
② Search for "QRAuth – Passwordless & Social Login" in the admin dashboard → install directly (recommended)
Original plugin description
QRAuth replaces the password field on your WordPress login page with a drop-in QR widget. Users sign in by scanning with the QRAuth mobile app; a cryptographic signature is verified server-to-server before WordPress sets the auth cookie. Social login (Google, GitHub, Microsoft, Apple) is brokered by QRAuth’s hosted approval page, so you never have to register an OAuth app or hold a client secret.
One Client ID is the only configuration. Paste it into Settings → QRAuth and the widget appears on wp-login.php. Everything else — the approval flow, the signing, the token refresh — lives in the QRAuth platform.
Account safety is the default. Auto-provisioning is off out of the box: only WordPress users who already exist (matched on email) can sign in via QRAuth. Flip on auto-provisioning and new users are created as Subscriber — that’s the only role available, intentionally and at every layer (settings UI, sanitiser, runtime). Operators who need a different role for an individual user can change it manually via Users → All Users after their first sign-in. The plugin never stores the signing material, never issues a redirect outside your site, and never touches your user table on uninstall.
Self-hosted, no third-party scripts on wp-login.php. The QRAuth web component ships vendored inside the plugin — the only outbound call is from your server to QRAuth’s verification endpoint during a sign-in attempt.
Open source build. The compressed JavaScript at assets/js/qrauth-components.js is built from publicly available TypeScript source at https://github.com/qrauth-io/qrauth/tree/main/packages/web-components. The unminified source files are also vendored alongside the minified bundle inside this plugin (assets/js/source/) for offline review. See the Source section below for build instructions.
External services
This plugin connects to QRAuth (https://qrauth.io) — the identity verification service that performs the actual passwordless / social sign-in. QRAuth is operated by ProgressNet, the publisher of this plugin. Without QRAuth there is no widget and no sign-in.
What the service is and what it is used for
QRAuth verifies that the user who scanned the QR code (or completed a social-provider flow on the hosted approval page) is the same person who initiated the sign-in on your WordPress site, then returns a signed assertion that the plugin uses to set the WordPress auth cookie.
What data is sent and when
Auth-session creation — when a visitor opens a page that hosts the widget (wp-login.php, the registration form, a shortcode-enabled page, or a WooCommerce sign-in form), the plugin’s same-origin REST proxy sends your Client ID, Client Secret (server-side only — never exposed to the browser), and the host page URL to https://qrauth.io/api/v1/auth-sessions. No visitor data is included in this request.
Sign-in verification — when the visitor approves the sign-in (by scanning with the QRAuth mobile app or completing a social-provider flow on QRAuth’s hosted approval page), the plugin’s REST proxy fetches the verified result from https://qrauth.io/api/v1/auth-sessions/verify-result. The response carries the QRAuth user identifier and, when the email scope is allowed in Settings → QRAuth, the user’s email address. The plugin uses this only to locate or create the matching WordPress user; nothing beyond a hashed link reference is retained.
Hosted approval page — when a visitor on a phone taps “Continue with QRAuth”, the browser navigates to https://qrauth.io/a/
The vendored web component (assets/js/qrauth-components.js) is served from your own WordPress site — there is no third-party JavaScript on wp-login.php, and the component does not contact qrauth.io directly from the browser; all server-to-server calls are proxied via your site’s REST API.
Service terms and policies
Terms of Service: https://qrauth.io/terms
Privacy Policy: https://qrauth.io/privacy
Data Processing Addendum: https://qrauth.io/dpa
List of Sub-processors: https://qrauth.io/subprocessors
Source
The compiled bundle at assets/js/qrauth-components.js carries the following banner header at the top of the file:
```
/*!
 * @qrauth/web-components v0.4.1
 * Vendored by qrauth-passwordless-social-login. Do not edit by hand.
 *
 * Source: https://github.com/qrauth-io/qrauth/tree/main/packages/web-components
 * License: MIT
 * npm: https://www.npmjs.com/package/@qrauth/web-components
 * Build: npm install && npm run build:assets (see bin/fetch-web-components.mjs)
 *
 * The unminified TypeScript source for this bundle is also vendored at
 * assets/js/source/ — see assets/js/source/README.md for provenance.
 */
```
The unminified TypeScript source files are also vendored alongside the compiled bundle inside this plugin (assets/js/source/) for offline review.
The plugin’s own source — PHP, the small browser adapter (assets/js/qrauth-adapter.js), build scripts, tests, and CI — is publicly maintained under GPL-2.0-or-later at:
Plugin source repository: https://github.com/qrauth-io/qrauth-passwordless-social-login
The PHP and assets/js/qrauth-adapter.js shipped in the plugin ZIP are non-minified — read them directly without checking out the repo.
The vendored file assets/js/qrauth-components.js is a pinned production build of the public @qrauth/web-components library. The non-compiled source for that library is openly available:
Source repository: https://github.com/qrauth-io/qrauth/tree/main/packages/web-components (MIT-licensed)
npm release: https://www.npmjs.com/package/@qrauth/web-components — pinned to v0.4.1, sha512 in package.json under the qrauth.webComponentsIntegrity key
Build instructions for the upstream library: https://github.com/qrauth-io/qrauth/blob/main/BUILDING.md
To regenerate the vendored bundle from the pinned npm release, clone the plugin source repository linked above and run from its root:
```
npm install
npm run build:assets
```
The build script bin/fetch-web-components.mjs (kept in the plugin source repository, not in the WordPress.org plugin ZIP) downloads the npm tarball, verifies its sha512 SRI hash against package.json#qrauth.webComponentsIntegrity, extracts the IIFE build, and writes it to assets/js/qrauth-components.js. CI runs the same script before the WordPress.org plugin-check job, so the bundle distributed on the directory always matches the published npm release. To rebuild from upstream source instead of the pinned tarball, follow BUILDING.md in the upstream library repository above.
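The integrity step described above (compare a downloaded tarball against a pinned sha512 SRI string read from the `qrauth.webComponentsIntegrity` key) can be sketched as follows. This is an added example, not the contents of bin/fetch-web-components.mjs or any code from the plugin; the function names, the sample package.json text and the stand-in tarball bytes are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Read the pinned SRI string from package.json text (key named on this page).
function pinFromPackageJson(pkgText) {
  const pkg = JSON.parse(pkgText);
  const pin = pkg && pkg.qrauth && pkg.qrauth.webComponentsIntegrity;
  return typeof pin === 'string' ? pin : '';
}

// Parse "sha512-<base64>" tokens; anything weaker or malformed is dropped.
function parseSri(integrity) {
  return String(integrity).trim().split(/\s+/).map((token) => {
    const m = /^sha512-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    if (!m) return null;
    const digest = Buffer.from(m[1], 'base64');
    return digest.length === 64 ? digest : null; // sha512 is 64 bytes
  }).filter(Boolean);
}

// True only if the bytes hash to one of the pinned sha512 digests.
function verifyIntegrity(bytes, integrity) {
  const pinned = parseSri(integrity);
  if (pinned.length === 0) return false; // fail closed: no usable pin
  const actual = crypto.createHash('sha512').update(bytes).digest();
  return pinned.some((d) => crypto.timingSafeEqual(d, actual));
}

// Constructed sample data: stand-in tarball bytes and a matching package.json.
const tarball = Buffer.from('constructed stand-in for the npm tarball');
const b64 = (alg) => crypto.createHash(alg).update(tarball).digest('base64');
const pkgText = JSON.stringify({
  qrauth: { webComponentsIntegrity: 'sha512-' + b64('sha512') },
});
const tampered = Buffer.concat([tarball, Buffer.from('\n/* injected */')]);

function demo() {
  const pin = pinFromPackageJson(pkgText);
  return {
    clean: verifyIntegrity(tarball, pin),          // matches the pin
    tampered: verifyIntegrity(tampered, pin),      // modified bytes
    weakAlgo: verifyIntegrity(tarball, 'sha1-' + b64('sha1')), // not sha512
    missingPin: verifyIntegrity(tarball, pinFromPackageJson('{}')),
  };
}

console.log(demo());
```

A reviewer can apply the same check by hand to the published npm tarball before trusting that the vendored bundle matches it.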
