Wordpress password reset hook

Question

I'm trying to do something with wordpress passwords that may or maynot be considered kosher.

Situation:
Basically I have two different services both requiring passwords. One of these services is a simple wordpress account and one is another app, having nothing to do with wordpress. I would like to sync usernames and passwords across the two, meaning that every time a wordpress username changes, the app's username changes and every time the wordpress password changes, the app's password changes.

Problem/Question:
There are several ways I could deal with the username, but the password is the tricky one. I 'm looking to exploit a hook from the wordpress password reset interface so that any time a new password is set, it grabs it in its plain-text form (before it's hashed) and sends it to an API that I'm using to hash/store the passwords separately for this non-wordpress app. Is there a way to accomplish this?

Any shots at a solution are much appreciated.

Answer 1

You can try using hook the validate_password_reset to validate password. Following code can be used to validate alphanumeric password.

add_action('validate_password_reset','wdm_validate_password_reset',10,2);

function wdm_validate_password_reset( $errors, $user)
{
    $exp = '/^(?=.*\d)((?=.*[a-z])|(?=.*[A-Z])).{6,32}$/';

    if(strlen($_POST['pass1'])<6 || !preg_match($exp, $_POST['pass1']) )
           $errors->add( 'error',  'Password must be alphanumeric and contain minimum 6 characters.','');
}

Answer 2

Yes, there are hooks for this in /wp-login.php (password reset) and /wp-admin/includes/user.php (password change in user page).

# When reseting password in wp-login
add_action( 'password_reset', function( $user, $pass ) 
{
    var_dump( $pass );
    die();
}, 10, 2 );

and

# When checking if passwords match
add_action( 'check_passwords', function( $user, $pass1, $pass2 ) 
{
    var_dump( $pass1 );
    die();
}, 10, 3 );