Open montchr opened 1 year ago
Also see the numerous upstream issues for the plugin recommended in the Next.js example:
Thanks for opening this issue! As a note, examples are not part of Next.js, and its auditing, so we mostly rely on the community to keep them up-to-date and to the standards. That said, I pinged some team members to see if we have the capacity to look into this specific integration.
In any case, if you have a suggestion to improve the example, we welcome PRs! :pray:
Regarding the closing of #29877, I agree it might have been a bit premature to close it, I apologize! I think the confusion was that it used the wrong issue template (we have the one for examples, the one that you used) and most of the required steps were skipped, so we discarded it a bit too quickly. Again, thanks for reopening though!
Verify canary release
Provide environment information
Originates in recommendations within documentation, and results in the "working" but potentially-insecure implementation of those recommendations.
Which example does this report relate to?
cms-wordpress
What browser are you using? (if relevant)
No response
How are you deploying your application? (if relevant)
No response
Describe the Bug
The example circumvents pre-existing security/authorization controls implemented within WordPress core. Users should be able to reasonably expect that a Next.js-based implementation of post previews provides the same level of security and access control as that of WordPress core.
Additionally relevant: #29877 was closed and locked without providing any explanation as to the verification process. How was the verified reproduction performed?
The response is somewhat alarming considering the prominence of the
cms-wordpress
example, however the unceremonious closure and locking of #29877 results in the flagged misuse of WordPress authentication being buried without context, forcing the original commenter's concerns to go unaddressed, and allowing the potential issues in the example to proliferate.Expected Behavior
The official example should provide a gold standard baseline for Next.js integration with WordPress, especially with regard to authenticated post previews, as at the time of writing, the WordPress+Next.js ecosystem is populated by numerous differing implementations of post preview functionality over the years, and it would be very much appreciated if Next.js provided an example implementation using authentication best-practices.
For example, an approach leveraging per-user WordPress Application Passwords.
To Reproduce
See #29877 –
Or, roughly: