Auto Login for Sakura Rental Server allows administrators to issue one-time, time-limited auto-login URLs using HMAC signatures.
This is useful for secure temporary access or system integration.
Features:
– Secure auto-login with one-time tokens
– Tokens are HMAC-signed and invalidated after use
– Token issuance and usage history (up to 100 entries per user)
– Records IP address and username of the issuer
– Rate limiting: 1 request per second per IP
– WP-CLI commands for token generation and history inspection
Example use cases:
– Temporarily granting admin access
– Safe automatic login from external systems
– Keeping an audit log of who issued a token and from where
Usage
Generate a token via CLI
`
wp auto-login-for-sakura-rental-server generate [–expires=] [–remote_addr=] [–username=]
`
Example:
- Default expiration time: 300 seconds
--expiresand--usernameare optional
Check issue history
Token history is stored in the user meta key sakura_auto_login_history.
You can check it via WP-CLI:
wp user meta get sakura_auto_login_history
Auto-login URL format
`
https://example.com/?rs_auto_login_token=<64-character HMAC token>
`
Visiting the URL will log in as the corresponding user and redirect to the admin dashboard.
Security Notes
- Tokens are invalidated immediately after use (one-time only)
- Issue and usage history includes IP address, issuer username, and timestamps
- Stored using
set_transient()for caching compatibility - HTTPS is strongly recommended
