+/**
+ * WordPress User API
+ *
+ * @package WordPress
+ */
+
+/**
+ * Authenticate user with remember capability.
+ *
+ * The credentials is an array that has 'user_login', 'user_password', and
+ * 'remember' indices. If the credentials is not given, then the log in form
+ * will be assumed and used if set.
+ *
+ * The various authentication cookies will be set by this function and will be
+ * set for a longer period depending on if the 'remember' credential is set to
+ * true.
+ *
+ * @since 2.5.0
+ *
+ * @param array $credentials Optional. User info in order to sign on.
+ * @param bool $secure_cookie Optional. Whether to use secure cookie.
+ * @return object Either WP_Error on failure, or WP_User on success.
+ */
+function wp_signon( $credentials = '', $secure_cookie = '' ) {
+ if ( empty($credentials) ) {
+ if ( ! empty($_POST['log']) )
+ $credentials['user_login'] = $_POST['log'];
+ if ( ! empty($_POST['pwd']) )
+ $credentials['user_password'] = $_POST['pwd'];
+ if ( ! empty($_POST['rememberme']) )
+ $credentials['remember'] = $_POST['rememberme'];
+ }
+
+ if ( !empty($credentials['remember']) )
+ $credentials['remember'] = true;
+ else
+ $credentials['remember'] = false;
+
+ // TODO do we deprecate the wp_authentication action?
+ do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));
+
+ if ( '' === $secure_cookie )
+ $secure_cookie = is_ssl() ? true : false;
+
+ global $auth_secure_cookie; // XXX ugly hack to pass this to wp_authenticate_cookie
+ $auth_secure_cookie = $secure_cookie;
+
+ add_filter('authenticate', 'wp_authenticate_cookie', 30, 3);
+
+ $user = wp_authenticate($credentials['user_login'], $credentials['user_password']);
+
+ if ( is_wp_error($user) ) {
+ if ( $user->get_error_codes() == array('empty_username', 'empty_password') ) {
+ $user = new WP_Error('', '');
+ }
+
+ return $user;
+ }
+
+ wp_set_auth_cookie($user->ID, $credentials['remember'], $secure_cookie);
+ do_action('wp_login', $credentials['user_login']);
+ return $user;
+}
+
+
+/**
+ * Authenticate the user using the username and password.
+ */
+add_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
+function wp_authenticate_username_password($user, $username, $password) {
+ if ( is_a($user, 'WP_User') ) { return $user; }
+
+ if ( empty($username) || empty($password) ) {
+ $error = new WP_Error();
+
+ if ( empty($username) )
+ $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
+
+ if ( empty($password) )
+ $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
+
+ return $error;
+ }
+
+ $userdata = get_userdatabylogin($username);
+
+ if ( !$userdata ) {
+ return new WP_Error('invalid_username', sprintf(__('<strong>ERROR</strong>: Invalid username. <a href="%s" title="Password Lost and Found">Lost your password</a>?'), site_url('wp-login.php?action=lostpassword', 'login')));
+ }
+
+ $userdata = apply_filters('wp_authenticate_user', $userdata, $password);
+ if ( is_wp_error($userdata) ) {
+ return $userdata;
+ }
+
+ if ( !wp_check_password($password, $userdata->user_pass, $userdata->ID) ) {
+ return new WP_Error('incorrect_password', sprintf(__('<strong>ERROR</strong>: Incorrect password. <a href="%s" title="Password Lost and Found">Lost your password</a>?'), site_url('wp-login.php?action=lostpassword', 'login')));
+ }
+
+ $user = new WP_User($userdata->ID);
+ return $user;
+}
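Review bot: The two failure branches of `wp_authenticate_username_password` return different messages, `Invalid username` when `get_userdatabylogin()` finds nothing and `Incorrect password` when `wp_check_password()` fails, so the login form tells an unauthenticated client whether an account name exists. Keeping the `invalid_username` and `incorrect_password` codes for hooks and logs but giving both the same text, e.g. `__('<strong>ERROR</strong>: Invalid username or password. <a href="%s" title="Password Lost and Found">Lost your password</a>?')`, removes that signal; the unknown-user branch also returns before any password hash is checked, which may leave a response-time difference. Separately, `wp_signon` declares `$credentials = ''` and then assigns `$credentials['user_login']` on it, so a default of `array()` would match the documented `@param array` and not depend on string-to-array conversion. The start of this hunk is not visible here, so code outside the shown lines may already cover part of this.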