MksDdn Reddy Auth provides OTP-based authentication with:<\/p>\n\n
issue_session: true<\/code>).<\/li>\n- Optional Bearer token issuing for REST clients (
issue_token: true<\/code>; cookie not set by default on REST login).<\/li>\n- Rate limiting and one-time OTP verification.<\/li>\n
- Optional site and REST API protection for unauthenticated visitors.<\/li>\n
- Optional allowed request sources (Origin\/Referer) for plugin REST endpoints.<\/li>\n<\/ul>\n\n
The plugin maps each Reddy ID to a WordPress user and can create an account automatically on first successful login.<\/p>\n\n
Getting Started<\/h3>\n\n1. Configure the Reddy bot token<\/h4>\n\n
For production, define the token in wp-config.php<\/code>:<\/p>\n\ndefine( 'MKSDDN_REDDY_BOT_TOKEN', 'your-bot-token' );\n<\/code><\/pre>\n\nFor local development you can store the token in Settings > Reddy Auth<\/strong> instead. Use Bot connection test<\/strong> to verify delivery to a Reddy user.<\/p>\n\n2. Set up the login page<\/h4>\n\n
Create a WordPress page (for example, \/login\/<\/code>) and insert:<\/p>\n\n[mksddn_reddy_login]\n<\/code><\/pre>\n\nUsers enter their Reddy ID, receive a one-time code in Reddy, and sign in through the form.<\/p>\n\n
3. Review protection settings<\/h4>\n\n
By default, both protection options are disabled<\/strong> so your site stays accessible after activation. Enable them only after the login page is configured:<\/p>\n\n\n- Protect site content<\/strong> \u2014 redirects unauthenticated visitors to the login page.<\/li>\n
- Protect all REST API content<\/strong> \u2014 returns
401<\/code> for protected REST routes.<\/li>\n<\/ul>\n\nPublic auth routes remain available without login:<\/p>\n\n
\nPOST \/wp-json\/mksddn-reddy-auth\/v1\/auth\/send-code<\/code><\/li>\nPOST \/wp-json\/mksddn-reddy-auth\/v1\/auth\/login<\/code><\/li>\n<\/ul>\n\n4. Use REST API for headless clients<\/h4>\n\n
Typical flow:<\/p>\n\n
\nPOST \/auth\/send-code<\/code> with { \"reddy_id\": \"123456\" }<\/code><\/li>\nPOST \/auth\/login<\/code> with { \"reddy_id\": \"123456\", \"code\": \"111111\", \"issue_token\": true }<\/code> for headless clients. Add \"issue_session\": true<\/code> only when the browser must also receive a WordPress cookie (same-origin SPA).<\/li>\n- Call protected REST routes with
Authorization: Bearer <token><\/code>.<\/li>\nGET \/auth\/me<\/code> to read the current user (Bearer or cookie session).<\/li>\nPOST \/auth\/logout<\/code> to end the cookie session and revoke the Bearer token when provided.<\/li>\n<\/ol>\n\nProtect site content<\/strong> checks the WordPress cookie session (shortcode login or REST login with issue_session: true<\/code>). It does not accept Bearer tokens. Protect all REST API content<\/strong> requires a Bearer token and ignores cookie-only sessions.<\/p>\n\nDownload OpenAPI and Postman files from Settings > Reddy Auth > Developer Resources<\/strong>.<\/p>\n\n5. Optional: restrict REST callers by browser source<\/h4>\n\n
In Settings > Reddy Auth<\/strong>, Allowed request sources<\/strong> limits plugin REST traffic (\/mksddn-reddy-auth\/v1\/*<\/code>) to listed Origin<\/code> or Referer<\/code> URLs. Leave empty to allow any client (recommended for server-to-server integrations). This is a soft guard for browser apps, not a secret key.<\/p>\n\nExternal services<\/h3>\n\n
This plugin connects to the Reddy bot API<\/strong> at https:\/\/bot.reddy.team<\/code> to deliver one-time passwords and optional admin connection test messages.<\/p>\n\nWhat the service is used for<\/strong><\/p>\n\n\n- Deliver OTP codes to a Reddy user during login.<\/li>\n
- Send an optional admin \"bot connection test\" message from Settings > Reddy Auth<\/strong>.<\/li>\n<\/ul>\n\n
What data is sent and when<\/strong><\/p>\n\n\n- OTP send \/ login:<\/strong> Reddy user ID (
userKey<\/code>) and message text containing the one-time code (and expiry hint). Message text is configurable in Settings > Reddy Auth > Bot Messages<\/strong> (placeholders {code}<\/code>, {ttl}<\/code>). Sent when a user requests a code via the login form or REST API.<\/li>\n- Bot connection test:<\/strong> Reddy user ID (
userKey<\/code>) and a configurable test message from Settings > Reddy Auth > Bot Messages<\/strong>. Sent only when an administrator runs Bot connection test<\/strong> in Settings > Reddy Auth<\/strong>.<\/li>\n- Bot token:<\/strong> Your bot token is included in the API request URL path (configured via
MKSDDN_REDDY_BOT_TOKEN<\/code> in wp-config.php<\/code> or the development fallback field in settings). It is not sent to WordPress.org.<\/li>\n<\/ul>\n\nData is transmitted only when OTP delivery or the connection test is triggered. The plugin does not send site content, post data, or WordPress user passwords to Reddy.<\/p>\n\n
This service is provided by Reddy: terms of use and privacy policy at https:\/\/help.reddy.team\/pages\/user-agreement<\/p>\n\n
No other third-party services are required for core plugin operation.<\/p>\n\n\n
\n- Upload the plugin to the
\/wp-content\/plugins\/<\/code> directory.<\/li>\n- Activate the plugin through the Plugins<\/strong> menu in WordPress.<\/li>\n
- Open Settings > Reddy Auth<\/strong> and configure bot token and security options.<\/li>\n
- Create a login page and add the shortcode
[mksddn_reddy_login]<\/code>.<\/li>\n- If site protection is enabled, select that page in the Login page<\/strong> setting.<\/li>\n<\/ol>\n\n\n
\nWhere should I store the bot token?<\/h3><\/dt>\nUse the MKSDDN_REDDY_BOT_TOKEN<\/code> constant in wp-config.php<\/code> on production sites. The settings page field is a development fallback and should not replace secure server-side configuration in live environments.<\/p><\/dd>\nWhy am I stuck in a redirect loop?<\/h3><\/dt>\nThis usually happens when Protect site content<\/strong> is enabled but no valid login page is selected. Create a page with [mksddn_reddy_login]<\/code>, choose it in Login page<\/strong>, and save settings.<\/p><\/dd>\nDoes this plugin replace `\/wp-login.php`?<\/h3><\/dt>\nNo. It adds a Reddy OTP login flow via shortcode and REST endpoints. Standard WordPress login may still be available unless you restrict it separately.<\/p><\/dd>\n
Are WordPress users created automatically?<\/h3><\/dt>\nYes. On first successful OTP login the plugin creates a WordPress user mapped to the Reddy ID and stores the mapping in user meta.<\/p><\/dd>\n
How do REST clients authenticate?<\/h3><\/dt>\nSend issue_token: true<\/code> in the login request, then pass the returned token in the Authorization: Bearer<\/code> header. REST login does not<\/strong> set a WordPress cookie unless you also send issue_session: true<\/code>. Use the login shortcode or issue_session: true<\/code> when the browser needs access to Protect site content<\/strong> pages.<\/p><\/dd>\nWhat is the difference between issue_token and issue_session?<\/h3><\/dt>\nissue_token returns a Bearer token for REST API clients. issue_session<\/code> sets the WordPress auth cookie. Shortcode login always sets a cookie. REST login sets a cookie only when issue_session<\/code> is true (default false). Headless integrations should use issue_token<\/code> without issue_session<\/code> so site content stays locked until an explicit cookie login.<\/p><\/dd>\nWhat happens when an administrator deletes a Reddy user?<\/h3><\/dt>\nAll plugin Bearer tokens for that WordPress user are revoked and WordPress session tokens are destroyed. The user must complete OTP login again. Deleting the WordPress account does not permanently block the Reddy ID; a successful OTP login can recreate the account.<\/p><\/dd>\n
Why do I get HTTP 429?<\/h3><\/dt>\nThe plugin rate-limits OTP send and login attempts per Reddy ID and client IP. Wait for the limit window to expire or adjust limits in Settings > Reddy Auth<\/strong>.<\/p><\/dd>\nWhat does Allowed request sources do?<\/h3><\/dt>\nIt optionally checks Origin<\/code> or Referer<\/code> on plugin REST routes only. Empty list = no restriction (default). Non-empty list = browser apps must call from a listed URL. It does not replace OTP, rate limits, or Bearer auth\u2014headers can be spoofed.<\/p><\/dd>\nWhy do I get HTTP 403 with \"Request not allowed from this source\"?<\/h3><\/dt>\nAllowed request sources<\/strong> is configured and the request has no matching Origin<\/code>\/Referer<\/code>. Add your frontend URL to the list, send a matching Origin<\/code> header from server clients, leave the list empty for backends, or use the mksddn_reddy_is_request_url_allowed<\/code> filter.<\/p><\/dd>\nWhich data does the plugin store?<\/h3><\/dt>\nSettings in WordPress options, Reddy ID mapping in user meta, Bearer token hashes in a custom database table, and OTP\/rate-limit state in transients. Raw OTP codes and raw tokens are not stored.<\/p><\/dd>\n
What happens on uninstall?<\/h3><\/dt>\nIf uninstall cleanup runs, plugin-owned options, user meta, custom tables, and transients are removed according to uninstall.php<\/code>.<\/p><\/dd>\n\n<\/dl>\n\n\n1.0.0<\/h4>\n\n\n- Do not require Bearer on HTTP OPTIONS when REST API content lock is enabled (CORS preflight for cross-origin SPAs).<\/li>\n
- Stable 1.0.0 release.<\/li>\n<\/ul>\n\n
0.1.4<\/h4>\n\n\n- Admin settings for bot message texts: OTP template ({code}, {ttl}) and connection test message.<\/li>\n
- Filter
mksddn_reddy_otp_message<\/code> still overrides the final OTP text after the admin template is applied.<\/li>\n- Filter
mksddn_reddy_bot_test_message<\/code> for customizing the connection test message.<\/li>\n<\/ul>\n\n0.1.3<\/h4>\n\n\n- REST login no longer sets a WordPress cookie by default. Optional
issue_session<\/code> parameter (default false); use issue_token<\/code> for Bearer auth. Shortcode login still sets a cookie.<\/li>\n- Protect site content<\/strong> uses cookie sessions only; Protect all REST API content<\/strong> requires Bearer tokens. Documented split between monolith and REST protection.<\/li>\n
- Revoke all Bearer tokens and destroy WordPress sessions when a WordPress user is deleted.<\/li>\n
- Bearer token validation requires an active
_mksddn_reddy_id<\/code> user meta mapping.<\/li>\n- Site and REST content lock: WP staff with
edit_posts<\/code> (administrator, editor) bypass Reddy-only lock without OTP.<\/li>\n- Filter
mksddn_reddy_content_lock_bypass<\/code> to customize lock bypass per user.<\/li>\n- More reliable login page detection for monolith content lock (configured page, URL path, shortcode fallback).<\/li>\n
- REST content lock respects existing authentication errors before enforcing Reddy check.<\/li>\n<\/ul>\n\n
0.1.2<\/h4>\n\n\n- Direct Reddy terms of use and privacy policy links in External services readme section.<\/li>\n
- Require cookie session or Bearer token authentication for POST
\/auth\/logout<\/code> REST endpoint.<\/li>\n<\/ul>\n\n0.1.1<\/h4>\n\n\n- External services<\/strong> disclosure in readme for Reddy bot API (OTP delivery).<\/li>\n
- Safer defaults: site and REST protection disabled until explicitly enabled in settings.<\/li>\n
- Monolith content lock skipped until a login page or shortcode page is configured.<\/li>\n
- Admin setup notice after activation pointing to Settings > Reddy Auth<\/strong>.<\/li>\n
- Uninstall cleanup removes plugin-owned transients (OTP and rate-limit state).<\/li>\n
- Optional Allowed request sources<\/strong> for plugin REST endpoints (Origin\/Referer allowlist, HTTP 403 when mismatched).<\/li>\n
- Updated plugin metadata (GitHub URIs, license, WordPress and PHP requirements).<\/li>\n
- Tested up to WordPress 7.0.<\/li>\n
- Hardened REST middleware: sanitize request URI before route checks.<\/li>\n
- Clearer rate limit labels and field descriptions in settings.<\/li>\n
- Improved uninstall cleanup and WPCS compliance across core files.<\/li>\n
- Removed redundant textdomain loader (WordPress auto-loads plugin translations).<\/li>\n<\/ul>\n\n
0.1.0<\/h4>\n\n\n- Initial MVP release.<\/li>\n<\/ul>","raw_excerpt":"Authenticate WordPress users via Reddy OTP flow for monolith and REST API clients.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/317429","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=317429"}],"author":[{"embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/mksddn"}],"wp:attachment":[{"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=317429"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=317429"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=317429"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=317429"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=317429"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=317429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}