init(); } /** * Loads the plugin's text domain. * * Sites on WordPress 4.6+ benefit from just-in-time loading of translations. */ public static function load_textdomain() { load_plugin_textdomain( 'two-factor' ); } /** * For each provider, include it and then instantiate it. * * @since 0.1-dev * * @return array */ public static function get_providers() { $providers = array( 'Two_Factor_Email' => TWO_FACTOR_DIR . 'providers/class-two-factor-email.php', 'Two_Factor_Totp' => TWO_FACTOR_DIR . 'providers/class-two-factor-totp.php', 'Two_Factor_FIDO_U2F' => TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f.php', 'Two_Factor_Backup_Codes' => TWO_FACTOR_DIR . 'providers/class-two-factor-backup-codes.php', 'Two_Factor_Dummy' => TWO_FACTOR_DIR . 'providers/class-two-factor-dummy.php', ); /** * Filter the supplied providers. * * This lets third-parties either remove providers (such as Email), or * add their own providers (such as text message or Clef). * * @param array $providers A key-value array where the key is the class name, and * the value is the path to the file containing the class. */ $providers = apply_filters( 'two_factor_providers', $providers ); // FIDO U2F is PHP 5.3+ only. if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && version_compare( PHP_VERSION, '5.3.0', '<' ) ) { unset( $providers['Two_Factor_FIDO_U2F'] ); trigger_error( // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_trigger_error sprintf( /* translators: %s: version number */ __( 'FIDO U2F is not available because you are using PHP %s. (Requires 5.3 or greater)', 'two-factor' ), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped PHP_VERSION ) ); } /** * For each filtered provider, */ foreach ( $providers as $class => $path ) { include_once $path; /** * Confirm that it's been successfully included before instantiating. */ if ( class_exists( $class ) ) { try { $providers[ $class ] = call_user_func( array( $class, 'get_instance' ) ); } catch ( Exception $e ) { unset( $providers[ $class ] ); } } } return $providers; } /** * Enable the dummy method only during debugging. * * @param array $methods List of enabled methods. * * @return array */ public static function enable_dummy_method_for_debug( $methods ) { if ( ! self::is_wp_debug() ) { unset( $methods['Two_Factor_Dummy'] ); } return $methods; } /** * Check if the debug mode is enabled. * * @return boolean */ protected static function is_wp_debug() { return ( defined( 'WP_DEBUG' ) && WP_DEBUG ); } /** * Get the user settings page URL. * * Fetch this from the plugin core after we introduce proper dependency injection * and get away from the singletons at the provider level (should be handled by core). * * @param integer $user_id User ID. * * @return string */ protected static function get_user_settings_page_url( $user_id ) { $page = 'user-edit.php'; if ( defined( 'IS_PROFILE_PAGE' ) && IS_PROFILE_PAGE ) { $page = 'profile.php'; } return add_query_arg( array( 'user_id' => intval( $user_id ), ), self_admin_url( $page ) ); } /** * Get the URL for resetting the secret token. * * @param integer $user_id User ID. * @param string $action Custom two factor action key. * * @return string */ public static function get_user_update_action_url( $user_id, $action ) { return wp_nonce_url( add_query_arg( array( self::USER_SETTINGS_ACTION_QUERY_VAR => $action, ), self::get_user_settings_page_url( $user_id ) ), sprintf( '%d-%s', $user_id, $action ), self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG ); } /** * Check if a user action is valid. * * @param integer $user_id User ID. * @param string $action User action ID. * * @return boolean */ public static function is_valid_user_action( $user_id, $action ) { $request_nonce = isset( $_REQUEST[ self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG ] ) ? wp_unslash( $_REQUEST[ self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG ] ) : ''; if ( ! $user_id || ! $action || ! $request_nonce ) { return false; } return wp_verify_nonce( $request_nonce, sprintf( '%d-%s', $user_id, $action ) ); } /** * Get the ID of the user being edited. * * @return integer */ public static function current_user_being_edited() { // Try to resolve the user ID from the request first. if ( ! empty( $_REQUEST['user_id'] ) ) { $user_id = intval( $_REQUEST['user_id'] ); if ( current_user_can( 'edit_user', $user_id ) ) { return $user_id; } } return get_current_user_id(); } /** * Trigger our custom update action if a valid * action request is detected and passes the nonce check. * * @return void */ public static function trigger_user_settings_action() { $action = isset( $_REQUEST[ self::USER_SETTINGS_ACTION_QUERY_VAR ] ) ? wp_unslash( $_REQUEST[ self::USER_SETTINGS_ACTION_QUERY_VAR ] ) : ''; $user_id = self::current_user_being_edited(); if ( self::is_valid_user_action( $user_id, $action ) ) { /** * This action is triggered when a valid Two Factor settings * action is detected and it passes the nonce validation. * * @param integer $user_id User ID. * @param string $action Settings action. */ do_action( 'two_factor_user_settings_action', $user_id, $action ); } } /** * Keep track of all the authentication cookies that need to be * invalidated before the second factor authentication. * * @param string $cookie Cookie string. * * @return void */ public static function collect_auth_cookie_tokens( $cookie ) { $parsed = wp_parse_auth_cookie( $cookie ); if ( ! empty( $parsed['token'] ) ) { self::$password_auth_tokens[] = $parsed['token']; } } /** * Fetch the WP_User object for a provided input. * * @since 0.8.0 * * @param int|WP_User $user Optional. The WP_User or user ID. Defaults to current user. * * @return false|WP_User WP_User on success, false on failure. */ public static function fetch_user( $user = null ) { if ( null === $user ) { $user = wp_get_current_user(); } elseif ( ! ( $user instanceof WP_User ) ) { $user = get_user_by( 'id', $user ); } if ( ! $user || ! $user->exists() ) { return false; } return $user; } /** * Get all Two-Factor Auth providers that are enabled for the specified|current user. * * @param int|WP_User $user Optonal. User ID, or WP_User object of the the user. Defaults to current user. * @return array */ public static function get_enabled_providers_for_user( $user = null ) { $user = self::fetch_user( $user ); if ( ! $user ) { return array(); } $providers = self::get_providers(); $enabled_providers = get_user_meta( $user->ID, self::ENABLED_PROVIDERS_USER_META_KEY, true ); if ( empty( $enabled_providers ) ) { $enabled_providers = array(); } $enabled_providers = array_intersect( $enabled_providers, array_keys( $providers ) ); /** * Filter the enabled two-factor authentication providers for this user. * * @param array $enabled_providers The enabled providers. * @param int $user_id The user ID. */ return apply_filters( 'two_factor_enabled_providers_for_user', $enabled_providers, $user->ID ); } /** * Get all Two-Factor Auth providers that are both enabled and configured for the specified|current user. * * @param int|WP_User $user Optonal. User ID, or WP_User object of the the user. Defaults to current user. * @return array */ public static function get_available_providers_for_user( $user = null ) { $user = self::fetch_user( $user ); if ( ! $user ) { return array(); } $providers = self::get_providers(); $enabled_providers = self::get_enabled_providers_for_user( $user ); $configured_providers = array(); foreach ( $providers as $classname => $provider ) { if ( in_array( $classname, $enabled_providers, true ) && $provider->is_available_for_user( $user ) ) { $configured_providers[ $classname ] = $provider; } } return $configured_providers; } /** * Gets the Two-Factor Auth provider for the specified|current user. * * @since 0.1-dev * * @param int|WP_User $user Optonal. User ID, or WP_User object of the the user. Defaults to current user. * @return object|null */ public static function get_primary_provider_for_user( $user = null ) { $user = self::fetch_user( $user ); if ( ! $user ) { return null; } $providers = self::get_providers(); $available_providers = self::get_available_providers_for_user( $user ); // If there's only one available provider, force that to be the primary. if ( empty( $available_providers ) ) { return null; } elseif ( 1 === count( $available_providers ) ) { $provider = key( $available_providers ); } else { $provider = get_user_meta( $user->ID, self::PROVIDER_USER_META_KEY, true ); // If the provider specified isn't enabled, just grab the first one that is. if ( ! isset( $available_providers[ $provider ] ) ) { $provider = key( $available_providers ); } } /** * Filter the two-factor authentication provider used for this user. * * @param string $provider The provider currently being used. * @param int $user_id The user ID. */ $provider = apply_filters( 'two_factor_primary_provider_for_user', $provider, $user->ID ); if ( isset( $providers[ $provider ] ) ) { return $providers[ $provider ]; } return null; } /** * Quick boolean check for whether a given user is using two-step. * * @since 0.1-dev * * @param int|WP_User $user Optonal. User ID, or WP_User object of the the user. Defaults to current user. * @return bool */ public static function is_user_using_two_factor( $user = null ) { $provider = self::get_primary_provider_for_user( $user ); return ! empty( $provider ); } /** * Handle the browser-based login. * * @since 0.1-dev * * @param string $user_login Username. * @param WP_User $user WP_User object of the logged-in user. */ public static function wp_login( $user_login, $user ) { if ( ! self::is_user_using_two_factor( $user->ID ) ) { return; } // Invalidate the current login session to prevent from being re-used. self::destroy_current_session_for_user( $user ); // Also clear the cookies which are no longer valid. wp_clear_auth_cookie(); self::show_two_factor_login( $user ); exit; } /** * Destroy the known password-based authentication sessions for the current user. * * Is there a better way of finding the current session token without * having access to the authentication cookies which are just being set * on the first password-based authentication request. * * @param \WP_User $user User object. * * @return void */ public static function destroy_current_session_for_user( $user ) { $session_manager = WP_Session_Tokens::get_instance( $user->ID ); foreach ( self::$password_auth_tokens as $auth_token ) { $session_manager->destroy( $auth_token ); } } /** * Prevent login through XML-RPC and REST API for users with at least one * two-factor method enabled. * * @param WP_User|WP_Error $user Valid WP_User only if the previous filters * have verified and confirmed the * authentication credentials. * * @return WP_User|WP_Error */ public static function filter_authenticate( $user ) { if ( $user instanceof WP_User && self::is_api_request() && self::is_user_using_two_factor( $user->ID ) && ! self::is_user_api_login_enabled( $user->ID ) ) { return new WP_Error( 'invalid_application_credentials', __( 'Error: API login for user disabled.', 'two-factor' ) ); } return $user; } /** * Prevent login cookies being set on login for Two Factor users. * * This makes it so that Core never sends the auth cookies. `login_form_validate_2fa()` will send them manually once the 2nd factor has been verified. * * @param WP_User|WP_Error $user Valid WP_User only if the previous filters * have verified and confirmed the * authentication credentials. * * @return WP_User|WP_Error */ public static function filter_authenticate_block_cookies( $user ) { /* * NOTE: The `login_init` action is checked for here to ensure we're within the regular login flow, * rather than through an unsupported 3rd-party login process which this plugin doesn't support. */ if ( $user instanceof WP_User && self::is_user_using_two_factor( $user->ID ) && did_action( 'login_init' ) ) { add_filter( 'send_auth_cookies', '__return_false', PHP_INT_MAX ); } return $user; } /** * If the current user can login via API requests such as XML-RPC and REST. * * @param integer $user_id User ID. * * @return boolean */ public static function is_user_api_login_enabled( $user_id ) { return (bool) apply_filters( 'two_factor_user_api_login_enable', false, $user_id ); } /** * Is the current request an XML-RPC or REST request. * * @return boolean */ public static function is_api_request() { if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) { return true; } if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) { return true; } return false; } /** * Display the login form. * * @since 0.1-dev * * @param WP_User $user WP_User object of the logged-in user. */ public static function show_two_factor_login( $user ) { if ( ! $user ) { $user = wp_get_current_user(); } $login_nonce = self::create_login_nonce( $user->ID ); if ( ! $login_nonce ) { wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) ); } $redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : admin_url(); self::login_html( $user, $login_nonce['key'], $redirect_to ); } /** * Displays a message informing the user that their account has had failed login attempts. * * @param WP_User $user WP_User object of the logged-in user. */ public static function maybe_show_last_login_failure_notice( $user ) { $last_failed_two_factor_login = (int) get_user_meta( $user->ID, self::USER_RATE_LIMIT_KEY, true ); $failed_login_count = (int) get_user_meta( $user->ID, self::USER_FAILED_LOGIN_ATTEMPTS_KEY, true ); if ( $last_failed_two_factor_login ) { echo '
'; printf( _n( 'WARNING: Your account has attempted to login without providing a valid two factor token. The last failed login occured %2$s ago. If this wasn\'t you, you should reset your password.', 'WARNING: Your account has attempted to login %1$s times without providing a valid two factor token. The last failed login occured %2$s ago. If this wasn\'t you, you should reset your password.', $failed_login_count, 'two-factor' ), number_format_i18n( $failed_login_count ), human_time_diff( $last_failed_two_factor_login, time() ) ); echo '
'; } } /** * Show the password reset notice if the user's password was reset. * * They were also sent an email notification in `send_password_reset_email()`, but email sent from a typical * web server is not reliable enough to trust completely. * * @param WP_Error $errors */ public static function maybe_show_reset_password_notice( $errors ) { if ( 'incorrect_password' !== $errors->get_error_code() ) { return $errors; } if ( ! isset( $_POST['log'] ) ) { return $errors; } $user_name = sanitize_user( wp_unslash( $_POST['log'] ) ); $attempted_user = get_user_by( 'login', $user_name ); if ( ! $attempted_user && str_contains( $user_name, '@' ) ) { $attempted_user = get_user_by( 'email', $user_name ); } if ( ! $attempted_user ) { return $errors; } $password_was_reset = get_user_meta( $attempted_user->ID, self::USER_PASSWORD_WAS_RESET_KEY, true ); if ( ! $password_was_reset ) { return $errors; } $errors->remove( 'incorrect_password' ); $errors->add( 'two_factor_password_reset', sprintf( __( 'Your password was reset because of too many failed Two Factor attempts. You will need to create a new password to regain access. Please check your email for more information.', 'two-factor' ), esc_url( add_query_arg( 'action', 'lostpassword', wp_login_url() ) ) ) ); return $errors; } /** * Clear the password reset notice after the user resets their password. * * @param WP_User $user */ public static function clear_password_reset_notice( $user ) { delete_user_meta( $user->ID, self::USER_PASSWORD_WAS_RESET_KEY ); } /** * Generates the html form for the second step of the authentication process. * * @since 0.1-dev * * @param WP_User $user WP_User object of the logged-in user. * @param string $login_nonce A string nonce stored in usermeta. * @param string $redirect_to The URL to which the user would like to be redirected. * @param string $error_msg Optional. Login error message. * @param string|object $provider An override to the provider. */ public static function login_html( $user, $login_nonce, $redirect_to, $error_msg = '', $provider = null ) { if ( empty( $provider ) ) { $provider = self::get_primary_provider_for_user( $user->ID ); } elseif ( is_string( $provider ) && method_exists( $provider, 'get_instance' ) ) { $provider = call_user_func( array( $provider, 'get_instance' ) ); } $provider_class = get_class( $provider ); $available_providers = self::get_available_providers_for_user( $user ); $backup_providers = array_diff_key( $available_providers, array( $provider_class => null ) ); $interim_login = isset( $_REQUEST['interim-login'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended $rememberme = intval( self::rememberme() ); if ( ! function_exists( 'login_header' ) ) { // We really should migrate login_header() out of `wp-login.php` so it can be called from an includes file. include_once TWO_FACTOR_DIR . 'includes/function.login-header.php'; } login_header(); if ( ! empty( $error_msg ) ) { echo '
' . esc_html( $error_msg ) . '
'; } else { self::maybe_show_last_login_failure_notice( $user ); } ?>
authentication_page( $user ); ?>
'validate_2fa', 'provider' => $backup_classname, 'wp-auth-id' => $user->ID, 'wp-auth-nonce' => $login_nonce, 'redirect_to' => $redirect_to, 'rememberme' => $rememberme, ) ); ?>

get_label() ) ); ?>

$user_id, 'expiration' => time() + ( 10 * MINUTE_IN_SECONDS ), ); try { $login_nonce['key'] = bin2hex( random_bytes( 32 ) ); } catch ( Exception $ex ) { $login_nonce['key'] = wp_hash( $user_id . wp_rand() . microtime(), 'nonce' ); } // Store the nonce hashed to avoid leaking it via database access. $hashed_key = self::hash_login_nonce( $login_nonce ); if ( $hashed_key ) { $login_nonce_stored = array( 'expiration' => $login_nonce['expiration'], 'key' => $hashed_key, ); if ( update_user_meta( $user_id, self::USER_META_NONCE_KEY, $login_nonce_stored ) ) { return $login_nonce; } } return false; } /** * Delete the login nonce. * * @since 0.1-dev * * @param int $user_id User ID. * @return bool */ public static function delete_login_nonce( $user_id ) { return delete_user_meta( $user_id, self::USER_META_NONCE_KEY ); } /** * Verify the login nonce. * * @since 0.1-dev * * @param int $user_id User ID. * @param string $nonce Login nonce. * @return bool */ public static function verify_login_nonce( $user_id, $nonce ) { $login_nonce = get_user_meta( $user_id, self::USER_META_NONCE_KEY, true ); if ( ! $login_nonce || empty( $login_nonce['key'] ) || empty( $login_nonce['expiration'] ) ) { return false; } $unverified_nonce = array( 'user_id' => $user_id, 'expiration' => $login_nonce['expiration'], 'key' => $nonce, ); $unverified_hash = self::hash_login_nonce( $unverified_nonce ); $hashes_match = $unverified_hash && hash_equals( $login_nonce['key'], $unverified_hash ); if ( $hashes_match && time() < $login_nonce['expiration'] ) { return true; } // Require a fresh nonce if verification fails. self::delete_login_nonce( $user_id ); return false; } /** * Determine the minimum wait between two factor attempts for a user. * * This implements an increasing backoff, requiring an attacker to wait longer * each time to attempt to brute-force the login. * * @param WP_User $user The user being operated upon. * @return int Time delay in seconds between login attempts. */ public static function get_user_time_delay( $user ) { /** * Filter the minimum time duration between two factor attempts. * * @param int $rate_limit The number of seconds between two factor attempts. */ $rate_limit = apply_filters( 'two_factor_rate_limit', 1 ); $user_failed_logins = get_user_meta( $user->ID, self::USER_FAILED_LOGIN_ATTEMPTS_KEY, true ); if ( $user_failed_logins ) { $rate_limit = pow( 2, $user_failed_logins ) * $rate_limit; /** * Filter the maximum time duration a user may be locked out from retrying two factor authentications. * * @param int $max_rate_limit The maximum number of seconds a user might be locked out for. Default 15 minutes. */ $max_rate_limit = apply_filters( 'two_factor_max_rate_limit', 15 * MINUTE_IN_SECONDS ); $rate_limit = min( $max_rate_limit, $rate_limit ); } /** * Filters the per-user time duration between two factor login attempts. * * @param int $rate_limit The number of seconds between two factor attempts. * @param WP_User $user The user attempting to login. */ return apply_filters( 'two_factor_user_rate_limit', $rate_limit, $user ); } /** * Determine if a time delay between user two factor login attempts should be triggered. * * @since 0.8.0 * * @param WP_User $user The User. * @return bool True if rate limit is okay, false if not. */ public static function is_user_rate_limited( $user ) { $rate_limit = self::get_user_time_delay( $user ); $last_failed = get_user_meta( $user->ID, self::USER_RATE_LIMIT_KEY, true ); $rate_limited = false; if ( $last_failed && $last_failed + $rate_limit > time() ) { $rate_limited = true; } /** * Filter whether this login attempt is rate limited or not. * * This allows for dedicated plugins to rate limit two factor login attempts * based on their own rules. * * @param bool $rate_limited Whether the user login is rate limited. * @param WP_User $user The user attempting to login. */ return apply_filters( 'two_factor_is_user_rate_limited', $rate_limited, $user ); } /** * Login form validation. * * @since 0.1-dev */ public static function login_form_validate_2fa() { $wp_auth_id = ! empty( $_REQUEST['wp-auth-id'] ) ? absint( $_REQUEST['wp-auth-id'] ) : 0; $nonce = ! empty( $_REQUEST['wp-auth-nonce'] ) ? wp_unslash( $_REQUEST['wp-auth-nonce'] ) : ''; $provider = ! empty( $_REQUEST['provider'] ) ? wp_unslash( $_REQUEST['provider'] ) : false; $is_post_request = ( 'POST' === strtoupper( $_SERVER['REQUEST_METHOD'] ) ); if ( ! $wp_auth_id || ! $nonce ) { return; } $user = get_userdata( $wp_auth_id ); if ( ! $user ) { return; } if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) { wp_safe_redirect( home_url() ); exit; } if ( $provider ) { $providers = self::get_available_providers_for_user( $user ); if ( isset( $providers[ $provider ] ) ) { $provider = $providers[ $provider ]; } else { wp_die( esc_html__( 'Cheatin’ uh?', 'two-factor' ), 403 ); } } else { $provider = self::get_primary_provider_for_user( $user->ID ); } // Allow the provider to re-send codes, etc. if ( true === $provider->pre_process_authentication( $user ) ) { $login_nonce = self::create_login_nonce( $user->ID ); if ( ! $login_nonce ) { wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) ); } self::login_html( $user, $login_nonce['key'], $_REQUEST['redirect_to'], '', $provider ); exit; } // If the form hasn't been submitted, just display the auth form. if ( ! $is_post_request ) { $login_nonce = self::create_login_nonce( $user->ID ); if ( ! $login_nonce ) { wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) ); } self::login_html( $user, $login_nonce['key'], $_REQUEST['redirect_to'], '', $provider ); exit; } // Rate limit two factor authentication attempts. if ( true === self::is_user_rate_limited( $user ) ) { $time_delay = self::get_user_time_delay( $user ); $last_login = get_user_meta( $user->ID, self::USER_RATE_LIMIT_KEY, true ); $error = new WP_Error( 'two_factor_too_fast', sprintf( __( 'ERROR: Too many invalid verification codes, you can try again in %s. This limit protects your account against automated attacks.', 'two-factor' ), human_time_diff( $last_login + $time_delay ) ) ); do_action( 'wp_login_failed', $user->user_login, $error ); $login_nonce = self::create_login_nonce( $user->ID ); if ( ! $login_nonce ) { wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) ); } self::login_html( $user, $login_nonce['key'], $_REQUEST['redirect_to'], esc_html( $error->get_error_message() ), $provider ); exit; } // Ask the provider to verify the second factor. if ( true !== $provider->validate_authentication( $user ) ) { do_action( 'wp_login_failed', $user->user_login, new WP_Error( 'two_factor_invalid', __( 'ERROR: Invalid verification code.', 'two-factor' ) ) ); // Store the last time a failed login occured. update_user_meta( $user->ID, self::USER_RATE_LIMIT_KEY, time() ); // Store the number of failed login attempts. update_user_meta( $user->ID, self::USER_FAILED_LOGIN_ATTEMPTS_KEY, 1 + (int) get_user_meta( $user->ID, self::USER_FAILED_LOGIN_ATTEMPTS_KEY, true ) ); if ( self::should_reset_password( $user->ID ) ) { self::reset_compromised_password( $user ); self::send_password_reset_emails( $user ); self::show_password_reset_error(); exit; } $login_nonce = self::create_login_nonce( $user->ID ); if ( ! $login_nonce ) { wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) ); } self::login_html( $user, $login_nonce['key'], $_REQUEST['redirect_to'], esc_html__( 'ERROR: Invalid verification code.', 'two-factor' ), $provider ); exit; } self::delete_login_nonce( $user->ID ); delete_user_meta( $user->ID, self::USER_RATE_LIMIT_KEY ); delete_user_meta( $user->ID, self::USER_FAILED_LOGIN_ATTEMPTS_KEY ); $rememberme = false; if ( isset( $_REQUEST['rememberme'] ) && $_REQUEST['rememberme'] ) { $rememberme = true; } /* * NOTE: This filter removal is not normally required, this is included for protection against * a plugin/two factor provider which runs the `authenticate` filter during it's validation. * Such a plugin would cause self::filter_authenticate_block_cookies() to run and add this filter. */ remove_filter( 'send_auth_cookies', '__return_false', PHP_INT_MAX ); wp_set_auth_cookie( $user->ID, $rememberme ); do_action( 'two_factor_user_authenticated', $user ); // Must be global because that's how login_header() uses it. global $interim_login; $interim_login = isset( $_REQUEST['interim-login'] ); // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited,WordPress.Security.NonceVerification.Recommended if ( $interim_login ) { $customize_login = isset( $_REQUEST['customize-login'] ); if ( $customize_login ) { wp_enqueue_script( 'customize-base' ); } $message = '

' . __( 'You have logged in successfully.', 'two-factor' ) . '

'; $interim_login = 'success'; // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited login_header( '', $message ); ?> = $failed_attempt_limit; } /** * Reset a compromised password. * * If we know that the the password is compromised, we have the responsibility to reset it and inform the * user. `get_user_time_delay()` mitigates brute force attempts, but this acts as an extra layer of defense * which guarantees that attackers can't brute force it (unless they compromise the new password). * * @param WP_User $user The user who failed to login */ public static function reset_compromised_password( $user ) { // Unhook because `wp_password_change_notification()` wouldn't notify the site admin when // their password is compromised. remove_action( 'after_password_reset', 'wp_password_change_notification' ); reset_password( $user, wp_generate_password( 25 ) ); update_user_meta( $user->ID, self::USER_PASSWORD_WAS_RESET_KEY, true ); add_action( 'after_password_reset', 'wp_password_change_notification' ); self::delete_login_nonce( $user->ID ); delete_user_meta( $user->ID, self::USER_RATE_LIMIT_KEY ); delete_user_meta( $user->ID, self::USER_FAILED_LOGIN_ATTEMPTS_KEY ); } /** * Notify the user and admin that a password was reset for being compromised. * * @param WP_User $user The user whose password should be reset */ public static function send_password_reset_emails( $user ) { self::notify_user_password_reset( $user ); /** * Filters whether or not to email the site admin when a user's password has been * compromised and reset. * * @param bool $reset `true` to notify the admin, `false` to not notify them. */ $notify_admin = apply_filters( 'two_factor_notify_admin_user_password_reset', true ); $admin_email = get_option( 'admin_email' ); if ( $notify_admin && $admin_email !== $user->user_email ) { self::notify_admin_user_password_reset( $user ); } } /** * Notify the user that their password has been compromised and reset. * * @param WP_User $user The user to notify * * @return bool `true` if the email was sent, `false` if it failed. */ public static function notify_user_password_reset( $user ) { $user_message = sprintf( 'Hello %1$s, an unusually high number of failed login attempts have been detected on your account at %2$s. These attempts successfully entered your password, and were only blocked because they failed to enter your second authentication factor. Despite not being able to access your account, this behavior indicates that the attackers have compromised your password. The most common reasons for this are that your password was easy to guess, or was reused on another site which has been compromised. To protect your account, your password has been reset, and you will need to create a new one. For advice on setting a strong password, please read %3$s To pick a new password, please visit %4$s This is an automated notification. If you would like to speak to a site administrator, please contact them directly.', esc_html( $user->user_login ), home_url(), 'https://wordpress.org/documentation/article/password-best-practices/', esc_url( add_query_arg( 'action', 'lostpassword', wp_login_url() ) ) ); $user_message = str_replace( "\t", '', $user_message ); return wp_mail( $user->user_email, 'Your password was compromised and has been reset', $user_message ); } /** * Notify the admin that a user's password was compromised and reset. * * @param WP_User $user The user whose password was reset. * * @return bool `true` if the email was sent, `false` if it failed. */ public static function notify_admin_user_password_reset( $user ) { $admin_email = get_option( 'admin_email' ); $subject = sprintf( 'Compromised password for %s has been reset', esc_html( $user->user_login ) ); $message = sprintf( 'Hello, this is a notice from the Two Factor plugin to inform you that an unusually high number of failed login attempts have been detected on the %1$s account (ID %2$d). Those attempts successfully entered the user\'s password, and were only blocked because they entered invalid second authentication factors. To protect their account, the password has automatically been reset, and they have been notified that they will need to create a new one. If you do not wish to receive these notifications, you can disable them with the `two_factor_notify_admin_user_password_reset` filter. See %3$s for more information. Thank you', esc_html( $user->user_login ), $user->ID, 'https://developer.wordpress.org/plugins/hooks/' ); $message = str_replace( "\t", '', $message ); return wp_mail( $admin_email, $subject, $message ); } /** * Show the password reset error when on the login screen. */ public static function show_password_reset_error() { $error = new WP_Error( 'too_many_attempts', sprintf( '

%s

%s

', __( 'There have been too many failed two-factor authentication attempts, which often indicates that the password has been compromised. The password has been reset in order to protect the account.', 'two-factor' ), __( 'If you are the owner of this account, please check your email for instructions on regaining access.', 'two-factor' ) ) ); login_header( __( 'Password Reset', 'two-factor' ), '', $error ); login_footer(); } /** * Filter the columns on the Users admin screen. * * @param array $columns Available columns. * @return array Updated array of columns. */ public static function filter_manage_users_columns( array $columns ) { $columns['two-factor'] = __( 'Two-Factor', 'two-factor' ); return $columns; } /** * Output the 2FA column data on the Users screen. * * @param string $output The column output. * @param string $column_name The column ID. * @param int $user_id The user ID. * @return string The column output. */ public static function manage_users_custom_column( $output, $column_name, $user_id ) { if ( 'two-factor' !== $column_name ) { return $output; } if ( ! self::is_user_using_two_factor( $user_id ) ) { return sprintf( '%s', esc_html__( 'Disabled', 'two-factor' ) ); } else { $provider = self::get_primary_provider_for_user( $user_id ); return esc_html( $provider->get_label() ); } } /** * Add user profile fields. * * This executes during the `show_user_profile` & `edit_user_profile` actions. * * @since 0.1-dev * * @param WP_User $user WP_User object of the logged-in user. */ public static function user_two_factor_options( $user ) { wp_enqueue_style( 'user-edit-2fa', plugins_url( 'user-edit.css', __FILE__ ), array(), TWO_FACTOR_VERSION ); $enabled_providers = array_keys( self::get_available_providers_for_user( $user ) ); $primary_provider = self::get_primary_provider_for_user( $user->ID ); if ( ! empty( $primary_provider ) && is_object( $primary_provider ) ) { $primary_provider_key = get_class( $primary_provider ); } else { $primary_provider_key = null; } wp_nonce_field( 'user_two_factor_options', '_nonce_user_two_factor_options', false ); ?>
$object ) : ?>
/> />
destroy_all(); } } } } /** * Should the login session persist between sessions. * * @return boolean */ public static function rememberme() { $rememberme = false; if ( ! empty( $_REQUEST['rememberme'] ) ) { $rememberme = true; } return (bool) apply_filters( 'two_factor_rememberme', $rememberme ); } }