Auto Login for Sakura Rental Server

Auto Login for Sakura Rental Server allows administrators to issue one-time, time-limited auto-login URLs using HMAC signatures.
This is useful for secure temporary access or system integration.

Features:
– Secure auto-login with one-time tokens
– Tokens are HMAC-signed and invalidated after use
– Token issuance and usage history (up to 100 entries per user)
– Records IP address and username of the issuer
– Rate limiting: 1 request per second per IP
– WP-CLI commands for token generation and history inspection

Example use cases:
– Temporarily granting admin access
– Safe automatic login from external systems
– Keeping an audit log of who issued a token and from where

Usage

Generate a token via CLI

wp auto-login-for-sakura-rental-server generate <user_id> [–expires=] [–remote_addr=] [–username=]

Example:

• Default expiration time: 300 seconds
• --expires and --username are optional

Check issue history

Token history is stored in the user meta key sakura_auto_login_history.
You can check it via WP-CLI:

wp user meta get sakura_auto_login_history

Auto-login URL format

https://example.com/?rs_auto_login_token=<64-character HMAC token>

Visiting the URL will log in as the corresponding user and redirect to the admin dashboard.

Security Notes

• Tokens are invalidated immediately after use (one-time only)
• Issue and usage history includes IP address, issuer username, and timestamps
• Stored using set_transient() for caching compatibility
• HTTPS is strongly recommended