描述
Auto Login for Sakura Rental Server allows administrators to issue one-time, time-limited auto-login URLs using HMAC signatures.
This is useful for secure temporary access or system integration.
Features:
– Secure auto-login with one-time tokens
– Tokens are HMAC-signed and invalidated after use
– Token issuance and usage history (up to 100 entries per user)
– Records IP address and username of the issuer
– Rate limiting: 1 request per second per IP
– WP-CLI commands for token generation and history inspection
Example use cases:
– Temporarily granting admin access
– Safe automatic login from external systems
– Keeping an audit log of who issued a token and from where
Usage
Generate a token via CLI
`
wp auto-login-for-sakura-rental-server generate [–expires=] [–remote_addr=] [–username=]
`
Example:
- Default expiration time: 300 seconds
--expiresand--usernameare optional
Check issue history
Token history is stored in the user meta key sakura_auto_login_history.
You can check it via WP-CLI:
wp user meta get sakura_auto_login_history
Auto-login URL format
`
https://example.com/?rs_auto_login_token=<64-character HMAC token>
`
Visiting the URL will log in as the corresponding user and redirect to the admin dashboard.
Security Notes
- Tokens are invalidated immediately after use (one-time only)
- Issue and usage history includes IP address, issuer username, and timestamps
- Stored using
set_transient()for caching compatibility - HTTPS is strongly recommended
安裝
- Upload the plugin to
/wp-content/plugins/auto-login-for-sakura-rental-server/. - Activate it through the Plugins menu in WordPress.
常見問題
-
Can I revoke a token manually?
-
Yes. Run
delete_transient('sakura_auto_login_token_<token>'). -
What happens if the URL leaks?
-
Anyone with the URL can log in as the target user until the token expires. Always use HTTPS and handle URLs carefully.
評價
There are no reviews for this plugin.
貢獻者及開發者
修改日誌
1.0.0
- Initial release