=== Sticklight ===
Contributors: elemntor
Tags: react, rest-api, authentication, headless, api,
Requires at least: 6.8
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPLv3
License URI: https://www.gnu.org/licenses/gpl-3.0.html

Use WordPress authentication and permissions in external React applications via secure REST API endpoints.

== Description ==

Sticklight Connector provides a structured way to use the WordPress user system in external or React-based applications.

The plugin extends the WordPress REST API with additional endpoints that allow authenticated clients to retrieve user context and interact with WordPress data, while fully respecting core authentication methods, roles, and capability checks.

Sticklight does not replace WordPress authentication. It relies on `wp_authenticate` for credential validation and WordPress Application Passwords for API access, and follows standard permission checks (`current_user_can`) for all requests.

= Typical use cases =

* React applications connected to a WordPress site
* Headless or hybrid WordPress setups
* Admin or user dashboards built outside wp-admin
* External tools that require authenticated access to WordPress data

= Features =

* Authenticates via `wp_authenticate` and issues Application Passwords for API access
* Adds REST endpoints for login, logout, and retrieving current user context
* Enforces WordPress capability checks on all requests
* Supports cross-origin headless setups
* Extensible via WordPress hooks and filters

== Installation ==

1. Upload the plugin files to the `/wp-content/plugins/sticklight-connector` directory, or install the plugin through the WordPress plugins screen.
2. Activate the plugin through the **Plugins** screen in WordPress.
3. Ensure permalinks are enabled (**Settings** > **Permalinks**).

No additional configuration is required for basic usage.

== Usage ==

= Login =

Authenticate with username (or email) and password:

`POST /wp-json/sticklight/v1/auth/login`

On success the response includes an Application Password for subsequent API requests and the authenticated user:

    {
      "app_password": "XXXX XXXX XXXX XXXX XXXX XXXX",
      "user": {
        "user_id": 1,
        "username": "admin",
        "display_name": "Admin",
        "email": "admin@example.com",
        "roles": ["administrator"]
      }
    }

Use the returned `app_password` with HTTP Basic Authentication for all further requests.

= Current user =

Retrieve the current authenticated user:

`GET /wp-json/sticklight/v1/auth/me`

= Logout =

Revoke the current Application Password session:

`POST /wp-json/sticklight/v1/auth/logout`

= User registration =

User creation is handled through the built-in WordPress REST API (`POST /wp-json/wp/v2/users`) and requires administrator authentication.

= Accessing protected data =

Requests to any endpoint must pass standard WordPress permission checks. Sticklight does not bypass or override these checks.

== Security ==

Sticklight follows WordPress security practices:

* Authenticates via `wp_authenticate`, which respects all security plugin hooks (rate limiting, two-factor authentication, brute-force protection)
* Issues Application Passwords scoped to individual sessions
* Does not provide user registration — accounts must be created by an administrator
* Applies capability checks (`current_user_can`) on all endpoints
* Does not expose private data without proper permissions

For external applications, it is recommended to:

* Use HTTPS
* Restrict allowed origins
* Avoid exposing sensitive endpoints unnecessarily

== Frequently Asked Questions ==

= Does this plugin replace WordPress authentication? =

No. It delegates credential validation to `wp_authenticate` and uses WordPress Application Passwords for API access.

= Does it allow bypassing permissions? =

No. All requests are validated using standard WordPress capability checks.

= Can it be used in headless setups? =

Yes. It is designed for headless and cross-origin WordPress architectures.

= Does it handle user registration? =

No. User creation should be done through the built-in WordPress REST API (`POST /wp-json/wp/v2/users`) with administrator authentication.

= Can I extend the endpoints? =

Yes. Developers can add or modify behavior using WordPress hooks and filters.

== Changelog ==

= 1.0.0 =

* Initial release.
