描述
Auto Login for Sakura Rental Server allows administrators to issue one-time, time-limited auto-login URLs using HMAC signatures.
This is useful for secure temporary access or system integration.
Features:
– Secure auto-login with one-time tokens
– Tokens are HMAC-signed and invalidated after use
– Token issuance and usage history (up to 100 entries per user)
– Records IP address and username of the issuer
– Rate limiting: 1 request per second per IP
– WP-CLI commands for token generation and history inspection
Example use cases:
– Temporarily granting admin access
– Safe automatic login from external systems
– Keeping an audit log of who issued a token and from where
Usage
Generate a token via CLI
wp auto-login-for-sakura-rental-server generate <user_id> [–expires=] [–remote_addr=] [–username=]
Example:
- Default expiration time: 300 seconds
--expiresand--usernameare optional
Check issue history
Token history is stored in the user meta key sakura_auto_login_history.
You can check it via WP-CLI:
wp user meta get sakura_auto_login_history
Auto-login URL format
https://example.com/?rs_auto_login_token=<64-character HMAC token>
Visiting the URL will log in as the corresponding user and redirect to the admin dashboard.
Security Notes
- Tokens are invalidated immediately after use (one-time only)
- Issue and usage history includes IP address, issuer username, and timestamps
- Stored using
set_transient()for caching compatibility - HTTPS is strongly recommended
安装
- Upload the plugin to
/wp-content/plugins/auto-login-for-sakura-rental-server/. - Activate it through the Plugins menu in WordPress.
常见问题
-
Can I revoke a token manually?
-
Yes. Run
delete_transient('sakura_auto_login_token_<token>'). -
What happens if the URL leaks?
-
Anyone with the URL can log in as the target user until the token expires. Always use HTTPS and handle URLs carefully.
评价
此插件暂无评价。
贡献者及开发者
更新日志
1.0.0
- Initial release
1.0.1
- Bugfix release