diff --git a/wp-content/plugins/two-factor/LICENSE.md b/wp-content/plugins/two-factor/LICENSE.md new file mode 100644 index 00000000..d8cf7d46 --- /dev/null +++ b/wp-content/plugins/two-factor/LICENSE.md @@ -0,0 +1,280 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS diff --git a/wp-content/plugins/two-factor/assets/banner-1544x500.png b/wp-content/plugins/two-factor/assets/banner-1544x500.png new file mode 100644 index 00000000..5b6e2081 Binary files /dev/null and b/wp-content/plugins/two-factor/assets/banner-1544x500.png differ diff --git a/wp-content/plugins/two-factor/assets/banner-772x250.png b/wp-content/plugins/two-factor/assets/banner-772x250.png new file mode 100644 index 00000000..b955eeeb Binary files /dev/null and b/wp-content/plugins/two-factor/assets/banner-772x250.png differ diff --git a/wp-content/plugins/two-factor/assets/icon-128x128.png b/wp-content/plugins/two-factor/assets/icon-128x128.png new file mode 100644 index 00000000..1f3a3c31 Binary files /dev/null and b/wp-content/plugins/two-factor/assets/icon-128x128.png differ diff --git a/wp-content/plugins/two-factor/assets/icon-256x256.png b/wp-content/plugins/two-factor/assets/icon-256x256.png new file mode 100644 index 00000000..3240b832 Binary files /dev/null and b/wp-content/plugins/two-factor/assets/icon-256x256.png differ diff --git a/wp-content/plugins/two-factor/assets/icon.svg b/wp-content/plugins/two-factor/assets/icon.svg new file mode 100644 index 00000000..cc15690b --- /dev/null +++ b/wp-content/plugins/two-factor/assets/icon.svg @@ -0,0 +1,6 @@ + + + + + + diff --git a/wp-content/plugins/two-factor/assets/screenshot-1.png b/wp-content/plugins/two-factor/assets/screenshot-1.png new file mode 100644 index 00000000..545b45ee Binary files /dev/null and b/wp-content/plugins/two-factor/assets/screenshot-1.png differ diff --git a/wp-content/plugins/two-factor/assets/screenshot-2.png b/wp-content/plugins/two-factor/assets/screenshot-2.png new file mode 100644 index 00000000..b9835800 Binary files /dev/null and b/wp-content/plugins/two-factor/assets/screenshot-2.png differ diff --git a/wp-content/plugins/two-factor/assets/screenshot-3.png b/wp-content/plugins/two-factor/assets/screenshot-3.png new file mode 100644 index 00000000..a9810f87 Binary files /dev/null and b/wp-content/plugins/two-factor/assets/screenshot-3.png differ diff --git a/wp-content/plugins/two-factor/class-two-factor-compat.php b/wp-content/plugins/two-factor/class-two-factor-compat.php new file mode 100644 index 00000000..731a2dff --- /dev/null +++ b/wp-content/plugins/two-factor/class-two-factor-compat.php @@ -0,0 +1,55 @@ + 'sanitize_key' ) ); + + if ( 'jetpack-sso' === $action && $this->jetpack_is_sso_active() ) { + return true; + } + + return $rememberme; + } + + /** + * Helper to detect the presence of the active SSO module. + * + * @return boolean + */ + public function jetpack_is_sso_active() { + return ( method_exists( 'Jetpack', 'is_module_active' ) && Jetpack::is_module_active( 'sso' ) ); + } +} diff --git a/wp-content/plugins/two-factor/class-two-factor-core.php b/wp-content/plugins/two-factor/class-two-factor-core.php new file mode 100644 index 00000000..312b34be --- /dev/null +++ b/wp-content/plugins/two-factor/class-two-factor-core.php @@ -0,0 +1,1071 @@ +init(); + } + + /** + * Loads the plugin's text domain. + * + * Sites on WordPress 4.6+ benefit from just-in-time loading of translations. + */ + public static function load_textdomain() { + load_plugin_textdomain( 'two-factor' ); + } + + /** + * For each provider, include it and then instantiate it. + * + * @since 0.1-dev + * + * @return array + */ + public static function get_providers() { + $providers = array( + 'Two_Factor_Email' => TWO_FACTOR_DIR . 'providers/class-two-factor-email.php', + 'Two_Factor_Totp' => TWO_FACTOR_DIR . 'providers/class-two-factor-totp.php', + 'Two_Factor_FIDO_U2F' => TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f.php', + 'Two_Factor_Backup_Codes' => TWO_FACTOR_DIR . 'providers/class-two-factor-backup-codes.php', + 'Two_Factor_Dummy' => TWO_FACTOR_DIR . 'providers/class-two-factor-dummy.php', + ); + + /** + * Filter the supplied providers. + * + * This lets third-parties either remove providers (such as Email), or + * add their own providers (such as text message or Clef). + * + * @param array $providers A key-value array where the key is the class name, and + * the value is the path to the file containing the class. + */ + $providers = apply_filters( 'two_factor_providers', $providers ); + + // FIDO U2F is PHP 5.3+ only. + if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && version_compare( PHP_VERSION, '5.3.0', '<' ) ) { + unset( $providers['Two_Factor_FIDO_U2F'] ); + trigger_error( // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_trigger_error + sprintf( + /* translators: %s: version number */ + __( 'FIDO U2F is not available because you are using PHP %s. (Requires 5.3 or greater)', 'two-factor' ), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped + PHP_VERSION + ) + ); + } + + /** + * For each filtered provider, + */ + foreach ( $providers as $class => $path ) { + include_once $path; + + /** + * Confirm that it's been successfully included before instantiating. + */ + if ( class_exists( $class ) ) { + try { + $providers[ $class ] = call_user_func( array( $class, 'get_instance' ) ); + } catch ( Exception $e ) { + unset( $providers[ $class ] ); + } + } + } + + return $providers; + } + + /** + * Enable the dummy method only during debugging. + * + * @param array $methods List of enabled methods. + * + * @return array + */ + public static function enable_dummy_method_for_debug( $methods ) { + if ( ! self::is_wp_debug() ) { + unset( $methods['Two_Factor_Dummy'] ); + } + + return $methods; + } + + /** + * Check if the debug mode is enabled. + * + * @return boolean + */ + protected static function is_wp_debug() { + return ( defined( 'WP_DEBUG' ) && WP_DEBUG ); + } + + /** + * Get the user settings page URL. + * + * Fetch this from the plugin core after we introduce proper dependency injection + * and get away from the singletons at the provider level (should be handled by core). + * + * @param integer $user_id User ID. + * + * @return string + */ + protected static function get_user_settings_page_url( $user_id ) { + $page = 'user-edit.php'; + + if ( defined( 'IS_PROFILE_PAGE' ) && IS_PROFILE_PAGE ) { + $page = 'profile.php'; + } + + return add_query_arg( + array( + 'user_id' => intval( $user_id ), + ), + self_admin_url( $page ) + ); + } + + /** + * Get the URL for resetting the secret token. + * + * @param integer $user_id User ID. + * @param string $action Custom two factor action key. + * + * @return string + */ + public static function get_user_update_action_url( $user_id, $action ) { + return wp_nonce_url( + add_query_arg( + array( + self::USER_SETTINGS_ACTION_QUERY_VAR => $action, + ), + self::get_user_settings_page_url( $user_id ) + ), + sprintf( '%d-%s', $user_id, $action ), + self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG + ); + } + + /** + * Check if a user action is valid. + * + * @param integer $user_id User ID. + * @param string $action User action ID. + * + * @return boolean + */ + public static function is_valid_user_action( $user_id, $action ) { + $request_nonce = filter_input( INPUT_GET, self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG, FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) ); + + return wp_verify_nonce( + $request_nonce, + sprintf( '%d-%s', $user_id, $action ) + ); + } + + /** + * Get the ID of the user being edited. + * + * @return integer + */ + public static function current_user_being_edited() { + // Try to resolve the user ID from the request first. + if ( ! empty( $_REQUEST['user_id'] ) ) { + $user_id = intval( $_REQUEST['user_id'] ); + + if ( current_user_can( 'edit_user', $user_id ) ) { + return $user_id; + } + } + + return get_current_user_id(); + } + + /** + * Trigger our custom update action if a valid + * action request is detected and passes the nonce check. + * + * @return void + */ + public static function trigger_user_settings_action() { + $action = filter_input( INPUT_GET, self::USER_SETTINGS_ACTION_QUERY_VAR, FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) ); + $user_id = self::current_user_being_edited(); + + if ( ! empty( $action ) && self::is_valid_user_action( $user_id, $action ) ) { + /** + * This action is triggered when a valid Two Factor settings + * action is detected and it passes the nonce validation. + * + * @param integer $user_id User ID. + * @param string $action Settings action. + */ + do_action( 'two_factor_user_settings_action', $user_id, $action ); + } + } + + /** + * Keep track of all the authentication cookies that need to be + * invalidated before the second factor authentication. + * + * @param string $cookie Cookie string. + * + * @return void + */ + public static function collect_auth_cookie_tokens( $cookie ) { + $parsed = wp_parse_auth_cookie( $cookie ); + + if ( ! empty( $parsed['token'] ) ) { + self::$password_auth_tokens[] = $parsed['token']; + } + } + + /** + * Get all Two-Factor Auth providers that are enabled for the specified|current user. + * + * @param WP_User $user WP_User object of the logged-in user. + * @return array + */ + public static function get_enabled_providers_for_user( $user = null ) { + if ( empty( $user ) || ! is_a( $user, 'WP_User' ) ) { + $user = wp_get_current_user(); + } + + $providers = self::get_providers(); + $enabled_providers = get_user_meta( $user->ID, self::ENABLED_PROVIDERS_USER_META_KEY, true ); + if ( empty( $enabled_providers ) ) { + $enabled_providers = array(); + } + $enabled_providers = array_intersect( $enabled_providers, array_keys( $providers ) ); + + /** + * Filter the enabled two-factor authentication providers for this user. + * + * @param array $enabled_providers The enabled providers. + * @param int $user_id The user ID. + */ + return apply_filters( 'two_factor_enabled_providers_for_user', $enabled_providers, $user->ID ); + } + + /** + * Get all Two-Factor Auth providers that are both enabled and configured for the specified|current user. + * + * @param WP_User $user WP_User object of the logged-in user. + * @return array + */ + public static function get_available_providers_for_user( $user = null ) { + if ( empty( $user ) || ! is_a( $user, 'WP_User' ) ) { + $user = wp_get_current_user(); + } + + $providers = self::get_providers(); + $enabled_providers = self::get_enabled_providers_for_user( $user ); + $configured_providers = array(); + + foreach ( $providers as $classname => $provider ) { + if ( in_array( $classname, $enabled_providers, true ) && $provider->is_available_for_user( $user ) ) { + $configured_providers[ $classname ] = $provider; + } + } + + return $configured_providers; + } + + /** + * Gets the Two-Factor Auth provider for the specified|current user. + * + * @since 0.1-dev + * + * @param int $user_id Optional. User ID. Default is 'null'. + * @return object|null + */ + public static function get_primary_provider_for_user( $user_id = null ) { + if ( empty( $user_id ) || ! is_numeric( $user_id ) ) { + $user_id = get_current_user_id(); + } + + $providers = self::get_providers(); + $available_providers = self::get_available_providers_for_user( get_userdata( $user_id ) ); + + // If there's only one available provider, force that to be the primary. + if ( empty( $available_providers ) ) { + return null; + } elseif ( 1 === count( $available_providers ) ) { + $provider = key( $available_providers ); + } else { + $provider = get_user_meta( $user_id, self::PROVIDER_USER_META_KEY, true ); + + // If the provider specified isn't enabled, just grab the first one that is. + if ( ! isset( $available_providers[ $provider ] ) ) { + $provider = key( $available_providers ); + } + } + + /** + * Filter the two-factor authentication provider used for this user. + * + * @param string $provider The provider currently being used. + * @param int $user_id The user ID. + */ + $provider = apply_filters( 'two_factor_primary_provider_for_user', $provider, $user_id ); + + if ( isset( $providers[ $provider ] ) ) { + return $providers[ $provider ]; + } + + return null; + } + + /** + * Quick boolean check for whether a given user is using two-step. + * + * @since 0.1-dev + * + * @param int $user_id Optional. User ID. Default is 'null'. + * @return bool + */ + public static function is_user_using_two_factor( $user_id = null ) { + $provider = self::get_primary_provider_for_user( $user_id ); + return ! empty( $provider ); + } + + /** + * Handle the browser-based login. + * + * @since 0.1-dev + * + * @param string $user_login Username. + * @param WP_User $user WP_User object of the logged-in user. + */ + public static function wp_login( $user_login, $user ) { + if ( ! self::is_user_using_two_factor( $user->ID ) ) { + return; + } + + // Invalidate the current login session to prevent from being re-used. + self::destroy_current_session_for_user( $user ); + + // Also clear the cookies which are no longer valid. + wp_clear_auth_cookie(); + + self::show_two_factor_login( $user ); + exit; + } + + /** + * Destroy the known password-based authentication sessions for the current user. + * + * Is there a better way of finding the current session token without + * having access to the authentication cookies which are just being set + * on the first password-based authentication request. + * + * @param \WP_User $user User object. + * + * @return void + */ + public static function destroy_current_session_for_user( $user ) { + $session_manager = WP_Session_Tokens::get_instance( $user->ID ); + + foreach ( self::$password_auth_tokens as $auth_token ) { + $session_manager->destroy( $auth_token ); + } + } + + /** + * Prevent login through XML-RPC and REST API for users with at least one + * two-factor method enabled. + * + * @param WP_User|WP_Error $user Valid WP_User only if the previous filters + * have verified and confirmed the + * authentication credentials. + * + * @return WP_User|WP_Error + */ + public static function filter_authenticate( $user ) { + if ( $user instanceof WP_User && self::is_api_request() && self::is_user_using_two_factor( $user->ID ) && ! self::is_user_api_login_enabled( $user->ID ) ) { + return new WP_Error( + 'invalid_application_credentials', + __( 'Error: API login for user disabled.', 'two-factor' ) + ); + } + + return $user; + } + + /** + * If the current user can login via API requests such as XML-RPC and REST. + * + * @param integer $user_id User ID. + * + * @return boolean + */ + public static function is_user_api_login_enabled( $user_id ) { + return (bool) apply_filters( 'two_factor_user_api_login_enable', false, $user_id ); + } + + /** + * Is the current request an XML-RPC or REST request. + * + * @return boolean + */ + public static function is_api_request() { + if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) { + return true; + } + + if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) { + return true; + } + + return false; + } + + /** + * Display the login form. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + */ + public static function show_two_factor_login( $user ) { + if ( ! $user ) { + $user = wp_get_current_user(); + } + + $login_nonce = self::create_login_nonce( $user->ID ); + if ( ! $login_nonce ) { + wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) ); + } + + $redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : admin_url(); + + self::login_html( $user, $login_nonce['key'], $redirect_to ); + } + + /** + * Display the Backup code 2fa screen. + * + * @since 0.1-dev + */ + public static function backup_2fa() { + $wp_auth_id = filter_input( INPUT_GET, 'wp-auth-id', FILTER_SANITIZE_NUMBER_INT ); + $nonce = filter_input( INPUT_GET, 'wp-auth-nonce', FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) ); + $provider = filter_input( INPUT_GET, 'provider', FILTER_CALLBACK, array( 'options' => 'sanitize_text_field' ) ); + + if ( ! $wp_auth_id || ! $nonce || ! $provider ) { + return; + } + + $user = get_userdata( $wp_auth_id ); + if ( ! $user ) { + return; + } + + if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) { + wp_safe_redirect( home_url() ); + exit; + } + + $providers = self::get_available_providers_for_user( $user ); + if ( isset( $providers[ $provider ] ) ) { + $provider = $providers[ $provider ]; + } else { + wp_die( esc_html__( 'Cheatin’ uh?', 'two-factor' ), 403 ); + } + + $redirect_to = filter_input( INPUT_GET, 'redirect_to', FILTER_SANITIZE_URL ); + self::login_html( $user, $nonce, $redirect_to, '', $provider ); + + exit; + } + + /** + * Generates the html form for the second step of the authentication process. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + * @param string $login_nonce A string nonce stored in usermeta. + * @param string $redirect_to The URL to which the user would like to be redirected. + * @param string $error_msg Optional. Login error message. + * @param string|object $provider An override to the provider. + */ + public static function login_html( $user, $login_nonce, $redirect_to, $error_msg = '', $provider = null ) { + if ( empty( $provider ) ) { + $provider = self::get_primary_provider_for_user( $user->ID ); + } elseif ( is_string( $provider ) && method_exists( $provider, 'get_instance' ) ) { + $provider = call_user_func( array( $provider, 'get_instance' ) ); + } + + $provider_class = get_class( $provider ); + + $available_providers = self::get_available_providers_for_user( $user ); + $backup_providers = array_diff_key( $available_providers, array( $provider_class => null ) ); + $interim_login = isset( $_REQUEST['interim-login'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended + + $rememberme = intval( self::rememberme() ); + + if ( ! function_exists( 'login_header' ) ) { + // We really should migrate login_header() out of `wp-login.php` so it can be called from an includes file. + include_once TWO_FACTOR_DIR . 'includes/function.login-header.php'; + } + + login_header(); + + if ( ! empty( $error_msg ) ) { + echo '
' . esc_html( $error_msg ) . '
'; + } + ?> + +
+ + + + + + + + + + + authentication_page( $user ); ?> +
+ + 'backup_2fa', + 'provider' => $backup_classname, + 'wp-auth-id' => $user->ID, + 'wp-auth-nonce' => $login_nonce, + 'redirect_to' => $redirect_to, + 'rememberme' => $rememberme, + ) + ); + ?> +
+

+ + get_label() + ) + ); + ?> + +

+
+ +
+

+ + + +

+ +
+ + + + + time() + HOUR_IN_SECONDS, + ); + + try { + $login_nonce['key'] = bin2hex( random_bytes( 32 ) ); + } catch ( Exception $ex ) { + $login_nonce['key'] = wp_hash( $user_id . wp_rand() . microtime(), 'nonce' ); + } + + // Store the nonce hashed to avoid leaking it via database access. + $login_nonce_stored = $login_nonce; + $login_nonce_stored['key'] = self::hash_login_nonce( $login_nonce['key'] ); + + if ( ! update_user_meta( $user_id, self::USER_META_NONCE_KEY, $login_nonce_stored ) ) { + return false; + } + + return $login_nonce; + } + + /** + * Delete the login nonce. + * + * @since 0.1-dev + * + * @param int $user_id User ID. + * @return bool + */ + public static function delete_login_nonce( $user_id ) { + return delete_user_meta( $user_id, self::USER_META_NONCE_KEY ); + } + + /** + * Verify the login nonce. + * + * @since 0.1-dev + * + * @param int $user_id User ID. + * @param string $nonce Login nonce. + * @return bool + */ + public static function verify_login_nonce( $user_id, $nonce ) { + $login_nonce = get_user_meta( $user_id, self::USER_META_NONCE_KEY, true ); + + if ( ! $login_nonce || empty( $login_nonce['key'] ) || empty( $login_nonce['expiration'] ) ) { + return false; + } + + if ( hash_equals( $login_nonce['key'], self::hash_login_nonce( $nonce ) ) && time() < $login_nonce['expiration'] ) { + return true; + } + + // Require a fresh nonce if verification fails. + self::delete_login_nonce( $user_id ); + + return false; + } + + /** + * Login form validation. + * + * @since 0.1-dev + */ + public static function login_form_validate_2fa() { + $wp_auth_id = filter_input( INPUT_POST, 'wp-auth-id', FILTER_SANITIZE_NUMBER_INT ); + $nonce = filter_input( INPUT_POST, 'wp-auth-nonce', FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) ); + + if ( ! $wp_auth_id || ! $nonce ) { + return; + } + + $user = get_userdata( $wp_auth_id ); + if ( ! $user ) { + return; + } + + if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) { + wp_safe_redirect( home_url() ); + exit; + } + + $provider = filter_input( INPUT_POST, 'provider', FILTER_CALLBACK, array( 'options' => 'sanitize_text_field' ) ); + if ( $provider ) { + $providers = self::get_available_providers_for_user( $user ); + if ( isset( $providers[ $provider ] ) ) { + $provider = $providers[ $provider ]; + } else { + wp_die( esc_html__( 'Cheatin’ uh?', 'two-factor' ), 403 ); + } + } else { + $provider = self::get_primary_provider_for_user( $user->ID ); + } + + // Allow the provider to re-send codes, etc. + if ( true === $provider->pre_process_authentication( $user ) ) { + $login_nonce = self::create_login_nonce( $user->ID ); + if ( ! $login_nonce ) { + wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) ); + } + + self::login_html( $user, $login_nonce['key'], $_REQUEST['redirect_to'], '', $provider ); + exit; + } + + // Ask the provider to verify the second factor. + if ( true !== $provider->validate_authentication( $user ) ) { + do_action( 'wp_login_failed', $user->user_login, new WP_Error( 'two_factor_invalid', __( 'ERROR: Invalid verification code.', 'two-factor' ) ) ); + + $login_nonce = self::create_login_nonce( $user->ID ); + if ( ! $login_nonce ) { + wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) ); + } + + self::login_html( $user, $login_nonce['key'], $_REQUEST['redirect_to'], esc_html__( 'ERROR: Invalid verification code.', 'two-factor' ), $provider ); + exit; + } + + self::delete_login_nonce( $user->ID ); + + $rememberme = false; + if ( isset( $_REQUEST['rememberme'] ) && $_REQUEST['rememberme'] ) { + $rememberme = true; + } + + wp_set_auth_cookie( $user->ID, $rememberme ); + + do_action( 'two_factor_user_authenticated', $user ); + + // Must be global because that's how login_header() uses it. + global $interim_login; + $interim_login = isset( $_REQUEST['interim-login'] ); // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited,WordPress.Security.NonceVerification.Recommended + + if ( $interim_login ) { + $customize_login = isset( $_REQUEST['customize-login'] ); + if ( $customize_login ) { + wp_enqueue_script( 'customize-base' ); + } + $message = '

' . __( 'You have logged in successfully.', 'two-factor' ) . '

'; + $interim_login = 'success'; // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited + login_header( '', $message ); + ?> + + + + + + + %s', esc_html__( 'Disabled', 'two-factor' ) ); + } else { + $provider = self::get_primary_provider_for_user( $user_id ); + return esc_html( $provider->get_label() ); + } + + } + + /** + * Add user profile fields. + * + * This executes during the `show_user_profile` & `edit_user_profile` actions. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + */ + public static function user_two_factor_options( $user ) { + wp_enqueue_style( 'user-edit-2fa', plugins_url( 'user-edit.css', __FILE__ ), array(), TWO_FACTOR_VERSION ); + + $enabled_providers = array_keys( self::get_available_providers_for_user( $user ) ); + $primary_provider = self::get_primary_provider_for_user( $user->ID ); + + if ( ! empty( $primary_provider ) && is_object( $primary_provider ) ) { + $primary_provider_key = get_class( $primary_provider ); + } else { + $primary_provider_key = null; + } + + wp_nonce_field( 'user_two_factor_options', '_nonce_user_two_factor_options', false ); + + ?> + + + + + + +
+ + + + + + + + + + + + $object ) : ?> + + + + + + + +
/> /> + + +
+
+ } + */ +u2f.Transports; + +/** + * Data object for a single sign request. + * @typedef {{ + * version: string, + * challenge: string, + * keyHandle: string, + * appId: string + * }} + */ +u2f.SignRequest; + + +/** + * Data object for a sign response. + * @typedef {{ + * keyHandle: string, + * signatureData: string, + * clientData: string + * }} + */ +u2f.SignResponse; + + +/** + * Data object for a registration request. + * @typedef {{ + * version: string, + * challenge: string + * }} + */ +u2f.RegisterRequest; + + +/** + * Data object for a registration response. + * @typedef {{ + * version: string, + * keyHandle: string, + * transports: Transports, + * appId: string + * }} + */ +u2f.RegisterResponse; + + +/** + * Data object for a registered key. + * @typedef {{ + * version: string, + * keyHandle: string, + * transports: ?Transports, + * appId: ?string + * }} + */ +u2f.RegisteredKey; + + +/** + * Data object for a get API register response. + * @typedef {{ + * js_api_version: number + * }} + */ +u2f.GetJsApiVersionResponse; + + +//Low level MessagePort API support + +/** + * Sets up a MessagePort to the U2F extension using the + * available mechanisms. + * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback + */ +u2f.getMessagePort = function(callback) { + if (typeof chrome != 'undefined' && chrome.runtime) { + // The actual message here does not matter, but we need to get a reply + // for the callback to run. Thus, send an empty signature request + // in order to get a failure response. + var msg = { + type: u2f.MessageTypes.U2F_SIGN_REQUEST, + signRequests: [] + }; + chrome.runtime.sendMessage(u2f.EXTENSION_ID, msg, function() { + if (!chrome.runtime.lastError) { + // We are on a whitelisted origin and can talk directly + // with the extension. + u2f.getChromeRuntimePort_(callback); + } else { + // chrome.runtime was available, but we couldn't message + // the extension directly, use iframe + u2f.getIframePort_(callback); + } + }); + } else if (u2f.isAndroidChrome_()) { + u2f.getAuthenticatorPort_(callback); + } else if (u2f.isIosChrome_()) { + u2f.getIosPort_(callback); + } else { + // chrome.runtime was not available at all, which is normal + // when this origin doesn't have access to any extensions. + u2f.getIframePort_(callback); + } +}; + +/** + * Detect chrome running on android based on the browser's useragent. + * @private + */ +u2f.isAndroidChrome_ = function() { + var userAgent = navigator.userAgent; + return userAgent.indexOf('Chrome') != -1 && + userAgent.indexOf('Android') != -1; +}; + +/** + * Detect chrome running on iOS based on the browser's platform. + * @private + */ +u2f.isIosChrome_ = function() { + return ["iPhone", "iPad", "iPod"].indexOf(navigator.platform) > -1; +}; + +/** + * Connects directly to the extension via chrome.runtime.connect. + * @param {function(u2f.WrappedChromeRuntimePort_)} callback + * @private + */ +u2f.getChromeRuntimePort_ = function(callback) { + var port = chrome.runtime.connect(u2f.EXTENSION_ID, + {'includeTlsChannelId': true}); + setTimeout(function() { + callback(new u2f.WrappedChromeRuntimePort_(port)); + }, 0); +}; + +/** + * Return a 'port' abstraction to the Authenticator app. + * @param {function(u2f.WrappedAuthenticatorPort_)} callback + * @private + */ +u2f.getAuthenticatorPort_ = function(callback) { + setTimeout(function() { + callback(new u2f.WrappedAuthenticatorPort_()); + }, 0); +}; + +/** + * Return a 'port' abstraction to the iOS client app. + * @param {function(u2f.WrappedIosPort_)} callback + * @private + */ +u2f.getIosPort_ = function(callback) { + setTimeout(function() { + callback(new u2f.WrappedIosPort_()); + }, 0); +}; + +/** + * A wrapper for chrome.runtime.Port that is compatible with MessagePort. + * @param {Port} port + * @constructor + * @private + */ +u2f.WrappedChromeRuntimePort_ = function(port) { + this.port_ = port; +}; + +/** + * Format and return a sign request compliant with the JS API version supported by the extension. + * @param {Array} signRequests + * @param {number} timeoutSeconds + * @param {number} reqId + * @return {Object} + */ +u2f.formatSignRequest_ = + function(appId, challenge, registeredKeys, timeoutSeconds, reqId) { + if (js_api_version === undefined || js_api_version < 1.1) { + // Adapt request to the 1.0 JS API. + var signRequests = []; + for (var i = 0; i < registeredKeys.length; i++) { + signRequests[i] = { + version: registeredKeys[i].version, + challenge: challenge, + keyHandle: registeredKeys[i].keyHandle, + appId: appId + }; + } + return { + type: u2f.MessageTypes.U2F_SIGN_REQUEST, + signRequests: signRequests, + timeoutSeconds: timeoutSeconds, + requestId: reqId + }; + } + // JS 1.1 API. + return { + type: u2f.MessageTypes.U2F_SIGN_REQUEST, + appId: appId, + challenge: challenge, + registeredKeys: registeredKeys, + timeoutSeconds: timeoutSeconds, + requestId: reqId + }; +}; + +/** + * Format and return a register request compliant with the JS API version supported by the extension.. + * @param {Array} signRequests + * @param {Array} signRequests + * @param {number} timeoutSeconds + * @param {number} reqId + * @return {Object} + */ +u2f.formatRegisterRequest_ = + function(appId, registeredKeys, registerRequests, timeoutSeconds, reqId) { + if (js_api_version === undefined || js_api_version < 1.1) { + // Adapt request to the 1.0 JS API. + for (var i = 0; i < registerRequests.length; i++) { + registerRequests[i].appId = appId; + } + var signRequests = []; + for (var i = 0; i < registeredKeys.length; i++) { + signRequests[i] = { + version: registeredKeys[i].version, + challenge: registerRequests[0], + keyHandle: registeredKeys[i].keyHandle, + appId: appId + }; + } + return { + type: u2f.MessageTypes.U2F_REGISTER_REQUEST, + signRequests: signRequests, + registerRequests: registerRequests, + timeoutSeconds: timeoutSeconds, + requestId: reqId + }; + } + // JS 1.1 API. + return { + type: u2f.MessageTypes.U2F_REGISTER_REQUEST, + appId: appId, + registerRequests: registerRequests, + registeredKeys: registeredKeys, + timeoutSeconds: timeoutSeconds, + requestId: reqId + }; +}; + + +/** + * Posts a message on the underlying channel. + * @param {Object} message + */ +u2f.WrappedChromeRuntimePort_.prototype.postMessage = function(message) { + this.port_.postMessage(message); +}; + + +/** + * Emulates the HTML 5 addEventListener interface. Works only for the + * onmessage event, which is hooked up to the chrome.runtime.Port.onMessage. + * @param {string} eventName + * @param {function({data: Object})} handler + */ +u2f.WrappedChromeRuntimePort_.prototype.addEventListener = + function(eventName, handler) { + var name = eventName.toLowerCase(); + if (name == 'message' || name == 'onmessage') { + this.port_.onMessage.addListener(function(message) { + // Emulate a minimal MessageEvent object. + handler({'data': message}); + }); + } else { + console.error('WrappedChromeRuntimePort only supports onMessage'); + } +}; + +/** + * Wrap the Authenticator app with a MessagePort interface. + * @constructor + * @private + */ +u2f.WrappedAuthenticatorPort_ = function() { + this.requestId_ = -1; + this.requestObject_ = null; +} + +/** + * Launch the Authenticator intent. + * @param {Object} message + */ +u2f.WrappedAuthenticatorPort_.prototype.postMessage = function(message) { + var intentUrl = + u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ + + ';S.request=' + encodeURIComponent(JSON.stringify(message)) + + ';end'; + document.location = intentUrl; +}; + +/** + * Tells what type of port this is. + * @return {String} port type + */ +u2f.WrappedAuthenticatorPort_.prototype.getPortType = function() { + return "WrappedAuthenticatorPort_"; +}; + + +/** + * Emulates the HTML 5 addEventListener interface. + * @param {string} eventName + * @param {function({data: Object})} handler + */ +u2f.WrappedAuthenticatorPort_.prototype.addEventListener = function(eventName, handler) { + var name = eventName.toLowerCase(); + if (name == 'message') { + var self = this; + /* Register a callback to that executes when + * chrome injects the response. */ + window.addEventListener( + 'message', self.onRequestUpdate_.bind(self, handler), false); + } else { + console.error('WrappedAuthenticatorPort only supports message'); + } +}; + +/** + * Callback invoked when a response is received from the Authenticator. + * @param function({data: Object}) callback + * @param {Object} message message Object + */ +u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_ = + function(callback, message) { + var messageObject = JSON.parse(message.data); + var intentUrl = messageObject['intentURL']; + + var errorCode = messageObject['errorCode']; + var responseObject = null; + if (messageObject.hasOwnProperty('data')) { + responseObject = /** @type {Object} */ ( + JSON.parse(messageObject['data'])); + } + + callback({'data': responseObject}); +}; + +/** + * Base URL for intents to Authenticator. + * @const + * @private + */ +u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ = + 'intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE'; + +/** + * Wrap the iOS client app with a MessagePort interface. + * @constructor + * @private + */ +u2f.WrappedIosPort_ = function() {}; + +/** + * Launch the iOS client app request + * @param {Object} message + */ +u2f.WrappedIosPort_.prototype.postMessage = function(message) { + var str = JSON.stringify(message); + var url = "u2f://auth?" + encodeURI(str); + location.replace(url); +}; + +/** + * Tells what type of port this is. + * @return {String} port type + */ +u2f.WrappedIosPort_.prototype.getPortType = function() { + return "WrappedIosPort_"; +}; + +/** + * Emulates the HTML 5 addEventListener interface. + * @param {string} eventName + * @param {function({data: Object})} handler + */ +u2f.WrappedIosPort_.prototype.addEventListener = function(eventName, handler) { + var name = eventName.toLowerCase(); + if (name !== 'message') { + console.error('WrappedIosPort only supports message'); + } +}; + +/** + * Sets up an embedded trampoline iframe, sourced from the extension. + * @param {function(MessagePort)} callback + * @private + */ +u2f.getIframePort_ = function(callback) { + // Create the iframe + var iframeOrigin = 'chrome-extension://' + u2f.EXTENSION_ID; + var iframe = document.createElement('iframe'); + iframe.src = iframeOrigin + '/u2f-comms.html'; + iframe.setAttribute('style', 'display:none'); + document.body.appendChild(iframe); + + var channel = new MessageChannel(); + var ready = function(message) { + if (message.data == 'ready') { + channel.port1.removeEventListener('message', ready); + callback(channel.port1); + } else { + console.error('First event on iframe port was not "ready"'); + } + }; + channel.port1.addEventListener('message', ready); + channel.port1.start(); + + iframe.addEventListener('load', function() { + // Deliver the port to the iframe and initialize + iframe.contentWindow.postMessage('init', iframeOrigin, [channel.port2]); + }); +}; + + +//High-level JS API + +/** + * Default extension response timeout in seconds. + * @const + */ +u2f.EXTENSION_TIMEOUT_SEC = 30; + +/** + * A singleton instance for a MessagePort to the extension. + * @type {MessagePort|u2f.WrappedChromeRuntimePort_} + * @private + */ +u2f.port_ = null; + +/** + * Callbacks waiting for a port + * @type {Array} + * @private + */ +u2f.waitingForPort_ = []; + +/** + * A counter for requestIds. + * @type {number} + * @private + */ +u2f.reqCounter_ = 0; + +/** + * A map from requestIds to client callbacks + * @type {Object.} + * @private + */ +u2f.callbackMap_ = {}; + +/** + * Creates or retrieves the MessagePort singleton to use. + * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback + * @private + */ +u2f.getPortSingleton_ = function(callback) { + if (u2f.port_) { + callback(u2f.port_); + } else { + if (u2f.waitingForPort_.length == 0) { + u2f.getMessagePort(function(port) { + u2f.port_ = port; + u2f.port_.addEventListener('message', + /** @type {function(Event)} */ (u2f.responseHandler_)); + + // Careful, here be async callbacks. Maybe. + while (u2f.waitingForPort_.length) + u2f.waitingForPort_.shift()(u2f.port_); + }); + } + u2f.waitingForPort_.push(callback); + } +}; + +/** + * Handles response messages from the extension. + * @param {MessageEvent.} message + * @private + */ +u2f.responseHandler_ = function(message) { + var response = message.data; + var reqId = response['requestId']; + if (!reqId || !u2f.callbackMap_[reqId]) { + console.error('Unknown or missing requestId in response.'); + return; + } + var cb = u2f.callbackMap_[reqId]; + delete u2f.callbackMap_[reqId]; + cb(response['responseData']); +}; + +/** + * Dispatches an array of sign requests to available U2F tokens. + * If the JS API version supported by the extension is unknown, it first sends a + * message to the extension to find out the supported API version and then it sends + * the sign request. + * @param {string=} appId + * @param {string=} challenge + * @param {Array} registeredKeys + * @param {function((u2f.Error|u2f.SignResponse))} callback + * @param {number=} opt_timeoutSeconds + */ +u2f.sign = function(appId, challenge, registeredKeys, callback, opt_timeoutSeconds) { + if (js_api_version === undefined) { + // Send a message to get the extension to JS API version, then send the actual sign request. + u2f.getApiVersion( + function (response) { + js_api_version = response['js_api_version'] === undefined ? 0 : response['js_api_version']; + console.log("Extension JS API Version: ", js_api_version); + u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds); + }); + } else { + // We know the JS API version. Send the actual sign request in the supported API version. + u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds); + } +}; + +/** + * Dispatches an array of sign requests to available U2F tokens. + * @param {string=} appId + * @param {string=} challenge + * @param {Array} registeredKeys + * @param {function((u2f.Error|u2f.SignResponse))} callback + * @param {number=} opt_timeoutSeconds + */ +u2f.sendSignRequest = function(appId, challenge, registeredKeys, callback, opt_timeoutSeconds) { + u2f.getPortSingleton_(function(port) { + var reqId = ++u2f.reqCounter_; + u2f.callbackMap_[reqId] = callback; + var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ? + opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC); + var req = u2f.formatSignRequest_(appId, challenge, registeredKeys, timeoutSeconds, reqId); + port.postMessage(req); + }); +}; + +/** + * Dispatches register requests to available U2F tokens. An array of sign + * requests identifies already registered tokens. + * If the JS API version supported by the extension is unknown, it first sends a + * message to the extension to find out the supported API version and then it sends + * the register request. + * @param {string=} appId + * @param {Array} registerRequests + * @param {Array} registeredKeys + * @param {function((u2f.Error|u2f.RegisterResponse))} callback + * @param {number=} opt_timeoutSeconds + */ +u2f.register = function(appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) { + if (js_api_version === undefined) { + // Send a message to get the extension to JS API version, then send the actual register request. + u2f.getApiVersion( + function (response) { + js_api_version = response['js_api_version'] === undefined ? 0: response['js_api_version']; + console.log("Extension JS API Version: ", js_api_version); + u2f.sendRegisterRequest(appId, registerRequests, registeredKeys, + callback, opt_timeoutSeconds); + }); + } else { + // We know the JS API version. Send the actual register request in the supported API version. + u2f.sendRegisterRequest(appId, registerRequests, registeredKeys, + callback, opt_timeoutSeconds); + } +}; + +/** + * Dispatches register requests to available U2F tokens. An array of sign + * requests identifies already registered tokens. + * @param {string=} appId + * @param {Array} registerRequests + * @param {Array} registeredKeys + * @param {function((u2f.Error|u2f.RegisterResponse))} callback + * @param {number=} opt_timeoutSeconds + */ +u2f.sendRegisterRequest = function(appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) { + u2f.getPortSingleton_(function(port) { + var reqId = ++u2f.reqCounter_; + u2f.callbackMap_[reqId] = callback; + var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ? + opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC); + var req = u2f.formatRegisterRequest_( + appId, registeredKeys, registerRequests, timeoutSeconds, reqId); + port.postMessage(req); + }); +}; + + +/** + * Dispatches a message to the extension to find out the supported + * JS API version. + * If the user is on a mobile phone and is thus using Google Authenticator instead + * of the Chrome extension, don't send the request and simply return 0. + * @param {function((u2f.Error|u2f.GetJsApiVersionResponse))} callback + * @param {number=} opt_timeoutSeconds + */ +u2f.getApiVersion = function(callback, opt_timeoutSeconds) { + u2f.getPortSingleton_(function(port) { + // If we are using Android Google Authenticator or iOS client app, + // do not fire an intent to ask which JS API version to use. + if (port.getPortType) { + var apiVersion; + switch (port.getPortType()) { + case 'WrappedIosPort_': + case 'WrappedAuthenticatorPort_': + apiVersion = 1.1; + break; + + default: + apiVersion = 0; + break; + } + callback({ 'js_api_version': apiVersion }); + return; + } + var reqId = ++u2f.reqCounter_; + u2f.callbackMap_[reqId] = callback; + var req = { + type: u2f.MessageTypes.U2F_GET_API_VERSION_REQUEST, + timeoutSeconds: (typeof opt_timeoutSeconds !== 'undefined' ? + opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC), + requestId: reqId + }; + port.postMessage(req); + }); +}; diff --git a/wp-content/plugins/two-factor/includes/Yubico/U2F.php b/wp-content/plugins/two-factor/includes/Yubico/U2F.php new file mode 100644 index 00000000..e819bbc1 --- /dev/null +++ b/wp-content/plugins/two-factor/includes/Yubico/U2F.php @@ -0,0 +1,507 @@ +appId = $appId; + $this->attestDir = $attestDir; + } + + /** + * Called to get a registration request to send to a user. + * Returns an array of one registration request and a array of sign requests. + * + * @param array $registrations List of current registrations for this + * user, to prevent the user from registering the same authenticator several + * times. + * @return array An array of two elements, the first containing a + * RegisterRequest the second being an array of SignRequest + * @throws Error + */ + public function getRegisterData(array $registrations = array()) + { + $challenge = $this->createChallenge(); + $request = new RegisterRequest($challenge, $this->appId); + $signs = $this->getAuthenticateData($registrations); + return array($request, $signs); + } + + /** + * Called to verify and unpack a registration message. + * + * @param RegisterRequest $request this is a reply to + * @param object $response response from a user + * @param bool $includeCert set to true if the attestation certificate should be + * included in the returned Registration object + * @return Registration + * @throws Error + */ + public function doRegister($request, $response, $includeCert = true) + { + if( !is_object( $request ) ) { + throw new \InvalidArgumentException('$request of doRegister() method only accepts object.'); + } + + if( !is_object( $response ) ) { + throw new \InvalidArgumentException('$response of doRegister() method only accepts object.'); + } + + if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) { + throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING ); + } + + if( !is_bool( $includeCert ) ) { + throw new \InvalidArgumentException('$include_cert of doRegister() method only accepts boolean.'); + } + + $rawReg = $this->base64u_decode($response->registrationData); + $regData = array_values(unpack('C*', $rawReg)); + $clientData = $this->base64u_decode($response->clientData); + $cli = json_decode($clientData); + + if($cli->challenge !== $request->challenge) { + throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE ); + } + + $registration = new Registration(); + $offs = 1; + $pubKey = substr($rawReg, $offs, PUBKEY_LEN); + $offs += PUBKEY_LEN; + // Decode the pubKey to make sure it's good. + $tmpKey = $this->pubkey_to_pem($pubKey); + if($tmpKey === null) { + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); + } + $registration->publicKey = base64_encode($pubKey); + $khLen = $regData[$offs++]; + $kh = substr($rawReg, $offs, $khLen); + $offs += $khLen; + $registration->keyHandle = $this->base64u_encode($kh); + + // length of certificate is stored in byte 3 and 4 (excluding the first 4 bytes). + $certLen = 4; + $certLen += ($regData[$offs + 2] << 8); + $certLen += $regData[$offs + 3]; + + $rawCert = $this->fixSignatureUnusedBits(substr($rawReg, $offs, $certLen)); + $offs += $certLen; + $pemCert = "-----BEGIN CERTIFICATE-----\r\n"; + $pemCert .= chunk_split(base64_encode($rawCert), 64); + $pemCert .= "-----END CERTIFICATE-----"; + if($includeCert) { + $registration->certificate = base64_encode($rawCert); + } + if($this->attestDir) { + if(openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) { + throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION ); + } + } + + if(!openssl_pkey_get_public($pemCert)) { + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); + } + $signature = substr($rawReg, $offs); + + $dataToVerify = chr(0); + $dataToVerify .= hash('sha256', $request->appId, true); + $dataToVerify .= hash('sha256', $clientData, true); + $dataToVerify .= $kh; + $dataToVerify .= $pubKey; + + if(openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) { + return $registration; + } else { + throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE ); + } + } + + /** + * Called to get an authentication request. + * + * @param array $registrations An array of the registrations to create authentication requests for. + * @return array An array of SignRequest + * @throws Error + */ + public function getAuthenticateData(array $registrations) + { + $sigs = array(); + $challenge = $this->createChallenge(); + foreach ($registrations as $reg) { + if( !is_object( $reg ) ) { + throw new \InvalidArgumentException('$registrations of getAuthenticateData() method only accepts array of object.'); + } + + $sig = new SignRequest(); + $sig->appId = $this->appId; + $sig->keyHandle = $reg->keyHandle; + $sig->challenge = $challenge; + $sigs[] = $sig; + } + return $sigs; + } + + /** + * Called to verify an authentication response + * + * @param array $requests An array of outstanding authentication requests + * @param array $registrations An array of current registrations + * @param object $response A response from the authenticator + * @return Registration + * @throws Error + * + * The Registration object returned on success contains an updated counter + * that should be saved for future authentications. + * If the Error returned is ERR_COUNTER_TOO_LOW this is an indication of + * token cloning or similar and appropriate action should be taken. + */ + public function doAuthenticate(array $requests, array $registrations, $response) + { + if( !is_object( $response ) ) { + throw new \InvalidArgumentException('$response of doAuthenticate() method only accepts object.'); + } + + if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) { + throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING ); + } + + /** @var object|null $req */ + $req = null; + + /** @var object|null $reg */ + $reg = null; + + $clientData = $this->base64u_decode($response->clientData); + $decodedClient = json_decode($clientData); + foreach ($requests as $req) { + if( !is_object( $req ) ) { + throw new \InvalidArgumentException('$requests of doAuthenticate() method only accepts array of object.'); + } + + if($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) { + break; + } + + $req = null; + } + if($req === null) { + throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST ); + } + foreach ($registrations as $reg) { + if( !is_object( $reg ) ) { + throw new \InvalidArgumentException('$registrations of doAuthenticate() method only accepts array of object.'); + } + + if($reg->keyHandle === $response->keyHandle) { + break; + } + $reg = null; + } + if($reg === null) { + throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION ); + } + $pemKey = $this->pubkey_to_pem($this->base64u_decode($reg->publicKey)); + if($pemKey === null) { + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); + } + + $signData = $this->base64u_decode($response->signatureData); + $dataToVerify = hash('sha256', $req->appId, true); + $dataToVerify .= substr($signData, 0, 5); + $dataToVerify .= hash('sha256', $clientData, true); + $signature = substr($signData, 5); + + if(openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) { + $ctr = unpack("Nctr", substr($signData, 1, 4)); + $counter = $ctr['ctr']; + /* TODO: wrap-around should be handled somehow.. */ + if($counter > $reg->counter) { + $reg->counter = $counter; + return $reg; + } else { + throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW ); + } + } else { + throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE ); + } + } + + /** + * @return array + */ + private function get_certs() + { + $files = array(); + $dir = $this->attestDir; + if($dir && $handle = opendir($dir)) { + while(false !== ($entry = readdir($handle))) { + if(is_file("$dir/$entry")) { + $files[] = "$dir/$entry"; + } + } + closedir($handle); + } + return $files; + } + + /** + * @param string $data + * @return string + */ + private function base64u_encode($data) + { + return trim(strtr(base64_encode($data), '+/', '-_'), '='); + } + + /** + * @param string $data + * @return string + */ + private function base64u_decode($data) + { + return base64_decode(strtr($data, '-_', '+/')); + } + + /** + * @param string $key + * @return null|string + */ + private function pubkey_to_pem($key) + { + if(strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") { + return null; + } + + /* + * Convert the public key to binary DER format first + * Using the ECC SubjectPublicKeyInfo OIDs from RFC 5480 + * + * SEQUENCE(2 elem) 30 59 + * SEQUENCE(2 elem) 30 13 + * OID1.2.840.10045.2.1 (id-ecPublicKey) 06 07 2a 86 48 ce 3d 02 01 + * OID1.2.840.10045.3.1.7 (secp256r1) 06 08 2a 86 48 ce 3d 03 01 07 + * BIT STRING(520 bit) 03 42 ..key.. + */ + $der = "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01"; + $der .= "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42"; + $der .= "\0".$key; + + $pem = "-----BEGIN PUBLIC KEY-----\r\n"; + $pem .= chunk_split(base64_encode($der), 64); + $pem .= "-----END PUBLIC KEY-----"; + + return $pem; + } + + /** + * @return string + * @throws Error + */ + private function createChallenge() + { + $challenge = openssl_random_pseudo_bytes(32, $crypto_strong ); + if( $crypto_strong !== true ) { + throw new Error('Unable to obtain a good source of randomness', ERR_BAD_RANDOM); + } + + $challenge = $this->base64u_encode( $challenge ); + + return $challenge; + } + + /** + * Fixes a certificate where the signature contains unused bits. + * + * @param string $cert + * @return mixed + */ + private function fixSignatureUnusedBits($cert) + { + if(in_array(hash('sha256', $cert), $this->FIXCERTS)) { + $cert[strlen($cert) - 257] = "\0"; + } + return $cert; + } +} + +/** + * Class for building a registration request + * + * @package u2flib_server + */ +class RegisterRequest +{ + /** Protocol version */ + public $version = U2F_VERSION; + + /** Registration challenge */ + public $challenge; + + /** Application id */ + public $appId; + + /** + * @param string $challenge + * @param string $appId + * @internal + */ + public function __construct($challenge, $appId) + { + $this->challenge = $challenge; + $this->appId = $appId; + } +} + +/** + * Class for building up an authentication request + * + * @package u2flib_server + */ +class SignRequest +{ + /** Protocol version */ + public $version = U2F_VERSION; + + /** Authentication challenge */ + public $challenge; + + /** Key handle of a registered authenticator */ + public $keyHandle; + + /** Application id */ + public $appId; +} + +/** + * Class returned for successful registrations + * + * @package u2flib_server + */ +class Registration +{ + /** The key handle of the registered authenticator */ + public $keyHandle; + + /** The public key of the registered authenticator */ + public $publicKey; + + /** The attestation certificate of the registered authenticator */ + public $certificate; + + /** The counter associated with this registration */ + public $counter = -1; +} + +/** + * Error class, returned on errors + * + * @package u2flib_server + */ +class Error extends \Exception +{ + /** + * Override constructor and make message and code mandatory + * @param string $message + * @param int $code + * @param \Exception|null $previous + */ + public function __construct($message, $code, \Exception $previous = null) { + parent::__construct($message, $code, $previous); + } +} diff --git a/wp-content/plugins/two-factor/includes/function.login-footer.php b/wp-content/plugins/two-factor/includes/function.login-footer.php new file mode 100644 index 00000000..a2876b02 --- /dev/null +++ b/wp-content/plugins/two-factor/includes/function.login-footer.php @@ -0,0 +1,87 @@ + +

+ %s', + esc_url( home_url( '/' ) ), + sprintf( + /* translators: %s: Site title. */ + _x( '← Go to %s', 'site' ), + get_bloginfo( 'title', 'display' ) + ) + ); + /** + * Filter the "Go to site" link displayed in the login page footer. + * + * @since 5.7.0 + * + * @param string $link HTML link to the home URL of the current site. + */ + echo apply_filters( 'login_site_html_link', $html_link ); + ?> +

+ ', '' ); + } + + ?> + . ?> + + + + +
+ + + + + ` element. + * Default 'Log In'. + * @param string $message Optional. Message to display in header. Default empty. + * @param WP_Error $wp_error Optional. The error to pass. Default is a WP_Error instance. + */ +function login_header( $title = 'Log In', $message = '', $wp_error = null ) { + global $error, $interim_login, $action; + + // Don't index any of these forms. + add_filter( 'wp_robots', 'wp_robots_sensitive_page' ); + add_action( 'login_head', 'wp_strict_cross_origin_referrer' ); + + add_action( 'login_head', 'wp_login_viewport_meta' ); + + if ( ! is_wp_error( $wp_error ) ) { + $wp_error = new WP_Error(); + } + + // Shake it! + $shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password', 'retrieve_password_email_failure' ); + /** + * Filters the error codes array for shaking the login form. + * + * @since 3.0.0 + * + * @param array $shake_error_codes Error codes that shake the login form. + */ + $shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes ); + + if ( $shake_error_codes && $wp_error->has_errors() && in_array( $wp_error->get_error_code(), $shake_error_codes, true ) ) { + add_action( 'login_footer', 'wp_shake_js', 12 ); + } + + $login_title = get_bloginfo( 'name', 'display' ); + + /* translators: Login screen title. 1: Login screen name, 2: Network or site name. */ + $login_title = sprintf( __( '%1$s ‹ %2$s — WordPress' ), $title, $login_title ); + + if ( wp_is_recovery_mode() ) { + /* translators: %s: Login screen title. */ + $login_title = sprintf( __( 'Recovery Mode — %s' ), $login_title ); + } + + /** + * Filters the title tag content for login page. + * + * @since 4.9.0 + * + * @param string $login_title The page title, with extra context added. + * @param string $title The original page title. + */ + $login_title = apply_filters( 'login_title', $login_title, $title ); + + ?> + > + + + <?php echo $login_title; ?> + get_error_code() ) { + ?> + + + + + + + + +
+

+ add( 'error', $error ); + unset( $error ); + } + + if ( $wp_error->has_errors() ) { + $errors = ''; + $messages = ''; + + foreach ( $wp_error->get_error_codes() as $code ) { + $severity = $wp_error->get_error_data( $code ); + foreach ( $wp_error->get_error_messages( $code ) as $error_message ) { + if ( 'message' === $severity ) { + $messages .= ' ' . $error_message . "
\n"; + } else { + $errors .= ' ' . $error_message . "
\n"; + } + } + } + + if ( ! empty( $errors ) ) { + /** + * Filters the error messages displayed above the login form. + * + * @since 2.1.0 + * + * @param string $errors Login error message. + */ + echo '
' . apply_filters( 'login_errors', $errors ) . "
\n"; + } + + if ( ! empty( $messages ) ) { + /** + * Filters instructional messages displayed above the login form. + * + * @since 2.5.0 + * + * @param string $messages Login messages. + */ + echo '

' . apply_filters( 'login_messages', $messages ) . "

\n"; + } + } +} // End of login_header(). + +/** + * Outputs the viewport meta tag for the login page. + * + * @since 3.7.0 + */ +function wp_login_viewport_meta() { + ?> + + ID ), true ) ) { + return; + } + + // Return if we are not out of codes. + if ( $this->is_available_for_user( $user ) ) { + return; + } + ?> +
+

+ + regenerate!', 'two-factor' ), + esc_url( get_edit_user_link( $user->ID ) . '#two-factor-backup-codes' ) + ), + array( 'a' => array( 'href' => true ) ) + ); + ?> + +

+
+ ID ); + $count = self::codes_remaining_for_user( $user ); + ?> +

+ + + + +

+ + + ID, self::BACKUP_CODES_META_KEY, true ); + } + + for ( $i = 0; $i < $num_codes; $i++ ) { + $code = $this->get_code(); + $codes_hashed[] = wp_hash_password( $code ); + $codes[] = $code; + unset( $code ); + } + + update_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, $codes_hashed ); + + // Unhashed. + return $codes; + } + + /** + * Generates a JSON object of backup codes. + * + * @since 0.1-dev + */ + public function ajax_generate_json() { + $user = get_user_by( 'id', filter_input( INPUT_POST, 'user_id', FILTER_SANITIZE_NUMBER_INT ) ); + check_ajax_referer( 'two-factor-backup-codes-generate-json-' . $user->ID, 'nonce' ); + + // Setup the return data. + $codes = $this->generate_codes( $user ); + $count = self::codes_remaining_for_user( $user ); + $i18n = array( + /* translators: %s: count */ + 'count' => esc_html( sprintf( _n( '%s unused code remaining.', '%s unused codes remaining.', $count, 'two-factor' ), $count ) ), + /* translators: %s: the site's domain */ + 'title' => esc_html__( 'Two-Factor Backup Codes for %s', 'two-factor' ), + ); + + // Send the response. + wp_send_json_success( + array( + 'codes' => $codes, + 'i18n' => $i18n, + ) + ); + } + + /** + * Returns the number of unused codes for the specified user + * + * @param WP_User $user WP_User object of the logged-in user. + * @return int $int The number of unused codes remaining + */ + public static function codes_remaining_for_user( $user ) { + $backup_codes = get_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, true ); + if ( is_array( $backup_codes ) && ! empty( $backup_codes ) ) { + return count( $backup_codes ); + } + return 0; + } + + /** + * Prints the form that prompts the user to authenticate. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + */ + public function authentication_page( $user ) { + require_once ABSPATH . '/wp-admin/includes/template.php'; + ?> +


+

+ + +

+ validate_code( $user, $backup_code ); + } + + /** + * Validates a backup code. + * + * Backup Codes are single use and are deleted upon a successful validation. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + * @param int $code The backup code. + * @return boolean + */ + public function validate_code( $user, $code ) { + $backup_codes = get_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, true ); + + if ( is_array( $backup_codes ) && ! empty( $backup_codes ) ) { + foreach ( $backup_codes as $code_index => $code_hashed ) { + if ( wp_check_password( $code, $code_hashed, $user->ID ) ) { + $this->delete_code( $user, $code_hashed ); + return true; + } + } + } + return false; + } + + /** + * Deletes a backup code. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + * @param string $code_hashed The hashed the backup code. + */ + public function delete_code( $user, $code_hashed ) { + $backup_codes = get_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, true ); + + // Delete the current code from the list since it's been used. + $backup_codes = array_flip( $backup_codes ); + unset( $backup_codes[ $code_hashed ] ); + $backup_codes = array_values( array_flip( $backup_codes ) ); + + // Update the backup code master list. + update_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, $backup_codes ); + } +} diff --git a/wp-content/plugins/two-factor/providers/class-two-factor-dummy.php b/wp-content/plugins/two-factor/providers/class-two-factor-dummy.php new file mode 100644 index 00000000..f1625dce --- /dev/null +++ b/wp-content/plugins/two-factor/providers/class-two-factor-dummy.php @@ -0,0 +1,99 @@ + +

+ get_code(); + + update_user_meta( $user_id, self::TOKEN_META_KEY_TIMESTAMP, time() ); + update_user_meta( $user_id, self::TOKEN_META_KEY, wp_hash( $token ) ); + + return $token; + } + + /** + * Check if user has a valid token already. + * + * @param int $user_id User ID. + * @return boolean If user has a valid email token. + */ + public function user_has_token( $user_id ) { + $hashed_token = $this->get_user_token( $user_id ); + + if ( ! empty( $hashed_token ) ) { + return true; + } + + return false; + } + + /** + * Has the user token validity timestamp expired. + * + * @param integer $user_id User ID. + * + * @return boolean + */ + public function user_token_has_expired( $user_id ) { + $token_lifetime = $this->user_token_lifetime( $user_id ); + $token_ttl = $this->user_token_ttl( $user_id ); + + // Invalid token lifetime is considered an expired token. + if ( is_int( $token_lifetime ) && $token_lifetime <= $token_ttl ) { + return false; + } + + return true; + } + + /** + * Get the lifetime of a user token in seconds. + * + * @param integer $user_id User ID. + * + * @return integer|null Return `null` if the lifetime can't be measured. + */ + public function user_token_lifetime( $user_id ) { + $timestamp = intval( get_user_meta( $user_id, self::TOKEN_META_KEY_TIMESTAMP, true ) ); + + if ( ! empty( $timestamp ) ) { + return time() - $timestamp; + } + + return null; + } + + /** + * Return the token time-to-live for a user. + * + * @param integer $user_id User ID. + * + * @return integer + */ + public function user_token_ttl( $user_id ) { + $token_ttl = 15 * MINUTE_IN_SECONDS; + + /** + * Number of seconds the token is considered valid + * after the generation. + * + * @param integer $token_ttl Token time-to-live in seconds. + * @param integer $user_id User ID. + */ + return (int) apply_filters( 'two_factor_token_ttl', $token_ttl, $user_id ); + } + + /** + * Get the authentication token for the user. + * + * @param int $user_id User ID. + * + * @return string|boolean User token or `false` if no token found. + */ + public function get_user_token( $user_id ) { + $hashed_token = get_user_meta( $user_id, self::TOKEN_META_KEY, true ); + + if ( ! empty( $hashed_token ) && is_string( $hashed_token ) ) { + return $hashed_token; + } + + return false; + } + + /** + * Validate the user token. + * + * @since 0.1-dev + * + * @param int $user_id User ID. + * @param string $token User token. + * @return boolean + */ + public function validate_token( $user_id, $token ) { + $hashed_token = $this->get_user_token( $user_id ); + + // Bail if token is empty or it doesn't match. + if ( empty( $hashed_token ) || ! hash_equals( wp_hash( $token ), $hashed_token ) ) { + return false; + } + + if ( $this->user_token_has_expired( $user_id ) ) { + return false; + } + + // Ensure the token can be used only once. + $this->delete_token( $user_id ); + + return true; + } + + /** + * Delete the user token. + * + * @since 0.1-dev + * + * @param int $user_id User ID. + */ + public function delete_token( $user_id ) { + delete_user_meta( $user_id, self::TOKEN_META_KEY ); + } + + /** + * Generate and email the user token. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + * @return bool Whether the email contents were sent successfully. + */ + public function generate_and_email_token( $user ) { + $token = $this->generate_token( $user->ID ); + + /* translators: %s: site name */ + $subject = wp_strip_all_tags( sprintf( __( 'Your login confirmation code for %s', 'two-factor' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ) ); + /* translators: %s: token */ + $message = wp_strip_all_tags( sprintf( __( 'Enter %s to log in.', 'two-factor' ), $token ) ); + + /** + * Filter the token email subject. + * + * @param string $subject The email subject line. + * @param int $user_id The ID of the user. + */ + $subject = apply_filters( 'two_factor_token_email_subject', $subject, $user->ID ); + + /** + * Filter the token email message. + * + * @param string $message The email message. + * @param string $token The token. + * @param int $user_id The ID of the user. + */ + $message = apply_filters( 'two_factor_token_email_message', $message, $token, $user->ID ); + + return wp_mail( $user->user_email, $subject, $message ); // phpcs:ignore WordPressVIPMinimum.Functions.RestrictedFunctions.wp_mail_wp_mail + } + + /** + * Prints the form that prompts the user to authenticate. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + */ + public function authentication_page( $user ) { + if ( ! $user ) { + return; + } + + if ( ! $this->user_has_token( $user->ID ) || $this->user_token_has_expired( $user->ID ) ) { + $this->generate_and_email_token( $user ); + } + + require_once ABSPATH . '/wp-admin/includes/template.php'; + ?> +

+

+ + + +

+

+ +

+ + ID ) && isset( $_REQUEST[ self::INPUT_NAME_RESEND_CODE ] ) ) { + $this->generate_and_email_token( $user ); + return true; + } + + return false; + } + + /** + * Validates the users input token. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + * @return boolean + */ + public function validate_authentication( $user ) { + if ( ! isset( $user->ID ) || ! isset( $_REQUEST['two-factor-email-code'] ) ) { + return false; + } + + // Ensure there are no spaces or line breaks around the code. + $code = trim( sanitize_text_field( $_REQUEST['two-factor-email-code'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, handled by the core method already. + + return $this->validate_token( $user->ID, $code ); + } + + /** + * Whether this Two Factor provider is configured and available for the user specified. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + * @return boolean + */ + public function is_available_for_user( $user ) { + return true; + } + + /** + * Inserts markup at the end of the user profile field for this provider. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + */ + public function user_options( $user ) { + $email = $user->user_email; + ?> +
+ +
+ wp_strip_all_tags( __( 'Name', 'two-factor' ) ), + 'added' => wp_strip_all_tags( __( 'Added', 'two-factor' ) ), + 'last_used' => wp_strip_all_tags( __( 'Last Used', 'two-factor' ) ), + ); + } + + /** + * Prepares the list of items for displaying. + * + * @since 0.1-dev + */ + public function prepare_items() { + $columns = $this->get_columns(); + $hidden = array(); + $sortable = array(); + $primary = 'name'; + $this->_column_headers = array( $columns, $hidden, $sortable, $primary ); + } + + /** + * Generates content for a single row of the table + * + * @since 0.1-dev + * @access protected + * + * @param object $item The current item. + * @param string $column_name The current column name. + * @return string + */ + protected function column_default( $item, $column_name ) { + switch ( $column_name ) { + case 'name': + $out = ''; + + $actions = array( + 'rename hide-if-no-js' => Two_Factor_FIDO_U2F_Admin::rename_link( $item ), + 'delete' => Two_Factor_FIDO_U2F_Admin::delete_link( $item ), + ); + + return esc_html( $item->name ) . $out . self::row_actions( $actions ); + case 'added': + return gmdate( get_option( 'date_format', 'r' ), $item->added ); + case 'last_used': + return gmdate( get_option( 'date_format', 'r' ), $item->last_used ); + default: + return 'WTF^^?'; + } + } + + /** + * Generates custom table navigation to prevent conflicting nonces. + * + * @since 0.1-dev + * @access protected + * + * @param string $which The location of the bulk actions: 'top' or 'bottom'. + */ + protected function display_tablenav( $which ) { + // Not used for the Security key list. + } + + /** + * Generates content for a single row of the table + * + * @since 0.1-dev + * @access public + * + * @param object $item The current item. + */ + public function single_row( $item ) { + ?> + + single_row_columns( $item ); ?> + + + + + + + + +
+ getRegisterData( $security_keys ); + list( $req,$sigs ) = $data; + + update_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY, $req ); + } catch ( Exception $e ) { + return false; + } + + wp_enqueue_style( + 'fido-u2f-admin', + plugins_url( 'css/fido-u2f-admin.css', __FILE__ ), + null, + self::asset_version() + ); + + wp_enqueue_script( + 'fido-u2f-admin', + plugins_url( 'js/fido-u2f-admin.js', __FILE__ ), + array( 'jquery', 'fido-u2f-api' ), + self::asset_version(), + true + ); + + /** + * Pass a U2F challenge and user data to our scripts + */ + + $translation_array = array( + 'user_id' => $user_id, + 'register' => array( + 'request' => $req, + 'sigs' => $sigs, + ), + 'text' => array( + 'insert' => esc_html__( 'Now insert (and tap) your Security Key.', 'two-factor' ), + 'error' => esc_html__( 'U2F request failed.', 'two-factor' ), + 'error_codes' => array( + // Map u2f.ErrorCodes to error messages. + 0 => esc_html__( 'Request OK.', 'two-factor' ), + 1 => esc_html__( 'Other U2F error.', 'two-factor' ), + 2 => esc_html__( 'Bad U2F request.', 'two-factor' ), + 3 => esc_html__( 'Unsupported U2F configuration.', 'two-factor' ), + 4 => esc_html__( 'U2F device ineligible.', 'two-factor' ), + 5 => esc_html__( 'U2F request timeout reached.', 'two-factor' ), + ), + 'u2f_not_supported' => esc_html__( 'FIDO U2F appears to be not supported by your web browser. Try using Google Chrome or Firefox.', 'two-factor' ), + ), + ); + + wp_localize_script( + 'fido-u2f-admin', + 'u2fL10n', + $translation_array + ); + + /** + * Script for admin UI + */ + + wp_enqueue_script( + 'inline-edit-key', + plugins_url( 'js/fido-u2f-admin-inline-edit.js', __FILE__ ), + array( 'jquery' ), + self::asset_version(), + true + ); + + wp_localize_script( + 'inline-edit-key', + 'inlineEditL10n', + array( + 'error' => esc_html__( 'Error while saving the changes.', 'two-factor' ), + ) + ); + } + + /** + * Return the current asset version number. + * + * Added as own helper to allow swapping the implementation once we inject + * it as a dependency. + * + * @return string + */ + protected static function asset_version() { + return Two_Factor_FIDO_U2F::asset_version(); + } + + /** + * Display the security key section in a users profile. + * + * This executes during the `show_user_security_settings` action. + * + * @since 0.1-dev + * + * @access public + * @static + * + * @param WP_User $user WP_User object of the logged-in user. + */ + public static function show_user_profile( $user ) { + wp_nonce_field( "user_security_keys-{$user->ID}", '_nonce_user_security_keys' ); + $new_key = false; + + $security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user->ID ); + if ( $security_keys ) { + foreach ( $security_keys as &$security_key ) { + if ( property_exists( $security_key, 'new' ) ) { + $new_key = true; + unset( $security_key->new ); + + // If we've got a new one, update the db record to not save it there any longer. + Two_Factor_FIDO_U2F::update_security_key( $user->ID, $security_key ); + } + } + unset( $security_key ); + } + + ?> +
+

+ + +

+ +

+ + +
+ + + + + +
+ + +
+

+
+ + +

+ + items = $security_keys; + $u2f_list_table->prepare_items(); + $u2f_list_table->display(); + $u2f_list_table->inline_edit(); + ?> +
+ doRegister( get_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY, true ), $response ); + $reg->new = true; + + Two_Factor_FIDO_U2F::add_security_key( $user_id, $reg ); + } catch ( Exception $e ) { + return false; + } + + delete_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY ); + + wp_safe_redirect( + add_query_arg( + array( + 'new_app_pass' => 1, + ), + wp_get_referer() + ) . '#security-keys-section' + ); + exit; + } + } + + /** + * Catch the delete security key request. + * + * This executes during the `load-profile.php` & `load-user-edit.php` actions. + * + * @since 0.1-dev + * + * @access public + * @static + */ + public static function catch_delete_security_key() { + $user_id = Two_Factor_Core::current_user_being_edited(); + + if ( ! empty( $user_id ) && ! empty( $_REQUEST['delete_security_key'] ) ) { + $slug = $_REQUEST['delete_security_key']; + + check_admin_referer( "delete_security_key-{$slug}", '_nonce_delete_security_key' ); + + Two_Factor_FIDO_U2F::delete_security_key( $user_id, $slug ); + + wp_safe_redirect( remove_query_arg( 'new_app_pass', wp_get_referer() ) . '#security-keys-section' ); + exit; + } + } + + /** + * Generate a link to rename a specified security key. + * + * @since 0.1-dev + * + * @access public + * @static + * + * @param array $item The current item. + * @return string + */ + public static function rename_link( $item ) { + return sprintf( '%s', esc_html__( 'Rename', 'two-factor' ) ); + } + + /** + * Generate a link to delete a specified security key. + * + * @since 0.1-dev + * + * @access public + * @static + * + * @param array $item The current item. + * @return string + */ + public static function delete_link( $item ) { + $delete_link = add_query_arg( 'delete_security_key', $item->keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase + $delete_link = wp_nonce_url( $delete_link, "delete_security_key-{$item->keyHandle}", '_nonce_delete_security_key' ); + return sprintf( '%2$s', esc_url( $delete_link ), esc_html__( 'Delete', 'two-factor' ) ); + } + + /** + * Ajax handler for quick edit saving for a security key. + * + * @since 0.1-dev + * + * @access public + * @static + */ + public static function wp_ajax_inline_save() { + check_ajax_referer( 'keyinlineeditnonce', '_inline_edit' ); + + require TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f-admin-list-table.php'; + $wp_list_table = new Two_Factor_FIDO_U2F_Admin_List_Table(); + + if ( ! isset( $_POST['keyHandle'] ) ) { + wp_die(); + } + + $user_id = Two_Factor_Core::current_user_being_edited(); + $security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id ); + if ( ! $security_keys ) { + wp_die(); + } + + foreach ( $security_keys as &$key ) { + if ( $key->keyHandle === $_POST['keyHandle'] ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase + break; + } + } + + $key->name = $_POST['name']; + + $updated = Two_Factor_FIDO_U2F::update_security_key( $user_id, $key ); + if ( ! $updated ) { + wp_die( esc_html__( 'Item not updated.', 'two-factor' ) ); + } + $wp_list_table->single_row( $key ); + wp_die(); + } +} diff --git a/wp-content/plugins/two-factor/providers/class-two-factor-fido-u2f.php b/wp-content/plugins/two-factor/providers/class-two-factor-fido-u2f.php new file mode 100644 index 00000000..330451c2 --- /dev/null +++ b/wp-content/plugins/two-factor/providers/class-two-factor-fido-u2f.php @@ -0,0 +1,397 @@ + +

+ ID ); + $data = self::$u2f->getAuthenticateData( $keys ); + update_user_meta( $user->ID, self::AUTH_DATA_USER_META_KEY, $data ); + } catch ( Exception $e ) { + ?> +

+ $data, + ) + ); + + wp_enqueue_script( 'fido-u2f-login' ); + + ?> +

+ + ID, self::AUTH_DATA_USER_META_KEY, true ); + + $response = json_decode( stripslashes( $_REQUEST['u2f_response'] ) ); + + $keys = self::get_security_keys( $user->ID ); + + try { + $reg = self::$u2f->doAuthenticate( $requests, $keys, $response ); + + $reg->last_used = time(); + + self::update_security_key( $user->ID, $reg ); + + return true; + } catch ( Exception $e ) { + return false; + } + } + + /** + * Whether this Two Factor provider is configured and available for the user specified. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + * @return boolean + */ + public function is_available_for_user( $user ) { + return (bool) self::get_security_keys( $user->ID ); + } + + /** + * Inserts markup at the end of the user profile field for this provider. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + */ + public function user_options( $user ) { + ?> +

+ +

+ keyHandle ) // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase + || ! property_exists( $register, 'publicKey' ) || empty( $register->publicKey ) // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase + || ! property_exists( $register, 'certificate' ) || empty( $register->certificate ) + || ! property_exists( $register, 'counter' ) || ( -1 > $register->counter ) + ) { + return false; + } + + $register = array( + 'keyHandle' => $register->keyHandle, // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase + 'publicKey' => $register->publicKey, // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase + 'certificate' => $register->certificate, + 'counter' => $register->counter, + ); + + $register['name'] = __( 'New Security Key', 'two-factor' ); + $register['added'] = time(); + $register['last_used'] = $register['added']; + + return add_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY, $register ); + } + + /** + * Retrieve registered security keys for a user. + * + * @since 0.1-dev + * + * @param int $user_id User ID. + * @return array|bool Array of keys on success, false on failure. + */ + public static function get_security_keys( $user_id ) { + if ( ! is_numeric( $user_id ) ) { + return false; + } + + $keys = get_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY ); + if ( $keys ) { + foreach ( $keys as &$key ) { + $key = (object) $key; + } + unset( $key ); + } + + return $keys; + } + + /** + * Update registered security key. + * + * Use the $prev_value parameter to differentiate between meta fields with the + * same key and user ID. + * + * If the meta field for the user does not exist, it will be added. + * + * @since 0.1-dev + * + * @param int $user_id User ID. + * @param object $data The data of registered security key. + * @return int|bool Meta ID if the key didn't exist, true on successful update, false on failure. + */ + public static function update_security_key( $user_id, $data ) { + if ( ! is_numeric( $user_id ) ) { + return false; + } + + if ( + ! is_object( $data ) + || ! property_exists( $data, 'keyHandle' ) || empty( $data->keyHandle ) // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase + || ! property_exists( $data, 'publicKey' ) || empty( $data->publicKey ) // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase + || ! property_exists( $data, 'certificate' ) || empty( $data->certificate ) + || ! property_exists( $data, 'counter' ) || ( -1 > $data->counter ) + ) { + return false; + } + + $keys = self::get_security_keys( $user_id ); + if ( $keys ) { + foreach ( $keys as $key ) { + if ( $key->keyHandle === $data->keyHandle ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase + return update_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY, (array) $data, (array) $key ); + } + } + } + + return self::add_security_key( $user_id, $data ); + } + + /** + * Remove registered security key matching criteria from a user. + * + * @since 0.1-dev + * + * @param int $user_id User ID. + * @param string $keyHandle Optional. Key handle. + * @return bool True on success, false on failure. + */ + public static function delete_security_key( $user_id, $keyHandle = null ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase + global $wpdb; + + if ( ! is_numeric( $user_id ) ) { + return false; + } + + $user_id = absint( $user_id ); + if ( ! $user_id ) { + return false; + } + + $keyHandle = wp_unslash( $keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase + $keyHandle = maybe_serialize( $keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase + + $query = $wpdb->prepare( "SELECT umeta_id FROM {$wpdb->usermeta} WHERE meta_key = %s AND user_id = %d", self::REGISTERED_KEY_USER_META_KEY, $user_id ); + + if ( $keyHandle ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase + $key_handle_lookup = sprintf( ':"%s";s:', $keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase + + $query .= $wpdb->prepare( + ' AND meta_value LIKE %s', + '%' . $wpdb->esc_like( $key_handle_lookup ) . '%' + ); + } + + $meta_ids = $wpdb->get_col( $query ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared + if ( ! count( $meta_ids ) ) { + return false; + } + + foreach ( $meta_ids as $meta_id ) { + delete_metadata_by_mid( 'user', $meta_id ); + } + + return true; + } +} diff --git a/wp-content/plugins/two-factor/providers/class-two-factor-provider.php b/wp-content/plugins/two-factor/providers/class-two-factor-provider.php new file mode 100644 index 00000000..a2f9be06 --- /dev/null +++ b/wp-content/plugins/two-factor/providers/class-two-factor-provider.php @@ -0,0 +1,102 @@ +get_label() ); + } + + /** + * Prints the form that prompts the user to authenticate. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + */ + abstract public function authentication_page( $user ); + + /** + * Allow providers to do extra processing before the authentication. + * Return `true` to prevent the authentication and render the + * authentication page. + * + * @param WP_User $user WP_User object of the logged-in user. + * @return boolean + */ + public function pre_process_authentication( $user ) { + return false; + } + + /** + * Validates the users input token. + * + * @since 0.1-dev + * + * @param WP_User $user WP_User object of the logged-in user. + * @return boolean + */ + abstract public function validate_authentication( $user ); + + /** + * Whether this Two Factor provider is configured and available for the user specified. + * + * @param WP_User $user WP_User object of the logged-in user. + * @return boolean + */ + abstract public function is_available_for_user( $user ); + + /** + * Generate a random eight-digit string to send out as an auth code. + * + * @since 0.1-dev + * + * @param int $length The code length. + * @param string|array $chars Valid auth code characters. + * @return string + */ + public function get_code( $length = 8, $chars = '1234567890' ) { + $code = ''; + if ( is_array( $chars ) ) { + $chars = implode( '', $chars ); + } + for ( $i = 0; $i < $length; $i++ ) { + $code .= substr( $chars, wp_rand( 0, strlen( $chars ) - 1 ), 1 ); + } + return $code; + } +} diff --git a/wp-content/plugins/two-factor/providers/class-two-factor-totp.php b/wp-content/plugins/two-factor/providers/class-two-factor-totp.php new file mode 100644 index 00000000..e64ecd8a --- /dev/null +++ b/wp-content/plugins/two-factor/providers/class-two-factor-totp.php @@ -0,0 +1,578 @@ +delete_user_totp_key( $user_id ); + } + } + + /** + * Get the URL for deleting the secret token. + * + * @param integer $user_id User ID. + * + * @return string + * + * @codeCoverageIgnore + */ + protected function get_token_delete_url_for_user( $user_id ) { + return Two_Factor_Core::get_user_update_action_url( $user_id, self::ACTION_SECRET_DELETE ); + } + + /** + * Display TOTP options on the user settings page. + * + * @param WP_User $user The current user being edited. + * @return false + * + * @codeCoverageIgnore + */ + public function user_two_factor_options( $user ) { + if ( ! isset( $user->ID ) ) { + return false; + } + + wp_nonce_field( 'user_two_factor_totp_options', '_nonce_user_two_factor_totp_options', false ); + + $key = $this->get_user_totp_key( $user->ID ); + $this->admin_notices( $user->ID ); + + ?> +
+ generate_key(); + $site_name = get_bloginfo( 'name', 'display' ); + $totp_title = apply_filters( 'two_factor_totp_title', $site_name . ':' . $user->user_login, $user ); + ?> +

+ +

+

+ +

+

+ +

+

+ + + +

+ +

+ +

+

+ + + + +

+ +
+ is_valid_key( $key ) ) { + if ( $this->is_valid_authcode( $key, $authcode ) ) { + if ( ! $this->set_user_totp_key( $user_id, $key ) ) { + $errors[] = __( 'Unable to save Two Factor Authentication code. Please re-scan the QR code and enter the code provided by your application.', 'two-factor' ); + } + } else { + $errors[] = __( 'Invalid Two Factor Authentication code.', 'two-factor' ); + } + } else { + $errors[] = __( 'Invalid Two Factor Authentication secret key.', 'two-factor' ); + } + } + + if ( ! empty( $errors ) ) { + $notices['error'] = $errors; + } + + if ( ! empty( $notices ) ) { + update_user_meta( $user_id, self::NOTICES_META_KEY, $notices ); + } + } + } + + /** + * Get the TOTP secret key for a user. + * + * @param int $user_id User ID. + * + * @return string + */ + public function get_user_totp_key( $user_id ) { + return (string) get_user_meta( $user_id, self::SECRET_META_KEY, true ); + } + + /** + * Set the TOTP secret key for a user. + * + * @param int $user_id User ID. + * @param string $key TOTP secret key. + * + * @return boolean If the key was stored successfully. + */ + public function set_user_totp_key( $user_id, $key ) { + return update_user_meta( $user_id, self::SECRET_META_KEY, $key ); + } + + /** + * Delete the TOTP secret key for a user. + * + * @param int $user_id User ID. + * + * @return boolean If the key was deleted successfully. + */ + public function delete_user_totp_key( $user_id ) { + return delete_user_meta( $user_id, self::SECRET_META_KEY ); + } + + /** + * Check if the TOTP secret key has a proper format. + * + * @param string $key TOTP secret key. + * + * @return boolean + */ + public function is_valid_key( $key ) { + $check = sprintf( '/^[%s]+$/', self::$base_32_chars ); + + if ( 1 === preg_match( $check, $key ) ) { + return true; + } + + return false; + } + + /** + * Display any available admin notices. + * + * @param integer $user_id User ID. + * + * @return void + * + * @codeCoverageIgnore + */ + public function admin_notices( $user_id ) { + $notices = get_user_meta( $user_id, self::NOTICES_META_KEY, true ); + + if ( ! empty( $notices ) ) { + delete_user_meta( $user_id, self::NOTICES_META_KEY ); + + foreach ( $notices as $class => $messages ) { + ?> +
+ +

+ +

+ +
+ is_valid_authcode( + $this->get_user_totp_key( $user->ID ), + sanitize_text_field( $_REQUEST['authcode'] ) + ); + } + + return false; + } + + /** + * Checks if a given code is valid for a given key, allowing for a certain amount of time drift + * + * @param string $key The share secret key to use. + * @param string $authcode The code to test. + * + * @return bool Whether the code is valid within the time frame + */ + public static function is_valid_authcode( $key, $authcode ) { + /** + * Filter the maximum ticks to allow when checking valid codes. + * + * Ticks are the allowed offset from the correct time in 30 second increments, + * so the default of 4 allows codes that are two minutes to either side of server time + * + * @deprecated 0.7.0 Use {@see 'two_factor_totp_time_step_allowance'} instead. + * @param int $max_ticks Max ticks of time correction to allow. Default 4. + */ + $max_ticks = apply_filters_deprecated( 'two-factor-totp-time-step-allowance', array( self::DEFAULT_TIME_STEP_ALLOWANCE ), '0.7.0', 'two_factor_totp_time_step_allowance' ); + + $max_ticks = apply_filters( 'two_factor_totp_time_step_allowance', self::DEFAULT_TIME_STEP_ALLOWANCE ); + + // Array of all ticks to allow, sorted using absolute value to test closest match first. + $ticks = range( - $max_ticks, $max_ticks ); + usort( $ticks, array( __CLASS__, 'abssort' ) ); + + $time = time() / self::DEFAULT_TIME_STEP_SEC; + + foreach ( $ticks as $offset ) { + $log_time = $time + $offset; + if ( hash_equals(self::calc_totp( $key, $log_time ), $authcode ) ) { + return true; + } + } + return false; + } + + /** + * Generates key + * + * @param int $bitsize Nume of bits to use for key. + * + * @return string $bitsize long string composed of available base32 chars. + */ + public static function generate_key( $bitsize = self::DEFAULT_KEY_BIT_SIZE ) { + $bytes = ceil( $bitsize / 8 ); + $secret = wp_generate_password( $bytes, true, true ); + + return self::base32_encode( $secret ); + } + + /** + * Pack stuff + * + * @param string $value The value to be packed. + * + * @return string Binary packed string. + */ + public static function pack64( $value ) { + // 64bit mode (PHP_INT_SIZE == 8). + if ( PHP_INT_SIZE >= 8 ) { + // If we're on PHP 5.6.3+ we can use the new 64bit pack functionality. + if ( version_compare( PHP_VERSION, '5.6.3', '>=' ) && PHP_INT_SIZE >= 8 ) { + return pack( 'J', $value ); // phpcs:ignore PHPCompatibility.ParameterValues.NewPackFormat.NewFormatFound + } + $highmap = 0xffffffff << 32; + $higher = ( $value & $highmap ) >> 32; + } else { + /* + * 32bit PHP can't shift 32 bits like that, so we have to assume 0 for the higher + * and not pack anything beyond it's limits. + */ + $higher = 0; + } + + $lowmap = 0xffffffff; + $lower = $value & $lowmap; + + return pack( 'NN', $higher, $lower ); + } + + /** + * Calculate a valid code given the shared secret key + * + * @param string $key The shared secret key to use for calculating code. + * @param mixed $step_count The time step used to calculate the code, which is the floor of time() divided by step size. + * @param int $digits The number of digits in the returned code. + * @param string $hash The hash used to calculate the code. + * @param int $time_step The size of the time step. + * + * @return string The totp code + */ + public static function calc_totp( $key, $step_count = false, $digits = self::DEFAULT_DIGIT_COUNT, $hash = self::DEFAULT_CRYPTO, $time_step = self::DEFAULT_TIME_STEP_SEC ) { + $secret = self::base32_decode( $key ); + + if ( false === $step_count ) { + $step_count = floor( time() / $time_step ); + } + + $timestamp = self::pack64( $step_count ); + + $hash = hash_hmac( $hash, $timestamp, $secret, true ); + + $offset = ord( $hash[19] ) & 0xf; + + $code = ( + ( ( ord( $hash[ $offset + 0 ] ) & 0x7f ) << 24 ) | + ( ( ord( $hash[ $offset + 1 ] ) & 0xff ) << 16 ) | + ( ( ord( $hash[ $offset + 2 ] ) & 0xff ) << 8 ) | + ( ord( $hash[ $offset + 3 ] ) & 0xff ) + ) % pow( 10, $digits ); + + return str_pad( $code, $digits, '0', STR_PAD_LEFT ); + } + + /** + * Uses the Google Charts API to build a QR Code for use with an otpauth url + * + * @param string $name The name to display in the Authentication app. + * @param string $key The secret key to share with the Authentication app. + * @param string $title The title to display in the Authentication app. + * + * @return string A URL to use as an img src to display the QR code + * + * @codeCoverageIgnore + */ + public static function get_google_qr_code( $name, $key, $title = null ) { + // Encode to support spaces, question marks and other characters. + $name = rawurlencode( $name ); + $google_url = urlencode( 'otpauth://totp/' . $name . '?secret=' . $key ); + if ( isset( $title ) ) { + $google_url .= urlencode( '&issuer=' . rawurlencode( $title ) ); + } + return 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=' . $google_url; + } + + /** + * Whether this Two Factor provider is configured and available for the user specified. + * + * @param WP_User $user WP_User object of the logged-in user. + * + * @return boolean + */ + public function is_available_for_user( $user ) { + // Only available if the secret key has been saved for the user. + $key = $this->get_user_totp_key( $user->ID ); + + return ! empty( $key ); + } + + /** + * Prints the form that prompts the user to authenticate. + * + * @param WP_User $user WP_User object of the logged-in user. + * + * @codeCoverageIgnore + */ + public function authentication_page( $user ) { + require_once ABSPATH . '/wp-admin/includes/template.php'; + ?> +

+ +

+

+ + +

+ + = 8 ) { + $j -= 8; + $binary .= chr( ( $n & ( 0xFF << $j ) ) >> $j ); + } + } + + return $binary; + } + + /** + * Used with usort to sort an array by distance from 0 + * + * @param int $a First array element. + * @param int $b Second array element. + * + * @return int -1, 0, or 1 as needed by usort + */ + private static function abssort( $a, $b ) { + $a = abs( $a ); + $b = abs( $b ); + if ( $a === $b ) { + return 0; + } + return ( $a < $b ) ? -1 : 1; + } +} diff --git a/wp-content/plugins/two-factor/providers/css/fido-u2f-admin.css b/wp-content/plugins/two-factor/providers/css/fido-u2f-admin.css new file mode 100644 index 00000000..96ca78aa --- /dev/null +++ b/wp-content/plugins/two-factor/providers/css/fido-u2f-admin.css @@ -0,0 +1,12 @@ +#security-keys-section .wp-list-table { + margin-bottom: 2em; +} + +#security-keys-section .register-security-key .spinner { + float: none; +} + +#security-keys-section .security-key-status { + vertical-align: middle; + font-style: italic; +} diff --git a/wp-content/plugins/two-factor/providers/js/fido-u2f-admin-inline-edit.js b/wp-content/plugins/two-factor/providers/js/fido-u2f-admin-inline-edit.js new file mode 100644 index 00000000..b7b0123e --- /dev/null +++ b/wp-content/plugins/two-factor/providers/js/fido-u2f-admin-inline-edit.js @@ -0,0 +1,150 @@ +/* global window, document, jQuery, inlineEditL10n, ajaxurl */ +var inlineEditKey; + +( function( $ ) { + inlineEditKey = { + + init: function() { + var t = this, + row = $( '#security-keys-section #inline-edit' ); + + t.what = '#key-'; + + $( '#security-keys-section #the-list' ).on( 'click', 'a.editinline', function() { + inlineEditKey.edit( this ); + return false; + } ); + + // Prepare the edit row. + row.keyup( function( event ) { + if ( 27 === event.which ) { + return inlineEditKey.revert(); + } + } ); + + $( 'a.cancel', row ).click( function() { + return inlineEditKey.revert(); + } ); + + $( 'a.save', row ).click( function() { + return inlineEditKey.save( this ); + } ); + + $( 'input, select', row ).keydown( function( event ) { + if ( 13 === event.which ) { + return inlineEditKey.save( this ); + } + } ); + }, + + toggle: function( el ) { + var t = this; + + if ( 'none' === $( t.what + t.getId( el ) ).css( 'display' ) ) { + t.revert(); + } else { + t.edit( el ); + } + }, + + edit: function( id ) { + var editRow, rowData, val, + t = this; + t.revert(); + + if ( 'object' === typeof id ) { + id = t.getId( id ); + } + + editRow = $( '#inline-edit' ).clone( true ); + rowData = $( '#inline_' + id ); + + $( 'td', editRow ).attr( 'colspan', $( 'th:visible, td:visible', '#security-keys-section .widefat thead' ).length ); + + $( t.what + id ).hide().after( editRow ).after( '' ); + + val = $( '.name', rowData ); + val.find( 'img' ).replaceWith( function() { + return this.alt; + } ); + val = val.text(); + $( ':input[name="name"]', editRow ).val( val ); + + $( editRow ).attr( 'id', 'edit-' + id ).addClass( 'inline-editor' ).show(); + $( '.ptitle', editRow ).eq( 0 ).focus(); + + return false; + }, + + save: function( id ) { + var params, fields; + + if ( 'object' === typeof id ) { + id = this.getId( id ); + } + + $( '#security-keys-section table.widefat .spinner' ).addClass( 'is-active' ); + + params = { + action: 'inline-save-key', + keyHandle: id, + user_id: window.u2fL10n.user_id + }; + + fields = $( '#edit-' + id ).find( ':input' ).serialize(); + params = fields + '&' + $.param( params ); + + // Make ajax request. + $.post( ajaxurl, params, + function( r ) { + var row, newID; + $( '#security-keys-section table.widefat .spinner' ).removeClass( 'is-active' ); + + if ( r ) { + if ( -1 !== r.indexOf( '' )[0].submit.call( $( '#your-profile' )[0] ); + } ); + } ); +}( jQuery ) ); diff --git a/wp-content/plugins/two-factor/providers/js/fido-u2f-login.js b/wp-content/plugins/two-factor/providers/js/fido-u2f-login.js new file mode 100644 index 00000000..28295307 --- /dev/null +++ b/wp-content/plugins/two-factor/providers/js/fido-u2f-login.js @@ -0,0 +1,16 @@ +/* global window, u2f, u2fL10n, jQuery */ +( function( $ ) { + if ( ! window.u2fL10n ) { + window.console.error( 'u2fL10n is not defined' ); + return; + } + + u2f.sign( u2fL10n.request[0].appId, u2fL10n.request[0].challenge, u2fL10n.request, function( data ) { + if ( data.errorCode ) { + window.console.error( 'Registration Failed', data.errorCode ); + } else { + $( '#u2f_response' ).val( JSON.stringify( data ) ); + $( '#loginform' ).submit(); + } + } ); +}( jQuery ) ); diff --git a/wp-content/plugins/two-factor/readme.txt b/wp-content/plugins/two-factor/readme.txt new file mode 100644 index 00000000..1a09d79b --- /dev/null +++ b/wp-content/plugins/two-factor/readme.txt @@ -0,0 +1,44 @@ +=== Two-Factor === +Contributors: georgestephanis, valendesigns, stevenkword, extendwings, sgrant, aaroncampbell, johnbillion, stevegrunwell, netweb, kasparsd, alihusnainarshad, passoniate +Tags: two factor, two step, authentication, login, totp, fido u2f, u2f, email, backup codes, 2fa, yubikey +Requires at least: 4.3 +Tested up to: 6.0 +Requires PHP: 5.6 +Stable tag: 0.7.3 + +Enable Two-Factor Authentication using time-based one-time passwords (OTP, Google Authenticator), Universal 2nd Factor (FIDO U2F, YubiKey), email and backup verification codes. + +== Description == + +Use the "Two-Factor Options" section under "Users" → "Your Profile" to enable and configure one or multiple two-factor authentication providers for your account: + +- Email codes +- Time Based One-Time Passwords (TOTP) +- FIDO Universal 2nd Factor (U2F) +- Backup Codes +- Dummy Method (only for testing purposes) + +For more history, see [this post](https://georgestephanis.wordpress.com/2013/08/14/two-cents-on-two-factor/). + += Actions & Filters = + +Here is a list of action and filter hooks provided by the plugin: + +- `two_factor_providers` filter overrides the available two-factor providers such as email and time-based one-time passwords. Array values are PHP classnames of the two-factor providers. +- `two_factor_enabled_providers_for_user` filter overrides the list of two-factor providers enabled for a user. First argument is an array of enabled provider classnames as values, the second argument is the user ID. +- `two_factor_user_authenticated` action which receives the logged in `WP_User` object as the first argument for determining the logged in user right after the authentication workflow. +- `two_factor_token_ttl` filter overrides the time interval in seconds that an email token is considered after generation. Accepts the time in seconds as the first argument and the ID of the `WP_User` object being authenticated. + +== Screenshots == + +1. Two-factor options under User Profile. +2. U2F Security Keys section under User Profile. +3. Email Code Authentication during WordPress Login. + +== Get Involved == + +Development happens [on GitHub](https://github.com/wordpress/two-factor/). + +== Changelog == + +See the [release history](https://github.com/wordpress/two-factor/releases). diff --git a/wp-content/plugins/two-factor/two-factor.php b/wp-content/plugins/two-factor/two-factor.php new file mode 100644 index 00000000..4899cdb2 --- /dev/null +++ b/wp-content/plugins/two-factor/two-factor.php @@ -0,0 +1,48 @@ +