auth0 / wordpress

WordPress Plugin for Auth0 Authentication
https://auth0.com/docs/cms/wordpress
MIT License

Add compatibility class that can be used to improve integration with 3rd-party plugins #208

Closed lots0logs closed 8 years ago

lots0logs commented 8 years ago

Proposal

Add a plugin compatibility class that can be used to better integrate Auth0 with select 3rd-party plugins. For starters, the new class improves integration with Wordfence by ensuring failed login attempts are recorded in Wordfence logs.

glena commented 8 years ago

And what will this be used for?

$wf_log->logLogin( $action, $fail, $username['username'] );

What does Wordfence do with this log? Isn't it enough with the Auth0 tenant logs? (You can create a cron to download them and push them to Wordfence.)

lots0logs commented 8 years ago

Wordfence uses those logs to determine when to block or throttle an IP from accessing the website due to failed logins, based on how you configure it in its settings. It also displays the top 5 failed logins on your dashboard within the Wordfence widget.

The reason I did not go the cron route is because, and yes this is a bit selfish, it wouldn't work for my site's setup. Basically I have our WordPress and our forum (which is Node.js-based) using the same connection in Auth0. The Auth0 logs do not include which website actually made the failed attempt, so there is no way to easily tell the WordPress attempts from those made on our forum. While that won't be the same for everyone, I'm sure that my use-case is not that unusual. Obviously both methods have their pros and cons. This is what I implemented on my site and I think it's a good solution to achieve the intended goal.

glena commented 8 years ago

Well, you can use the client_id to filter that...

I want to avoid adding integration with other plugins since I will need to maintain it (and everyone wants to extend it later).

lots0logs commented 8 years ago

The client ID is the same for both if I remember correctly. I don't have time to check it right now. But honestly, I think you should reconsider. Such integrations will make the Auth0 plugin more useful. Also, it makes it more likely that other people will contribute. If something breaks and the person who contributed it isn't around to fix it, you could always drop the integration in question.
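
The `client_id` filter discussed in the thread, sketched as an added example that is not code from the plugin or from either commenter: it counts failed logins per IP for one application and shows that the filter only separates two sites when each has its own client ID. The event fields (`type`, `client_id`, `ip`), the failed-login type codes, the client IDs and the events themselves are assumptions or constructed samples, not values from the thread.

```python
from collections import Counter

# Assumed Auth0 tenant-log type codes for failed logins (not from the thread).
FAILED_TYPES = {"f", "fp", "fu"}

# Placeholder client IDs for the two sites (constructed).
WP_CLIENT = "wp-client-id-placeholder"
FORUM_CLIENT = "forum-client-id-placeholder"

# Constructed sample events; IPs are from documentation ranges.
SAMPLE_EVENTS = [
    {"type": "fp", "client_id": WP_CLIENT, "ip": "203.0.113.10"},
    {"type": "fp", "client_id": WP_CLIENT, "ip": "203.0.113.10"},
    {"type": "fu", "client_id": WP_CLIENT, "ip": "203.0.113.10"},
    {"type": "fp", "client_id": FORUM_CLIENT, "ip": "203.0.113.10"},
    {"type": "s", "client_id": WP_CLIENT, "ip": "198.51.100.7"},
    {"type": "f", "client_id": FORUM_CLIENT, "ip": "198.51.100.7"},
    {"type": "fp", "client_id": WP_CLIENT, "ip": "198.51.100.7"},
]


def failed_logins_by_ip(events, client_id):
    """Count failed-login events per source IP for one application."""
    return Counter(
        e["ip"]
        for e in events
        if e.get("type") in FAILED_TYPES and e.get("client_id") == client_id
    )


def ips_over_threshold(events, client_id, max_failures):
    """Return IPs with more than max_failures failed logins for this app."""
    counts = failed_logins_by_ip(events, client_id)
    return sorted(ip for ip, n in counts.items() if n > max_failures)


def can_separate_sites(site_client_ids):
    """The filter distinguishes sites only if every site has its own ID."""
    ids = list(site_client_ids.values())
    return len(ids) == len(set(ids))


if __name__ == "__main__":
    print(failed_logins_by_ip(SAMPLE_EVENTS, WP_CLIENT))
    print(ips_over_threshold(SAMPLE_EVENTS, WP_CLIENT, max_failures=2))
    print(can_separate_sites({"wordpress": WP_CLIENT, "forum": WP_CLIENT}))
```
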