Most of the authentication functions are pluggable, meaning you can fully override the actual functions by simply defining them in a plugin which will be loaded before the pluggable.php
file and provide the services you declare.
Take a look at wp_authenticate
and wp_check_password
. They have filters and actions in them as well that should allow you to do any pre-validation you need. In this case, it’s easiest to just copy the existing functions and add your code as needed.
Based on what you’ve said so far though, you can probably achieve what you are trying via the wp_authenticate_user
filter. Just return a WP_Error if your curl request fails.
add_filter( 'wp_authenticate_user', function ($user, $username, $password) {
if ( !is_wp_error( $user ) ) {
// run your curl check here
if ( ! $curling ) {
return new WP_Error( 'curling_is_dangerous', __( '<strong>ERROR:</strong> wat? ' .
'That doesn\'t even look like a curl!' ) );
}
}
return $user;
} );