing the research, we found another XML-RPC library, one with features supporting authentication.

http://phpxmlrpc.sourceforge.net/

Reading the source of xmlrpc.inc shows how the client authenticates: it adds a header to the HTTP request that carries the XML data.

$credentials='Authorization: Basic ' . base64_encode($username . ':' . $password) . "\r\n";

Fortunately, WP provides its own wp-ixr-client (which extends the IXR class), and it uses WP's class-HTTP library and the function wp_remote_post found in http.php.

The WP_Http class contains a lot of filters.
Here, the most interesting is – http_request_args – (line 110 in WP 3.2.1)

A quick (and very basic) solution :

Use the filter – http_request_args – to add the Authorization header to the request.

Example of code :

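// Callback for the http_request_args filter: receives the request
// arguments and the URL of every request made through WP_Http.
function xili_add_basic_authentication ( $args, $url ) {

	// strpos() matches this string anywhere in the URL (path and query
	// included), so every URL containing it gets the header.
	if ( false !== strpos($url, 'www.target_site.tld') ) {
		//error_log ($url);
		//error_log (serialize( $args ));
		// Replace 'http_user' / 'http_passwd' with the .htpasswd login and password.
		$args['headers']['Authorization'] = 'Basic '. base64_encode('http_user' . ':' . 'http_passwd');
	}
	return $args;
}

// Priority 10, 2 accepted arguments ($args and $url).
add_filter ( 'http_request_args', 'xili_add_basic_authentication', 10, 2 );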

Note that:

  • ‘headers’ is an array, and the class WP_Http builds from it the header lines sent to the remote site.
  • ‘http_user’ and ‘http_passwd’ are the user login and password written in the .htpasswd file whose path is set in the .htaccess of the target WP website. They are not the login/password of the XMLRPC protocol (WP users).
  • Basic Authentication is very basic but can be an example for other ideas using WP_Http class filters…
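
A stricter variant of the filter above, as an added example that is not part of the original post: it compares the parsed host name exactly instead of searching the whole URL, and sends the header only over https. The function name and the three constants (XILI_BASIC_AUTH_HOST, XILI_BASIC_AUTH_USER, XILI_BASIC_AUTH_PASS) are hypothetical; the constants are assumed to be defined in wp-config.php of the sending site.

```php
<?php
// Added example, not from the original post. Hypothetical constants,
// assumed to be defined in wp-config.php of the sending site:
//   define( 'XILI_BASIC_AUTH_HOST', 'www.target_site.tld' );
//   define( 'XILI_BASIC_AUTH_USER', 'http_user' );
//   define( 'XILI_BASIC_AUTH_PASS', 'http_passwd' );

function xili_add_basic_authentication_strict( $args, $url ) {
	// Not configured: leave every request untouched.
	if ( ! defined( 'XILI_BASIC_AUTH_HOST' ) || ! defined( 'XILI_BASIC_AUTH_USER' ) || ! defined( 'XILI_BASIC_AUTH_PASS' ) ) {
		return $args;
	}

	$parts = parse_url( $url );
	if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
		return $args; // malformed or relative URL
	}

	// Exact, case-insensitive match on the parsed host, so a URL that only
	// mentions the host name in its path or query string never gets the header.
	if ( strtolower( $parts['host'] ) !== strtolower( XILI_BASIC_AUTH_HOST ) ) {
		return $args;
	}

	// Basic credentials are only base64-encoded: send them over TLS only.
	if ( 'https' !== strtolower( $parts['scheme'] ) ) {
		return $args;
	}

	// 'headers' is normally an array; if a caller passed a string, do not touch it.
	if ( ! isset( $args['headers'] ) ) {
		$args['headers'] = array();
	} elseif ( ! is_array( $args['headers'] ) ) {
		return $args;
	}

	$args['headers']['Authorization'] = 'Basic ' . base64_encode( XILI_BASIC_AUTH_USER . ':' . XILI_BASIC_AUTH_PASS );

	// Do not follow redirects for this request, so the header stays with this host.
	$args['redirection'] = 0;
	return $args;
}

add_filter( 'http_request_args', 'xili_add_basic_authentication_strict', 10, 2 );
```

If the protected development site is reachable only over plain http, the scheme check has to be relaxed, and the login and password then cross the network in readable form.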

Hope this small post will be helpful !


One Response to WordPress – XMLRPC – IXR client and http Basic Authentication

  1. Ray says:

    Thanks for this! Helped with a .htpasswd issue I was having when using wp_remote_post()!
