laipower/wp-content/plugins/two-factor/class-two-factor-core.php

1072 lines
32 KiB
PHP
Raw Normal View History

<?php
/**
* Two Factore Core Class.
*
* @package Two_Factor
*/
/**
* Class for creating two factor authorization.
*
* @since 0.1-dev
*
* @package Two_Factor
*/
class Two_Factor_Core {
/**
* The user meta provider key.
*
* @type string
*/
const PROVIDER_USER_META_KEY = '_two_factor_provider';
/**
* The user meta enabled providers key.
*
* @type string
*/
const ENABLED_PROVIDERS_USER_META_KEY = '_two_factor_enabled_providers';
/**
* The user meta nonce key.
*
* @type string
*/
const USER_META_NONCE_KEY = '_two_factor_nonce';
/**
* URL query paramater used for our custom actions.
*
* @var string
*/
const USER_SETTINGS_ACTION_QUERY_VAR = 'two_factor_action';
/**
* Nonce key for user settings.
*
* @var string
*/
const USER_SETTINGS_ACTION_NONCE_QUERY_ARG = '_two_factor_action_nonce';
/**
* Keep track of all the password-based authentication sessions that
* need to invalidated before the second factor authentication.
*
* @var array
*/
private static $password_auth_tokens = array();
/**
* Set up filters and actions.
*
* @param object $compat A compaitbility later for plugins.
*
* @since 0.1-dev
*/
public static function add_hooks( $compat ) {
add_action( 'plugins_loaded', array( __CLASS__, 'load_textdomain' ) );
add_action( 'init', array( __CLASS__, 'get_providers' ) );
add_action( 'wp_login', array( __CLASS__, 'wp_login' ), 10, 2 );
add_action( 'login_form_validate_2fa', array( __CLASS__, 'login_form_validate_2fa' ) );
add_action( 'login_form_backup_2fa', array( __CLASS__, 'backup_2fa' ) );
add_action( 'show_user_profile', array( __CLASS__, 'user_two_factor_options' ) );
add_action( 'edit_user_profile', array( __CLASS__, 'user_two_factor_options' ) );
add_action( 'personal_options_update', array( __CLASS__, 'user_two_factor_options_update' ) );
add_action( 'edit_user_profile_update', array( __CLASS__, 'user_two_factor_options_update' ) );
add_filter( 'manage_users_columns', array( __CLASS__, 'filter_manage_users_columns' ) );
add_filter( 'wpmu_users_columns', array( __CLASS__, 'filter_manage_users_columns' ) );
add_filter( 'manage_users_custom_column', array( __CLASS__, 'manage_users_custom_column' ), 10, 3 );
/**
* Keep track of all the user sessions for which we need to invalidate the
* authentication cookies set during the initial password check.
*
* Is there a better way of doing this?
*/
add_action( 'set_auth_cookie', array( __CLASS__, 'collect_auth_cookie_tokens' ) );
add_action( 'set_logged_in_cookie', array( __CLASS__, 'collect_auth_cookie_tokens' ) );
// Run only after the core wp_authenticate_username_password() check.
add_filter( 'authenticate', array( __CLASS__, 'filter_authenticate' ), 50 );
add_action( 'admin_init', array( __CLASS__, 'trigger_user_settings_action' ) );
add_filter( 'two_factor_providers', array( __CLASS__, 'enable_dummy_method_for_debug' ) );
$compat->init();
}
/**
* Loads the plugin's text domain.
*
* Sites on WordPress 4.6+ benefit from just-in-time loading of translations.
*/
public static function load_textdomain() {
load_plugin_textdomain( 'two-factor' );
}
/**
* For each provider, include it and then instantiate it.
*
* @since 0.1-dev
*
* @return array
*/
public static function get_providers() {
$providers = array(
'Two_Factor_Email' => TWO_FACTOR_DIR . 'providers/class-two-factor-email.php',
'Two_Factor_Totp' => TWO_FACTOR_DIR . 'providers/class-two-factor-totp.php',
'Two_Factor_FIDO_U2F' => TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f.php',
'Two_Factor_Backup_Codes' => TWO_FACTOR_DIR . 'providers/class-two-factor-backup-codes.php',
'Two_Factor_Dummy' => TWO_FACTOR_DIR . 'providers/class-two-factor-dummy.php',
);
/**
* Filter the supplied providers.
*
* This lets third-parties either remove providers (such as Email), or
* add their own providers (such as text message or Clef).
*
* @param array $providers A key-value array where the key is the class name, and
* the value is the path to the file containing the class.
*/
$providers = apply_filters( 'two_factor_providers', $providers );
// FIDO U2F is PHP 5.3+ only.
if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && version_compare( PHP_VERSION, '5.3.0', '<' ) ) {
unset( $providers['Two_Factor_FIDO_U2F'] );
trigger_error( // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_trigger_error
sprintf(
/* translators: %s: version number */
__( 'FIDO U2F is not available because you are using PHP %s. (Requires 5.3 or greater)', 'two-factor' ), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
PHP_VERSION
)
);
}
/**
* For each filtered provider,
*/
foreach ( $providers as $class => $path ) {
include_once $path;
/**
* Confirm that it's been successfully included before instantiating.
*/
if ( class_exists( $class ) ) {
try {
$providers[ $class ] = call_user_func( array( $class, 'get_instance' ) );
} catch ( Exception $e ) {
unset( $providers[ $class ] );
}
}
}
return $providers;
}
/**
* Enable the dummy method only during debugging.
*
* @param array $methods List of enabled methods.
*
* @return array
*/
public static function enable_dummy_method_for_debug( $methods ) {
if ( ! self::is_wp_debug() ) {
unset( $methods['Two_Factor_Dummy'] );
}
return $methods;
}
/**
* Check if the debug mode is enabled.
*
* @return boolean
*/
protected static function is_wp_debug() {
return ( defined( 'WP_DEBUG' ) && WP_DEBUG );
}
/**
* Get the user settings page URL.
*
* Fetch this from the plugin core after we introduce proper dependency injection
* and get away from the singletons at the provider level (should be handled by core).
*
* @param integer $user_id User ID.
*
* @return string
*/
protected static function get_user_settings_page_url( $user_id ) {
$page = 'user-edit.php';
if ( defined( 'IS_PROFILE_PAGE' ) && IS_PROFILE_PAGE ) {
$page = 'profile.php';
}
return add_query_arg(
array(
'user_id' => intval( $user_id ),
),
self_admin_url( $page )
);
}
/**
* Get the URL for resetting the secret token.
*
* @param integer $user_id User ID.
* @param string $action Custom two factor action key.
*
* @return string
*/
public static function get_user_update_action_url( $user_id, $action ) {
return wp_nonce_url(
add_query_arg(
array(
self::USER_SETTINGS_ACTION_QUERY_VAR => $action,
),
self::get_user_settings_page_url( $user_id )
),
sprintf( '%d-%s', $user_id, $action ),
self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG
);
}
/**
* Check if a user action is valid.
*
* @param integer $user_id User ID.
* @param string $action User action ID.
*
* @return boolean
*/
public static function is_valid_user_action( $user_id, $action ) {
$request_nonce = filter_input( INPUT_GET, self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG, FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) );
return wp_verify_nonce(
$request_nonce,
sprintf( '%d-%s', $user_id, $action )
);
}
/**
* Get the ID of the user being edited.
*
* @return integer
*/
public static function current_user_being_edited() {
// Try to resolve the user ID from the request first.
if ( ! empty( $_REQUEST['user_id'] ) ) {
$user_id = intval( $_REQUEST['user_id'] );
if ( current_user_can( 'edit_user', $user_id ) ) {
return $user_id;
}
}
return get_current_user_id();
}
/**
* Trigger our custom update action if a valid
* action request is detected and passes the nonce check.
*
* @return void
*/
public static function trigger_user_settings_action() {
$action = filter_input( INPUT_GET, self::USER_SETTINGS_ACTION_QUERY_VAR, FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) );
$user_id = self::current_user_being_edited();
if ( ! empty( $action ) && self::is_valid_user_action( $user_id, $action ) ) {
/**
* This action is triggered when a valid Two Factor settings
* action is detected and it passes the nonce validation.
*
* @param integer $user_id User ID.
* @param string $action Settings action.
*/
do_action( 'two_factor_user_settings_action', $user_id, $action );
}
}
/**
* Keep track of all the authentication cookies that need to be
* invalidated before the second factor authentication.
*
* @param string $cookie Cookie string.
*
* @return void
*/
public static function collect_auth_cookie_tokens( $cookie ) {
$parsed = wp_parse_auth_cookie( $cookie );
if ( ! empty( $parsed['token'] ) ) {
self::$password_auth_tokens[] = $parsed['token'];
}
}
/**
* Get all Two-Factor Auth providers that are enabled for the specified|current user.
*
* @param WP_User $user WP_User object of the logged-in user.
* @return array
*/
public static function get_enabled_providers_for_user( $user = null ) {
if ( empty( $user ) || ! is_a( $user, 'WP_User' ) ) {
$user = wp_get_current_user();
}
$providers = self::get_providers();
$enabled_providers = get_user_meta( $user->ID, self::ENABLED_PROVIDERS_USER_META_KEY, true );
if ( empty( $enabled_providers ) ) {
$enabled_providers = array();
}
$enabled_providers = array_intersect( $enabled_providers, array_keys( $providers ) );
/**
* Filter the enabled two-factor authentication providers for this user.
*
* @param array $enabled_providers The enabled providers.
* @param int $user_id The user ID.
*/
return apply_filters( 'two_factor_enabled_providers_for_user', $enabled_providers, $user->ID );
}
/**
* Get all Two-Factor Auth providers that are both enabled and configured for the specified|current user.
*
* @param WP_User $user WP_User object of the logged-in user.
* @return array
*/
public static function get_available_providers_for_user( $user = null ) {
if ( empty( $user ) || ! is_a( $user, 'WP_User' ) ) {
$user = wp_get_current_user();
}
$providers = self::get_providers();
$enabled_providers = self::get_enabled_providers_for_user( $user );
$configured_providers = array();
foreach ( $providers as $classname => $provider ) {
if ( in_array( $classname, $enabled_providers, true ) && $provider->is_available_for_user( $user ) ) {
$configured_providers[ $classname ] = $provider;
}
}
return $configured_providers;
}
/**
* Gets the Two-Factor Auth provider for the specified|current user.
*
* @since 0.1-dev
*
* @param int $user_id Optional. User ID. Default is 'null'.
* @return object|null
*/
public static function get_primary_provider_for_user( $user_id = null ) {
if ( empty( $user_id ) || ! is_numeric( $user_id ) ) {
$user_id = get_current_user_id();
}
$providers = self::get_providers();
$available_providers = self::get_available_providers_for_user( get_userdata( $user_id ) );
// If there's only one available provider, force that to be the primary.
if ( empty( $available_providers ) ) {
return null;
} elseif ( 1 === count( $available_providers ) ) {
$provider = key( $available_providers );
} else {
$provider = get_user_meta( $user_id, self::PROVIDER_USER_META_KEY, true );
// If the provider specified isn't enabled, just grab the first one that is.
if ( ! isset( $available_providers[ $provider ] ) ) {
$provider = key( $available_providers );
}
}
/**
* Filter the two-factor authentication provider used for this user.
*
* @param string $provider The provider currently being used.
* @param int $user_id The user ID.
*/
$provider = apply_filters( 'two_factor_primary_provider_for_user', $provider, $user_id );
if ( isset( $providers[ $provider ] ) ) {
return $providers[ $provider ];
}
return null;
}
/**
* Quick boolean check for whether a given user is using two-step.
*
* @since 0.1-dev
*
* @param int $user_id Optional. User ID. Default is 'null'.
* @return bool
*/
public static function is_user_using_two_factor( $user_id = null ) {
$provider = self::get_primary_provider_for_user( $user_id );
return ! empty( $provider );
}
/**
* Handle the browser-based login.
*
* @since 0.1-dev
*
* @param string $user_login Username.
* @param WP_User $user WP_User object of the logged-in user.
*/
public static function wp_login( $user_login, $user ) {
if ( ! self::is_user_using_two_factor( $user->ID ) ) {
return;
}
// Invalidate the current login session to prevent from being re-used.
self::destroy_current_session_for_user( $user );
// Also clear the cookies which are no longer valid.
wp_clear_auth_cookie();
self::show_two_factor_login( $user );
exit;
}
/**
* Destroy the known password-based authentication sessions for the current user.
*
* Is there a better way of finding the current session token without
* having access to the authentication cookies which are just being set
* on the first password-based authentication request.
*
* @param \WP_User $user User object.
*
* @return void
*/
public static function destroy_current_session_for_user( $user ) {
$session_manager = WP_Session_Tokens::get_instance( $user->ID );
foreach ( self::$password_auth_tokens as $auth_token ) {
$session_manager->destroy( $auth_token );
}
}
/**
* Prevent login through XML-RPC and REST API for users with at least one
* two-factor method enabled.
*
* @param WP_User|WP_Error $user Valid WP_User only if the previous filters
* have verified and confirmed the
* authentication credentials.
*
* @return WP_User|WP_Error
*/
public static function filter_authenticate( $user ) {
if ( $user instanceof WP_User && self::is_api_request() && self::is_user_using_two_factor( $user->ID ) && ! self::is_user_api_login_enabled( $user->ID ) ) {
return new WP_Error(
'invalid_application_credentials',
__( 'Error: API login for user disabled.', 'two-factor' )
);
}
return $user;
}
/**
* If the current user can login via API requests such as XML-RPC and REST.
*
* @param integer $user_id User ID.
*
* @return boolean
*/
public static function is_user_api_login_enabled( $user_id ) {
return (bool) apply_filters( 'two_factor_user_api_login_enable', false, $user_id );
}
/**
* Is the current request an XML-RPC or REST request.
*
* @return boolean
*/
public static function is_api_request() {
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
return true;
}
if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
return true;
}
return false;
}
/**
* Display the login form.
*
* @since 0.1-dev
*
* @param WP_User $user WP_User object of the logged-in user.
*/
public static function show_two_factor_login( $user ) {
if ( ! $user ) {
$user = wp_get_current_user();
}
$login_nonce = self::create_login_nonce( $user->ID );
if ( ! $login_nonce ) {
wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) );
}
$redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : admin_url();
self::login_html( $user, $login_nonce['key'], $redirect_to );
}
/**
* Display the Backup code 2fa screen.
*
* @since 0.1-dev
*/
public static function backup_2fa() {
$wp_auth_id = filter_input( INPUT_GET, 'wp-auth-id', FILTER_SANITIZE_NUMBER_INT );
$nonce = filter_input( INPUT_GET, 'wp-auth-nonce', FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) );
$provider = filter_input( INPUT_GET, 'provider', FILTER_CALLBACK, array( 'options' => 'sanitize_text_field' ) );
if ( ! $wp_auth_id || ! $nonce || ! $provider ) {
return;
}
$user = get_userdata( $wp_auth_id );
if ( ! $user ) {
return;
}
if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) {
wp_safe_redirect( home_url() );
exit;
}
$providers = self::get_available_providers_for_user( $user );
if ( isset( $providers[ $provider ] ) ) {
$provider = $providers[ $provider ];
} else {
wp_die( esc_html__( 'Cheatin&#8217; uh?', 'two-factor' ), 403 );
}
$redirect_to = filter_input( INPUT_GET, 'redirect_to', FILTER_SANITIZE_URL );
self::login_html( $user, $nonce, $redirect_to, '', $provider );
exit;
}
/**
* Generates the html form for the second step of the authentication process.
*
* @since 0.1-dev
*
* @param WP_User $user WP_User object of the logged-in user.
* @param string $login_nonce A string nonce stored in usermeta.
* @param string $redirect_to The URL to which the user would like to be redirected.
* @param string $error_msg Optional. Login error message.
* @param string|object $provider An override to the provider.
*/
public static function login_html( $user, $login_nonce, $redirect_to, $error_msg = '', $provider = null ) {
if ( empty( $provider ) ) {
$provider = self::get_primary_provider_for_user( $user->ID );
} elseif ( is_string( $provider ) && method_exists( $provider, 'get_instance' ) ) {
$provider = call_user_func( array( $provider, 'get_instance' ) );
}
$provider_class = get_class( $provider );
$available_providers = self::get_available_providers_for_user( $user );
$backup_providers = array_diff_key( $available_providers, array( $provider_class => null ) );
$interim_login = isset( $_REQUEST['interim-login'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
$rememberme = intval( self::rememberme() );
if ( ! function_exists( 'login_header' ) ) {
// We really should migrate login_header() out of `wp-login.php` so it can be called from an includes file.
include_once TWO_FACTOR_DIR . 'includes/function.login-header.php';
}
login_header();
if ( ! empty( $error_msg ) ) {
echo '<div id="login_error"><strong>' . esc_html( $error_msg ) . '</strong><br /></div>';
}
?>
<form name="validate_2fa_form" id="loginform" action="<?php echo esc_url( self::login_url( array( 'action' => 'validate_2fa' ), 'login_post' ) ); ?>" method="post" autocomplete="off">
<input type="hidden" name="provider" id="provider" value="<?php echo esc_attr( $provider_class ); ?>" />
<input type="hidden" name="wp-auth-id" id="wp-auth-id" value="<?php echo esc_attr( $user->ID ); ?>" />
<input type="hidden" name="wp-auth-nonce" id="wp-auth-nonce" value="<?php echo esc_attr( $login_nonce ); ?>" />
<?php if ( $interim_login ) { ?>
<input type="hidden" name="interim-login" value="1" />
<?php } else { ?>
<input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
<?php } ?>
<input type="hidden" name="rememberme" id="rememberme" value="<?php echo esc_attr( $rememberme ); ?>" />
<?php $provider->authentication_page( $user ); ?>
</form>
<?php
if ( 1 === count( $backup_providers ) ) :
$backup_classname = key( $backup_providers );
$backup_provider = $backup_providers[ $backup_classname ];
$login_url = self::login_url(
array(
'action' => 'backup_2fa',
'provider' => $backup_classname,
'wp-auth-id' => $user->ID,
'wp-auth-nonce' => $login_nonce,
'redirect_to' => $redirect_to,
'rememberme' => $rememberme,
)
);
?>
<div class="backup-methods-wrap">
<p class="backup-methods">
<a href="<?php echo esc_url( $login_url ); ?>">
<?php
echo esc_html(
sprintf(
// translators: %s: Two-factor method name.
__( 'Or, use your backup method: %s &rarr;', 'two-factor' ),
$backup_provider->get_label()
)
);
?>
</a>
</p>
</div>
<?php elseif ( 1 < count( $backup_providers ) ) : ?>
<div class="backup-methods-wrap">
<p class="backup-methods">
<a href="javascript:;" onclick="document.querySelector('ul.backup-methods').style.display = 'block';">
<?php esc_html_e( 'Or, use a backup method…', 'two-factor' ); ?>
</a>
</p>
<ul class="backup-methods">
<?php
foreach ( $backup_providers as $backup_classname => $backup_provider ) :
$login_url = self::login_url(
array(
'action' => 'backup_2fa',
'provider' => $backup_classname,
'wp-auth-id' => $user->ID,
'wp-auth-nonce' => $login_nonce,
'redirect_to' => $redirect_to,
'rememberme' => $rememberme,
)
);
?>
<li>
<a href="<?php echo esc_url( $login_url ); ?>">
<?php echo esc_html( $backup_provider->get_label() ); ?>
</a>
</li>
<?php endforeach; ?>
</ul>
</div>
<?php endif; ?>
<style>
/* @todo: migrate to an external stylesheet. */
.backup-methods-wrap {
margin-top: 16px;
padding: 0 24px;
}
.backup-methods-wrap a {
color: #999;
text-decoration: none;
}
ul.backup-methods {
display: none;
padding-left: 1.5em;
}
/* Prevent Jetpack from hiding our controls, see https://github.com/Automattic/jetpack/issues/3747 */
.jetpack-sso-form-display #loginform > p,
.jetpack-sso-form-display #loginform > div {
display: block;
}
</style>
<?php
if ( ! function_exists( 'login_footer' ) ) {
include_once TWO_FACTOR_DIR . 'includes/function.login-footer.php';
}
login_footer();
?>
<?php
}
/**
* Generate the two-factor login form URL.
*
* @param array $params List of query argument pairs to add to the URL.
* @param string $scheme URL scheme context.
*
* @return string
*/
public static function login_url( $params = array(), $scheme = 'login' ) {
if ( ! is_array( $params ) ) {
$params = array();
}
$params = urlencode_deep( $params );
return add_query_arg( $params, site_url( 'wp-login.php', $scheme ) );
}
/**
* Get the hash of a nonce for storage and comparison.
*
* @param string $nonce Nonce value to be hashed.
*
* @return string
*/
protected static function hash_login_nonce( $nonce ) {
return wp_hash( $nonce, 'nonce' );
}
/**
* Create the login nonce.
*
* @since 0.1-dev
*
* @param int $user_id User ID.
* @return array
*/
public static function create_login_nonce( $user_id ) {
$login_nonce = array(
'expiration' => time() + HOUR_IN_SECONDS,
);
try {
$login_nonce['key'] = bin2hex( random_bytes( 32 ) );
} catch ( Exception $ex ) {
$login_nonce['key'] = wp_hash( $user_id . wp_rand() . microtime(), 'nonce' );
}
// Store the nonce hashed to avoid leaking it via database access.
$login_nonce_stored = $login_nonce;
$login_nonce_stored['key'] = self::hash_login_nonce( $login_nonce['key'] );
if ( ! update_user_meta( $user_id, self::USER_META_NONCE_KEY, $login_nonce_stored ) ) {
return false;
}
return $login_nonce;
}
/**
* Delete the login nonce.
*
* @since 0.1-dev
*
* @param int $user_id User ID.
* @return bool
*/
public static function delete_login_nonce( $user_id ) {
return delete_user_meta( $user_id, self::USER_META_NONCE_KEY );
}
/**
* Verify the login nonce.
*
* @since 0.1-dev
*
* @param int $user_id User ID.
* @param string $nonce Login nonce.
* @return bool
*/
public static function verify_login_nonce( $user_id, $nonce ) {
$login_nonce = get_user_meta( $user_id, self::USER_META_NONCE_KEY, true );
if ( ! $login_nonce || empty( $login_nonce['key'] ) || empty( $login_nonce['expiration'] ) ) {
return false;
}
if ( hash_equals( $login_nonce['key'], self::hash_login_nonce( $nonce ) ) && time() < $login_nonce['expiration'] ) {
return true;
}
// Require a fresh nonce if verification fails.
self::delete_login_nonce( $user_id );
return false;
}
/**
* Login form validation.
*
* @since 0.1-dev
*/
public static function login_form_validate_2fa() {
$wp_auth_id = filter_input( INPUT_POST, 'wp-auth-id', FILTER_SANITIZE_NUMBER_INT );
$nonce = filter_input( INPUT_POST, 'wp-auth-nonce', FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) );
if ( ! $wp_auth_id || ! $nonce ) {
return;
}
$user = get_userdata( $wp_auth_id );
if ( ! $user ) {
return;
}
if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) {
wp_safe_redirect( home_url() );
exit;
}
$provider = filter_input( INPUT_POST, 'provider', FILTER_CALLBACK, array( 'options' => 'sanitize_text_field' ) );
if ( $provider ) {
$providers = self::get_available_providers_for_user( $user );
if ( isset( $providers[ $provider ] ) ) {
$provider = $providers[ $provider ];
} else {
wp_die( esc_html__( 'Cheatin&#8217; uh?', 'two-factor' ), 403 );
}
} else {
$provider = self::get_primary_provider_for_user( $user->ID );
}
// Allow the provider to re-send codes, etc.
if ( true === $provider->pre_process_authentication( $user ) ) {
$login_nonce = self::create_login_nonce( $user->ID );
if ( ! $login_nonce ) {
wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) );
}
self::login_html( $user, $login_nonce['key'], $_REQUEST['redirect_to'], '', $provider );
exit;
}
// Ask the provider to verify the second factor.
if ( true !== $provider->validate_authentication( $user ) ) {
do_action( 'wp_login_failed', $user->user_login, new WP_Error( 'two_factor_invalid', __( 'ERROR: Invalid verification code.', 'two-factor' ) ) );
$login_nonce = self::create_login_nonce( $user->ID );
if ( ! $login_nonce ) {
wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) );
}
self::login_html( $user, $login_nonce['key'], $_REQUEST['redirect_to'], esc_html__( 'ERROR: Invalid verification code.', 'two-factor' ), $provider );
exit;
}
self::delete_login_nonce( $user->ID );
$rememberme = false;
if ( isset( $_REQUEST['rememberme'] ) && $_REQUEST['rememberme'] ) {
$rememberme = true;
}
wp_set_auth_cookie( $user->ID, $rememberme );
do_action( 'two_factor_user_authenticated', $user );
// Must be global because that's how login_header() uses it.
global $interim_login;
$interim_login = isset( $_REQUEST['interim-login'] ); // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited,WordPress.Security.NonceVerification.Recommended
if ( $interim_login ) {
$customize_login = isset( $_REQUEST['customize-login'] );
if ( $customize_login ) {
wp_enqueue_script( 'customize-base' );
}
$message = '<p class="message">' . __( 'You have logged in successfully.', 'two-factor' ) . '</p>';
$interim_login = 'success'; // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited
login_header( '', $message );
?>
</div>
<?php
/** This action is documented in wp-login.php */
do_action( 'login_footer' );
?>
<?php if ( $customize_login ) : ?>
<script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo esc_url( wp_customize_url() ); ?>', channel: 'login' }).send('login') }, 1000 );</script>
<?php endif; ?>
</body></html>
<?php
exit;
}
$redirect_to = apply_filters( 'login_redirect', $_REQUEST['redirect_to'], $_REQUEST['redirect_to'], $user );
wp_safe_redirect( $redirect_to );
exit;
}
/**
* Filter the columns on the Users admin screen.
*
* @param array $columns Available columns.
* @return array Updated array of columns.
*/
public static function filter_manage_users_columns( array $columns ) {
$columns['two-factor'] = __( 'Two-Factor', 'two-factor' );
return $columns;
}
/**
* Output the 2FA column data on the Users screen.
*
* @param string $output The column output.
* @param string $column_name The column ID.
* @param int $user_id The user ID.
* @return string The column output.
*/
public static function manage_users_custom_column( $output, $column_name, $user_id ) {
if ( 'two-factor' !== $column_name ) {
return $output;
}
if ( ! self::is_user_using_two_factor( $user_id ) ) {
return sprintf( '<span class="dashicons-before dashicons-no-alt">%s</span>', esc_html__( 'Disabled', 'two-factor' ) );
} else {
$provider = self::get_primary_provider_for_user( $user_id );
return esc_html( $provider->get_label() );
}
}
/**
* Add user profile fields.
*
* This executes during the `show_user_profile` & `edit_user_profile` actions.
*
* @since 0.1-dev
*
* @param WP_User $user WP_User object of the logged-in user.
*/
public static function user_two_factor_options( $user ) {
wp_enqueue_style( 'user-edit-2fa', plugins_url( 'user-edit.css', __FILE__ ), array(), TWO_FACTOR_VERSION );
$enabled_providers = array_keys( self::get_available_providers_for_user( $user ) );
$primary_provider = self::get_primary_provider_for_user( $user->ID );
if ( ! empty( $primary_provider ) && is_object( $primary_provider ) ) {
$primary_provider_key = get_class( $primary_provider );
} else {
$primary_provider_key = null;
}
wp_nonce_field( 'user_two_factor_options', '_nonce_user_two_factor_options', false );
?>
<input type="hidden" name="<?php echo esc_attr( self::ENABLED_PROVIDERS_USER_META_KEY ); ?>[]" value="<?php /* Dummy input so $_POST value is passed when no providers are enabled. */ ?>" />
<table class="form-table" id="two-factor-options">
<tr>
<th>
<?php esc_html_e( 'Two-Factor Options', 'two-factor' ); ?>
</th>
<td>
<table class="two-factor-methods-table">
<thead>
<tr>
<th class="col-enabled" scope="col"><?php esc_html_e( 'Enabled', 'two-factor' ); ?></th>
<th class="col-primary" scope="col"><?php esc_html_e( 'Primary', 'two-factor' ); ?></th>
<th class="col-name" scope="col"><?php esc_html_e( 'Type', 'two-factor' ); ?></th>
</tr>
</thead>
<tbody>
<?php foreach ( self::get_providers() as $class => $object ) : ?>
<tr>
<th scope="row"><input id="enabled-<?php echo esc_attr( $class ); ?>" type="checkbox" name="<?php echo esc_attr( self::ENABLED_PROVIDERS_USER_META_KEY ); ?>[]" value="<?php echo esc_attr( $class ); ?>" <?php checked( in_array( $class, $enabled_providers, true ) ); ?> /></th>
<th scope="row"><input type="radio" name="<?php echo esc_attr( self::PROVIDER_USER_META_KEY ); ?>" value="<?php echo esc_attr( $class ); ?>" <?php checked( $class, $primary_provider_key ); ?> /></th>
<td>
<label class="two-factor-method-label" for="enabled-<?php echo esc_attr( $class ); ?>"><?php echo esc_html( $object->get_label() ); ?></label>
<?php
/**
* Fires after user options are shown.
*
* Use the {@see 'two_factor_user_options_' . $class } hook instead.
*
* @deprecated 0.7.0
*
* @param WP_User $user The user.
*/
do_action_deprecated( 'two-factor-user-options-' . $class, array( $user ), '0.7.0', 'two_factor_user_options_' . $class );
do_action( 'two_factor_user_options_' . $class, $user );
?>
</td>
</tr>
<?php endforeach; ?>
</tbody>
</table>
</td>
</tr>
</table>
<?php
/**
* Fires after the Two Factor methods table.
*
* To be used by Two Factor methods to add settings UI.
*
* @since 0.1-dev
*/
do_action( 'show_user_security_settings', $user );
}
/**
* Update the user meta value.
*
* This executes during the `personal_options_update` & `edit_user_profile_update` actions.
*
* @since 0.1-dev
*
* @param int $user_id User ID.
*/
public static function user_two_factor_options_update( $user_id ) {
if ( isset( $_POST['_nonce_user_two_factor_options'] ) ) {
check_admin_referer( 'user_two_factor_options', '_nonce_user_two_factor_options' );
if ( ! isset( $_POST[ self::ENABLED_PROVIDERS_USER_META_KEY ] ) ||
! is_array( $_POST[ self::ENABLED_PROVIDERS_USER_META_KEY ] ) ) {
return;
}
$providers = self::get_providers();
$enabled_providers = $_POST[ self::ENABLED_PROVIDERS_USER_META_KEY ];
// Enable only the available providers.
$enabled_providers = array_intersect( $enabled_providers, array_keys( $providers ) );
update_user_meta( $user_id, self::ENABLED_PROVIDERS_USER_META_KEY, $enabled_providers );
// Primary provider must be enabled.
$new_provider = isset( $_POST[ self::PROVIDER_USER_META_KEY ] ) ? $_POST[ self::PROVIDER_USER_META_KEY ] : '';
if ( ! empty( $new_provider ) && in_array( $new_provider, $enabled_providers, true ) ) {
update_user_meta( $user_id, self::PROVIDER_USER_META_KEY, $new_provider );
}
}
}
/**
* Should the login session persist between sessions.
*
* @return boolean
*/
public static function rememberme() {
$rememberme = false;
if ( ! empty( $_REQUEST['rememberme'] ) ) {
$rememberme = true;
}
return (bool) apply_filters( 'two_factor_rememberme', $rememberme );
}
}