Doing a quick look through your plugin code I see that you are overriding the default wp_authenticate() function. And early on it does this check:
if(!isset($_POST['wp-submit'])) return new WP_Error('user_login', __('<strong>You must be logged in to view this site</strong>.'));
Which will always fail for XML-RPC requests. So your wp_authenticate() always returns a WP_Error object, which the XML-RPC login method looks for and always returns the bad username/password text:
if (is_wp_error($user)) {
    $this->error = new IXR_Error(403, __('Bad login/pass combination.'));
    return false;
}
One thing you could do is skip your additional checks if XMLRPC_REQUEST is defined as true.
Ok, I’ve made an update that works now with the iPhone app, but I’m not sure if there are any security issues with this:
if(!function_exists('wp_authenticate')) {
    function wp_authenticate($username, $password) {
        global $wpdb, $error, $absolutePrivacy;
        $username = sanitize_user($username);
        $password = trim($password);
        $user = apply_filters('authenticate', null, $username, $password);
        if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST ) return $user; //allows the XML-RPC protocol for remote publishing
I also found that I didn’t need to include the RSD link in the wp_login header like I thought I did.
I tested this with 2.8.1 and it worked, haven’t tried with 2.7.
The XML-RPC code expects to get a WP_Error object back if auth fails:
$user = wp_authenticate($username, $password);
if (is_wp_error($user)) {
    $this->error = new IXR_Error(403, __('Bad login/pass combination.'));
    return false;
}
So you should probably check $user after the auth filter and make sure to return a WP_Error if it fails. Basically the same thing that the original wp_authenticate function does.
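One way to apply the advice in this thread, as an added example that is not the plugin's or WordPress core's code: the override skips the form-only check for XML-RPC but still turns any result that is not a WP_User into a WP_Error, so the XML-RPC login's is_wp_error() test cannot be passed by a null. It assumes it is loaded inside WordPress as a pluggable override, and that the wp-submit check quoted above is the plugin's only extra check and can run before the filter.

```php
<?php
// Added example, not the plugin's or WordPress core's code. Assumes it is
// loaded inside WordPress as a pluggable override of wp_authenticate().
if ( ! function_exists( 'wp_authenticate' ) ) {
	function wp_authenticate( $username, $password ) {
		$username = sanitize_user( $username );
		$password = trim( $password );

		// XML-RPC clients never send the login form's wp-submit field.
		$is_xmlrpc = defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST;

		// Form-only gate quoted in the thread; skipped for XML-RPC only.
		if ( ! $is_xmlrpc && ! isset( $_POST['wp-submit'] ) ) {
			return new WP_Error(
				'user_login',
				__( '<strong>You must be logged in to view this site</strong>.' )
			);
		}

		// Let the registered handlers verify the credentials.
		$user = apply_filters( 'authenticate', null, $username, $password );

		// Fail closed: callers such as the XML-RPC login only test
		// is_wp_error(), so anything that is neither a WP_Error nor a
		// WP_User (for example null, when no handler answered) must be
		// turned into an error instead of being returned as-is.
		if ( ! is_wp_error( $user ) && ! ( $user instanceof WP_User ) ) {
			$user = new WP_Error(
				'authentication_failed',
				__( '<strong>ERROR</strong>: Invalid username or incorrect password.' )
			);
		}

		// Same failure hook core fires, so lockout and logging plugins
		// still see failed XML-RPC and form logins.
		$ignore_codes = array( 'empty_username', 'empty_password' );
		if ( is_wp_error( $user ) && ! in_array( $user->get_error_code(), $ignore_codes ) ) {
			do_action( 'wp_login_failed', $username );
		}

		return $user;
	}
}
```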