
Description

Summary: The Peace Protocol plugin lets WordPress site administrators authenticate as their website and send cryptographically signed "peace" messages to other WordPress sites running the same protocol and/or IndieAuth.

1. What are the main features of the Peace Protocol plugin?

- Lets WordPress site administrators authenticate their site and send cryptographically signed "peace" messages to other WordPress sites running the same protocol and/or IndieAuth
- Provides a Peace Log Wall that displays received peace messages via the [peaceprotocol_log_wall] shortcode
- Automatically subscribes to peace feeds from connected sites
- Generates, rotates and manages authentication tokens
- Provides a user banning system with reason tracking
- Supports alternative authentication using the IndieAuth standard with PKCE

2. What are the security features of the Peace Protocol plugin?

- Only WordPress site administrators can use it
- Site-level authentication: administrators authenticate as their website
- No public user registration system; federated users are created only after a secure handshake
- Uses cryptographic tokens for authentication
- Provides a federated user system with limited permissions: federated users can only comment on posts and cannot access the WordPress admin area
- Stores tokens securely; authorization codes expire after 5 minutes
Original plugin description
Peace Protocol enables WordPress site administrators to authenticate as their website and send cryptographically signed “peace” messages to other WordPress sites running the same protocol. This creates a decentralized network where admins can establish trust relationships, share peace, and enable cross-site interactions.
🔒 **Security-First Design**

**Admin-Only Authentication**

- **WordPress Administrators Only:** This plugin is designed exclusively for WordPress site administrators
- **Site-Level Authentication:** Admins authenticate as their website, not as individual users
- **No Public Registration:** No public user registration system; only federated users created after secure handshakes
- **Cryptographic Tokens:** Each site uses cryptographically secure tokens for authentication

**Federated User System**

- **Limited Permissions:** Federated users can only comment on posts, no admin access
- **Automatic Cleanup:** Federated users are removed when the plugin is uninstalled
- **Role-Based Security:** Federated users have the federated_peer role with minimal capabilities
- **No Dashboard Access:** Federated users cannot access WordPress admin areas

**Token Security**

- **Cryptographically Secure:** Tokens are generated using WordPress's secure password generator
- **Token Rotation:** Support for multiple tokens with automatic rotation
- **Secure Storage:** Tokens are stored securely in WordPress options
- **Expiring Authorization Codes:** Authorization codes expire after 5 minutes
🌟 **Key Features**

**Core Functionality**

- **Send Peace:** Send cryptographically signed peace messages to other WordPress sites
- **Peace Log Wall:** Display received peace messages using the [peaceprotocol_log_wall] shortcode
- **Automatic Feed Subscription:** Automatically subscribe to peace feeds from sites you connect with
- **Token Management:** Generate, rotate, and manage authentication tokens
- **User Banning System:** Ban problematic users with reason tracking
- **IndieAuth Support:** Alternative authentication using the IndieAuth standard with PKCE

**Federated Login System**

- **Cross-Site Authentication:** Users from remote sites can comment as their site identity
- **Seamless Integration:** Works with existing WordPress comment systems
- **Secure Handshake:** Only sites completing the cryptographic handshake can create federated logins
- **Automatic User Creation:** Creates federated users automatically after a successful handshake
- **Dual Authentication:** Support for both Peace Protocol tokens and the IndieAuth standard

**Admin Interface**

- **Token Management:** Generate, view, and delete authentication tokens
- **Feed Management:** View and manage subscribed peace feeds
- **Peace Log:** View all received peace messages in the admin area
- **User Banning:** Ban users with reason tracking and management
- **Settings Configuration:** Configure button position and auto-insertion

**Frontend Features**

- **Peace Button:** Floating peace hand button (✌️) that can be positioned anywhere
- **Auto-Insertion:** Automatically insert the peace button on your site
- **Shortcode Support:** Use [peaceprotocol_hand_button] to manually place the button
- **Responsive Design:** Works on all devices and screen sizes
- **Dark Mode Support:** Automatically adapts to the user's color scheme preference
- **Choice Modal:** User-friendly modal to choose between Peace Protocol and IndieAuth authentication

**Technical Features**

- **REST API:** Modern REST API endpoints for all functionality
- **AJAX Fallback:** AJAX endpoints for sites with the REST API disabled
- **CORS Support:** Proper CORS headers for cross-site communication
- **Translation Ready:** Full internationalization support with multiple languages
- **Custom Post Types:** Uses custom post types for peace logs
- **IndieAuth Endpoints:** Full IndieAuth specification compliance with authorization and token endpoints
- **PKCE Support:** Proof Key for Code Exchange for enhanced security
🚀 **How It Works**

**For WordPress Administrators**

1. **Install & Activate:** Install the plugin and activate it on your WordPress site
2. **Generate Tokens:** Go to Settings > Peace Protocol and generate authentication tokens
3. **Send Peace:** Use the peace button to send cryptographically signed peace to other sites
4. **Build Network:** Connect with other WordPress sites and build a network of trust
**Federated Login Process**

Peace Protocol Authentication

1. User from Site A visits Site B and wants to comment
2. User clicks the "Peace" button on Site B
3. User chooses "Login with Peace Protocol" from the choice modal
4. Site B redirects to Site A for authentication
5. Site A validates the user and generates an authorization code
6. User is redirected back to Site B with the authorization code
7. Site B automatically logs in the user as a federated user from Site A
8. User can comment on Site B as "siteacom"

IndieAuth Authentication

1. User from Site A visits Site B and wants to comment
2. User clicks the "Peace" button on Site B
3. User chooses "Login with IndieAuth" from the choice modal
4. Site B discovers IndieAuth endpoints on Site A
5. Site B redirects to Site A's IndieAuth authorization endpoint
6. Site A validates the user and generates an authorization code
7. User is redirected back to Site B with the authorization code
8. Site B exchanges the code for an access token using PKCE
9. Site B automatically logs in the user as a federated user from Site A
10. User can comment on Site B as "Logged in as siteacom"
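The IndieAuth login described above is an authorization-code flow protected by PKCE. The Python model below is an added example and is not the plugin's code or anything from this page: it plays both sides of the exchange (Site A as the authorization and token endpoints, Site B as the client) so that the checks a token endpoint must make are visible in one place: the S256 challenge/verifier match, single use of each code, binding of the code to the client_id and redirect_uri it was issued for, and the 5-minute code expiry the description states. The class and function names, the site URLs, the in-memory storage and the adjustable clock are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# The plugin description states that authorization codes expire after 5 minutes.
CODE_LIFETIME_SECONDS = 5 * 60


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding PKCE (RFC 7636) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Client side (Site B): a secret code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthorizationServer:
    """Hypothetical in-memory model of Site A's authorization and token endpoints."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes: Dict[str, dict] = {}   # code -> data it is bound to
        self._tokens: Set[str] = set()      # access tokens issued so far

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        """Step 6: after the user is validated, issue a code bound to client, redirect and challenge."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; the 'plain' method adds no protection")
        code = b64url(secrets.token_bytes(32))
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "challenge": code_challenge,
            "expires_at": self._clock() + CODE_LIFETIME_SECONDS,
        }
        return code

    def token(self, code: str, client_id: str, redirect_uri: str,
              code_verifier: str) -> Optional[str]:
        """Step 8: exchange the code for an access token; None means the exchange was refused."""
        record = self._codes.pop(code, None)  # pop: a code can be redeemed only once
        if record is None:
            return None  # unknown or already-used code
        if self._clock() > record["expires_at"]:
            return None  # code older than 5 minutes
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None  # presented by a different client or for a different redirect target
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not hmac.compare_digest(expected, record["challenge"]):
            return None  # verifier does not match the challenge sent in step 5
        access_token = b64url(secrets.token_bytes(32))
        self._tokens.add(access_token)
        return access_token

    def is_valid_token(self, access_token: str) -> bool:
        return access_token in self._tokens


class FakeClock:
    """Adjustable clock so the expiry rule can be exercised without waiting."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


SITE_B = "https://site-b.example/"                          # constructed client_id
SITE_B_REDIRECT = "https://site-b.example/peace-callback"  # constructed redirect_uri


def run_login(site_a: AuthorizationServer, clock: FakeClock, *,
              delay_seconds: float = 0.0, wrong_verifier: bool = False,
              replay: bool = False) -> Optional[str]:
    """Drive steps 5-9 from Site B's side; return the access token, or None if refused."""
    verifier, challenge = make_pkce_pair()
    code = site_a.authorize(SITE_B, SITE_B_REDIRECT, challenge)     # steps 5-7
    clock.now += delay_seconds                                       # time before the exchange
    presented = make_pkce_pair()[0] if wrong_verifier else verifier
    token = site_a.token(code, SITE_B, SITE_B_REDIRECT, presented)   # step 8
    if replay:
        token = site_a.token(code, SITE_B, SITE_B_REDIRECT, verifier)  # redeem the same code again
    return token


if __name__ == "__main__":
    clock = FakeClock()
    server = AuthorizationServer(clock)
    print("normal login issued a token:", run_login(server, clock) is not None)
    print("code presented after 6 minutes:", run_login(server, clock, delay_seconds=360))
    print("wrong verifier:", run_login(server, clock, wrong_verifier=True))
    print("code replayed:", run_login(server, clock, replay=True))
```

Three details carry the security of the exchange: the code is removed from storage the moment it is redeemed, so a code that leaks through a referrer or log cannot be replayed; the verifier is compared with `hmac.compare_digest` rather than `==`; and the `plain` challenge method is refused outright, since it would let anyone holding the code also hold the "secret" that proves possession of it.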
**Security Flow**

- **Cryptographic Handshake:** Sites exchange cryptographically signed tokens
- **Token Validation:** Each peace message is validated using secure tokens
- **Federated User Creation:** Federated users are created only after a successful handshake
- **Limited Permissions:** Federated users have minimal permissions and no admin access
- **Automatic Cleanup:** All federated data is removed on plugin uninstall
🛡️ **Security Considerations**

**What This Plugin Does NOT Do**

- ❌ **No Public User Registration:** Only WordPress administrators can use this plugin (federated users are created automatically after secure handshakes)
- ❌ **No Admin Access for Federated Users:** Federated users cannot access WordPress admin
- ❌ **No Database Access:** Federated users cannot access sensitive site data
- ❌ **No File System Access:** Federated users cannot upload or modify files
- ❌ **No Plugin/Theme Management:** Federated users cannot install or modify plugins/themes

**What This Plugin DOES Do**

- ✅ **Site-to-Site Authentication:** WordPress admins authenticate as their website
- ✅ **Cryptographic Verification:** All peace messages are cryptographically signed
- ✅ **Limited Federated Access:** Federated users can only comment on posts
- ✅ **Automatic Cleanup:** All federated data is removed on uninstall
- ✅ **Secure Token Management:** Tokens are cryptographically secure and can be rotated
🌍 **Internationalization**

Peace Protocol is fully translation-ready and includes translations for:

- English (default)
- Spanish (es_ES)
- French (fr_FR)
- Japanese (ja)
- Chinese Simplified (zh_CN)
