描述

MksDdn Reddy Auth provides OTP-based authentication with:

WordPress cookie session login for the frontend (shortcode, or REST with issue_session: true).
Optional Bearer token issuing for REST clients (issue_token: true; cookie not set by default on REST login).
Rate limiting and one-time OTP verification.
Optional site and REST API protection for unauthenticated visitors.
Optional allowed request sources (Origin/Referer) for plugin REST endpoints.

The plugin maps each Reddy ID to a WordPress user and can create an account automatically on first successful login.

Getting Started

1. Configure the Reddy bot token

For production, define the token in wp-config.php:

define( 'MKSDDN_REDDY_BOT_TOKEN', 'your-bot-token' );

For local development you can store the token in Settings > Reddy Auth instead. Use Bot connection test to verify delivery to a Reddy user.

2. Set up the login page

Create a WordPress page (for example, /login/) and insert:

[mksddn_reddy_login]

Users enter their Reddy ID, receive a one-time code in Reddy, and sign in through the form.

3. Review protection settings

By default, both protection options are disabled so your site stays accessible after activation. Enable them only after the login page is configured:

Protect site content — redirects unauthenticated visitors to the login page.
Protect all REST API content — returns 401 for protected REST routes.

Public auth routes remain available without login:

POST /wp-json/mksddn-reddy-auth/v1/auth/send-code
POST /wp-json/mksddn-reddy-auth/v1/auth/login
GET /wp-json/mksddn-reddy-auth/v1/auth/intent-status
POST /wp-json/mksddn-reddy-auth/v1/auth/intent-status
POST /wp-json/mksddn-reddy-auth/v1/auth/complete-intent

Webhook callback route is also public for BotMother integration:

POST /wp-json/mksddn-reddy-auth/v1/auth/button-callback

4. Use REST API for headless clients

Typical flow:

POST /auth/send-code with { "reddy_id": "123456" }
POST /auth/login with { "reddy_id": "123456", "code": "111111", "issue_token": true } for headless clients. Add "issue_session": true only when the browser must also receive a WordPress cookie (same-origin SPA).
Call protected REST routes with Authorization: Bearer <token>.
GET /auth/me to read the current user (Bearer or cookie session).
POST /auth/logout to end the cookie session and revoke the Bearer token when provided.

One-click flow:

POST /auth/send-code returns intent_id and intent_secret when one-click is enabled.
Poll GET|POST /auth/intent-status with intent_id + intent_secret.
After approval, finalize auth via POST /auth/complete-intent with intent_id, intent_secret, and optional issue_token / issue_session.

For one-click polling, intent-status supports both:

GET /auth/intent-status with intent_id + intent_secret query params.
POST /auth/intent-status with intent_id + intent_secret in JSON body.

Protect site content checks the WordPress cookie session (shortcode login or REST login with issue_session: true). It does not accept Bearer tokens. Protect all REST API content requires a Bearer token and ignores cookie-only sessions.

Download OpenAPI and Postman files from Settings > Reddy Auth > Developer Resources.

5. Optional: restrict REST callers by browser source

In Settings > Reddy Auth, Allowed request sources limits plugin REST traffic (/mksddn-reddy-auth/v1/*) to listed Origin or Referer URLs. Leave empty to allow any client (recommended for server-to-server integrations). This is a soft guard for browser apps, not a secret key.

6. Optional: harden one-click webhook verification

In Settings > Reddy Auth > One-Click Authorization, set Webhook secret (optional) to match BotMother webhook Secret.

With a configured secret, webhook signature verification uses sha256(body + bot_token + "." + webhook_secret).
With an empty secret, compatibility mode uses sha256(body + bot_token).

External services

This plugin connects to the Reddy bot API at https://bot.reddy.team to deliver one-time passwords and optional admin connection test messages.

What the service is used for

Deliver OTP codes to a Reddy user during login.
Send an optional admin “bot connection test” message from Settings > Reddy Auth.

What data is sent and when

OTP send / login: Reddy user ID (userKey) and message text containing the one-time code (and expiry hint). Message text is configurable in Settings > Reddy Auth > Bot Messages (placeholders {code}, {ttl}). Sent when a user requests a code via the login form or REST API.
Bot connection test: Reddy user ID (userKey) and a configurable test message from Settings > Reddy Auth > Bot Messages. Sent only when an administrator runs Bot connection test in Settings > Reddy Auth.
Bot token: Your bot token is included in the API request URL path (configured via MKSDDN_REDDY_BOT_TOKEN in wp-config.php or the development fallback field in settings). It is not sent to WordPress.org.

Data is transmitted only when OTP delivery or the connection test is triggered. The plugin does not send site content, post data, or WordPress user passwords to Reddy.

This service is provided by Reddy: terms of use and privacy policy at https://help.reddy.team/pages/user-agreement

No other third-party services are required for core plugin operation.

安装

Upload the plugin to the /wp-content/plugins/ directory.
Activate the plugin through the Plugins menu in WordPress.
Open Settings > Reddy Auth and configure bot token and security options.
Create a login page and add the shortcode [mksddn_reddy_login].
If site protection is enabled, select that page in the Login page setting (otherwise guests are redirected to wp-login.php fallback).

常见问题

Where should I store the bot token?: Use the MKSDDN_REDDY_BOT_TOKEN constant in wp-config.php on production sites. The settings page field is a development fallback and should not replace secure server-side configuration in live environments.
Why am I stuck in a redirect loop?: This usually happens when Protect site content is enabled but no valid login page is selected. Create a page with [mksddn_reddy_login], choose it in Login page, and save settings.
Does this plugin replace `/wp-login.php`?: No. It adds a Reddy OTP login flow via shortcode and REST endpoints. Standard WordPress login may still be available unless you restrict it separately.
Are WordPress users created automatically?: Yes. On first successful OTP login the plugin creates a WordPress user mapped to the Reddy ID and stores the mapping in user meta.
How do REST clients authenticate?: Send issue_token: true in the login request, then pass the returned token in the Authorization: Bearer header. REST login does not set a WordPress cookie unless you also send issue_session: true. Use the login shortcode or issue_session: true when the browser needs access to Protect site content pages.
What is the difference between issue_token and issue_session?: issue_token returns a Bearer token for REST API clients. issue_session sets the WordPress auth cookie. Shortcode login always sets a cookie. REST login sets a cookie only when issue_session is true (default false). Headless integrations should use issue_token without issue_session so site content stays locked until an explicit cookie login.
What happens when an administrator deletes a Reddy user?: All plugin Bearer tokens for that WordPress user are revoked and WordPress session tokens are destroyed. The user must complete OTP login again. Deleting the WordPress account does not permanently block the Reddy ID; a successful OTP login can recreate the account.
Why do I get HTTP 429?: The plugin rate-limits OTP send and login attempts per Reddy ID and client IP. Wait for the limit window to expire or adjust limits in Settings > Reddy Auth.
What does Allowed request sources do?: It optionally checks Origin or Referer on plugin REST routes only. Empty list = no restriction (default). Non-empty list = browser apps must call from a listed URL. It does not replace OTP, rate limits, or Bearer auth—headers can be spoofed.
Why do I get HTTP 403 with “Request not allowed from this source”?: Allowed request sources is configured and the request has no matching Origin/Referer. Add your frontend URL to the list, send a matching Origin header from server clients, leave the list empty for backends, or use the mksddn_reddy_is_request_url_allowed filter.
Which data does the plugin store?: Settings in WordPress options, Reddy ID mapping in user meta, Bearer token hashes in a custom database table, and OTP/rate-limit state in transients. Raw OTP codes and raw tokens are not stored.
What happens on uninstall?: If uninstall cleanup runs, plugin-owned options, user meta, custom tables, and transients are removed according to uninstall.php.

评价

此插件暂无评价。

贡献者及开发者

「MksDdn Reddy Auth」是开源软件。以下人员对此插件做出了贡献。

帮助将「MksDdn Reddy Auth」翻译成简体中文。

对开发感兴趣吗?

您可以浏览代码，查看SVN仓库，或通过RSS订阅开发日志。

更新日志

1.1.0

One-click authorization: optional magic link + inline button delivered alongside the OTP code.
Login intent system: GET|POST /auth/intent-status and POST /auth/complete-intent endpoints for polling one-click flow.
Webhook endpoint POST /auth/button-callback for Reddy bot inline button callbacks (HMAC-verified).
Reddy ID whitelist: restrict authentication to a configured set of Reddy IDs.
Translation defaults were updated to avoid early textdomain loading notices on WordPress 6.7+; en_US and ru_RU catalogs included.
Auth failure observability: new mksddn_reddy_auth_failure action on every failed OTP, intent, or finalize step.
Transport observability: new mksddn_reddy_transport_failed and mksddn_reddy_transport_response actions.
New mksddn_reddy_send_payload filter to modify the Reddy bot request payload before delivery.
Settings page redesigned with tabbed layout.

Breaking changes from 1.0.0:

REST error responses: the default message for generic failures changed from "Invalid credentials." to "Unable to process authentication request.". The code field is unchanged. Clients should rely on code, not message.
Rate-limit error message changed from the Reddy API text to "Too many requests. Try again later.".
Monolith content lock (monolith_lock_enabled) now redirects to wp-login.php when no login page is configured (previously redirected to home_url('/')). Sites with monolith lock on but no login page set will now land on WP login.
mksddn_reddy_otp_message filter: the default message passed as the first argument now depends on delivery mode. When delivery_mode is link_only, the message uses the magic link template (no {code}). Custom filter handlers should check the delivery context if they manipulate the message.

1.0.0

Do not require Bearer on HTTP OPTIONS when REST API content lock is enabled (CORS preflight for cross-origin SPAs).
Stable 1.0.0 release.

0.1.4

Admin settings for bot message texts: OTP template ({code}, {ttl}) and connection test message.
Filter mksddn_reddy_otp_message still overrides the final OTP text after the admin template is applied.
Filter mksddn_reddy_bot_test_message for customizing the connection test message.

0.1.3

REST login no longer sets a WordPress cookie by default. Optional issue_session parameter (default false); use issue_token for Bearer auth. Shortcode login still sets a cookie.
Protect site content uses cookie sessions only; Protect all REST API content requires Bearer tokens. Documented split between monolith and REST protection.
Revoke all Bearer tokens and destroy WordPress sessions when a WordPress user is deleted.
Bearer token validation requires an active _mksddn_reddy_id user meta mapping.
Site and REST content lock: WP staff with edit_posts (administrator, editor) bypass Reddy-only lock without OTP.
Filter mksddn_reddy_content_lock_bypass to customize lock bypass per user.
More reliable login page detection for monolith content lock (configured page, URL path, shortcode fallback).
REST content lock respects existing authentication errors before enforcing Reddy check.

0.1.2

Direct Reddy terms of use and privacy policy links in External services readme section.
Require cookie session or Bearer token authentication for POST /auth/logout REST endpoint.

0.1.1

External services disclosure in readme for Reddy bot API (OTP delivery).
Safer defaults: site and REST protection disabled until explicitly enabled in settings.
Monolith content lock skipped until a login page or shortcode page is configured.
Admin setup notice after activation pointing to Settings > Reddy Auth.
Uninstall cleanup removes plugin-owned transients (OTP and rate-limit state).
Optional Allowed request sources for plugin REST endpoints (Origin/Referer allowlist, HTTP 403 when mismatched).
Updated plugin metadata (GitHub URIs, license, WordPress and PHP requirements).
Tested up to WordPress 7.0.
Hardened REST middleware: sanitize request URI before route checks.
Clearer rate limit labels and field descriptions in settings.
Improved uninstall cleanup and WPCS compliance across core files.
Removed redundant textdomain loader (WordPress auto-loads plugin translations).

0.1.0

Initial MVP release.

描述

Getting Started

1. Configure the Reddy bot token

2. Set up the login page

3. Review protection settings

4. Use REST API for headless clients

5. Optional: restrict REST callers by browser source

6. Optional: harden one-click webhook verification

External services

安装

常见问题

Where should I store the bot token?

Why am I stuck in a redirect loop?

Does this plugin replace `/wp-login.php`?

Are WordPress users created automatically?

How do REST clients authenticate?

What is the difference between issue_token and issue_session?

What happens when an administrator deletes a Reddy user?

Why do I get HTTP 429?

What does Allowed request sources do?

Why do I get HTTP 403 with “Request not allowed from this source”?

Which data does the plugin store?

What happens on uninstall?

评价