init();
}
/**
* Loads the plugin's text domain.
*
* Sites on WordPress 4.6+ benefit from just-in-time loading of translations.
*/
public static function load_textdomain() {
load_plugin_textdomain( 'two-factor' );
}
/**
* For each provider, include it and then instantiate it.
*
* @since 0.1-dev
*
* @return array
*/
public static function get_providers() {
$providers = array(
'Two_Factor_Email' => TWO_FACTOR_DIR . 'providers/class-two-factor-email.php',
'Two_Factor_Totp' => TWO_FACTOR_DIR . 'providers/class-two-factor-totp.php',
'Two_Factor_FIDO_U2F' => TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f.php',
'Two_Factor_Backup_Codes' => TWO_FACTOR_DIR . 'providers/class-two-factor-backup-codes.php',
'Two_Factor_Dummy' => TWO_FACTOR_DIR . 'providers/class-two-factor-dummy.php',
);
/**
* Filter the supplied providers.
*
* This lets third-parties either remove providers (such as Email), or
* add their own providers (such as text message or Clef).
*
* @param array $providers A key-value array where the key is the class name, and
* the value is the path to the file containing the class.
*/
$providers = apply_filters( 'two_factor_providers', $providers );
// FIDO U2F is PHP 5.3+ only.
if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && version_compare( PHP_VERSION, '5.3.0', '<' ) ) {
unset( $providers['Two_Factor_FIDO_U2F'] );
trigger_error( // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_trigger_error
sprintf(
/* translators: %s: version number */
__( 'FIDO U2F is not available because you are using PHP %s. (Requires 5.3 or greater)', 'two-factor' ), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
PHP_VERSION
)
);
}
/**
* For each filtered provider,
*/
foreach ( $providers as $provider_key => $path ) {
require_once $path;
$class = $provider_key;
/**
* Filters the classname for a provider. The dynamic portion of the filter is the defined providers key.
*
* @param string $class The PHP Classname of the provider.
* @param string $path The provided provider path to be included.
*/
$class = apply_filters( "two_factor_provider_classname_{$provider_key}", $class, $path );
/**
* Confirm that it's been successfully included before instantiating.
*/
if ( class_exists( $class ) ) {
try {
$providers[ $provider_key ] = call_user_func( array( $class, 'get_instance' ) );
} catch ( Exception $e ) {
unset( $providers[ $provider_key ] );
}
}
}
return $providers;
}
/**
* Enable the dummy method only during debugging.
*
* @param array $methods List of enabled methods.
*
* @return array
*/
public static function enable_dummy_method_for_debug( $methods ) {
if ( ! self::is_wp_debug() ) {
unset( $methods['Two_Factor_Dummy'] );
}
return $methods;
}
/**
* Check if the debug mode is enabled.
*
* @return boolean
*/
protected static function is_wp_debug() {
return ( defined( 'WP_DEBUG' ) && WP_DEBUG );
}
/**
* Get the user settings page URL.
*
* Fetch this from the plugin core after we introduce proper dependency injection
* and get away from the singletons at the provider level (should be handled by core).
*
* @param integer $user_id User ID.
*
* @return string
*/
protected static function get_user_settings_page_url( $user_id ) {
if ( defined( 'IS_PROFILE_PAGE' ) && IS_PROFILE_PAGE ) {
return self_admin_url( 'profile.php' );
}
return add_query_arg(
array(
'user_id' => intval( $user_id ),
),
self_admin_url( 'user-edit.php' )
);
}
/**
* Get the URL for resetting the secret token.
*
* @param integer $user_id User ID.
* @param string $action Custom two factor action key.
*
* @return string
*/
public static function get_user_update_action_url( $user_id, $action ) {
return wp_nonce_url(
add_query_arg(
array(
self::USER_SETTINGS_ACTION_QUERY_VAR => $action,
),
self::get_user_settings_page_url( $user_id )
),
sprintf( '%d-%s', $user_id, $action ),
self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG
);
}
/**
* Get the two-factor revalidate URL.
*
* @param bool $interim If the URL should load the interim login iframe modal.
* @return string
*/
public static function get_user_two_factor_revalidate_url( $interim = false ) {
$args = array(
'action' => 'revalidate_2fa',
);
if ( $interim ) {
$args['interim-login'] = 1;
}
return self::login_url( $args );
}
/**
* Check if a user action is valid.
*
* @param integer $user_id User ID.
* @param string $action User action ID.
*
* @return boolean
*/
public static function is_valid_user_action( $user_id, $action ) {
$request_nonce = isset( $_REQUEST[ self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG ] ) ? wp_unslash( $_REQUEST[ self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG ] ) : '';
if ( ! $user_id || ! $action || ! $request_nonce ) {
return false;
}
return wp_verify_nonce(
$request_nonce,
sprintf( '%d-%s', $user_id, $action )
);
}
/**
* Get the ID of the user being edited.
*
* @return integer
*/
public static function current_user_being_edited() {
// Try to resolve the user ID from the request first.
if ( ! empty( $_REQUEST['user_id'] ) ) {
$user_id = intval( $_REQUEST['user_id'] );
if ( current_user_can( 'edit_user', $user_id ) ) {
return $user_id;
}
}
return get_current_user_id();
}
/**
* Trigger our custom update action if a valid
* action request is detected and passes the nonce check.
*
* @return void
*/
public static function trigger_user_settings_action() {
$action = isset( $_REQUEST[ self::USER_SETTINGS_ACTION_QUERY_VAR ] ) ? wp_unslash( $_REQUEST[ self::USER_SETTINGS_ACTION_QUERY_VAR ] ) : '';
$user_id = self::current_user_being_edited();
if ( self::is_valid_user_action( $user_id, $action ) ) {
/**
* This action is triggered when a valid Two Factor settings
* action is detected and it passes the nonce validation.
*
* @param integer $user_id User ID.
* @param string $action Settings action.
*/
do_action( 'two_factor_user_settings_action', $user_id, $action );
}
}
/**
* Keep track of all the authentication cookies that need to be
* invalidated before the second factor authentication.
*
* @param string $cookie Cookie string.
*
* @return void
*/
public static function collect_auth_cookie_tokens( $cookie ) {
$parsed = wp_parse_auth_cookie( $cookie );
if ( ! empty( $parsed['token'] ) ) {
self::$password_auth_tokens[] = $parsed['token'];
}
}
/**
* Fetch the WP_User object for a provided input.
*
* @since 0.8.0
*
* @param int|WP_User $user Optional. The WP_User or user ID. Defaults to current user.
*
* @return false|WP_User WP_User on success, false on failure.
*/
public static function fetch_user( $user = null ) {
if ( null === $user ) {
$user = wp_get_current_user();
} elseif ( ! ( $user instanceof WP_User ) ) {
$user = get_user_by( 'id', $user );
}
if ( ! $user || ! $user->exists() ) {
return false;
}
return $user;
}
/**
* Get all Two-Factor Auth providers that are enabled for the specified|current user.
*
* @param int|WP_User $user Optonal. User ID, or WP_User object of the the user. Defaults to current user.
* @return array
*/
public static function get_enabled_providers_for_user( $user = null ) {
$user = self::fetch_user( $user );
if ( ! $user ) {
return array();
}
$providers = self::get_providers();
$enabled_providers = get_user_meta( $user->ID, self::ENABLED_PROVIDERS_USER_META_KEY, true );
if ( empty( $enabled_providers ) ) {
$enabled_providers = array();
}
$enabled_providers = array_intersect( $enabled_providers, array_keys( $providers ) );
/**
* Filter the enabled two-factor authentication providers for this user.
*
* @param array $enabled_providers The enabled providers.
* @param int $user_id The user ID.
*/
return apply_filters( 'two_factor_enabled_providers_for_user', $enabled_providers, $user->ID );
}
/**
* Get all Two-Factor Auth providers that are both enabled and configured for the specified|current user.
*
* @param int|WP_User $user Optonal. User ID, or WP_User object of the the user. Defaults to current user.
* @return array
*/
public static function get_available_providers_for_user( $user = null ) {
$user = self::fetch_user( $user );
if ( ! $user ) {
return array();
}
$providers = self::get_providers();
$enabled_providers = self::get_enabled_providers_for_user( $user );
$configured_providers = array();
foreach ( $providers as $provider_key => $provider ) {
if ( in_array( $provider_key, $enabled_providers, true ) && $provider->is_available_for_user( $user ) ) {
$configured_providers[ $provider_key ] = $provider;
}
}
return $configured_providers;
}
/**
* Fetch the provider for the request based on the user preferences.
*
* @param int|WP_User $user Optonal. User ID, or WP_User object of the the user. Defaults to current user.
* @param null|string|object $preferred_provider Optional. The name of the provider, the provider, or empty.
* @return null|object The provider
*/
public static function get_provider_for_user( $user = null, $preferred_provider = null ) {
$user = self::fetch_user( $user );
if ( ! $user ) {
return null;
}
// If a specific provider instance is passed, process it just as the key.
if ( $preferred_provider && $preferred_provider instanceof Two_Factor_Provider ) {
$preferred_provider = $preferred_provider->get_key();
}
// Default to the currently logged in provider.
if ( ! $preferred_provider && get_current_user_id() === $user->ID ) {
$session = self::get_current_user_session();
if ( ! empty( $session['two-factor-provider'] ) ) {
$preferred_provider = $session['two-factor-provider'];
}
}
if ( is_string( $preferred_provider ) ) {
$providers = self::get_available_providers_for_user( $user );
if ( isset( $providers[ $preferred_provider ] ) ) {
return $providers[ $preferred_provider ];
}
}
return self::get_primary_provider_for_user( $user );
}
/**
* Gets the Two-Factor Auth provider for the specified|current user.
*
* @since 0.1-dev
*
* @param int|WP_User $user Optonal. User ID, or WP_User object of the the user. Defaults to current user.
* @return object|null
*/
public static function get_primary_provider_for_user( $user = null ) {
$user = self::fetch_user( $user );
if ( ! $user ) {
return null;
}
$providers = self::get_providers();
$available_providers = self::get_available_providers_for_user( $user );
// If there's only one available provider, force that to be the primary.
if ( empty( $available_providers ) ) {
return null;
} elseif ( 1 === count( $available_providers ) ) {
$provider = key( $available_providers );
} else {
$provider = get_user_meta( $user->ID, self::PROVIDER_USER_META_KEY, true );
// If the provider specified isn't enabled, just grab the first one that is.
if ( ! isset( $available_providers[ $provider ] ) ) {
$provider = key( $available_providers );
}
}
/**
* Filter the two-factor authentication provider used for this user.
*
* @param string $provider The provider currently being used.
* @param int $user_id The user ID.
*/
$provider = apply_filters( 'two_factor_primary_provider_for_user', $provider, $user->ID );
if ( isset( $providers[ $provider ] ) ) {
return $providers[ $provider ];
}
return null;
}
/**
* Quick boolean check for whether a given user is using two-step.
*
* @since 0.1-dev
*
* @param int|WP_User $user Optonal. User ID, or WP_User object of the the user. Defaults to current user.
* @return bool
*/
public static function is_user_using_two_factor( $user = null ) {
$provider = self::get_primary_provider_for_user( $user );
return ! empty( $provider );
}
/**
* Handle the browser-based login.
*
* @since 0.1-dev
*
* @param string $user_login Username.
* @param WP_User $user WP_User object of the logged-in user.
*/
public static function wp_login( $user_login, $user ) {
if ( ! self::is_user_using_two_factor( $user->ID ) ) {
return;
}
// Invalidate the current login session to prevent from being re-used.
self::destroy_current_session_for_user( $user );
// Also clear the cookies which are no longer valid.
wp_clear_auth_cookie();
self::show_two_factor_login( $user );
exit;
}
/**
* Destroy the known password-based authentication sessions for the current user.
*
* Is there a better way of finding the current session token without
* having access to the authentication cookies which are just being set
* on the first password-based authentication request.
*
* @param \WP_User $user User object.
*
* @return void
*/
public static function destroy_current_session_for_user( $user ) {
$session_manager = WP_Session_Tokens::get_instance( $user->ID );
foreach ( self::$password_auth_tokens as $auth_token ) {
$session_manager->destroy( $auth_token );
}
}
/**
* Prevent login through XML-RPC and REST API for users with at least one
* two-factor method enabled.
*
* @param WP_User|WP_Error $user Valid WP_User only if the previous filters
* have verified and confirmed the
* authentication credentials.
*
* @return WP_User|WP_Error
*/
public static function filter_authenticate( $user ) {
if ( $user instanceof WP_User && self::is_api_request() && self::is_user_using_two_factor( $user->ID ) && ! self::is_user_api_login_enabled( $user->ID ) ) {
return new WP_Error(
'invalid_application_credentials',
__( 'Error: API login for user disabled.', 'two-factor' )
);
}
return $user;
}
/**
* Prevent login cookies being set on login for Two Factor users.
*
* This makes it so that Core never sends the auth cookies. `login_form_validate_2fa()` will send them manually once the 2nd factor has been verified.
*
* @param WP_User|WP_Error $user Valid WP_User only if the previous filters
* have verified and confirmed the
* authentication credentials.
*
* @return WP_User|WP_Error
*/
public static function filter_authenticate_block_cookies( $user ) {
/*
* NOTE: The `login_init` action is checked for here to ensure we're within the regular login flow,
* rather than through an unsupported 3rd-party login process which this plugin doesn't support.
*/
if ( $user instanceof WP_User && self::is_user_using_two_factor( $user->ID ) && did_action( 'login_init' ) ) {
add_filter( 'send_auth_cookies', '__return_false', PHP_INT_MAX );
}
return $user;
}
/**
* If the current user can login via API requests such as XML-RPC and REST.
*
* @param integer $user_id User ID.
*
* @return boolean
*/
public static function is_user_api_login_enabled( $user_id ) {
return (bool) apply_filters( 'two_factor_user_api_login_enable', false, $user_id );
}
/**
* Is the current request an XML-RPC or REST request.
*
* @return boolean
*/
public static function is_api_request() {
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
return true;
}
if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
return true;
}
return false;
}
/**
* Display the login form.
*
* @since 0.1-dev
*
* @param WP_User $user WP_User object of the logged-in user.
*/
public static function show_two_factor_login( $user ) {
if ( ! $user ) {
$user = wp_get_current_user();
}
$login_nonce = self::create_login_nonce( $user->ID );
if ( ! $login_nonce ) {
wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) );
}
$redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : admin_url();
self::login_html( $user, $login_nonce['key'], $redirect_to );
}
/**
* Displays a message informing the user that their account has had failed login attempts.
*
* @param WP_User $user WP_User object of the logged-in user.
*/
public static function maybe_show_last_login_failure_notice( $user ) {
$last_failed_two_factor_login = (int) get_user_meta( $user->ID, self::USER_RATE_LIMIT_KEY, true );
$failed_login_count = (int) get_user_meta( $user->ID, self::USER_FAILED_LOGIN_ATTEMPTS_KEY, true );
if ( $last_failed_two_factor_login ) {
echo '';
printf(
_n(
'WARNING: Your account has attempted to login without providing a valid two factor token. The last failed login occured %2$s ago. If this wasn\'t you, you should reset your password.',
'WARNING: Your account has attempted to login %1$s times without providing a valid two factor token. The last failed login occured %2$s ago. If this wasn\'t you, you should reset your password.',
$failed_login_count,
'two-factor'
),
number_format_i18n( $failed_login_count ),
human_time_diff( $last_failed_two_factor_login, time() )
);
echo '
';
}
}
/**
* Show the password reset notice if the user's password was reset.
*
* They were also sent an email notification in `send_password_reset_email()`, but email sent from a typical
* web server is not reliable enough to trust completely.
*
* @param WP_Error $errors
*/
public static function maybe_show_reset_password_notice( $errors ) {
if ( 'incorrect_password' !== $errors->get_error_code() ) {
return $errors;
}
if ( ! isset( $_POST['log'] ) ) {
return $errors;
}
$user_name = sanitize_user( wp_unslash( $_POST['log'] ) );
$attempted_user = get_user_by( 'login', $user_name );
if ( ! $attempted_user && str_contains( $user_name, '@' ) ) {
$attempted_user = get_user_by( 'email', $user_name );
}
if ( ! $attempted_user ) {
return $errors;
}
$password_was_reset = get_user_meta( $attempted_user->ID, self::USER_PASSWORD_WAS_RESET_KEY, true );
if ( ! $password_was_reset ) {
return $errors;
}
$errors->remove( 'incorrect_password' );
$errors->add(
'two_factor_password_reset',
sprintf(
__( 'Your password was reset because of too many failed Two Factor attempts. You will need to create a new password to regain access. Please check your email for more information.', 'two-factor' ),
esc_url( add_query_arg( 'action', 'lostpassword', wp_login_url() ) )
)
);
return $errors;
}
/**
* Clear the password reset notice after the user resets their password.
*
* @param WP_User $user
*/
public static function clear_password_reset_notice( $user ) {
delete_user_meta( $user->ID, self::USER_PASSWORD_WAS_RESET_KEY );
}
/**
* Generates the html form for the second step of the authentication process.
*
* @since 0.1-dev
*
* @param WP_User $user WP_User object of the logged-in user.
* @param string $login_nonce A string nonce stored in usermeta.
* @param string $redirect_to The URL to which the user would like to be redirected.
* @param string $error_msg Optional. Login error message.
* @param string|object $provider An override to the provider.
*/
public static function login_html( $user, $login_nonce, $redirect_to, $error_msg = '', $provider = null, $action = 'validate_2fa' ) {
$provider = self::get_provider_for_user( $user, $provider );
if ( ! $provider ) {
wp_die( __( 'Cheatin’ uh?', 'two-factor' ) );
}
$provider_key = $provider->get_key();
$available_providers = self::get_available_providers_for_user( $user );
$backup_providers = array_diff_key( $available_providers, array( $provider_key => null ) );
$interim_login = isset( $_REQUEST['interim-login'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
$rememberme = intval( self::rememberme() );
if ( ! function_exists( 'login_header' ) ) {
// We really should migrate login_header() out of `wp-login.php` so it can be called from an includes file.
require_once TWO_FACTOR_DIR . 'includes/function.login-header.php';
}
// Disable the language switcher.
add_filter( 'login_display_language_dropdown', '__return_false' );
login_header();
if ( ! empty( $error_msg ) ) {
echo '' . esc_html( $error_msg ) . '
';
} elseif ( 'validate_2fa' === $action ) {
self::maybe_show_last_login_failure_notice( $user );
}
?>
$action,
'wp-auth-id' => $user->ID,
'wp-auth-nonce' => $login_nonce,
);
if ( $rememberme ) {
$backup_link_args['rememberme'] = $rememberme;
}
if ( $redirect_to ) {
$backup_link_args['redirect_to'] = $redirect_to;
}
if ( $interim_login ) {
$backup_link_args['interim-login'] = 1;
}
?>
$user_id,
'expiration' => time() + ( 10 * MINUTE_IN_SECONDS ),
);
try {
$login_nonce['key'] = bin2hex( random_bytes( 32 ) );
} catch ( Exception $ex ) {
$login_nonce['key'] = wp_hash( $user_id . wp_rand() . microtime(), 'nonce' );
}
// Store the nonce hashed to avoid leaking it via database access.
$hashed_key = self::hash_login_nonce( $login_nonce );
if ( $hashed_key ) {
$login_nonce_stored = array(
'expiration' => $login_nonce['expiration'],
'key' => $hashed_key,
);
if ( update_user_meta( $user_id, self::USER_META_NONCE_KEY, $login_nonce_stored ) ) {
return $login_nonce;
}
}
return false;
}
/**
* Delete the login nonce.
*
* @since 0.1-dev
*
* @param int $user_id User ID.
* @return bool
*/
public static function delete_login_nonce( $user_id ) {
return delete_user_meta( $user_id, self::USER_META_NONCE_KEY );
}
/**
* Verify the login nonce.
*
* @since 0.1-dev
*
* @param int $user_id User ID.
* @param string $nonce Login nonce.
* @return bool
*/
public static function verify_login_nonce( $user_id, $nonce ) {
$login_nonce = get_user_meta( $user_id, self::USER_META_NONCE_KEY, true );
if ( ! $login_nonce || empty( $login_nonce['key'] ) || empty( $login_nonce['expiration'] ) ) {
return false;
}
$unverified_nonce = array(
'user_id' => $user_id,
'expiration' => $login_nonce['expiration'],
'key' => $nonce,
);
$unverified_hash = self::hash_login_nonce( $unverified_nonce );
$hashes_match = $unverified_hash && hash_equals( $login_nonce['key'], $unverified_hash );
if ( $hashes_match && time() < $login_nonce['expiration'] ) {
return true;
}
// Require a fresh nonce if verification fails.
self::delete_login_nonce( $user_id );
return false;
}
/**
* Determine the minimum wait between two factor attempts for a user.
*
* This implements an increasing backoff, requiring an attacker to wait longer
* each time to attempt to brute-force the login.
*
* @param WP_User $user The user being operated upon.
* @return int Time delay in seconds between login attempts.
*/
public static function get_user_time_delay( $user ) {
/**
* Filter the minimum time duration between two factor attempts.
*
* @param int $rate_limit The number of seconds between two factor attempts.
*/
$rate_limit = apply_filters( 'two_factor_rate_limit', 1 );
$user_failed_logins = get_user_meta( $user->ID, self::USER_FAILED_LOGIN_ATTEMPTS_KEY, true );
if ( $user_failed_logins ) {
$rate_limit = pow( 2, $user_failed_logins ) * $rate_limit;
/**
* Filter the maximum time duration a user may be locked out from retrying two factor authentications.
*
* @param int $max_rate_limit The maximum number of seconds a user might be locked out for. Default 15 minutes.
*/
$max_rate_limit = apply_filters( 'two_factor_max_rate_limit', 15 * MINUTE_IN_SECONDS );
$rate_limit = min( $max_rate_limit, $rate_limit );
}
/**
* Filters the per-user time duration between two factor login attempts.
*
* @param int $rate_limit The number of seconds between two factor attempts.
* @param WP_User $user The user attempting to login.
*/
return apply_filters( 'two_factor_user_rate_limit', $rate_limit, $user );
}
/**
* Determine if a time delay between user two factor login attempts should be triggered.
*
* @since 0.8.0
*
* @param WP_User $user The User.
* @return bool True if rate limit is okay, false if not.
*/
public static function is_user_rate_limited( $user ) {
$rate_limit = self::get_user_time_delay( $user );
$last_failed = get_user_meta( $user->ID, self::USER_RATE_LIMIT_KEY, true );
$rate_limited = false;
if ( $last_failed && $last_failed + $rate_limit > time() ) {
$rate_limited = true;
}
/**
* Filter whether this login attempt is rate limited or not.
*
* This allows for dedicated plugins to rate limit two factor login attempts
* based on their own rules.
*
* @param bool $rate_limited Whether the user login is rate limited.
* @param WP_User $user The user attempting to login.
*/
return apply_filters( 'two_factor_is_user_rate_limited', $rate_limited, $user );
}
/**
* Determine if the current user session is logged in with 2FA.
*
* @since 0.9.0
*
* @return int|false The last time the two-factor was validated on success, false if not currently using a 2FA session.
*/
public static function is_current_user_session_two_factor() {
$session = self::get_current_user_session();
if ( empty( $session['two-factor-login'] ) ) {
return false;
}
return (int) $session['two-factor-login'];
}
/**
* Determine if the current user session can update Two-Factor settings.
*
* @param string $context The context in use, 'display' or 'save'. Save has twice the grace time.
*
* @return bool
*/
public static function current_user_can_update_two_factor_options( $context = 'display' ) {
$user_id = get_current_user_id();
$is_two_factor_session = self::is_current_user_session_two_factor();
// If the user isn't logged in, bail.
if ( ! $user_id ) {
return false;
}
// If the current user is not using two-factor, they can adjust the settings.
if ( ! self::is_user_using_two_factor( $user_id ) ) {
return true;
}
// Else, if the session is not two-factor, the user should not be able to update settings.
if ( ! $is_two_factor_session ) {
return false;
}
/**
* Filter the grace time for two factor revalidation.
*
* Return a falsey value (false, 0) if you wish to never require revalidation.
*
* @param int $two_factor_revalidate_time The grace time between last validation time and when it'll be accepted. Default 10 minutes (in seconds).
* @param string $context The context in use, 'display' or 'save'. Save has twice the grace time.
*/
$two_factor_revalidate_time = apply_filters( 'two_factor_revalidate_time', 10 * MINUTE_IN_SECONDS, $user_id, $context );
if ( $context === 'save' ) {
$two_factor_revalidate_time *= 2;
}
// If the revalidate time is falsey, don't enable revalidation.
if ( ! $two_factor_revalidate_time ) {
return true;
}
// If the user last-2fa'd within the last 10 (or 20) minutes, allow.
$seconds_ago = time() - $is_two_factor_session;
if ( $seconds_ago <= $two_factor_revalidate_time ) {
return true;
}
// Otherwise the user cannot update the options.
return false;
}
/**
* Validate that the current user can edit the specified user. If two-factor is required by the account, also verify that it's within the revalidation grace period.
*
* @param int $user_id The user ID being updated.
*
* @return bool|\WP_Error
*/
public static function rest_api_can_edit_user_and_update_two_factor_options( $user_id ) {
if ( ! current_user_can( 'edit_user', $user_id ) ) {
return false;
}
if ( ! self::current_user_can_update_two_factor_options( 'save' ) ) {
return new WP_Error( 'revalidation_required', __( 'Two Factor Revalidation required.', 'two-factor' ) );
}
return true;
}
/**
* Login form validation handler.
*
* @since 0.1-dev
*/
public static function login_form_validate_2fa() {
$wp_auth_id = ! empty( $_REQUEST['wp-auth-id'] ) ? absint( $_REQUEST['wp-auth-id'] ) : 0;
$nonce = ! empty( $_REQUEST['wp-auth-nonce'] ) ? wp_unslash( $_REQUEST['wp-auth-nonce'] ) : '';
$provider = ! empty( $_REQUEST['provider'] ) ? wp_unslash( $_REQUEST['provider'] ) : '';
$redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? wp_unslash( $_REQUEST['redirect_to'] ) : '';
$is_post_request = ( 'POST' === strtoupper( $_SERVER['REQUEST_METHOD'] ) );
$user = get_user_by( 'id', $wp_auth_id );
if ( ! $wp_auth_id || ! $nonce || ! $user ) {
return;
}
self::_login_form_validate_2fa( $user, $nonce, $provider, $redirect_to, $is_post_request );
exit;
}
/**
* Login form validation.
*
* This function exists for unit testing, as `exit` prevents testing.
* This function expects the caller exiting after calling.
*
* @since 0.9.0
*
* @param WP_User $user The WP_User instance.
* @param string $nonce The nonce provided.
* @param string $provider The provider to use, if known.
* @param string $redirect_to The redirection location.
* @param bool $is_post_request Whether the incoming request was a POST request or not.
* @return void
*/
public static function _login_form_validate_2fa( $user, $nonce = '', $provider = '', $redirect_to = '', $is_post_request = false ) {
// Validate the request.
if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) {
wp_safe_redirect( home_url() );
return;
}
$provider = self::get_provider_for_user( $user, $provider );
if ( ! $provider ) {
wp_die( __( 'Cheatin’ uh?', 'two-factor' ) );
}
// Run the provider processing.
$result = self::process_provider( $provider, $user, $is_post_request );
if ( true !== $result ) {
$error = '';
if ( is_wp_error( $result ) ) {
do_action( 'wp_login_failed', $user->user_login, $result );
$error = $result->get_error_message();
}
$login_nonce = self::create_login_nonce( $user->ID );
if ( ! $login_nonce ) {
wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) );
}
self::login_html( $user, $login_nonce['key'], $redirect_to, $error, $provider );
return;
}
self::delete_login_nonce( $user->ID );
delete_user_meta( $user->ID, self::USER_RATE_LIMIT_KEY );
delete_user_meta( $user->ID, self::USER_FAILED_LOGIN_ATTEMPTS_KEY );
$rememberme = false;
if ( isset( $_REQUEST['rememberme'] ) && $_REQUEST['rememberme'] ) {
$rememberme = true;
}
$session_information_callback = static function( $session, $user_id ) use( $provider, $user ) {
if ( $user->ID === $user_id ) {
$session['two-factor-login'] = time();
$session['two-factor-provider'] = $provider->get_key();
}
return $session;
};
add_filter( 'attach_session_information', $session_information_callback, 10, 2 );
/*
* NOTE: This filter removal is not normally required, this is included for protection against
* a plugin/two factor provider which runs the `authenticate` filter during it's validation.
* Such a plugin would cause self::filter_authenticate_block_cookies() to run and add this filter.
*/
remove_filter( 'send_auth_cookies', '__return_false', PHP_INT_MAX );
wp_set_auth_cookie( $user->ID, $rememberme );
do_action( 'two_factor_user_authenticated', $user, $provider );
remove_filter( 'attach_session_information', $session_information_callback );
// Must be global because that's how login_header() uses it.
global $interim_login;
$interim_login = isset( $_REQUEST['interim-login'] ); // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited,WordPress.Security.NonceVerification.Recommended
if ( $interim_login ) {
$customize_login = isset( $_REQUEST['customize-login'] );
if ( $customize_login ) {
wp_enqueue_script( 'customize-base' );
}
$message = '' . __( 'You have logged in successfully.', 'two-factor' ) . '
';
$interim_login = 'success'; // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited
login_header( '', $message );
?>