[WordPress] Plugin Share: MksDdn Reddy Auth

Active installs: new plugin
Ratings: none yet
Last updated: 3 days ago
WordPress 6.2+ PHP 7.4+ v1.1.0 Published: 2026-06-02

Original plugin description

MksDdn Reddy Auth provides OTP-based authentication with:

WordPress cookie session login for the frontend (shortcode, or REST with issue_session: true).
Optional Bearer token issuing for REST clients (issue_token: true; cookie not set by default on REST login).
Rate limiting and one-time OTP verification.
Optional site and REST API protection for unauthenticated visitors.
Optional allowed request sources (Origin/Referer) for plugin REST endpoints.

The plugin maps each Reddy ID to a WordPress user and can create an account automatically on first successful login.

Getting Started

1. Configure the Reddy bot token
For production, define the token in wp-config.php:
define( 'MKSDDN_REDDY_BOT_TOKEN', 'your-bot-token' );

For local development you can store the token in Settings > Reddy Auth instead. Use Bot connection test to verify delivery to a Reddy user.

2. Set up the login page
Create a WordPress page (for example, /login/) and insert:
[mksddn_reddy_login]

Users enter their Reddy ID, receive a one-time code in Reddy, and sign in through the form.

3. Review protection settings
By default, both protection options are disabled so your site stays accessible after activation. Enable them only after the login page is configured:

Protect site content — redirects unauthenticated visitors to the login page.
Protect all REST API content — returns 401 for protected REST routes.

Public auth routes remain available without login:

POST /wp-json/mksddn-reddy-auth/v1/auth/send-code
POST /wp-json/mksddn-reddy-auth/v1/auth/login
GET /wp-json/mksddn-reddy-auth/v1/auth/intent-status
POST /wp-json/mksddn-reddy-auth/v1/auth/intent-status
POST /wp-json/mksddn-reddy-auth/v1/auth/complete-intent

Webhook callback route is also public for BotMother integration:

POST /wp-json/mksddn-reddy-auth/v1/auth/button-callback

4. Use REST API for headless clients
Typical flow:

POST /auth/send-code with { "reddy_id": "123456" }
POST /auth/login with { "reddy_id": "123456", "code": "111111", "issue_token": true } for headless clients. Add "issue_session": true only when the browser must also receive a WordPress cookie (same-origin SPA).
Call protected REST routes with Authorization: Bearer <token>.
GET /auth/me to read the current user (Bearer or cookie session).
POST /auth/logout to end the cookie session and revoke the Bearer token when provided.

One-click flow:

POST /auth/send-code returns intent_id and intent_secret when one-click is enabled.
Poll GET|POST /auth/intent-status with intent_id + intent_secret.
After approval, finalize auth via POST /auth/complete-intent with intent_id, intent_secret, and optional issue_token / issue_session.

For one-click polling, intent-status supports both:

GET /auth/intent-status with intent_id + intent_secret query params.
POST /auth/intent-status with intent_id + intent_secret in JSON body.

Protect site content checks the WordPress cookie session (shortcode login or REST login with issue_session: true). It does not accept Bearer tokens. Protect all REST API content requires a Bearer token and ignores cookie-only sessions.
Download OpenAPI and Postman files from Settings > Reddy Auth > Developer Resources.

5. Optional: restrict REST callers by browser source
In Settings > Reddy Auth, Allowed request sources limits plugin REST traffic (/mksddn-reddy-auth/v1/*) to listed Origin or Referer URLs. Leave empty to allow any client (recommended for server-to-server integrations). This is a soft guard for browser apps, not a secret key.

6. Optional: harden one-click webhook verification
In Settings > Reddy Auth > One-Click Authorization, set Webhook secret (optional) to match BotMother webhook Secret.

With a configured secret, webhook signature verification uses sha256(body + bot_token + "." + webhook_secret).
With an empty secret, compatibility mode uses sha256(body + bot_token).
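
The two signature modes above, as an added Python example (not the plugin's own code): it recomputes the digest over the raw request body and compares it in constant time. Hex encoding of the digest and all sample values are assumptions; the page does not say how the signature is encoded or transmitted.

```python
import hashlib
import hmac


def expected_signature(body: bytes, bot_token: str, webhook_secret: str = "") -> str:
    """Digest the page describes, computed over the raw request body.

    Configured secret: sha256(body + bot_token + "." + webhook_secret)
    Empty secret:      sha256(body + bot_token)   (compatibility mode)
    Hex encoding is an assumption; the page does not state the encoding.
    """
    material = body + bot_token.encode("utf-8")
    if webhook_secret:
        material += b"." + webhook_secret.encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def verify_signature(body: bytes, received: str, bot_token: str,
                     webhook_secret: str = "") -> bool:
    """Compare the received signature with the expected one in constant time."""
    expected = expected_signature(body, bot_token, webhook_secret)
    candidate = received.strip().lower()
    return hmac.compare_digest(expected.encode("ascii"), candidate.encode("utf-8"))


# Constructed sample values, not real credentials or a real BotMother payload.
BODY = b'{"intent_id":"example-intent","action":"approve"}'
BOT_TOKEN = "example-bot-token"
WEBHOOK_SECRET = "example-webhook-secret"


def demo() -> dict:
    strict = expected_signature(BODY, BOT_TOKEN, WEBHOOK_SECRET)
    compat = expected_signature(BODY, BOT_TOKEN)
    return {
        # Sender and site agree on the secret: accepted.
        "strict_ok": verify_signature(BODY, strict, BOT_TOKEN, WEBHOOK_SECRET),
        # Sender signs in compatibility mode but the site has a secret: rejected.
        "compat_sig_vs_secret": verify_signature(BODY, compat, BOT_TOKEN, WEBHOOK_SECRET),
        # Any change to the body, even one space, invalidates the signature.
        "tampered_body": verify_signature(BODY + b" ", strict, BOT_TOKEN, WEBHOOK_SECRET),
        # No secret on either side: compatibility mode verifies.
        "compat_ok": verify_signature(BODY, compat, BOT_TOKEN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The digest must be computed over the exact bytes received; re-serializing the JSON before hashing changes the input and the check fails.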

External services
This plugin connects to the Reddy bot API at https://bot.reddy.team to deliver one-time passwords and optional admin connection test messages.

What the service is used for

Deliver OTP codes to a Reddy user during login.
Send an optional admin “bot connection test” message from Settings > Reddy Auth.

What data is sent and when

OTP send / login: Reddy user ID (userKey) and message text containing the one-time code (and expiry hint). Message text is configurable in Settings > Reddy Auth > Bot Messages (placeholders {code}, {ttl}). Sent when a user requests a code via the login form or REST API.
Bot connection test: Reddy user ID (userKey) and a configurable test message from Settings > Reddy Auth > Bot Messages. Sent only when an administrator runs Bot connection test in Settings > Reddy Auth.
Bot token: Your bot token is included in the API request URL path (configured via MKSDDN_REDDY_BOT_TOKEN in wp-config.php or the development fallback field in settings). It is not sent to WordPress.org.

Data is transmitted only when OTP delivery or the connection test is triggered. The plugin does not send site content, post data, or WordPress user passwords to Reddy.
This service is provided by Reddy: terms of use and privacy policy at https://help.reddy.team/pages/user-agreement
No other third-party services are required for core plugin operation.
