[WordPress] Plugin Share: Sticklight

WordPress 6.8+, PHP 7.4+, v1.0.0, listed: 2026-05-25


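⬇ Download the latest version (v1.0.0) or install via search

① Download the ZIP → in the admin area, "Plugins › Add Plugin › Upload Plugin"
② Search for "Sticklight" in the admin area → install directly (recommended)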

Original plugin description

Sticklight Connector provides a structured way to use the WordPress user system in external or React-based applications.
The plugin extends the WordPress REST API with additional endpoints that allow authenticated clients to retrieve user context and interact with WordPress data, while fully respecting core authentication methods, roles, and capability checks.
Sticklight does not replace WordPress authentication. It relies on wp_authenticate for credential validation and WordPress Application Passwords for API access, and follows standard permission checks (current_user_can) for all requests.
Typical use cases

React applications connected to a WordPress site
Headless or hybrid WordPress setups
Admin or user dashboards built outside wp-admin
External tools that require authenticated access to WordPress data

Features

Authenticates via wp_authenticate and issues Application Passwords for API access
Adds REST endpoints for login, logout, and retrieving current user context
Enforces WordPress capability checks on all requests
Supports cross-origin headless setups
Extensible via WordPress hooks and filters

Usage
Login
Authenticate with username (or email) and password:
POST /wp-json/sticklight/v1/auth/login

On success the response includes an Application Password for subsequent API requests and the authenticated user:
{
  "app_password": "XXXX XXXX XXXX XXXX XXXX XXXX",
  "user": {
    "user_id": 1,
    "username": "admin",
    "display_name": "Admin",
    "email": "[email protected]",
    "roles": ["administrator"]
  }
}

Use the returned app_password with HTTP Basic Authentication for all further requests.
Current user
Retrieve the current authenticated user:
GET /wp-json/sticklight/v1/auth/me

Logout
Revoke the current Application Password session:
POST /wp-json/sticklight/v1/auth/logout
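
The login, current user and logout steps above, sketched as a small client that also applies the HTTPS recommendation from the Security section. This is an added example, not code from the plugin or its authors; the login body field names `username` and `password`, the `createClient` helper and the injectable `fetchImpl` parameter are assumptions.

```javascript
// Added example, not Sticklight's own code. Assumed: the login body uses
// JSON fields `username` and `password` (the page does not name them).
const API = "/wp-json/sticklight/v1/auth";
// Basic auth repeats the credential on every request, so refuse plain HTTP.
function apiUrl(siteUrl, path) {
  const base = new URL(siteUrl);
  if (base.protocol !== "https:") {
    throw new Error("refusing to send credentials over " + base.protocol);
  }
  return base.origin + base.pathname.replace(/\/+$/, "") + API + path;
}

// UTF-8 safe header value: base64("<username>:<app_password>").
function basicAuthHeader(username, appPassword) {
  const bytes = new TextEncoder().encode(username + ":" + appPassword);
  return "Basic " + btoa(String.fromCharCode(...bytes));
}

function createClient(siteUrl, fetchImpl = fetch) {
  let auth = null; // kept in memory only, never in localStorage or a cookie
  async function call(method, path, body) {
    if (path !== "/login" && auth === null) throw new Error("not logged in");
    const headers = {};
    if (auth !== null) headers.Authorization = auth;
    if (body) headers["Content-Type"] = "application/json";
    const res = await fetchImpl(apiUrl(siteUrl, path), {
      method, headers, credentials: "omit", // no WordPress cookies attached
      body: body ? JSON.stringify(body) : undefined,
    });
    if (!res.ok) throw new Error(method + " " + path + " -> HTTP " + res.status);
    const text = await res.text();
    return text ? JSON.parse(text) : null;
  }
  return {
    async login(username, password) {
      auth = null; // never send an old credential along with a new login
      const data = await call("POST", "/login", { username, password });
      // Login may use an email; Basic auth uses the username WordPress returns.
      auth = basicAuthHeader(data.user.username, data.app_password);
      return data.user;
    },
    me: () => call("GET", "/me"),
    async logout() {
      try { await call("POST", "/logout"); }
      finally { auth = null; } // forget the credential even if revocation fails
    },
    isAuthenticated: () => auth !== null,
  };
}
```

Because the Application Password lives only in the closure, a page reload requires a new login; that is the trade-off for not persisting a long-lived credential in browser storage.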

User registration
User creation is handled through the built-in WordPress REST API (POST /wp-json/wp/v2/users) and requires administrator authentication.
Accessing protected data
Requests to any endpoint must pass standard WordPress permission checks. Sticklight does not bypass or override these checks.
Security
Sticklight follows WordPress security practices:

Authenticates via wp_authenticate, which respects all security plugin hooks (rate limiting, two-factor authentication, brute-force protection)
Issues Application Passwords scoped to individual sessions
Does not provide user registration — accounts must be created by an administrator
Applies capability checks (current_user_can) on all endpoints
Does not expose private data without proper permissions

For external applications, it is recommended to:

Use HTTPS
Restrict allowed origins
Avoid exposing sensitive endpoints unnecessarily
