Title: Plugin init triggers user authentication
Last modified: January 19, 2021

---

# Plugin init triggers user authentication

 *  Resolved [therealgilles](https://wordpress.org/support/users/chamois_blanc/)
 * (@chamois_blanc)
 * [5 years, 4 months ago](https://wordpress.org/support/topic/plugin-init-triggers-user-authentication/)
 * Is it valid to trigger user authentication during a plugin init sequence? Or
   is user authentication supposed to happen after after_setup_theme has run? Or
   are there no rules? (because this cannot be enforced)
 * I have a situation where a plugin is calling wp_create_nonce() during its assets
   init and therefore triggering user authentication and another one adding a filter
   on the application_password_is_api_request hook on after_setup_theme, which is
   then too late.
 * Thanks for any insight.

Viewing 5 replies - 1 through 5 (of 5 total)

 *  [Joy](https://wordpress.org/support/users/joyously/)
 * (@joyously)
 * [5 years, 4 months ago](https://wordpress.org/support/topic/plugin-init-triggers-user-authentication/#post-13929439)
 * You can look at [https://codex.wordpress.org/Plugin_API/Action_Reference](https://codex.wordpress.org/Plugin_API/Action_Reference)
   for an order that actions are run. (this is an old and partial list)
 * If a plugin tries to do something out of order, it usually doesn’t work. Remember
   that the authentication functions are pluggable, but called at a specific point
   in the load order. You should ask the plugin author to check that the plugin
   works when the user is not logged in.
 *  Thread Starter [therealgilles](https://wordpress.org/support/users/chamois_blanc/)
 * (@chamois_blanc)
 * [5 years, 4 months ago](https://wordpress.org/support/topic/plugin-init-triggers-user-authentication/#post-13929462)
 * Thank you for the pointer. I had been looking at it, as well as this [one](https://www.rarst.net/wordpress/wordpress-core-load/).
 * In this case, it works, until the 2nd plugin tries to use the application_password_is_api_request
   filter and then it doesn’t. I guess it’s not clear (to me) whether the first 
   plugin is calling wp_create_nonce() too early, or whether the second plugin is
   setting the application_password_is_api_request filter too late.
 * As far as I understand, WP does not enforce when user authentication can or cannot
   happen.
 *  [Joy](https://wordpress.org/support/users/joyously/)
 * (@joyously)
 * [5 years, 4 months ago](https://wordpress.org/support/topic/plugin-init-triggers-user-authentication/#post-13929769)
 * > As far as I understand, WP does not enforce when user authentication can or
   > cannot happen.
 * Plugins rely on the functions that WP provides to do the authentication. But 
   as I said,
 * > Remember that the authentication functions are pluggable, but called at a specific
   > point in the load order.
 * You can’t call functions that have user data before the user is authenticated.
   Well, you can, but it won’t work right.
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [5 years, 4 months ago](https://wordpress.org/support/topic/plugin-init-triggers-user-authentication/#post-13929853)
 * If a user is logged in at all, that user is established just before the “init”
   action. Any code that runs before this that relies upon a logged in user will
   likely fail.
 *  Thread Starter [therealgilles](https://wordpress.org/support/users/chamois_blanc/)
 * (@chamois_blanc)
 * [5 years, 4 months ago](https://wordpress.org/support/topic/plugin-init-triggers-user-authentication/#post-13930212)
 * Thank you for all the responses.
 * I found out how the REST API handles the (premature) user authentication issue
   in wp-includes/rest-api/class-wp-rest-server.php:
 *     ```
         public function serve_request( $path = null ) {
           /* @var WP_User|null $current_user */
           global $current_user;
   
           if ( $current_user instanceof WP_User && ! $current_user->exists() ) {
             /*
              * If there is no current user authenticated via other means, clear
              * the cached lack of user, so that an authenticate check can set it
              * properly.
              *
              * This is done because for authentications such as Application
              * Passwords, we don't want it to be accepted unless the current HTTP
              * request is a REST API request, which can't always be identified early
              * enough in evaluation.
              */
             $current_user = null;
           }
       ```
   


The topic ‘Plugin init triggers user authentication’ is closed to new replies.
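
The ordering problem discussed in this thread, as an added example that is not part of the original posts or of WordPress core: the `application_password_is_api_request` filter is registered at file load, nonce creation is deferred to an asset hook, and a diagnostic logs any caller that resolves the current user before `after_setup_theme`. All `myplugin_*` names, the script handle and the `/myplugin-api/` prefix are hypothetical, and the file is assumed to be loaded as a must-use plugin so it runs before regular plugins.

```php
<?php
/**
 * Added example (hypothetical mu-plugin file); every "myplugin" name is made up.
 */

// 1. Register the Application Passwords filter at file load, not on a later
//    hook, so it is already in place when the current user is first resolved.
add_filter( 'application_password_is_api_request', 'myplugin_is_api_request' );

function myplugin_is_api_request( $is_api_request ) {
	// Hypothetical custom endpoint; keep this match as narrow as possible,
	// because it widens where Application Passwords are accepted.
	$uri = isset( $_SERVER['REQUEST_URI'] ) ? (string) $_SERVER['REQUEST_URI'] : '';
	return $is_api_request || 0 === strpos( $uri, '/myplugin-api/' );
}

// 2. wp_create_nonce() calls wp_get_current_user(), so create nonces on an
//    asset hook that fires after "init" instead of during plugin setup.
add_action( 'wp_enqueue_scripts', 'myplugin_enqueue_assets' );

function myplugin_enqueue_assets() {
	wp_register_script( 'myplugin-app', plugins_url( 'app.js', __FILE__ ), array(), '1.0', true );
	wp_localize_script(
		'myplugin-app',
		'mypluginData',
		array( 'nonce' => wp_create_nonce( 'myplugin_action' ) )
	);
	wp_enqueue_script( 'myplugin-app' );
}

// 3. Diagnostic: core sets up the user after "after_setup_theme" and just
//    before "init"; anything resolving the user earlier gets logged.
add_filter( 'determine_current_user', 'myplugin_log_early_auth', 0 );

function myplugin_log_early_auth( $user_id ) {
	if ( ! did_action( 'after_setup_theme' ) && defined( 'WP_DEBUG' ) && WP_DEBUG ) {
		error_log( 'Early user lookup via: ' . wp_debug_backtrace_summary() );
	}
	return $user_id; // Observe only; the value is passed through unchanged.
}
```

With `WP_DEBUG` enabled, the logged backtrace names the plugin function that triggered the early lookup, which is the information needed to decide which of the two plugins to change.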

## Tags

 * [after_setup_theme](https://wordpress.org/support/topic-tag/after_setup_theme/)
 * [authentication](https://wordpress.org/support/topic-tag/authentication/)
 * [init](https://wordpress.org/support/topic-tag/init/)
 * [user](https://wordpress.org/support/topic-tag/user/)

 * In: [Developing with WordPress](https://wordpress.org/support/forum/wp-advanced/)
 * 5 replies
 * 3 participants
 * Last reply from: [therealgilles](https://wordpress.org/support/users/chamois_blanc/)
 * Last activity: [5 years, 4 months ago](https://wordpress.org/support/topic/plugin-init-triggers-user-authentication/#post-13930212)
 * Status: resolved

