One-click authorization: optional magic link + inline button delivered alongside the OTP code.
Login intent system: GET|POST /auth/intent-status and POST /auth/complete-intent endpoints for polling the one-click flow.
Webhook endpoint POST /auth/button-callback for Reddy bot inline button callbacks (HMAC-verified).
Reddy ID whitelist: restrict authentication to a configured set of Reddy IDs.
Translation defaults were updated to avoid early textdomain loading notices on WordPress 6.7+; en_US and ru_RU catalogs included.
Auth failure observability: new mksddn_reddy_auth_failure action on every failed OTP, intent, or finalize step.
Transport observability: new mksddn_reddy_transport_failed and mksddn_reddy_transport_response actions.
New mksddn_reddy_send_payload filter to modify the Reddy bot request payload before delivery.
Settings page redesigned with tabbed layout.
Breaking changes from 1.0.0:
REST error responses: the default message for generic failures changed from “Invalid credentials.” to “Unable to process authentication request.”. The code field is unchanged. Clients should rely on code, not message.
Rate-limit error message changed from the Reddy API text to “Too many requests. Try again later.”.
Monolith content lock (monolith_lock_enabled) now redirects to wp-login.php when no login page is configured (previously redirected to home_url('/')). Sites with monolith lock on but no login page set will now land on WP login.
mksddn_reddy_otp_message filter: the default message passed as the first argument now depends on delivery mode. When delivery_mode is link_only, the message uses the magic link template (no {code}). Custom filter handlers should check the delivery context if they manipulate the message.
1.0.0
Do not require Bearer on HTTP OPTIONS when REST API content lock is enabled (CORS preflight for cross-origin SPAs).
Stable 1.0.0 release.
0.1.4
Admin settings for bot message texts: OTP template ({code}, {ttl}) and connection test message.
Filter mksddn_reddy_otp_message still overrides the final OTP text after the admin template is applied.
Filter mksddn_reddy_bot_test_message for customizing the connection test message.
0.1.3
REST login no longer sets a WordPress cookie by default. Optional issue_session parameter (default false); use issue_token for Bearer auth. Shortcode login still sets a cookie.
Protect site content uses cookie sessions only; Protect all REST API content requires Bearer tokens. Documented split between monolith and REST protection.
Revoke all Bearer tokens and destroy WordPress sessions when a WordPress user is deleted.
Bearer token validation requires an active _mksddn_reddy_id user meta mapping.
Site and REST content lock: WP staff with edit_posts (administrator, editor) bypass Reddy-only lock without OTP.
Filter mksddn_reddy_content_lock_bypass to customize lock bypass per user.
More reliable login page detection for monolith content lock (configured page, URL path, shortcode fallback).