Wordpress authentication in node.js

I didn't quite understand if you want to the user authenticate primarily on your node.js application and then creates the cookie for WordPress, or the opposite, but once you understand how WordPress are doing it, you'll be able to accomplish both.

First of all, WordPress use lots of hashes and salts to security its cookies, so you need to know where these hashes and salts are to be able to define the same values for those on you nodejs application.

On wp-config.php you will find the constants of the hashes and salts we're looking for, I think you just need to transport to your nodejs application the constant values for LOGGED_IN_KEY, LOGGED_IN_SALT, NONCE_KEY and NONCE_SALT. You might give a better look on the file wp-includes/default-constants.php where WordPress keep its default constant values, pay attention to the if(defined(..)) because if the constant is defined in somewhere else prior to this file (probably on the wp-config.php) the value will be from that not from the wp-includes/default-constants.php file.

Now, you need to understand how WordPress is creating its cookies.This is an example of logged in cookie:

Cookie Name: wordpress_logged_in_2801795354f6f1c2d2ab3b48033a8257Cookie Value: admin|1392386298|647852d61caf4cfdea975d54ecb09ca8Cookie Value: %user_login%|%cookie_expire_time%|%hashed_sliced_user_hashed_password%

You need to make your nodejs application understand this cookie, being able to break it just like WordPress.

The functions to create authentication cookies on WordPress resides on wp-includes/pluggable.php

$logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');//...setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);

Note that the constant LOGGED_IN_COOKIE is default set on wp-includes/default-constants.php, on the same file you have the COOKIEHASH constant, you need to transport the value of that to your nodejs application to be able to read and validate the cookie name too, the COOKIEHASH is just the website URL hashed with md5.

if ( !defined( 'COOKIEHASH' ) ) {    $siteurl = get_site_option( 'siteurl' );    if ( $siteurl )        define( 'COOKIEHASH', md5( $siteurl ) );    else        define( 'COOKIEHASH', '' );}//...define('LOGGED_IN_COOKIE', 'wordpress_logged_in_' . COOKIEHASH);

if you don't want to transport all that, you can just set on wp-config.php the LOGGED_IN_COOKIE constant with the logged in cookie name that you want for WordPress and portrait just this constant to your nodejs, like this:

//WordPress wp-config.phpdefine('LOGGED_IN_COOKIE', 'logged_in_'.'%privateHashKey%');//NODEJSvar LOGGED_IN_COOKIE = 'logged_in_'+'%privateHashKey%';

And finally you'll need to portrait the the functions wp_generate_auth_cookie, wp_hash and hash_hmacto your nodejs application if you want to create the cookie there, the first two functions reside on the filewp-inclues/pluggable.phpthehash_hmacresides onwp-includes/compat.php`.

if ( !function_exists('wp_generate_auth_cookie') ) ://...function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {    $user = get_userdata($user_id);    $pass_frag = substr($user->user_pass, 8, 4);    $key = wp_hash($user->user_login . $pass_frag . '|' . $expiration, $scheme);    $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);    $cookie = $user->user_login . '|' . $expiration . '|' . $hash;    return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);}endif;

Once you understand what wp_generate_auth_cookie function is doing, you'll also be able to decode the cookie and authenticate the WordPress user on your nodejs application.

Note that what WordPress is doing for the the logged in cookie value, is simply slicing the hashed password for the user on your database, merging with the user login name and the expiration time (unix time) for the cookie, and hashing all together. Then he creates the cookie value with user login name, the expiration time for the cookie and the hash that he just created, with the first two values he can verify the "token hash" with the hashed password from the user.

You might want to know that to logout an user on WordPress you need to pass the nonce key for the user on the logout url, so if you want to logout an user from WordPress by your nodejs application, you might want to transport the nonce key functions.

If your application will be in a subdomain, you might want to declare on wp-config.php, or WordPress will just use the full domain on the cookie, and the cookie will not be available for subdomains.

define('COOKIE_DOMAIN', '.domain.com');

Hope this give you better directions. Good luck.

Have a look at this npm package: https://www.npmjs.com/package/wp-authThis is a cookie-based authentication package that lets you authenticate users in nodejs based on the cookies.I am using it myself for authentication users in my node app using wordpress cookies.

I hope this helps.

To extend the already given answer there are a couple of node.js libraries to authenticate a user with wordpress via cookies, exactly like wordpress does by default

1. https://github.com/j3k0/node-wordpress-auth (fork of https://github.com/Nightgunner5/node-wordpress-auth)

2. https://github.com/jhurliman/node-phpass (a port of https://github.com/rchouinard/phpass which is same library WP is using to hash passwords, to node.js)