Two-Factor - Version 0.5.0

Version Description

Release Info

Developer	kasparsd
Plugin	Two-Factor
Version	0.5.0
Comparing to
See all releases

Code changes from version 0.7.0 to 0.5.0

Files changed (18) hide show

class-two-factor-compat.php +2 -9
class-two-factor-core.php +48 -288
docker-compose.yml +0 -11
includes/Google/u2f-api.js +5 -5
includes/Yubico/U2F.php +2 -2
includes/function.login-header.php +3 -3
providers/{class-two-factor-backup-codes.php → class.two-factor-backup-codes.php} +23 -43
providers/{class-two-factor-dummy.php → class.two-factor-dummy.php} +4 -10
providers/{class-two-factor-email.php → class.two-factor-email.php} +14 -112
providers/{class-two-factor-fido-u2f-admin-list-table.php → class.two-factor-fido-u2f-admin-list-table.php} +12 -20
providers/{class-two-factor-fido-u2f-admin.php → class.two-factor-fido-u2f-admin.php} +28 -45
providers/{class-two-factor-fido-u2f.php → class.two-factor-fido-u2f.php} +44 -57
providers/{class-two-factor-provider.php → class.two-factor-provider.php} +4 -10
providers/{class-two-factor-totp.php → class.two-factor-totp.php} +53 -102
providers/js/fido-u2f-admin-inline-edit.js +1 -2
readme.md +3 -11
readme.txt +3 -11
two-factor.php +4 -17

class-two-factor-compat.php CHANGED Viewed

	@@ -1,12 +1,7 @@
1	<?php
2	- /**
3	- * A compatibility layer for some of the most popular plugins.
4	- *
5	- * @package Two_Factor
6	- */
7
8	/**
9	- * A ~~compatibility~~ layer for some of the most popular plugins.
10	*
11	* Should be used with care because ideally we wouldn't need
12	* any integration specific code for this plugin. Everything should
	@@ -35,9 +30,7 @@ class Two_Factor_Compat {
35	* @return boolean
36	*/
37	public function jetpack_rememberme( $rememberme ) {
38	- $action = ~~filter_input(~~ ~~INPUT_GET,~~ 'action', ~~FILTER_SANITIZE_STRING~~ );
39	-
40	- if ( 'jetpack-sso' === $action && $this->jetpack_is_sso_active() ) {
41	return true;
42	}
43


1	<?php





2
3	/**
4	+ * A compatability layer for some of the most popular plugins.
5	*
6	* Should be used with care because ideally we wouldn't need
7	* any integration specific code for this plugin. Everything should

30	* @return boolean
31	*/
32	public function jetpack_rememberme( $rememberme ) {
33	+ if ( isset( $_GET['action'] ) && 'jetpack-sso' === $_GET['action'] && $this->jetpack_is_sso_active() ) {


34	return true;
35	}
36

class-two-factor-core.php CHANGED Viewed

	@@ -1,10 +1,4 @@
1	<?php
2	- /**
3	- * Two Factore Core Class.
4	- *
5	- * @package Two_Factor
6	- */
7	-
8	/**
9	* Class for creating two factor authorization.
10	*
	@@ -33,35 +27,11 @@ class Two_Factor_Core {
33	*
34	* @type string
35	*/
36	- const USER_META_NONCE_KEY = '_two_factor_nonce';
37	-
38	- /**
39	- * URL query paramater used for our custom actions.
40	- *
41	- * @var string
42	- */
43	- const USER_SETTINGS_ACTION_QUERY_VAR = 'two_factor_action';
44	-
45	- /**
46	- * Nonce key for user settings.
47	- *
48	- * @var string
49	- */
50	- const USER_SETTINGS_ACTION_NONCE_QUERY_ARG = '_two_factor_action_nonce';
51	-
52	- /**
53	- * Keep track of all the password-based authentication sessions that
54	- * need to invalidated before the second factor authentication.
55	- *
56	- * @var array
57	- */
58	- private static $password_auth_tokens = array();
59
60	/**
61	* Set up filters and actions.
62	*
63	- * @param object $compat A compaitbility later for plugins.
64	- *
65	* @since 0.1-dev
66	*/
67	public static function add_hooks( $compat ) {
	@@ -78,21 +48,9 @@ class Two_Factor_Core {
78	add_filter( 'wpmu_users_columns', array( __CLASS__, 'filter_manage_users_columns' ) );
79	add_filter( 'manage_users_custom_column', array( __CLASS__, 'manage_users_custom_column' ), 10, 3 );
80
81	- /**
82	- * Keep track of all the user sessions for which we need to invalidate the
83	- * authentication cookies set during the initial password check.
84	- *
85	- * Is there a better way of doing this?
86	- */
87	- add_action( 'set_auth_cookie', array( __CLASS__, 'collect_auth_cookie_tokens' ) );
88	- add_action( 'set_logged_in_cookie', array( __CLASS__, 'collect_auth_cookie_tokens' ) );
89	-
90	// Run only after the core wp_authenticate_username_password() check.
91	add_filter( 'authenticate', array( __CLASS__, 'filter_authenticate' ), 50 );
92
93	- add_action( 'admin_init', array( __CLASS__, 'trigger_user_settings_action' ) );
94	- add_filter( 'two_factor_providers', array( __CLASS__, 'enable_dummy_method_for_debug' ) );
95	-
96	$compat->init();
97	}
98
	@@ -114,11 +72,11 @@ class Two_Factor_Core {
114	*/
115	public static function get_providers() {
116	$providers = array(
117	- 'Two_Factor_Email' => TWO_FACTOR_DIR . 'providers/class-two-factor-email.php',
118	- 'Two_Factor_Totp' => TWO_FACTOR_DIR . 'providers/class-two-factor-totp.php',
119	- 'Two_Factor_FIDO_U2F' => TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f.php',
120	- 'Two_Factor_Backup_Codes' => TWO_FACTOR_DIR . 'providers/class-two-factor-backup-codes.php',
121	- 'Two_Factor_Dummy' => TWO_FACTOR_DIR . 'providers/class-two-factor-dummy.php',
122	);
123
124	/**
	@@ -135,20 +93,18 @@ class Two_Factor_Core {
135	// FIDO U2F is PHP 5.3+ only.
136	if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && version_compare( PHP_VERSION, '5.3.0', '<' ) ) {
137	unset( $providers['Two_Factor_FIDO_U2F'] );
138	- trigger_error( // ~~phpcs~~:~~ignore~~ ~~WordPress~~.~~PHP.DevelopmentFunctions.error_log_trigger_error~~
139	- sprintf(
140	/* translators: %s: version number */
141	- __( 'FIDO U2F is not available because you are using PHP %s. (Requires 5.3 or greater)', 'two-factor' ), ~~// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped~~
142	- PHP_VERSION
143	- )
144	- );
145	}
146
147	/**
148	* For each filtered provider,
149	*/
150	foreach ( $providers as $class => $path ) {
151	- include_once $path;
152
153	/**
154	* Confirm that it's been successfully included before instantiating.
	@@ -165,149 +121,6 @@ class Two_Factor_Core {
165	return $providers;
166	}
167
168	- /**
169	- * Enable the dummy method only during debugging.
170	- *
171	- * @param array $methods List of enabled methods.
172	- *
173	- * @return array
174	- */
175	- public static function enable_dummy_method_for_debug( $methods ) {
176	- if ( ! self::is_wp_debug() ) {
177	- unset( $methods['Two_Factor_Dummy'] );
178	- }
179	-
180	- return $methods;
181	- }
182	-
183	- /**
184	- * Check if the debug mode is enabled.
185	- *
186	- * @return boolean
187	- */
188	- protected static function is_wp_debug() {
189	- return ( defined( 'WP_DEBUG' ) && WP_DEBUG );
190	- }
191	-
192	- /**
193	- * Get the user settings page URL.
194	- *
195	- * Fetch this from the plugin core after we introduce proper dependency injection
196	- * and get away from the singletons at the provider level (should be handled by core).
197	- *
198	- * @param integer $user_id User ID.
199	- *
200	- * @return string
201	- */
202	- protected static function get_user_settings_page_url( $user_id ) {
203	- $page = 'user-edit.php';
204	-
205	- if ( defined( 'IS_PROFILE_PAGE' ) && IS_PROFILE_PAGE ) {
206	- $page = 'profile.php';
207	- }
208	-
209	- return add_query_arg(
210	- array(
211	- 'user_id' => intval( $user_id ),
212	- ),
213	- self_admin_url( $page )
214	- );
215	- }
216	-
217	- /**
218	- * Get the URL for resetting the secret token.
219	- *
220	- * @param integer $user_id User ID.
221	- * @param string $action Custom two factor action key.
222	- *
223	- * @return string
224	- */
225	- public static function get_user_update_action_url( $user_id, $action ) {
226	- return wp_nonce_url(
227	- add_query_arg(
228	- array(
229	- self::USER_SETTINGS_ACTION_QUERY_VAR => $action,
230	- ),
231	- self::get_user_settings_page_url( $user_id )
232	- ),
233	- sprintf( '%d-%s', $user_id, $action ),
234	- self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG
235	- );
236	- }
237	-
238	- /**
239	- * Check if a user action is valid.
240	- *
241	- * @param integer $user_id User ID.
242	- * @param string $action User action ID.
243	- *
244	- * @return boolean
245	- */
246	- public static function is_valid_user_action( $user_id, $action ) {
247	- $request_nonce = filter_input( INPUT_GET, self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG, FILTER_SANITIZE_STRING );
248	-
249	- return wp_verify_nonce(
250	- $request_nonce,
251	- sprintf( '%d-%s', $user_id, $action )
252	- );
253	- }
254	-
255	- /**
256	- * Get the ID of the user being edited.
257	- *
258	- * @return integer
259	- */
260	- public static function current_user_being_edited() {
261	- // Try to resolve the user ID from the request first.
262	- if ( ! empty( $_REQUEST['user_id'] ) ) {
263	- $user_id = intval( $_REQUEST['user_id'] );
264	-
265	- if ( current_user_can( 'edit_user', $user_id ) ) {
266	- return $user_id;
267	- }
268	- }
269	-
270	- return get_current_user_id();
271	- }
272	-
273	- /**
274	- * Trigger our custom update action if a valid
275	- * action request is detected and passes the nonce check.
276	- *
277	- * @return void
278	- */
279	- public static function trigger_user_settings_action() {
280	- $action = filter_input( INPUT_GET, self::USER_SETTINGS_ACTION_QUERY_VAR, FILTER_SANITIZE_STRING );
281	- $user_id = self::current_user_being_edited();
282	-
283	- if ( ! empty( $action ) && self::is_valid_user_action( $user_id, $action ) ) {
284	- /**
285	- * This action is triggered when a valid Two Factor settings
286	- * action is detected and it passes the nonce validation.
287	- *
288	- * @param integer $user_id User ID.
289	- * @param string $action Settings action.
290	- */
291	- do_action( 'two_factor_user_settings_action', $user_id, $action );
292	- }
293	- }
294	-
295	- /**
296	- * Keep track of all the authentication cookies that need to be
297	- * invalidated before the second factor authentication.
298	- *
299	- * @param string $cookie Cookie string.
300	- *
301	- * @return void
302	- */
303	- public static function collect_auth_cookie_tokens( $cookie ) {
304	- $parsed = wp_parse_auth_cookie( $cookie );
305	-
306	- if ( ! empty( $parsed['token'] ) ) {
307	- self::$password_auth_tokens[] = $parsed['token'];
308	- }
309	- }
310	-
311	/**
312	* Get all Two-Factor Auth providers that are enabled for the specified\|current user.
313	*
	@@ -326,13 +139,7 @@ class Two_Factor_Core {
326	}
327	$enabled_providers = array_intersect( $enabled_providers, array_keys( $providers ) );
328
329	- /**
330	- * Filter the enabled two-factor authentication providers for this user.
331	- *
332	- * @param array $enabled_providers The enabled providers.
333	- * @param int $user_id The user ID.
334	- */
335	- return apply_filters( 'two_factor_enabled_providers_for_user', $enabled_providers, $user->ID );
336	}
337
338	/**
	@@ -351,7 +158,7 @@ class Two_Factor_Core {
351	$configured_providers = array();
352
353	foreach ( $providers as $classname => $provider ) {
354	- if ( in_array( $classname, $enabled_providers, ~~true~~ ) && $provider->is_available_for_user( $user ) ) {
355	$configured_providers[ $classname ] = $provider;
356	}
357	}
	@@ -430,35 +237,12 @@ class Two_Factor_Core {
430	return;
431	}
432
433	- // Invalidate the current login session to prevent from being re-used.
434	- self::destroy_current_session_for_user( $user );
435	-
436	- // Also clear the cookies which are no longer valid.
437	wp_clear_auth_cookie();
438
439	self::show_two_factor_login( $user );
440	exit;
441	}
442
443	- /**
444	- * Destroy the known password-based authentication sessions for the current user.
445	- *
446	- * Is there a better way of finding the current session token without
447	- * having access to the authentication cookies which are just being set
448	- * on the first password-based authentication request.
449	- *
450	- * @param \WP_User $user User object.
451	- *
452	- * @return void
453	- */
454	- public static function destroy_current_session_for_user( $user ) {
455	- $session_manager = WP_Session_Tokens::get_instance( $user->ID );
456	-
457	- foreach ( self::$password_auth_tokens as $auth_token ) {
458	- $session_manager->destroy( $auth_token );
459	- }
460	- }
461	-
462	/**
463	* Prevent login through XML-RPC and REST API for users with at least one
464	* two-factor method enabled.
	@@ -536,33 +320,29 @@ class Two_Factor_Core {
536	* @since 0.1-dev
537	*/
538	public static function backup_2fa() {
539	- ~~$wp_auth_id~~ = ~~filter_input~~( ~~INPUT_GET~~, 'wp-auth-id', ~~FILTER_SANITIZE_NUMBER_INT~~ );
540	- $nonce = filter_input( INPUT_GET, 'wp-auth-nonce', FILTER_SANITIZE_STRING );
541	- $provider = filter_input( INPUT_GET, 'provider', FILTER_SANITIZE_STRING );
542	-
543	- if ( ! $wp_auth_id \|\| ! $nonce \|\| ! $provider ) {
544	return;
545	}
546
547	- $user = get_userdata( $~~wp_auth_id~~ );
548	if ( ! $user ) {
549	return;
550	}
551

552	if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) {
553	wp_safe_redirect( get_bloginfo( 'url' ) );
554	exit;
555	}
556
557	$providers = self::get_available_providers_for_user( $user );
558	- if ( isset( $providers[ $provider ] ) ) {
559	- $provider = $providers[ $provider ];
560	} else {
561	wp_die( esc_html__( 'Cheatin’ uh?', 'two-factor' ), 403 );
562	}
563
564	- ~~$redirect_to = filter_input~~( ~~INPUT_GET~~, 'redirect_to', ~~FILTER_SANITIZE_URL~~ );
565	- self::login_html( $user, $nonce, $redirect_to, '', $provider );
566
567	exit;
568	}
	@@ -588,14 +368,14 @@ class Two_Factor_Core {
588	$provider_class = get_class( $provider );
589
590	$available_providers = self::get_available_providers_for_user( $user );
591	- $backup_providers = array_diff_key( $available_providers, array( $provider_class => null ) );
592	- $interim_login = isset( $_REQUEST['interim-login'] ); // ~~phpcs~~:~~ignore~~ ~~WordPress~~.~~Security.NonceVerification.Recommended~~
593
594	$rememberme = intval( self::rememberme() );
595
596	if ( ! function_exists( 'login_header' ) ) {
597	// We really should migrate login_header() out of `wp-login.php` so it can be called from an includes file.
598	- include_once TWO_FACTOR_DIR . 'includes/function.login-header.php';
599	}
600
601	login_header();
	@@ -609,11 +389,11 @@ class Two_Factor_Core {
609	<input type="hidden" name="provider" id="provider" value="<?php echo esc_attr( $provider_class ); ?>" />
610	<input type="hidden" name="wp-auth-id" id="wp-auth-id" value="<?php echo esc_attr( $user->ID ); ?>" />
611	<input type="hidden" name="wp-auth-nonce" id="wp-auth-nonce" value="<?php echo esc_attr( $login_nonce ); ?>" />
612	- <?php if ( $interim_login ) { ?>
613	<input type="hidden" name="interim-login" value="1" />
614	- <?php } else { ?>
615	<input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
616	- <?php } ?>
617	<input type="hidden" name="rememberme" id="rememberme" value="<?php echo esc_attr( $rememberme ); ?>" />
618
619	<?php $provider->authentication_page( $user ); ?>
	@@ -622,8 +402,8 @@ class Two_Factor_Core {
622	<?php
623	if ( 1 === count( $backup_providers ) ) :
624	$backup_classname = key( $backup_providers );
625	- $backup_provider = $backup_providers[ $backup_classname ];
626	- $login_url = self::login_url(
627	array(
628	'action' => 'backup_2fa',
629	'provider' => $backup_classname,
	@@ -717,8 +497,7 @@ class Two_Factor_Core {
717
718	<?php
719	/** This action is documented in wp-login.php */
720	- do_action( 'login_footer' );
721	- ?>
722	<div class="clear"></div>
723	</body>
724	</html>
	@@ -752,11 +531,11 @@ class Two_Factor_Core {
752	* @return array
753	*/
754	public static function create_login_nonce( $user_id ) {
755	- $login_nonce = array();
756	try {
757	$login_nonce['key'] = bin2hex( random_bytes( 32 ) );
758	- } catch ( Exception $ex ) {
759	- $login_nonce['key'] = wp_hash( $user_id . ~~wp_rand~~() . microtime(), 'nonce' );
760	}
761	$login_nonce['expiration'] = time() + HOUR_IN_SECONDS;
762
	@@ -808,28 +587,25 @@ class Two_Factor_Core {
808	* @since 0.1-dev
809	*/
810	public static function login_form_validate_2fa() {
811	- ~~$wp_auth_id~~ = ~~filter_input~~( ~~INPUT_POST,~~ 'wp-auth-id', ~~FILTER_SANITIZE_NUMBER_INT~~ );
812	- $nonce = filter_input( INPUT_POST, 'wp-auth-nonce', FILTER_SANITIZE_STRING );
813	-
814	- if ( ! $wp_auth_id \|\| ! $nonce ) {
815	return;
816	}
817
818	- $user = get_userdata( $~~wp_auth_id~~ );
819	if ( ! $user ) {
820	return;
821	}
822

823	if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) {
824	wp_safe_redirect( get_bloginfo( 'url' ) );
825	exit;
826	}
827
828	- ~~$provider~~ = ~~filter_input~~( ~~INPUT_POST,~~ 'provider', ~~FILTER_SANITIZE_STRING~~ );
829	- if ( $provider ) {
830	$providers = self::get_available_providers_for_user( $user );
831	- if ( isset( $providers[ $provider ] ) ) {
832	- $provider = $providers[ $provider ];
833	} else {
834	wp_die( esc_html__( 'Cheatin’ uh?', 'two-factor' ), 403 );
835	}
	@@ -870,11 +646,9 @@ class Two_Factor_Core {
870
871	wp_set_auth_cookie( $user->ID, $rememberme );
872
873	- do_action( 'two_factor_user_authenticated', $user );
874	-
875	// Must be global because that's how login_header() uses it.
876	global $interim_login;
877	- $interim_login = isset( $_REQUEST['interim-login'] ); // ~~phpcs~~:~~ignore~~ ~~WordPress~~.~~WP.GlobalVariablesOverride.Prohibited,WordPress.Security.NonceVerification.Recommended~~
878
879	if ( $interim_login ) {
880	$customize_login = isset( $_REQUEST['customize-login'] );
	@@ -882,16 +656,14 @@ class Two_Factor_Core {
882	wp_enqueue_script( 'customize-base' );
883	}
884	$message = '<p class="message">' . __( 'You have logged in successfully.', 'two-factor' ) . '</p>';
885	- $interim_login = 'success'; // ~~phpcs~~:~~ignore~~ ~~WordPress~~.~~WP.GlobalVariablesOverride.Prohibited~~
886	- login_header( '', $message );
887	- ?>
888	</div>
889	<?php
890	/** This action is documented in wp-login.php */
891	- do_action( 'login_footer' );
892	- ?>
893	<?php if ( $customize_login ) : ?>
894	- <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo ~~esc_url(~~ wp_customize_url() ); ?>', channel: 'login' }).send('login') }, 1000 );</script>
895	<?php endif; ?>
896	</body></html>
897	<?php
	@@ -947,10 +719,10 @@ class Two_Factor_Core {
947	* @param WP_User $user WP_User object of the logged-in user.
948	*/
949	public static function user_two_factor_options( $user ) {
950	- wp_enqueue_style( 'user-edit-2fa', plugins_url( 'user-edit.css', __FILE__ ), ~~array(~~)~~, TWO_FACTOR_VERSION )~~;
951
952	$enabled_providers = array_keys( self::get_available_providers_for_user( $user ) );
953	- $primary_provider = self::get_primary_provider_for_user( $user->ID );
954
955	if ( ! empty( $primary_provider ) && is_object( $primary_provider ) ) {
956	$primary_provider_key = get_class( $primary_provider );
	@@ -979,24 +751,11 @@ class Two_Factor_Core {
979	<tbody>
980	<?php foreach ( self::get_providers() as $class => $object ) : ?>
981	<tr>
982	- <th scope="row"><input type="checkbox" name="<?php echo esc_attr( self::ENABLED_PROVIDERS_USER_META_KEY ); ?>[]" value="<?php echo esc_attr( $class ); ?>" <?php checked( in_array( $class, $enabled_providers, ~~true~~ ) ); ?> /></th>
983	<th scope="row"><input type="radio" name="<?php echo esc_attr( self::PROVIDER_USER_META_KEY ); ?>" value="<?php echo esc_attr( $class ); ?>" <?php checked( $class, $primary_provider_key ); ?> /></th>
984	<td>
985	- <?php
986	- $~~object->print_label(~~);
987	-
988	- /**
989	- * Fires after user options are shown.
990	- *
991	- * Use the {@see 'two_factor_user_options_' . $class } hook instead.
992	- *
993	- * @deprecated 0.7.0
994	- *
995	- * @param WP_User $user The user.
996	- */
997	- do_action_deprecated( 'two-factor-user-options-' . $class, array( $user ), '0.7.0', 'two_factor_user_options_' . $class );
998	- do_action( 'two_factor_user_options_' . $class, $user );
999	- ?>
1000	</td>
1001	</tr>
1002	<?php endforeach; ?>
	@@ -1065,3 +824,4 @@ class Two_Factor_Core {
1065	return (bool) apply_filters( 'two_factor_rememberme', $rememberme );
1066	}
1067	}


1	<?php






2	/**
3	* Class for creating two factor authorization.
4	*

27	*
28	* @type string
29	*/
30	+ const USER_META_NONCE_KEY = '_two_factor_nonce';






















31
32	/**
33	* Set up filters and actions.
34	*


35	* @since 0.1-dev
36	*/
37	public static function add_hooks( $compat ) {

48	add_filter( 'wpmu_users_columns', array( __CLASS__, 'filter_manage_users_columns' ) );
49	add_filter( 'manage_users_custom_column', array( __CLASS__, 'manage_users_custom_column' ), 10, 3 );
50









51	// Run only after the core wp_authenticate_username_password() check.
52	add_filter( 'authenticate', array( __CLASS__, 'filter_authenticate' ), 50 );
53



54	$compat->init();
55	}
56

72	*/
73	public static function get_providers() {
74	$providers = array(
75	+ 'Two_Factor_Email' => TWO_FACTOR_DIR . 'providers/class.two-factor-email.php',
76	+ 'Two_Factor_Totp' => TWO_FACTOR_DIR . 'providers/class.two-factor-totp.php',
77	+ 'Two_Factor_FIDO_U2F' => TWO_FACTOR_DIR . 'providers/class.two-factor-fido-u2f.php',
78	+ 'Two_Factor_Backup_Codes' => TWO_FACTOR_DIR . 'providers/class.two-factor-backup-codes.php',
79	+ 'Two_Factor_Dummy' => TWO_FACTOR_DIR . 'providers/class.two-factor-dummy.php',
80	);
81
82	/**

93	// FIDO U2F is PHP 5.3+ only.
94	if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && version_compare( PHP_VERSION, '5.3.0', '<' ) ) {
95	unset( $providers['Two_Factor_FIDO_U2F'] );
96	+ trigger_error( sprintf( // WPCS: XSS OK.

97	/* translators: %s: version number */
98	+ __( 'FIDO U2F is not available because you are using PHP %s. (Requires 5.3 or greater)', 'two-factor' ),
99	+ PHP_VERSION
100	+ ) );

101	}
102
103	/**
104	* For each filtered provider,
105	*/
106	foreach ( $providers as $class => $path ) {
107	+ include_once( $path );
108
109	/**
110	* Confirm that it's been successfully included before instantiating.

121	return $providers;
122	}
123















































































































































124	/**
125	* Get all Two-Factor Auth providers that are enabled for the specified\|current user.
126	*

139	}
140	$enabled_providers = array_intersect( $enabled_providers, array_keys( $providers ) );
141
142	+ return $enabled_providers;






143	}
144
145	/**

158	$configured_providers = array();
159
160	foreach ( $providers as $classname => $provider ) {
161	+ if ( in_array( $classname, $enabled_providers ) && $provider->is_available_for_user( $user ) ) {
162	$configured_providers[ $classname ] = $provider;
163	}
164	}

237	return;
238	}
239




240	wp_clear_auth_cookie();
241
242	self::show_two_factor_login( $user );
243	exit;
244	}
245



















246	/**
247	* Prevent login through XML-RPC and REST API for users with at least one
248	* two-factor method enabled.

320	* @since 0.1-dev
321	*/
322	public static function backup_2fa() {
323	+ if ( ! isset( $_GET['wp-auth-id'], $_GET['wp-auth-nonce'], $_GET['provider'] ) ) {




324	return;
325	}
326
327	+ $user = get_userdata( $_GET['wp-auth-id'] );
328	if ( ! $user ) {
329	return;
330	}
331
332	+ $nonce = $_GET['wp-auth-nonce'];
333	if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) {
334	wp_safe_redirect( get_bloginfo( 'url' ) );
335	exit;
336	}
337
338	$providers = self::get_available_providers_for_user( $user );
339	+ if ( isset( $providers[ $_GET['provider'] ] ) ) {
340	+ $provider = $providers[ $_GET['provider'] ];
341	} else {
342	wp_die( esc_html__( 'Cheatin’ uh?', 'two-factor' ), 403 );
343	}
344
345	+ self::login_html( $user, $_GET['wp-auth-nonce'], $_GET['redirect_to'], '', $provider );

346
347	exit;
348	}

368	$provider_class = get_class( $provider );
369
370	$available_providers = self::get_available_providers_for_user( $user );
371	+ $backup_providers = array_diff_key( $available_providers, array( $provider_class => null ) );
372	+ $interim_login = isset( $_REQUEST['interim-login'] ); // WPCS: CSRF ok.
373
374	$rememberme = intval( self::rememberme() );
375
376	if ( ! function_exists( 'login_header' ) ) {
377	// We really should migrate login_header() out of `wp-login.php` so it can be called from an includes file.
378	+ include_once( TWO_FACTOR_DIR . 'includes/function.login-header.php' );
379	}
380
381	login_header();

389	<input type="hidden" name="provider" id="provider" value="<?php echo esc_attr( $provider_class ); ?>" />
390	<input type="hidden" name="wp-auth-id" id="wp-auth-id" value="<?php echo esc_attr( $user->ID ); ?>" />
391	<input type="hidden" name="wp-auth-nonce" id="wp-auth-nonce" value="<?php echo esc_attr( $login_nonce ); ?>" />
392	+ <?php if ( $interim_login ) { ?>
393	<input type="hidden" name="interim-login" value="1" />
394	+ <?php } else { ?>
395	<input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
396	+ <?php } ?>
397	<input type="hidden" name="rememberme" id="rememberme" value="<?php echo esc_attr( $rememberme ); ?>" />
398
399	<?php $provider->authentication_page( $user ); ?>

402	<?php
403	if ( 1 === count( $backup_providers ) ) :
404	$backup_classname = key( $backup_providers );
405	+ $backup_provider = $backup_providers[ $backup_classname ];
406	+ $login_url = self::login_url(
407	array(
408	'action' => 'backup_2fa',
409	'provider' => $backup_classname,

497
498	<?php
499	/** This action is documented in wp-login.php */
500	+ do_action( 'login_footer' ); ?>

501	<div class="clear"></div>
502	</body>
503	</html>

531	* @return array
532	*/
533	public static function create_login_nonce( $user_id ) {
534	+ $login_nonce = array();
535	try {
536	$login_nonce['key'] = bin2hex( random_bytes( 32 ) );
537	+ } catch (Exception $ex) {
538	+ $login_nonce['key'] = wp_hash( $user_id . mt_rand() . microtime(), 'nonce' );
539	}
540	$login_nonce['expiration'] = time() + HOUR_IN_SECONDS;
541

587	* @since 0.1-dev
588	*/
589	public static function login_form_validate_2fa() {
590	+ if ( ! isset( $_POST['wp-auth-id'], $_POST['wp-auth-nonce'] ) ) {



591	return;
592	}
593
594	+ $user = get_userdata( $_POST['wp-auth-id'] );
595	if ( ! $user ) {
596	return;
597	}
598
599	+ $nonce = $_POST['wp-auth-nonce'];
600	if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) {
601	wp_safe_redirect( get_bloginfo( 'url' ) );
602	exit;
603	}
604
605	+ if ( isset( $_POST['provider'] ) ) {

606	$providers = self::get_available_providers_for_user( $user );
607	+ if ( isset( $providers[ $_POST['provider'] ] ) ) {
608	+ $provider = $providers[ $_POST['provider'] ];
609	} else {
610	wp_die( esc_html__( 'Cheatin’ uh?', 'two-factor' ), 403 );
611	}

646
647	wp_set_auth_cookie( $user->ID, $rememberme );
648


649	// Must be global because that's how login_header() uses it.
650	global $interim_login;
651	+ $interim_login = isset( $_REQUEST['interim-login'] ); // WPCS: override ok.
652
653	if ( $interim_login ) {
654	$customize_login = isset( $_REQUEST['customize-login'] );

656	wp_enqueue_script( 'customize-base' );
657	}
658	$message = '<p class="message">' . __( 'You have logged in successfully.', 'two-factor' ) . '</p>';
659	+ $interim_login = 'success'; // WPCS: override ok.
660	+ login_header( '', $message ); ?>

661	</div>
662	<?php
663	/** This action is documented in wp-login.php */
664	+ do_action( 'login_footer' ); ?>

665	<?php if ( $customize_login ) : ?>
666	+ <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); /* WPCS: XSS OK. */ ?>', channel: 'login' }).send('login') }, 1000 );</script>
667	<?php endif; ?>
668	</body></html>
669	<?php

719	* @param WP_User $user WP_User object of the logged-in user.
720	*/
721	public static function user_two_factor_options( $user ) {
722	+ wp_enqueue_style( 'user-edit-2fa', plugins_url( 'user-edit.css', __FILE__ ) );
723
724	$enabled_providers = array_keys( self::get_available_providers_for_user( $user ) );
725	+ $primary_provider = self::get_primary_provider_for_user( $user->ID );
726
727	if ( ! empty( $primary_provider ) && is_object( $primary_provider ) ) {
728	$primary_provider_key = get_class( $primary_provider );

751	<tbody>
752	<?php foreach ( self::get_providers() as $class => $object ) : ?>
753	<tr>
754	+ <th scope="row"><input type="checkbox" name="<?php echo esc_attr( self::ENABLED_PROVIDERS_USER_META_KEY ); ?>[]" value="<?php echo esc_attr( $class ); ?>" <?php checked( in_array( $class, $enabled_providers ) ); ?> /></th>
755	<th scope="row"><input type="radio" name="<?php echo esc_attr( self::PROVIDER_USER_META_KEY ); ?>" value="<?php echo esc_attr( $class ); ?>" <?php checked( $class, $primary_provider_key ); ?> /></th>
756	<td>
757	+ <?php $object->print_label(); ?>
758	+ <?php do_action( 'two-factor-user-options-' . $class, $user ); ?>













759	</td>
760	</tr>
761	<?php endforeach; ?>

824	return (bool) apply_filters( 'two_factor_rememberme', $rememberme );
825	}
826	}
827	+

docker-compose.yml DELETED Viewed

@@ -1,11 +0,0 @@
-            -
            version: '3.6'
-            -
-            -
            services:
-            -
-            -
              wpdevlib:
-            -
                build: ./tests/docker/wp-dev-lib
-            -
                working_dir: /var/www/html
-            -
                volumes:
-            -
                  - .:/var/www/html
-            -
                environment:
-            -
                  CHECK_SCOPE: all

includes/Google/u2f-api.js CHANGED Viewed

	@@ -288,7 +288,7 @@ u2f.WrappedChromeRuntimePort_ = function(port) {
288	u2f.formatSignRequest_ =
289	function(appId, challenge, registeredKeys, timeoutSeconds, reqId) {
290	if (js_api_version === undefined \|\| js_api_version < 1.1) {
291	- // Adapt request to the 1.0 JS API.
292	var signRequests = [];
293	for (var i = 0; i < registeredKeys.length; i++) {
294	signRequests[i] = {
	@@ -305,7 +305,7 @@ u2f.formatSignRequest_ =
305	requestId: reqId
306	};
307	}
308	- // JS 1.1 API.
309	return {
310	type: u2f.MessageTypes.U2F_SIGN_REQUEST,
311	appId: appId,
	@@ -327,7 +327,7 @@ u2f.formatSignRequest_ =
327	u2f.formatRegisterRequest_ =
328	function(appId, registeredKeys, registerRequests, timeoutSeconds, reqId) {
329	if (js_api_version === undefined \|\| js_api_version < 1.1) {
330	- // Adapt request to the 1.0 JS API.
331	for (var i = 0; i < registerRequests.length; i++) {
332	registerRequests[i].appId = appId;
333	}
	@@ -348,7 +348,7 @@ u2f.formatRegisterRequest_ =
348	requestId: reqId
349	};
350	}
351	- // JS 1.1 API.
352	return {
353	type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
354	appId: appId,
	@@ -380,7 +380,7 @@ u2f.WrappedChromeRuntimePort_.prototype.addEventListener =
380	var name = eventName.toLowerCase();
381	if (name == 'message' \|\| name == 'onmessage') {
382	this.port_.onMessage.addListener(function(message) {
383	- // Emulate a minimal MessageEvent object.
384	handler({'data': message});
385	});
386	} else {


288	u2f.formatSignRequest_ =
289	function(appId, challenge, registeredKeys, timeoutSeconds, reqId) {
290	if (js_api_version === undefined \|\| js_api_version < 1.1) {
291	+ // Adapt request to the 1.0 JS API
292	var signRequests = [];
293	for (var i = 0; i < registeredKeys.length; i++) {
294	signRequests[i] = {

305	requestId: reqId
306	};
307	}
308	+ // JS 1.1 API
309	return {
310	type: u2f.MessageTypes.U2F_SIGN_REQUEST,
311	appId: appId,

327	u2f.formatRegisterRequest_ =
328	function(appId, registeredKeys, registerRequests, timeoutSeconds, reqId) {
329	if (js_api_version === undefined \|\| js_api_version < 1.1) {
330	+ // Adapt request to the 1.0 JS API
331	for (var i = 0; i < registerRequests.length; i++) {
332	registerRequests[i].appId = appId;
333	}

348	requestId: reqId
349	};
350	}
351	+ // JS 1.1 API
352	return {
353	type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
354	appId: appId,

380	var name = eventName.toLowerCase();
381	if (name == 'message' \|\| name == 'onmessage') {
382	this.port_.onMessage.addListener(function(message) {
383	+ // Emulate a minimal MessageEvent object
384	handler({'data': message});
385	});
386	} else {

includes/Yubico/U2F.php CHANGED Viewed

	@@ -164,7 +164,7 @@ class U2F
164	$offs = 1;
165	$pubKey = substr($rawReg, $offs, PUBKEY_LEN);
166	$offs += PUBKEY_LEN;
167	- // ~~Decode~~ the pubKey to make sure it's good.
168	$tmpKey = $this->pubkey_to_pem($pubKey);
169	if($tmpKey === null) {
170	throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );
	@@ -175,7 +175,7 @@ class U2F
175	$offs += $khLen;
176	$registration->keyHandle = $this->base64u_encode($kh);
177
178	- // length of certificate is stored in byte 3 and 4 (excluding the first 4 bytes).
179	$certLen = 4;
180	$certLen += ($regData[$offs + 2] << 8);
181	$certLen += $regData[$offs + 3];


164	$offs = 1;
165	$pubKey = substr($rawReg, $offs, PUBKEY_LEN);
166	$offs += PUBKEY_LEN;
167	+ // decode the pubKey to make sure it's good
168	$tmpKey = $this->pubkey_to_pem($pubKey);
169	if($tmpKey === null) {
170	throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );

175	$offs += $khLen;
176	$registration->keyHandle = $this->base64u_encode($kh);
177
178	+ // length of certificate is stored in byte 3 and 4 (excluding the first 4 bytes)
179	$certLen = 4;
180	$certLen += ($regData[$offs + 2] << 8);
181	$certLen += $regData[$offs + 3];

includes/function.login-header.php CHANGED Viewed

	@@ -14,7 +14,7 @@
14	function login_header( $title = 'Log In', $message = '', $wp_error = null ) {
15	global $error, $interim_login, $action;
16
17	- // Don't index any of these forms.
18	add_action( 'login_head', 'wp_no_robots' );
19
20	add_action( 'login_head', 'wp_login_viewport_meta' );
	@@ -179,7 +179,7 @@ function login_header( $title = 'Log In', $message = '', $wp_error = null ) {
179	if ( !empty( $message ) )
180	echo $message . "\n";
181
182	- // In case a plugin uses $error rather than the $wp_errors object.
183	if ( !empty( $error ) ) {
184	$wp_error->add('error', $error);
185	unset($error);
	@@ -218,7 +218,7 @@ function login_header( $title = 'Log In', $message = '', $wp_error = null ) {
218	echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n";
219	}
220	}
221	- } // End of login_header().
222
223	function wp_login_viewport_meta() {
224	?>


14	function login_header( $title = 'Log In', $message = '', $wp_error = null ) {
15	global $error, $interim_login, $action;
16
17	+ // Don't index any of these forms
18	add_action( 'login_head', 'wp_no_robots' );
19
20	add_action( 'login_head', 'wp_login_viewport_meta' );

179	if ( !empty( $message ) )
180	echo $message . "\n";
181
182	+ // In case a plugin uses $error rather than the $wp_errors object
183	if ( !empty( $error ) ) {
184	$wp_error->add('error', $error);
185	unset($error);

218	echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n";
219	}
220	}
221	+ } // End of login_header()
222
223	function wp_login_viewport_meta() {
224	?>

providers/{class-two-factor-backup-codes.php → class.two-factor-backup-codes.php} RENAMED Viewed

	@@ -1,10 +1,4 @@
1	<?php
2	- /**
3	- * Class for creating a backup codes provider.
4	- *
5	- * @package Two_Factor
6	- */
7	-
8	/**
9	* Class for creating a backup codes provider.
10	*
	@@ -33,11 +27,11 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
33	*
34	* @since 0.1-dev
35	*/
36	- ~~public~~ static function get_instance() {
37	static $instance;
38	$class = __CLASS__;
39	if ( ! is_a( $instance, $class ) ) {
40	- $instance = new $class();
41	}
42	return $instance;
43	}
	@@ -48,7 +42,7 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
48	* @since 0.1-dev
49	*/
50	protected function __construct() {
51	- add_action( '~~two_factor_user_options_~~' . __CLASS__, array( $this, 'user_options' ) );
52	add_action( 'admin_notices', array( $this, 'admin_notices' ) );
53	add_action( 'wp_ajax_two_factor_backup_codes_generate', array( $this, 'ajax_generate_json' ) );
54
	@@ -64,7 +58,7 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
64	$user = wp_get_current_user();
65
66	// Return if the provider is not enabled.
67	- if ( ! in_array( __CLASS__, Two_Factor_Core::get_enabled_providers_for_user( $user->ID ), ~~true~~ ) ) {
68	return;
69	}
70
	@@ -77,13 +71,9 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
77	<p>
78	<span>
79	<?php
80	- ~~wp_kses~~(
81	- ~~sprintf~~(
82	- /* ~~translators:~~ ~~%s:~~ ~~URL~~ ~~for~~ ~~code~~ ~~regeneration */~~
83	- __( 'Two-Factor: You are out of backup codes and need to <a href="%s">regenerate!</a>', 'two-factor' ),
84	- esc_url( get_edit_user_link( $user->ID ) . '#two-factor-backup-codes' )
85	- ),
86	- array( 'a' => array( 'href' => true ) )
87	);
88	?>
89	<span>
	@@ -126,23 +116,19 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
126	*/
127	public function user_options( $user ) {
128	$ajax_nonce = wp_create_nonce( 'two-factor-backup-codes-generate-json-' . $user->ID );
129	- $count = self::codes_remaining_for_user( $user );
130	?>
131	<p id="two-factor-backup-codes">
132	<button type="button" class="button button-two-factor-backup-codes-generate button-secondary hide-if-no-js">
133	<?php esc_html_e( 'Generate Verification Codes', 'two-factor' ); ?>
134	</button>
135	- <span class="two-factor-backup-codes-count">
136	- ~~<?php~~
137	- echo esc_html(
138	- sprintf(
139	/* translators: %s: count */
140	- _n( '%s unused code remaining.', '%s unused codes remaining.', $count, 'two-factor' ),
141	- $count
142	- )
143	- );
144	- ?>
145	- </span>
146	</p>
147	<div class="two-factor-backup-codes-wrapper" style="display:none;">
148	<ol class="two-factor-backup-codes-unused-codes"></ol>
	@@ -177,7 +163,7 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
177	// Update counter.
178	$( '.two-factor-backup-codes-count' ).html( response.data.i18n.count );
179
180	- // Build the download link.
181	var txt_data = 'data:application/text;charset=utf-8,' + '\n';
182	txt_data += response.data.i18n.title.replace( /%s/g, document.domain ) + '\n\n';
183
	@@ -204,7 +190,7 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
204	* @return array
205	*/
206	public function generate_codes( $user, $args = '' ) {
207	- $codes = array();
208	$codes_hashed = array();
209
210	// Check for arguments.
	@@ -220,9 +206,9 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
220	}
221
222	for ( $i = 0; $i < $num_codes; $i++ ) {
223	- $code = $this->get_code();
224	$codes_hashed[] = wp_hash_password( $code );
225	- $codes[] = $code;
226	unset( $code );
227	}
228
	@@ -238,13 +224,13 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
238	* @since 0.1-dev
239	*/
240	public function ajax_generate_json() {
241	- $user = get_user_by( 'id', ~~filter_input~~( ~~INPUT_POST,~~ 'user_id', ~~FILTER_SANITIZE_NUMBER_INT~~ ) );
242	check_ajax_referer( 'two-factor-backup-codes-generate-json-' . $user->ID, 'nonce' );
243
244	// Setup the return data.
245	$codes = $this->generate_codes( $user );
246	$count = self::codes_remaining_for_user( $user );
247	- $i18n = array(
248	/* translators: %s: count */
249	'count' => esc_html( sprintf( _n( '%s unused code remaining.', '%s unused codes remaining.', $count, 'two-factor' ), $count ) ),
250	/* translators: %s: the site's domain */
	@@ -252,12 +238,7 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
252	);
253
254	// Send the response.
255	- wp_send_json_success(
256	- array(
257	- 'codes' => $codes,
258	- 'i18n' => $i18n,
259	- )
260	- );
261	}
262
263	/**
	@@ -282,7 +263,7 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
282	* @param WP_User $user WP_User object of the logged-in user.
283	*/
284	public function authentication_page( $user ) {
285	- require_once ABSPATH . '/wp-admin/includes/template.php';
286	?>
287	<p><?php esc_html_e( 'Enter a backup verification code.', 'two-factor' ); ?></p><br/>
288	<p>
	@@ -304,8 +285,7 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
304	* @return boolean
305	*/
306	public function validate_authentication( $user ) {
307	- $~~backup_code = isset~~( $~~_POST['two-factor-backup-code']~~ ~~) ? sanitize_text_field( wp_unslash(~~ $_POST['two-factor-backup-code'] ) ~~) : false~~;
308	- return $this->validate_code( $user, filter_var( $backup_code, FILTER_SANITIZE_STRING ) );
309	}
310
311	/**


1	<?php






2	/**
3	* Class for creating a backup codes provider.
4	*

27	*
28	* @since 0.1-dev
29	*/
30	+ static function get_instance() {
31	static $instance;
32	$class = __CLASS__;
33	if ( ! is_a( $instance, $class ) ) {
34	+ $instance = new $class;
35	}
36	return $instance;
37	}

42	* @since 0.1-dev
43	*/
44	protected function __construct() {
45	+ add_action( 'two-factor-user-options-' . __CLASS__, array( $this, 'user_options' ) );
46	add_action( 'admin_notices', array( $this, 'admin_notices' ) );
47	add_action( 'wp_ajax_two_factor_backup_codes_generate', array( $this, 'ajax_generate_json' ) );
48

58	$user = wp_get_current_user();
59
60	// Return if the provider is not enabled.
61	+ if ( ! in_array( __CLASS__, Two_Factor_Core::get_enabled_providers_for_user( $user->ID ) ) ) {
62	return;
63	}
64

71	<p>
72	<span>
73	<?php
74	+ printf( // WPCS: XSS OK.
75	+ __( 'Two-Factor: You are out of backup codes and need to <a href="%s">regenerate!</a>', 'two-factor' ),
76	+ esc_url( get_edit_user_link( $user->ID ) . '#two-factor-backup-codes' )




77	);
78	?>
79	<span>

116	*/
117	public function user_options( $user ) {
118	$ajax_nonce = wp_create_nonce( 'two-factor-backup-codes-generate-json-' . $user->ID );
119	+ $count = self::codes_remaining_for_user( $user );
120	?>
121	<p id="two-factor-backup-codes">
122	<button type="button" class="button button-two-factor-backup-codes-generate button-secondary hide-if-no-js">
123	<?php esc_html_e( 'Generate Verification Codes', 'two-factor' ); ?>
124	</button>
125	+ <span class="two-factor-backup-codes-count"><?php
126	+ echo esc_html( sprintf(


127	/* translators: %s: count */
128	+ _n( '%s unused code remaining.', '%s unused codes remaining.', $count, 'two-factor' ),
129	+ $count
130	+ ) );
131	+ ?></span>


132	</p>
133	<div class="two-factor-backup-codes-wrapper" style="display:none;">
134	<ol class="two-factor-backup-codes-unused-codes"></ol>

163	// Update counter.
164	$( '.two-factor-backup-codes-count' ).html( response.data.i18n.count );
165
166	+ // Build the download link
167	var txt_data = 'data:application/text;charset=utf-8,' + '\n';
168	txt_data += response.data.i18n.title.replace( /%s/g, document.domain ) + '\n\n';
169

190	* @return array
191	*/
192	public function generate_codes( $user, $args = '' ) {
193	+ $codes = array();
194	$codes_hashed = array();
195
196	// Check for arguments.

206	}
207
208	for ( $i = 0; $i < $num_codes; $i++ ) {
209	+ $code = $this->get_code();
210	$codes_hashed[] = wp_hash_password( $code );
211	+ $codes[] = $code;
212	unset( $code );
213	}
214

224	* @since 0.1-dev
225	*/
226	public function ajax_generate_json() {
227	+ $user = get_user_by( 'id', sanitize_text_field( $_POST['user_id'] ) );
228	check_ajax_referer( 'two-factor-backup-codes-generate-json-' . $user->ID, 'nonce' );
229
230	// Setup the return data.
231	$codes = $this->generate_codes( $user );
232	$count = self::codes_remaining_for_user( $user );
233	+ $i18n = array(
234	/* translators: %s: count */
235	'count' => esc_html( sprintf( _n( '%s unused code remaining.', '%s unused codes remaining.', $count, 'two-factor' ), $count ) ),
236	/* translators: %s: the site's domain */

238	);
239
240	// Send the response.
241	+ wp_send_json_success( array( 'codes' => $codes, 'i18n' => $i18n ) );





242	}
243
244	/**

263	* @param WP_User $user WP_User object of the logged-in user.
264	*/
265	public function authentication_page( $user ) {
266	+ require_once( ABSPATH . '/wp-admin/includes/template.php' );
267	?>
268	<p><?php esc_html_e( 'Enter a backup verification code.', 'two-factor' ); ?></p><br/>
269	<p>

285	* @return boolean
286	*/
287	public function validate_authentication( $user ) {
288	+ return $this->validate_code( $user, $_POST['two-factor-backup-code'] );

289	}
290
291	/**

providers/{class-two-factor-dummy.php → class.two-factor-dummy.php} RENAMED Viewed

	@@ -1,10 +1,4 @@
1	<?php
2	- /**
3	- * Class for creating a dummy provider.
4	- *
5	- * @package Two_Factor
6	- */
7	-
8	/**
9	* Class for creating a dummy provider.
10	*
	@@ -19,11 +13,11 @@ class Two_Factor_Dummy extends Two_Factor_Provider {
19	*
20	* @since 0.1-dev
21	*/
22	- ~~public~~ static function get_instance() {
23	static $instance;
24	$class = __CLASS__;
25	if ( ! is_a( $instance, $class ) ) {
26	- $instance = new $class();
27	}
28	return $instance;
29	}
	@@ -34,7 +28,7 @@ class Two_Factor_Dummy extends Two_Factor_Provider {
34	* @since 0.1-dev
35	*/
36	protected function __construct() {
37	- add_action( '~~two_factor_user_options_~~' . __CLASS__, array( $this, 'user_options' ) );
38	return parent::__construct();
39	}
40
	@@ -55,7 +49,7 @@ class Two_Factor_Dummy extends Two_Factor_Provider {
55	* @param WP_User $user WP_User object of the logged-in user.
56	*/
57	public function authentication_page( $user ) {
58	- require_once ABSPATH . '/wp-admin/includes/template.php';
59	?>
60	<p><?php esc_html_e( 'Are you really you?', 'two-factor' ); ?></p>
61	<?php


1	<?php






2	/**
3	* Class for creating a dummy provider.
4	*

13	*
14	* @since 0.1-dev
15	*/
16	+ static function get_instance() {
17	static $instance;
18	$class = __CLASS__;
19	if ( ! is_a( $instance, $class ) ) {
20	+ $instance = new $class;
21	}
22	return $instance;
23	}

28	* @since 0.1-dev
29	*/
30	protected function __construct() {
31	+ add_action( 'two-factor-user-options-' . __CLASS__, array( $this, 'user_options' ) );
32	return parent::__construct();
33	}
34

49	* @param WP_User $user WP_User object of the logged-in user.
50	*/
51	public function authentication_page( $user ) {
52	+ require_once( ABSPATH . '/wp-admin/includes/template.php' );
53	?>
54	<p><?php esc_html_e( 'Are you really you?', 'two-factor' ); ?></p>
55	<?php

providers/{class-two-factor-email.php → class.two-factor-email.php} RENAMED Viewed

	@@ -1,10 +1,4 @@
1	<?php
2	- /**
3	- * Class for creating an email provider.
4	- *
5	- * @package Two_Factor
6	- */
7	-
8	/**
9	* Class for creating an email provider.
10	*
	@@ -17,17 +11,10 @@ class Two_Factor_Email extends Two_Factor_Provider {
17	/**
18	* The user meta token key.
19	*
20	- * @~~var~~ string
21	*/
22	const TOKEN_META_KEY = '_two_factor_email_token';
23
24	- /**
25	- * Store the timestamp when the token was generated.
26	- *
27	- * @var string
28	- */
29	- const TOKEN_META_KEY_TIMESTAMP = '_two_factor_email_token_timestamp';
30	-
31	/**
32	* Name of the input field used for code resend.
33	*
	@@ -40,11 +27,11 @@ class Two_Factor_Email extends Two_Factor_Provider {
40	*
41	* @since 0.1-dev
42	*/
43	- ~~public~~ static function get_instance() {
44	static $instance;
45	$class = __CLASS__;
46	if ( ! is_a( $instance, $class ) ) {
47	- $instance = new $class();
48	}
49	return $instance;
50	}
	@@ -55,7 +42,7 @@ class Two_Factor_Email extends Two_Factor_Provider {
55	* @since 0.1-dev
56	*/
57	protected function __construct() {
58	- add_action( '~~two_factor_user_options_~~' . __CLASS__, array( $this, 'user_options' ) );
59	return parent::__construct();
60	}
61
	@@ -78,10 +65,7 @@ class Two_Factor_Email extends Two_Factor_Provider {
78	*/
79	public function generate_token( $user_id ) {
80	$token = $this->get_code();
81	-
82	- update_user_meta( $user_id, self::TOKEN_META_KEY_TIMESTAMP, time() );
83	update_user_meta( $user_id, self::TOKEN_META_KEY, wp_hash( $token ) );
84	-
85	return $token;
86	}
87
	@@ -96,65 +80,9 @@ class Two_Factor_Email extends Two_Factor_Provider {
96
97	if ( ! empty( $hashed_token ) ) {
98	return true;
99	- }
100	-
101	- return false;
102	- }
103	-
104	- /**
105	- * Has the user token validity timestamp expired.
106	- *
107	- * @param integer $user_id User ID.
108	- *
109	- * @return boolean
110	- */
111	- public function user_token_has_expired( $user_id ) {
112	- $token_lifetime = $this->user_token_lifetime( $user_id );
113	- $token_ttl = $this->user_token_ttl( $user_id );
114	-
115	- // Invalid token lifetime is considered an expired token.
116	- if ( is_int( $token_lifetime ) && $token_lifetime <= $token_ttl ) {
117	return false;
118	}
119	-
120	- return true;
121	- }
122	-
123	- /**
124	- * Get the lifetime of a user token in seconds.
125	- *
126	- * @param integer $user_id User ID.
127	- *
128	- * @return integer\|null Return `null` if the lifetime can't be measured.
129	- */
130	- public function user_token_lifetime( $user_id ) {
131	- $timestamp = intval( get_user_meta( $user_id, self::TOKEN_META_KEY_TIMESTAMP, true ) );
132	-
133	- if ( ! empty( $timestamp ) ) {
134	- return time() - $timestamp;
135	- }
136	-
137	- return null;
138	- }
139	-
140	- /**
141	- * Return the token time-to-live for a user.
142	- *
143	- * @param integer $user_id User ID.
144	- *
145	- * @return integer
146	- */
147	- public function user_token_ttl( $user_id ) {
148	- $token_ttl = 15 * MINUTE_IN_SECONDS;
149	-
150	- /**
151	- * Number of seconds the token is considered valid
152	- * after the generation.
153	- *
154	- * @param integer $token_ttl Token time-to-live in seconds.
155	- * @param integer $user_id User ID.
156	- */
157	- return (int) apply_filters( 'two_factor_token_ttl', $token_ttl, $user_id );
158	}
159
160	/**
	@@ -191,11 +119,7 @@ class Two_Factor_Email extends Two_Factor_Provider {
191	return false;
192	}
193
194	- if ( ~~$this->user_token_has_expired(~~ ~~$user_id~~ ) ) {
195	- return false;
196	- }
197	-
198	- // Ensure the token can be used only once.
199	$this->delete_token( $user_id );
200
201	return true;
	@@ -228,23 +152,6 @@ class Two_Factor_Email extends Two_Factor_Provider {
228	/* translators: %s: token */
229	$message = wp_strip_all_tags( sprintf( __( 'Enter %s to log in.', 'two-factor' ), $token ) );
230
231	- /**
232	- * Filter the token email subject.
233	- *
234	- * @param string $subject The email subject line.
235	- * @param int $user_id The ID of the user.
236	- */
237	- $subject = apply_filters( 'two_factor_token_email_subject', $subject, $user->ID );
238	-
239	- /**
240	- * Filter the token email message.
241	- *
242	- * @param string $message The email message.
243	- * @param string $token The token.
244	- * @param int $user_id The ID of the user.
245	- */
246	- $message = apply_filters( 'two_factor_token_email_message', $message, $token, $user->ID );
247	-
248	return wp_mail( $user->user_email, $subject, $message );
249	}
250
	@@ -260,16 +167,16 @@ class Two_Factor_Email extends Two_Factor_Provider {
260	return;
261	}
262
263	- if ( ! $this->user_has_token( $user->ID ) ~~\|\| $this->user_token_has_expired( $user->ID~~ ) ) {
264	$this->generate_and_email_token( $user );
265	}
266
267	- require_once ABSPATH . '/wp-admin/includes/template.php';
268	?>
269	<p><?php esc_html_e( 'A verification code has been sent to the email address associated with your account.', 'two-factor' ); ?></p>
270	<p>
271	<label for="authcode"><?php esc_html_e( 'Verification Code:', 'two-factor' ); ?></label>
272	- <input type="tel" name="two-factor-email-code" id="authcode" class="input" value="" size="20" />
273	<?php submit_button( __( 'Log In', 'two-factor' ) ); ?>
274	</p>
275	<p class="two-factor-email-resend">
	@@ -317,10 +224,7 @@ class Two_Factor_Email extends Two_Factor_Provider {
317	return false;
318	}
319
320	- // ~~Ensure~~ ~~there~~ ~~are~~ ~~no spaces or line breaks around the code.~~
321	- $code = trim( sanitize_text_field( $_REQUEST['two-factor-email-code'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, handled by the core method already.
322	-
323	- return $this->validate_token( $user->ID, $code );
324	}
325
326	/**
	@@ -347,13 +251,11 @@ class Two_Factor_Email extends Two_Factor_Provider {
347	?>
348	<div>
349	<?php
350	- echo esc_html(
351	- sprintf(
352	/* translators: %s: email address */
353	- __( 'Authentication codes will be sent to %s.', 'two-factor' ),
354	- $email
355	- )
356	- );
357	?>
358	</div>
359	<?php


1	<?php






2	/**
3	* Class for creating an email provider.
4	*

11	/**
12	* The user meta token key.
13	*
14	+ * @type string
15	*/
16	const TOKEN_META_KEY = '_two_factor_email_token';
17







18	/**
19	* Name of the input field used for code resend.
20	*

27	*
28	* @since 0.1-dev
29	*/
30	+ static function get_instance() {
31	static $instance;
32	$class = __CLASS__;
33	if ( ! is_a( $instance, $class ) ) {
34	+ $instance = new $class;
35	}
36	return $instance;
37	}

42	* @since 0.1-dev
43	*/
44	protected function __construct() {
45	+ add_action( 'two-factor-user-options-' . __CLASS__, array( $this, 'user_options' ) );
46	return parent::__construct();
47	}
48

65	*/
66	public function generate_token( $user_id ) {
67	$token = $this->get_code();


68	update_user_meta( $user_id, self::TOKEN_META_KEY, wp_hash( $token ) );

69	return $token;
70	}
71

80
81	if ( ! empty( $hashed_token ) ) {
82	return true;
83	+ } else {

















84	return false;
85	}







































86	}
87
88	/**

119	return false;
120	}
121
122	+ // Ensure that the token can't be re-used.




123	$this->delete_token( $user_id );
124
125	return true;

152	/* translators: %s: token */
153	$message = wp_strip_all_tags( sprintf( __( 'Enter %s to log in.', 'two-factor' ), $token ) );
154

















155	return wp_mail( $user->user_email, $subject, $message );
156	}
157

167	return;
168	}
169
170	+ if ( ! $this->user_has_token( $user->ID ) ) {
171	$this->generate_and_email_token( $user );
172	}
173
174	+ require_once( ABSPATH . '/wp-admin/includes/template.php' );
175	?>
176	<p><?php esc_html_e( 'A verification code has been sent to the email address associated with your account.', 'two-factor' ); ?></p>
177	<p>
178	<label for="authcode"><?php esc_html_e( 'Verification Code:', 'two-factor' ); ?></label>
179	+ <input type="tel" name="two-factor-email-code" id="authcode" class="input" value="" size="20" pattern="[0-9]*" />
180	<?php submit_button( __( 'Log In', 'two-factor' ) ); ?>
181	</p>
182	<p class="two-factor-email-resend">

224	return false;
225	}
226
227	+ return $this->validate_token( $user->ID, $_REQUEST['two-factor-email-code'] );



228	}
229
230	/**

251	?>
252	<div>
253	<?php
254	+ echo esc_html( sprintf(

255	/* translators: %s: email address */
256	+ __( 'Authentication codes will be sent to %s.', 'two-factor' ),
257	+ $email
258	+ ) );

259	?>
260	</div>
261	<?php

providers/{class-two-factor-fido-u2f-admin-list-table.php → class.two-factor-fido-u2f-admin-list-table.php} RENAMED Viewed

	@@ -1,10 +1,4 @@
1	<?php
2	- /**
3	- * Class for displaying the list of security key items.
4	- *
5	- * @package Two_Factor
6	- */
7	-
8	// Load the parent class if it doesn't exist.
9	if ( ! class_exists( 'WP_List_Table' ) ) {
10	require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
	@@ -41,10 +35,10 @@ class Two_Factor_FIDO_U2F_Admin_List_Table extends WP_List_Table {
41	* @since 0.1-dev
42	*/
43	public function prepare_items() {
44	- $columns = $this->get_columns();
45	- $hidden = array();
46	- $sortable = array();
47	- $primary = 'name';
48	$this->_column_headers = array( $columns, $hidden, $sortable, $primary );
49	}
50
	@@ -61,20 +55,20 @@ class Two_Factor_FIDO_U2F_Admin_List_Table extends WP_List_Table {
61	protected function column_default( $item, $column_name ) {
62	switch ( $column_name ) {
63	case 'name':
64	- $out = '<div class="hidden" id="inline_' . esc_attr( $item->keyHandle ) . '">'; ~~// phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase~~
65	$out .= '<div class="name">' . esc_html( $item->name ) . '</div>';
66	$out .= '</div>';
67
68	$actions = array(
69	'rename hide-if-no-js' => Two_Factor_FIDO_U2F_Admin::rename_link( $item ),
70	- 'delete' => Two_Factor_FIDO_U2F_Admin::delete_link( $item ),
71	);
72
73	return esc_html( $item->name ) . $out . self::row_actions( $actions );
74	case 'added':
75	- return ~~gmdate~~( get_option( 'date_format', 'r' ), $item->added );
76	case 'last_used':
77	- return ~~gmdate~~( get_option( 'date_format', 'r' ), $item->last_used );
78	default:
79	return 'WTF^^?';
80	}
	@@ -102,7 +96,7 @@ class Two_Factor_FIDO_U2F_Admin_List_Table extends WP_List_Table {
102	*/
103	public function single_row( $item ) {
104	?>
105	- <tr id="key-<?php echo esc_attr( $item->keyHandle ); ~~// phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase~~ ?>">
106	<?php $this->single_row_columns( $item ); ?>
107	</tr>
108	<?php
	@@ -121,6 +115,8 @@ class Two_Factor_FIDO_U2F_Admin_List_Table extends WP_List_Table {
121	<td colspan="<?php echo esc_attr( $this->get_column_count() ); ?>" class="colspanchange">
122	<fieldset>
123	<div class="inline-edit-col">


124	<label>
125	<span class="title"><?php esc_html_e( 'Name', 'two-factor' ); ?></span>
126	<span class="input-text-wrap"><input type="text" name="name" class="ptitle" value="" /></span>
	@@ -128,11 +124,7 @@ class Two_Factor_FIDO_U2F_Admin_List_Table extends WP_List_Table {
128	</div>
129	</fieldset>
130	<?php
131	- $core_columns = array(
132	- 'name' => true,
133	- 'added' => true,
134	- 'last_used' => true,
135	- );
136	list( $columns ) = $this->get_column_info();
137	foreach ( $columns as $column_name => $column_display_name ) {
138	if ( isset( $core_columns[ $column_name ] ) ) {


1	<?php






2	// Load the parent class if it doesn't exist.
3	if ( ! class_exists( 'WP_List_Table' ) ) {
4	require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';

35	* @since 0.1-dev
36	*/
37	public function prepare_items() {
38	+ $columns = $this->get_columns();
39	+ $hidden = array();
40	+ $sortable = array();
41	+ $primary = 'name';
42	$this->_column_headers = array( $columns, $hidden, $sortable, $primary );
43	}
44

55	protected function column_default( $item, $column_name ) {
56	switch ( $column_name ) {
57	case 'name':
58	+ $out = '<div class="hidden" id="inline_' . esc_attr( $item->keyHandle ) . '">';
59	$out .= '<div class="name">' . esc_html( $item->name ) . '</div>';
60	$out .= '</div>';
61
62	$actions = array(
63	'rename hide-if-no-js' => Two_Factor_FIDO_U2F_Admin::rename_link( $item ),
64	+ 'delete' => Two_Factor_FIDO_U2F_Admin::delete_link( $item ),
65	);
66
67	return esc_html( $item->name ) . $out . self::row_actions( $actions );
68	case 'added':
69	+ return date( get_option( 'date_format', 'r' ), $item->added );
70	case 'last_used':
71	+ return date( get_option( 'date_format', 'r' ), $item->last_used );
72	default:
73	return 'WTF^^?';
74	}

96	*/
97	public function single_row( $item ) {
98	?>
99	+ <tr id="key-<?php echo esc_attr( $item->keyHandle ); ?>">
100	<?php $this->single_row_columns( $item ); ?>
101	</tr>
102	<?php

115	<td colspan="<?php echo esc_attr( $this->get_column_count() ); ?>" class="colspanchange">
116	<fieldset>
117	<div class="inline-edit-col">
118	+ <h4><?php esc_html_e( 'Quick Edit', 'two-factor' ); ?></h4>
119	+
120	<label>
121	<span class="title"><?php esc_html_e( 'Name', 'two-factor' ); ?></span>
122	<span class="input-text-wrap"><input type="text" name="name" class="ptitle" value="" /></span>

124	</div>
125	</fieldset>
126	<?php
127	+ $core_columns = array( 'name' => true, 'added' => true, 'last_used' => true );




128	list( $columns ) = $this->get_column_info();
129	foreach ( $columns as $column_name => $column_display_name ) {
130	if ( isset( $core_columns[ $column_name ] ) ) {

providers/{class-two-factor-fido-u2f-admin.php → class.two-factor-fido-u2f-admin.php} RENAMED Viewed

	@@ -1,10 +1,4 @@
1	<?php
2	- /**
3	- * Class for registering & modifying FIDO U2F security keys.
4	- *
5	- * @package Two_Factor
6	- */
7	-
8	/**
9	* Class for registering & modifying FIDO U2F security keys.
10	*
	@@ -30,13 +24,13 @@ class Two_Factor_FIDO_U2F_Admin {
30	* @static
31	*/
32	public static function add_hooks() {
33	- add_action( 'admin_enqueue_scripts', array( __CLASS__, 'enqueue_assets' ) );
34	add_action( 'show_user_security_settings', array( __CLASS__, 'show_user_profile' ) );
35	- add_action( 'personal_options_update', array( __CLASS__, 'catch_submission' ), 0 );
36	- add_action( 'edit_user_profile_update', array( __CLASS__, 'catch_submission' ), 0 );
37	- add_action( 'load-profile.php', array( __CLASS__, 'catch_delete_security_key' ) );
38	- add_action( 'load-user-edit.php', array( __CLASS__, 'catch_delete_security_key' ) );
39	- add_action( 'wp_ajax_inline-save-key', array( __CLASS__, 'wp_ajax_inline_save' ) );
40	}
41
42	/**
	@@ -50,20 +44,16 @@ class Two_Factor_FIDO_U2F_Admin {
50	* @param string $hook Current page.
51	*/
52	public static function enqueue_assets( $hook ) {
53	- if ( ! in_array( $hook, array( 'user-edit.php', 'profile.php' ), ~~true~~ ) ) {
54	- return;
55	- }
56	-
57	- $user_id = Two_Factor_Core::current_user_being_edited();
58	- if ( ! $user_id ) {
59	return;
60	}
61

62	$security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
63
64	- // @todo Ensure that scripts don't fail because of missing u2fL10n.
65	try {
66	- $data = Two_Factor_FIDO_U2F::$u2f->getRegisterData( $security_keys );
67	list( $req,$sigs ) = $data;
68
69	update_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY, $req );
	@@ -91,15 +81,14 @@ class Two_Factor_FIDO_U2F_Admin {
91	*/
92
93	$translation_array = array(
94	- 'user_id' => $user_id,
95	'register' => array(
96	'request' => $req,
97	- 'sigs' => $sigs,
98	),
99	- 'text' => array(
100	- 'insert' => esc_html__( 'Now insert (and tap) your Security Key.', 'two-factor' ),
101	- 'error' => esc_html__( 'U2F request failed.', 'two-factor' ),
102	- 'error_codes' => array(
103	// Map u2f.ErrorCodes to error messages.
104	0 => esc_html__( 'Request OK.', 'two-factor' ),
105	1 => esc_html__( 'Other U2F error.', 'two-factor' ),
	@@ -208,8 +197,8 @@ class Two_Factor_FIDO_U2F_Admin {
208	<p><a href="https://support.google.com/accounts/answer/6103523"><?php esc_html_e( 'You can find FIDO U2F Security Key devices for sale from here.', 'two-factor' ); ?></a></p>
209
210	<?php
211	- require TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f-admin-list-table.php';
212	- $u2f_list_table = new Two_Factor_FIDO_U2F_Admin_List_Table();
213	$u2f_list_table->items = $security_keys;
214	$u2f_list_table->prepare_items();
215	$u2f_list_table->display();
	@@ -238,7 +227,7 @@ class Two_Factor_FIDO_U2F_Admin {
238
239	try {
240	$response = json_decode( stripslashes( $_POST['u2f_response'] ) );
241	- $reg = Two_Factor_FIDO_U2F::$u2f->doRegister( get_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY, true ), $response );
242	$reg->new = true;
243
244	Two_Factor_FIDO_U2F::add_security_key( $user_id, $reg );
	@@ -248,14 +237,9 @@ class Two_Factor_FIDO_U2F_Admin {
248
249	delete_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY );
250
251	- wp_safe_redirect(
252	- ~~add_query_arg(~~
253	- ~~array~~(
254	- 'new_app_pass' => 1,
255	- ),
256	- wp_get_referer()
257	- ) . '#security-keys-section'
258	- );
259	exit;
260	}
261	}
	@@ -271,11 +255,9 @@ class Two_Factor_FIDO_U2F_Admin {
271	* @static
272	*/
273	public static function catch_delete_security_key() {
274	- $user_id = ~~Two_Factor_Core::current_user_being_edited~~();
275	-
276	- if ( ! empty( $user_id ) && ! empty( $_REQUEST['delete_security_key'] ) ) {
277	$slug = $_REQUEST['delete_security_key'];
278	-
279	check_admin_referer( "delete_security_key-{$slug}", '_nonce_delete_security_key' );
280
281	Two_Factor_FIDO_U2F::delete_security_key( $user_id, $slug );
	@@ -311,7 +293,7 @@ class Two_Factor_FIDO_U2F_Admin {
311	* @return string
312	*/
313	public static function delete_link( $item ) {
314	- $delete_link = add_query_arg( 'delete_security_key', $item->keyHandle ); ~~// phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase~~
315	$delete_link = wp_nonce_url( $delete_link, "delete_security_key-{$item->keyHandle}", '_nonce_delete_security_key' );
316	return sprintf( '<a href="%1$s">%2$s</a>', esc_url( $delete_link ), esc_html__( 'Delete', 'two-factor' ) );
317	}
	@@ -327,21 +309,22 @@ class Two_Factor_FIDO_U2F_Admin {
327	public static function wp_ajax_inline_save() {
328	check_ajax_referer( 'keyinlineeditnonce', '_inline_edit' );
329
330	- require TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f-admin-list-table.php';
331	$wp_list_table = new Two_Factor_FIDO_U2F_Admin_List_Table();
332
333	if ( ! isset( $_POST['keyHandle'] ) ) {
334	wp_die();
335	}
336
337	- $user_id = ~~Two_Factor_Core::current_user_being_edited~~();

338	$security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
339	if ( ! $security_keys ) {
340	wp_die();
341	}
342
343	foreach ( $security_keys as &$key ) {
344	- if ( $key->keyHandle === $_POST['keyHandle'] ) { ~~// phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase~~
345	break;
346	}
347	}


1	<?php






2	/**
3	* Class for registering & modifying FIDO U2F security keys.
4	*

24	* @static
25	*/
26	public static function add_hooks() {
27	+ add_action( 'admin_enqueue_scripts', array( __CLASS__, 'enqueue_assets' ) );
28	add_action( 'show_user_security_settings', array( __CLASS__, 'show_user_profile' ) );
29	+ add_action( 'personal_options_update', array( __CLASS__, 'catch_submission' ), 0 );
30	+ add_action( 'edit_user_profile_update', array( __CLASS__, 'catch_submission' ), 0 );
31	+ add_action( 'load-profile.php', array( __CLASS__, 'catch_delete_security_key' ) );
32	+ add_action( 'load-user-edit.php', array( __CLASS__, 'catch_delete_security_key' ) );
33	+ add_action( 'wp_ajax_inline-save-key', array( __CLASS__, 'wp_ajax_inline_save' ) );
34	}
35
36	/**

44	* @param string $hook Current page.
45	*/
46	public static function enqueue_assets( $hook ) {
47	+ if ( ! in_array( $hook, array( 'user-edit.php', 'profile.php' ) ) ) {





48	return;
49	}
50
51	+ $user_id = get_current_user_id();
52	$security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
53
54	+ // @todo Ensure that scripts don't fail because of missing u2fL10n
55	try {
56	+ $data = Two_Factor_FIDO_U2F::$u2f->getRegisterData( $security_keys );
57	list( $req,$sigs ) = $data;
58
59	update_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY, $req );

81	*/
82
83	$translation_array = array(

84	'register' => array(
85	'request' => $req,
86	+ 'sigs' => $sigs,
87	),
88	+ 'text' => array(
89	+ 'insert' => esc_html__( 'Now insert (and tap) your Security Key.', 'two-factor' ),
90	+ 'error' => esc_html__( 'U2F request failed.', 'two-factor' ),
91	+ 'error_codes' => array(
92	// Map u2f.ErrorCodes to error messages.
93	0 => esc_html__( 'Request OK.', 'two-factor' ),
94	1 => esc_html__( 'Other U2F error.', 'two-factor' ),

197	<p><a href="https://support.google.com/accounts/answer/6103523"><?php esc_html_e( 'You can find FIDO U2F Security Key devices for sale from here.', 'two-factor' ); ?></a></p>
198
199	<?php
200	+ require( TWO_FACTOR_DIR . 'providers/class.two-factor-fido-u2f-admin-list-table.php' );
201	+ $u2f_list_table = new Two_Factor_FIDO_U2F_Admin_List_Table();
202	$u2f_list_table->items = $security_keys;
203	$u2f_list_table->prepare_items();
204	$u2f_list_table->display();

227
228	try {
229	$response = json_decode( stripslashes( $_POST['u2f_response'] ) );
230	+ $reg = Two_Factor_FIDO_U2F::$u2f->doRegister( get_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY, true ), $response );
231	$reg->new = true;
232
233	Two_Factor_FIDO_U2F::add_security_key( $user_id, $reg );

237
238	delete_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY );
239
240	+ wp_safe_redirect( add_query_arg( array(
241	+ 'new_app_pass' => 1,
242	+ ), wp_get_referer() ) . '#security-keys-section' );





243	exit;
244	}
245	}

255	* @static
256	*/
257	public static function catch_delete_security_key() {
258	+ $user_id = get_current_user_id();
259	+ if ( ! empty( $_REQUEST['delete_security_key'] ) ) {

260	$slug = $_REQUEST['delete_security_key'];

261	check_admin_referer( "delete_security_key-{$slug}", '_nonce_delete_security_key' );
262
263	Two_Factor_FIDO_U2F::delete_security_key( $user_id, $slug );

293	* @return string
294	*/
295	public static function delete_link( $item ) {
296	+ $delete_link = add_query_arg( 'delete_security_key', $item->keyHandle );
297	$delete_link = wp_nonce_url( $delete_link, "delete_security_key-{$item->keyHandle}", '_nonce_delete_security_key' );
298	return sprintf( '<a href="%1$s">%2$s</a>', esc_url( $delete_link ), esc_html__( 'Delete', 'two-factor' ) );
299	}

309	public static function wp_ajax_inline_save() {
310	check_ajax_referer( 'keyinlineeditnonce', '_inline_edit' );
311
312	+ require( TWO_FACTOR_DIR . 'providers/class.two-factor-fido-u2f-admin-list-table.php' );
313	$wp_list_table = new Two_Factor_FIDO_U2F_Admin_List_Table();
314
315	if ( ! isset( $_POST['keyHandle'] ) ) {
316	wp_die();
317	}
318
319	+ $user_id = get_current_user_id();
320	+
321	$security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
322	if ( ! $security_keys ) {
323	wp_die();
324	}
325
326	foreach ( $security_keys as &$key ) {
327	+ if ( $key->keyHandle === $_POST['keyHandle'] ) {
328	break;
329	}
330	}

providers/{class-two-factor-fido-u2f.php → class.two-factor-fido-u2f.php} RENAMED Viewed

	@@ -1,10 +1,4 @@
1	<?php
2	- /**
3	- * Class for creating a FIDO Universal 2nd Factor provider.
4	- *
5	- * @package Two_Factor
6	- */
7	-
8	/**
9	* Class for creating a FIDO Universal 2nd Factor provider.
10	*
	@@ -40,14 +34,14 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
40	*
41	* @var string
42	*/
43	- const U2F_ASSET_VERSION = '0.2.1';
44
45	/**
46	* Ensures only one instance of this class exists in memory at any one time.
47	*
48	* @return \Two_Factor_FIDO_U2F
49	*/
50	- ~~public~~ static function get_instance() {
51	static $instance;
52
53	if ( ! isset( $instance ) ) {
	@@ -67,18 +61,29 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
67	return;
68	}
69
70	- require_once TWO_FACTOR_DIR . 'includes/Yubico/U2F.php';
71	self::$u2f = new u2flib_server\U2F( self::get_u2f_app_id() );
72
73	- require_once TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f-admin.php';
74	Two_Factor_FIDO_U2F_Admin::add_hooks();
75
76	- ~~// Ensure the script dependencies have been registered before they're enqueued at a later priority.~~
77	- ~~add_action(~~ '~~admin_enqueue_scripts~~', ~~array( __CLASS__, 'enqueue_scripts' ), 5 );~~
78	- ~~add_action~~( '~~wp_enqueue_scripts~~', ~~array~~( ~~__CLASS__,~~ ~~'enqueue_scripts'~~ ), ~~5 );~~
79	- ~~add_action( 'login_enqueue_scripts'~~, ~~array( __CLASS__, 'enqueue_scripts' ), 5 );~~











80
81	- add_action( '~~two_factor_user_options_~~' . __CLASS__, array( $this, 'user_options' ) );
82
83	return parent::__construct();
84	}
	@@ -116,31 +121,16 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
116	* @since 0.1-dev
117	*/
118	public function get_label() {
119	- return _x( 'FIDO ~~U2F~~ ~~Security~~ ~~Keys~~', 'Provider Label', 'two-factor' );
120	}
121
122	/**
123	- * ~~Register~~ ~~script~~ ~~dependencies~~ ~~used during~~ login ~~and when~~
124	- * registering keys in the WP admin.
125	*
126	- * @~~return~~ ~~void~~
127	*/
128	- public ~~static~~ function ~~enqueue_scripts~~() {
129	- ~~wp_register_script~~(
130	- 'fido-u2f-api',
131	- plugins_url( 'includes/Google/u2f-api.js', dirname( __FILE__ ) ),
132	- null,
133	- self::asset_version(),
134	- true
135	- );
136	-
137	- wp_register_script(
138	- 'fido-u2f-login',
139	- plugins_url( 'js/fido-u2f-login.js', __FILE__ ),
140	- array( 'jquery', 'fido-u2f-api' ),
141	- self::asset_version(),
142	- true
143	- );
144	}
145
146	/**
	@@ -152,9 +142,9 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
152	* @return null
153	*/
154	public function authentication_page( $user ) {
155	- require_once ABSPATH . '/wp-admin/includes/template.php';
156
157	- // U2F doesn't work without HTTPS.
158	if ( ! is_ssl() ) {
159	?>
160	<p><?php esc_html_e( 'U2F requires an HTTPS connection. Please use an alternative 2nd factor method.', 'two-factor' ); ?></p>
	@@ -208,7 +198,7 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
208	try {
209	$reg = self::$u2f->doAuthenticate( $requests, $keys, $response );
210
211	- $reg->last_used = ~~time~~();
212
213	self::update_security_key( $user->ID, $reg );
214
	@@ -261,8 +251,8 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
261
262	if (
263	! is_object( $register )
264	- \|\| ! property_exists( $register, 'keyHandle' ) \|\| empty( $register->keyHandle ) ~~// phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase~~
265	- \|\| ! property_exists( $register, 'publicKey' ) \|\| empty( $register->publicKey ) ~~// phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase~~
266	\|\| ! property_exists( $register, 'certificate' ) \|\| empty( $register->certificate )
267	\|\| ! property_exists( $register, 'counter' ) \|\| ( -1 > $register->counter )
268	) {
	@@ -270,14 +260,14 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
270	}
271
272	$register = array(
273	- 'keyHandle' => $register->keyHandle, ~~// phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase~~
274	- 'publicKey' => $register->publicKey, ~~// phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase~~
275	'certificate' => $register->certificate,
276	'counter' => $register->counter,
277	);
278
279	$register['name'] = __( 'New Security Key', 'two-factor' );
280	- $register['added'] = ~~time~~();
281	$register['last_used'] = $register['added'];
282
283	return add_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY, $register );
	@@ -328,8 +318,8 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
328
329	if (
330	! is_object( $data )
331	- \|\| ! property_exists( $data, 'keyHandle' ) \|\| empty( $data->keyHandle ) ~~// phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase~~
332	- \|\| ! property_exists( $data, 'publicKey' ) \|\| empty( $data->publicKey ) ~~// phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase~~
333	\|\| ! property_exists( $data, 'certificate' ) \|\| empty( $data->certificate )
334	\|\| ! property_exists( $data, 'counter' ) \|\| ( -1 > $data->counter )
335	) {
	@@ -339,7 +329,7 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
339	$keys = self::get_security_keys( $user_id );
340	if ( $keys ) {
341	foreach ( $keys as $key ) {
342	- if ( $key->keyHandle === $data->keyHandle ) { ~~// phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase~~
343	return update_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY, (array) $data, (array) $key );
344	}
345	}
	@@ -357,7 +347,7 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
357	* @param string $keyHandle Optional. Key handle.
358	* @return bool True on success, false on failure.
359	*/
360	- public static function delete_security_key( $user_id, $keyHandle = null ) { ~~// phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase~~
361	global $wpdb;
362
363	if ( ! is_numeric( $user_id ) ) {
	@@ -369,21 +359,18 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
369	return false;
370	}
371
372	- $~~keyHandle~~ = ~~wp_unslash(~~ $~~keyHandle )~~; ~~// phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase~~
373	- $keyHandle = maybe_serialize( $keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
374
375	- $~~query~~ = ~~$wpdb->prepare~~( ~~"SELECT umeta_id FROM {~~$~~wpdb->usermeta}~~ ~~WHERE meta_key = %s AND user_id = %d", self::REGISTERED_KEY_USER_META_KEY, $user_id~~ );

376
377	- if ( $~~keyHandle~~ ) { // ~~phpcs:ignore~~ ~~WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase~~
378	- $key_handle_lookup = sprintf( ':"%s";s:', $keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
379
380	- $~~query~~ .= ~~$wpdb->prepare(~~
381	- ' AND meta_value LIKE %s',
382	- '%' . $wpdb->esc_like( $key_handle_lookup ) . '%'
383	- );
384	}
385
386	- $meta_ids = $wpdb->get_col( $query ); ~~// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared~~
387	if ( ! count( $meta_ids ) ) {
388	return false;
389	}


1	<?php






2	/**
3	* Class for creating a FIDO Universal 2nd Factor provider.
4	*

34	*
35	* @var string
36	*/
37	+ const U2F_ASSET_VERSION = '0.2.0';
38
39	/**
40	* Ensures only one instance of this class exists in memory at any one time.
41	*
42	* @return \Two_Factor_FIDO_U2F
43	*/
44	+ static function get_instance() {
45	static $instance;
46
47	if ( ! isset( $instance ) ) {

61	return;
62	}
63
64	+ require_once( TWO_FACTOR_DIR . 'includes/Yubico/U2F.php' );
65	self::$u2f = new u2flib_server\U2F( self::get_u2f_app_id() );
66
67	+ require_once( TWO_FACTOR_DIR . 'providers/class.two-factor-fido-u2f-admin.php' );
68	Two_Factor_FIDO_U2F_Admin::add_hooks();
69
70	+ wp_register_script(
71	+ 'fido-u2f-api',
72	+ plugins_url( 'includes/Google/u2f-api.js', dirname( __FILE__ ) ),
73	+ null,
74	+ self::asset_version(),
75	+ true
76	+ );
77	+
78	+ wp_register_script(
79	+ 'fido-u2f-login',
80	+ plugins_url( 'js/fido-u2f-login.js', __FILE__ ),
81	+ array( 'jquery', 'fido-u2f-api' ),
82	+ self::asset_version(),
83	+ true
84	+ );
85
86	+ add_action( 'two-factor-user-options-' . __CLASS__, array( $this, 'user_options' ) );
87
88	return parent::__construct();
89	}

121	* @since 0.1-dev
122	*/
123	public function get_label() {
124	+ return _x( 'FIDO Universal 2nd Factor (U2F)', 'Provider Label', 'two-factor' );
125	}
126
127	/**
128	+ * Enqueue assets for login form.

129	*
130	+ * @since 0.1-dev
131	*/
132	+ public function login_enqueue_assets() {
133	+ wp_enqueue_script( 'fido-u2f-login' );














134	}
135
136	/**

142	* @return null
143	*/
144	public function authentication_page( $user ) {
145	+ require_once( ABSPATH . '/wp-admin/includes/template.php' );
146
147	+ // U2F doesn't work without HTTPS
148	if ( ! is_ssl() ) {
149	?>
150	<p><?php esc_html_e( 'U2F requires an HTTPS connection. Please use an alternative 2nd factor method.', 'two-factor' ); ?></p>

198	try {
199	$reg = self::$u2f->doAuthenticate( $requests, $keys, $response );
200
201	+ $reg->last_used = current_time( 'timestamp' );
202
203	self::update_security_key( $user->ID, $reg );
204

251
252	if (
253	! is_object( $register )
254	+ \|\| ! property_exists( $register, 'keyHandle' ) \|\| empty( $register->keyHandle )
255	+ \|\| ! property_exists( $register, 'publicKey' ) \|\| empty( $register->publicKey )
256	\|\| ! property_exists( $register, 'certificate' ) \|\| empty( $register->certificate )
257	\|\| ! property_exists( $register, 'counter' ) \|\| ( -1 > $register->counter )
258	) {

260	}
261
262	$register = array(
263	+ 'keyHandle' => $register->keyHandle,
264	+ 'publicKey' => $register->publicKey,
265	'certificate' => $register->certificate,
266	'counter' => $register->counter,
267	);
268
269	$register['name'] = __( 'New Security Key', 'two-factor' );
270	+ $register['added'] = current_time( 'timestamp' );
271	$register['last_used'] = $register['added'];
272
273	return add_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY, $register );

318
319	if (
320	! is_object( $data )
321	+ \|\| ! property_exists( $data, 'keyHandle' ) \|\| empty( $data->keyHandle )
322	+ \|\| ! property_exists( $data, 'publicKey' ) \|\| empty( $data->publicKey )
323	\|\| ! property_exists( $data, 'certificate' ) \|\| empty( $data->certificate )
324	\|\| ! property_exists( $data, 'counter' ) \|\| ( -1 > $data->counter )
325	) {

329	$keys = self::get_security_keys( $user_id );
330	if ( $keys ) {
331	foreach ( $keys as $key ) {
332	+ if ( $key->keyHandle === $data->keyHandle ) {
333	return update_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY, (array) $data, (array) $key );
334	}
335	}

347	* @param string $keyHandle Optional. Key handle.
348	* @return bool True on success, false on failure.
349	*/
350	+ public static function delete_security_key( $user_id, $keyHandle = null ) {
351	global $wpdb;
352
353	if ( ! is_numeric( $user_id ) ) {

359	return false;
360	}
361
362	+ $table = $wpdb->usermeta;

363
364	+ $keyHandle = wp_unslash( $keyHandle );
365	+ $keyHandle = maybe_serialize( $keyHandle );
366
367	+ $query = $wpdb->prepare( "SELECT umeta_id FROM $table WHERE meta_key = '%s' AND user_id = %d", self::REGISTERED_KEY_USER_META_KEY, $user_id );

368
369	+ if ( $keyHandle ) {
370	+ $query .= $wpdb->prepare( ' AND meta_value LIKE %s', '%:"' . $keyHandle . '";s:%' );


371	}
372
373	+ $meta_ids = $wpdb->get_col( $query );
374	if ( ! count( $meta_ids ) ) {
375	return false;
376	}

providers/{class-two-factor-provider.php → class.two-factor-provider.php} RENAMED Viewed

	@@ -1,10 +1,4 @@
1	<?php
2	- /**
3	- * Abstract class for creating two factor authentication providers.
4	- *
5	- * @package Two_Factor
6	- */
7	-
8	/**
9	* Abstract class for creating two factor authentication providers.
10	*
	@@ -30,7 +24,7 @@ abstract class Two_Factor_Provider {
30	*
31	* @return string
32	*/
33	- abstract ~~public~~ function get_label();
34
35	/**
36	* Prints the name of the provider.
	@@ -48,7 +42,7 @@ abstract class Two_Factor_Provider {
48	*
49	* @param WP_User $user WP_User object of the logged-in user.
50	*/
51	- abstract ~~public~~ function authentication_page( $user );
52
53	/**
54	* Allow providers to do extra processing before the authentication.
	@@ -70,7 +64,7 @@ abstract class Two_Factor_Provider {
70	* @param WP_User $user WP_User object of the logged-in user.
71	* @return boolean
72	*/
73	- abstract ~~public~~ function validate_authentication( $user );
74
75	/**
76	* Whether this Two Factor provider is configured and available for the user specified.
	@@ -78,7 +72,7 @@ abstract class Two_Factor_Provider {
78	* @param WP_User $user WP_User object of the logged-in user.
79	* @return boolean
80	*/
81	- abstract ~~public~~ function is_available_for_user( $user );
82
83	/**
84	* Generate a random eight-digit string to send out as an auth code.


1	<?php






2	/**
3	* Abstract class for creating two factor authentication providers.
4	*

24	*
25	* @return string
26	*/
27	+ abstract function get_label();
28
29	/**
30	* Prints the name of the provider.

42	*
43	* @param WP_User $user WP_User object of the logged-in user.
44	*/
45	+ abstract function authentication_page( $user );
46
47	/**
48	* Allow providers to do extra processing before the authentication.

64	* @param WP_User $user WP_User object of the logged-in user.
65	* @return boolean
66	*/
67	+ abstract function validate_authentication( $user );
68
69	/**
70	* Whether this Two Factor provider is configured and available for the user specified.

72	* @param WP_User $user WP_User object of the logged-in user.
73	* @return boolean
74	*/
75	+ abstract function is_available_for_user( $user );
76
77	/**
78	* Generate a random eight-digit string to send out as an auth code.

providers/{class-two-factor-totp.php → class.two-factor-totp.php} RENAMED Viewed

	@@ -24,35 +24,20 @@ class Two_Factor_Totp extends Two_Factor_Provider {
24	*/
25	const NOTICES_META_KEY = '_two_factor_totp_notices';
26
27	- /**
28	- * ~~Action~~ ~~name~~ ~~for resetting the secret token.~~
29	- *
30	- * ~~@var~~ ~~string~~
31	- */
32	- const ACTION_SECRET_DELETE = 'totp-delete';
33	-
34	- const DEFAULT_KEY_BIT_SIZE = 160;
35	- const DEFAULT_CRYPTO = 'sha1';
36	- const DEFAULT_DIGIT_COUNT = 6;
37	- const DEFAULT_TIME_STEP_SEC = 30;
38	const DEFAULT_TIME_STEP_ALLOWANCE = 4;
39	-
40	- /**
41	- * Chracters used in base32 encoding.
42	- *
43	- * @var string
44	- */
45	- private static $base_32_chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
46
47	/**
48	* Class constructor. Sets up hooks, etc.
49	*/
50	protected function __construct() {
51	- add_action( '~~two_factor_user_options_~~' . __CLASS__, array( $this, 'user_two_factor_options' ) );
52	- add_action( 'personal_options_update', array( $this, 'user_two_factor_options_update' ) );
53	- add_action( 'edit_user_profile_update', array( $this, 'user_two_factor_options_update' ) );
54	- add_action( 'two_factor_user_settings_action', array( $this, 'user_settings_action' ), 10, 2 );
55	-
56	return parent::__construct();
57	}
58
	@@ -71,32 +56,7 @@ class Two_Factor_Totp extends Two_Factor_Provider {
71	* Returns the name of the provider.
72	*/
73	public function get_label() {
74	- return _x( 'Time Based One-Time Password (~~TOTP~~)', 'Provider Label', 'two-factor' );
75	- }
76	-
77	- /**
78	- * Trigger our custom user settings actions.
79	- *
80	- * @param integer $user_id User ID.
81	- * @param string $action Action ID.
82	- *
83	- * @return void
84	- */
85	- public function user_settings_action( $user_id, $action ) {
86	- if ( self::ACTION_SECRET_DELETE === $action ) {
87	- $this->delete_user_totp_key( $user_id );
88	- }
89	- }
90	-
91	- /**
92	- * Get the URL for deleting the secret token.
93	- *
94	- * @param integer $user_id User ID.
95	- *
96	- * @return string
97	- */
98	- protected function get_token_delete_url_for_user( $user_id ) {
99	- return Two_Factor_Core::get_user_update_action_url( $user_id, self::ACTION_SECRET_DELETE );
100	}
101
102	/**
	@@ -113,14 +73,13 @@ class Two_Factor_Totp extends Two_Factor_Provider {
113	wp_nonce_field( 'user_two_factor_totp_options', '_nonce_user_two_factor_totp_options', false );
114
115	$key = $this->get_user_totp_key( $user->ID );
116	- $this->admin_notices( ~~$user->ID~~ );
117
118	?>
119	<div id="two-factor-totp-options">
120	- <?php
121	- ~~if ( empty(~~ $key ) ) :
122	- $~~key~~ = ~~$this->generate_key~~();
123	- $site_name = get_bloginfo( 'name', 'display' );
124	$totp_title = apply_filters( 'two_factor_totp_title', $site_name . ':' . $user->user_login, $user );
125	?>
126	<p>
	@@ -142,10 +101,10 @@ class Two_Factor_Totp extends Two_Factor_Provider {
142	</p>
143	<?php else : ?>
144	<p class="success">
145	- <?php esc_html_e( 'Secret key is configured and registered. ~~It is not possible to view it again for security reasons.~~', 'two-factor' ); ?>
146	</p>
147	<p>
148	- <a class="button" ~~href~~="~~<?php~~ ~~echo esc_url( self::get_token_delete_url_for_user( $user->ID ) ); ?>~~"~~><?~~php ~~esc_html_e~~( 'Reset Key', 'two-factor' ); ~~?></a>~~
149	<em class="description">
150	<?php esc_html_e( 'You will have to re-scan the QR code on all devices as the previous codes will stop working.', 'two-factor' ); ?>
151	</em>
	@@ -159,25 +118,27 @@ class Two_Factor_Totp extends Two_Factor_Provider {
159	* Save the options specified in `::user_two_factor_options()`
160	*
161	* @param integer $user_id The user ID whose options are being updated.
162	- *
163	- * @return void
164	*/
165	public function user_two_factor_options_update( $user_id ) {
166	$notices = array();
167	- $errors = array();


168
169	if ( isset( $_POST['_nonce_user_two_factor_totp_options'] ) ) {
170	check_admin_referer( 'user_two_factor_totp_options', '_nonce_user_two_factor_totp_options' );
171





172	// Validate and store a new secret key.
173	if ( ! empty( $_POST['two-factor-totp-authcode'] ) && ! empty( $_POST['two-factor-totp-key'] ) ) {
174	- // ~~Don't~~ ~~use filter_input~~() ~~because we can~~'t ~~mock~~ it ~~during tests for now.~~
175	- ~~$authcode~~ ~~= filter_var~~( ~~sanitize_text_field~~( $_POST['two-factor-totp-authcode'] ), ~~FILTER_SANITIZE_NUMBER_INT~~ );
176	- ~~$key =~~ ~~sanitize_text_field~~( $_POST['two-factor-totp-key'] );
177	-
178	- if ( $this->is_valid_key( $key ) ) {
179	- if ( $this->is_valid_authcode( $key, $authcode ) ) {
180	- if ( ! $this->set_user_totp_key( $user_id, $key ) ) {
181	$errors[] = __( 'Unable to save Two Factor Authentication code. Please re-scan the QR code and enter the code provided by your application.', 'two-factor' );
182	}
183	} else {
	@@ -240,7 +201,7 @@ class Two_Factor_Totp extends Two_Factor_Provider {
240	* @return boolean
241	*/
242	public function is_valid_key( $key ) {
243	- $check = sprintf( '/^[%s]+$/', self::$~~base_32_chars~~ );
244
245	if ( 1 === preg_match( $check, $key ) ) {
246	return true;
	@@ -251,20 +212,15 @@ class Two_Factor_Totp extends Two_Factor_Provider {
251
252	/**
253	* Display any available admin notices.
254	- *
255	- * @param integer $user_id User ID.
256	- *
257	- * @return void
258	*/
259	- public function admin_notices( ~~$user_id~~ ) {
260	- $notices = get_user_meta( ~~$user_id~~, self::NOTICES_META_KEY, true );
261
262	if ( ! empty( $notices ) ) {
263	- delete_user_meta( ~~$user_id~~, self::NOTICES_META_KEY );
264	-
265	foreach ( $notices as $class => $messages ) {
266	?>
267	- <div class="<?php echo esc_attr( $class ); ?>">
268	<?php
269	foreach ( $messages as $msg ) {
270	?>
	@@ -288,10 +244,10 @@ class Two_Factor_Totp extends Two_Factor_Provider {
288	* @return bool Whether the user gave a valid code
289	*/
290	public function validate_authentication( $user ) {
291	- if ( ! empty( $_REQUEST['authcode'] ) ) {
292	return $this->is_valid_authcode(
293	$this->get_user_totp_key( $user->ID ),
294	- sanitize_text_field( $_REQUEST['authcode'] )
295	);
296	}
297
	@@ -313,12 +269,9 @@ class Two_Factor_Totp extends Two_Factor_Provider {
313	* Ticks are the allowed offset from the correct time in 30 second increments,
314	* so the default of 4 allows codes that are two minutes to either side of server time
315	*
316	- * @deprecated 0.7.0 Use {@see 'two_factor_totp_time_step_allowance'} instead.
317	* @param int $max_ticks Max ticks of time correction to allow. Default 4.
318	*/
319	- $max_ticks = ~~apply_filters_deprecated~~( 'two-factor-totp-time-step-allowance', ~~array(~~ self::DEFAULT_TIME_STEP_ALLOWANCE )~~, '0.7.0', 'two_factor_totp_time_step_allowance' )~~;
320	-
321	- $max_ticks = apply_filters( 'two_factor_totp_time_step_allowance', self::DEFAULT_TIME_STEP_ALLOWANCE );
322
323	// Array of all ticks to allow, sorted using absolute value to test closest match first.
324	$ticks = range( - $max_ticks, $max_ticks );
	@@ -343,7 +296,7 @@ class Two_Factor_Totp extends Two_Factor_Provider {
343	* @return string $bitsize long string composed of available base32 chars.
344	*/
345	public static function generate_key( $bitsize = self::DEFAULT_KEY_BIT_SIZE ) {
346	- $bytes = ceil( $bitsize / 8 );
347	$secret = wp_generate_password( $bytes, true, true );
348
349	return self::base32_encode( $secret );
	@@ -373,8 +326,8 @@ class Two_Factor_Totp extends Two_Factor_Provider {
373	$higher = 0;
374	}
375
376	- $lowmap = 0xffffffff;
377	- $lower = $value & $lowmap;
378
379	return pack( 'NN', $higher, $lower );
380	}
	@@ -424,7 +377,7 @@ class Two_Factor_Totp extends Two_Factor_Provider {
424	*/
425	public static function get_google_qr_code( $name, $key, $title = null ) {
426	// Encode to support spaces, question marks and other characters.
427	- $name = rawurlencode( $name );
428	$google_url = urlencode( 'otpauth://totp/' . $name . '?secret=' . $key );
429	if ( isset( $title ) ) {
430	$google_url .= urlencode( '&issuer=' . rawurlencode( $title ) );
	@@ -452,20 +405,18 @@ class Two_Factor_Totp extends Two_Factor_Provider {
452	* @param WP_User $user WP_User object of the logged-in user.
453	*/
454	public function authentication_page( $user ) {
455	- require_once ABSPATH . '/wp-admin/includes/template.php';
456	?>
457	- <p>
458	- <?php esc_html_e( 'Please enter the code generated by your authenticator app.', 'two-factor' ); ?>
459	- </p>
460	<p>
461	<label for="authcode"><?php esc_html_e( 'Authentication Code:', 'two-factor' ); ?></label>
462	- <input type="tel" ~~autocomplete="off"~~ name="authcode" id="authcode" class="input" value="" size="20" pattern="[0-9]*" />
463	</p>
464	<script type="text/javascript">
465	setTimeout( function(){
466	var d;
467	try{
468	d = document.getElementById('authcode');

469	d.focus();
470	} catch(e){}
471	}, 200);
	@@ -493,10 +444,10 @@ class Two_Factor_Totp extends Two_Factor_Provider {
493	}
494
495	$five_bit_sections = str_split( $binary_string, 5 );
496	- $base32_string = '';
497
498	foreach ( $five_bit_sections as $five_bit_section ) {
499	- $base32_string .= self::$~~base_32_chars~~[ base_convert( str_pad( $five_bit_section, 5, '0' ), 2, 10 ) ];
500	}
501
502	return $base32_string;
	@@ -513,25 +464,25 @@ class Two_Factor_Totp extends Two_Factor_Provider {
513	*/
514	public static function base32_decode( $base32_string ) {
515
516	- $base32_string = strtoupper( $base32_string );
517
518	- if ( ! preg_match( '/^[' . self::$~~base_32_chars~~ . ']+$/', $base32_string, $match ) ) {
519	throw new Exception( 'Invalid characters in the base32 string.' );
520	}
521
522	- $l = strlen( $base32_string );
523	- $n = 0;
524	- $j = 0;
525	$binary = '';
526
527	for ( $i = 0; $i < $l; $i++ ) {
528
529	- $n = $n << 5; // Move buffer left by 5 to make room.
530	- $n = $n + strpos( self::$~~base_32_chars~~, $base32_string[ $i ] ); // Add value into buffer.
531	$j += 5; // Keep track of number of bits in buffer.
532
533	if ( $j >= 8 ) {
534	- $j -= 8;
535	$binary .= chr( ( $n & ( 0xFF << $j ) ) >> $j );
536	}
537	}
	@@ -553,6 +504,6 @@ class Two_Factor_Totp extends Two_Factor_Provider {
553	if ( $a === $b ) {
554	return 0;
555	}
556	- return ( $a < $b ) ? -1 : 1;
557	}
558	}


24	*/
25	const NOTICES_META_KEY = '_two_factor_totp_notices';
26
27	+ const DEFAULT_KEY_BIT_SIZE = 160;
28	+ const DEFAULT_CRYPTO = 'sha1';
29	+ const DEFAULT_DIGIT_COUNT = 6;
30	+ const DEFAULT_TIME_STEP_SEC = 30;







31	const DEFAULT_TIME_STEP_ALLOWANCE = 4;
32	+ private static $_base_32_chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';






33
34	/**
35	* Class constructor. Sets up hooks, etc.
36	*/
37	protected function __construct() {
38	+ add_action( 'two-factor-user-options-' . __CLASS__, array( $this, 'user_two_factor_options' ) );
39	+ add_action( 'personal_options_update', array( $this, 'user_two_factor_options_update' ) );
40	+ add_action( 'edit_user_profile_update', array( $this, 'user_two_factor_options_update' ) );


41	return parent::__construct();
42	}
43

56	* Returns the name of the provider.
57	*/
58	public function get_label() {
59	+ return _x( 'Time Based One-Time Password (Google Authenticator)', 'Provider Label', 'two-factor' );

























60	}
61
62	/**

73	wp_nonce_field( 'user_two_factor_totp_options', '_nonce_user_two_factor_totp_options', false );
74
75	$key = $this->get_user_totp_key( $user->ID );
76	+ $this->admin_notices();
77
78	?>
79	<div id="two-factor-totp-options">
80	+ <?php if ( empty( $key ) ) :
81	+ $key = $this->generate_key();
82	+ $site_name = get_bloginfo( 'name', 'display' );

83	$totp_title = apply_filters( 'two_factor_totp_title', $site_name . ':' . $user->user_login, $user );
84	?>
85	<p>

101	</p>
102	<?php else : ?>
103	<p class="success">
104	+ <?php esc_html_e( 'Secret key configured and registered.', 'two-factor' ); ?>
105	</p>
106	<p>
107	+ <input type="submit" class="button" name="two-factor-totp-delete" value="<?php esc_attr_e( 'Reset Key', 'two-factor' ); ?>" />
108	<em class="description">
109	<?php esc_html_e( 'You will have to re-scan the QR code on all devices as the previous codes will stop working.', 'two-factor' ); ?>
110	</em>

118	* Save the options specified in `::user_two_factor_options()`
119	*
120	* @param integer $user_id The user ID whose options are being updated.
121	+ * @return false

122	*/
123	public function user_two_factor_options_update( $user_id ) {
124	$notices = array();
125	+ $errors = array();
126	+
127	+ $current_key = $this->get_user_totp_key( $user_id );
128
129	if ( isset( $_POST['_nonce_user_two_factor_totp_options'] ) ) {
130	check_admin_referer( 'user_two_factor_totp_options', '_nonce_user_two_factor_totp_options' );
131
132	+ // Delete the secret key.
133	+ if ( ! empty( $current_key ) && isset( $_POST['two-factor-totp-delete'] ) ) {
134	+ $this->delete_user_totp_key( $user_id );
135	+ }
136	+
137	// Validate and store a new secret key.
138	if ( ! empty( $_POST['two-factor-totp-authcode'] ) && ! empty( $_POST['two-factor-totp-key'] ) ) {
139	+ if ( $this->is_valid_key( $_POST['two-factor-totp-key'] ) ) {
140	+ if ( $this->is_valid_authcode( $_POST['two-factor-totp-key'], $_POST['two-factor-totp-authcode'] ) ) {
141	+ if ( ! $this->set_user_totp_key( $user_id, $_POST['two-factor-totp-key'] ) ) {




142	$errors[] = __( 'Unable to save Two Factor Authentication code. Please re-scan the QR code and enter the code provided by your application.', 'two-factor' );
143	}
144	} else {

201	* @return boolean
202	*/
203	public function is_valid_key( $key ) {
204	+ $check = sprintf( '/^[%s]+$/', self::$_base_32_chars );
205
206	if ( 1 === preg_match( $check, $key ) ) {
207	return true;

212
213	/**
214	* Display any available admin notices.




215	*/
216	+ public function admin_notices() {
217	+ $notices = get_user_meta( get_current_user_id(), self::NOTICES_META_KEY, true );
218
219	if ( ! empty( $notices ) ) {
220	+ delete_user_meta( get_current_user_id(), self::NOTICES_META_KEY );

221	foreach ( $notices as $class => $messages ) {
222	?>
223	+ <div class="<?php echo esc_attr( $class ) ?>">
224	<?php
225	foreach ( $messages as $msg ) {
226	?>

244	* @return bool Whether the user gave a valid code
245	*/
246	public function validate_authentication( $user ) {
247	+ if ( ! empty( $_REQUEST['authcode'] ) ) { // WPCS: CSRF ok, nonce verified by login_form_validate_2fa().
248	return $this->is_valid_authcode(
249	$this->get_user_totp_key( $user->ID ),
250	+ sanitize_text_field( $_REQUEST['authcode'] ) // WPCS: CSRF ok, nonce verified by login_form_validate_2fa().
251	);
252	}
253

269	* Ticks are the allowed offset from the correct time in 30 second increments,
270	* so the default of 4 allows codes that are two minutes to either side of server time
271	*

272	* @param int $max_ticks Max ticks of time correction to allow. Default 4.
273	*/
274	+ $max_ticks = apply_filters( 'two-factor-totp-time-step-allowance', self::DEFAULT_TIME_STEP_ALLOWANCE );


275
276	// Array of all ticks to allow, sorted using absolute value to test closest match first.
277	$ticks = range( - $max_ticks, $max_ticks );

296	* @return string $bitsize long string composed of available base32 chars.
297	*/
298	public static function generate_key( $bitsize = self::DEFAULT_KEY_BIT_SIZE ) {
299	+ $bytes = ceil( $bitsize / 8 );
300	$secret = wp_generate_password( $bytes, true, true );
301
302	return self::base32_encode( $secret );

326	$higher = 0;
327	}
328
329	+ $lowmap = 0xffffffff;
330	+ $lower = $value & $lowmap;
331
332	return pack( 'NN', $higher, $lower );
333	}

377	*/
378	public static function get_google_qr_code( $name, $key, $title = null ) {
379	// Encode to support spaces, question marks and other characters.
380	+ $name = rawurlencode( $name );
381	$google_url = urlencode( 'otpauth://totp/' . $name . '?secret=' . $key );
382	if ( isset( $title ) ) {
383	$google_url .= urlencode( '&issuer=' . rawurlencode( $title ) );

405	* @param WP_User $user WP_User object of the logged-in user.
406	*/
407	public function authentication_page( $user ) {
408	+ require_once( ABSPATH . '/wp-admin/includes/template.php' );
409	?>



410	<p>
411	<label for="authcode"><?php esc_html_e( 'Authentication Code:', 'two-factor' ); ?></label>
412	+ <input type="tel" name="authcode" id="authcode" class="input" value="" size="20" pattern="[0-9]*" />
413	</p>
414	<script type="text/javascript">
415	setTimeout( function(){
416	var d;
417	try{
418	d = document.getElementById('authcode');
419	+ d.value = '';
420	d.focus();
421	} catch(e){}
422	}, 200);

444	}
445
446	$five_bit_sections = str_split( $binary_string, 5 );
447	+ $base32_string = '';
448
449	foreach ( $five_bit_sections as $five_bit_section ) {
450	+ $base32_string .= self::$_base_32_chars[ base_convert( str_pad( $five_bit_section, 5, '0' ), 2, 10 ) ];
451	}
452
453	return $base32_string;

464	*/
465	public static function base32_decode( $base32_string ) {
466
467	+ $base32_string = strtoupper( $base32_string );
468
469	+ if ( ! preg_match( '/^[' . self::$_base_32_chars . ']+$/', $base32_string, $match ) ) {
470	throw new Exception( 'Invalid characters in the base32 string.' );
471	}
472
473	+ $l = strlen( $base32_string );
474	+ $n = 0;
475	+ $j = 0;
476	$binary = '';
477
478	for ( $i = 0; $i < $l; $i++ ) {
479
480	+ $n = $n << 5; // Move buffer left by 5 to make room.
481	+ $n = $n + strpos( self::$_base_32_chars, $base32_string[ $i ] ); // Add value into buffer.
482	$j += 5; // Keep track of number of bits in buffer.
483
484	if ( $j >= 8 ) {
485	+ $j -= 8;
486	$binary .= chr( ( $n & ( 0xFF << $j ) ) >> $j );
487	}
488	}

504	if ( $a === $b ) {
505	return 0;
506	}
507	+ return ($a < $b) ? -1 : 1;
508	}
509	}

providers/js/fido-u2f-admin-inline-edit.js CHANGED Viewed

	@@ -80,8 +80,7 @@ var inlineEditKey;
80
81	params = {
82	action: 'inline-save-key',
83	- keyHandle: id,
84	- user_id: window.u2fL10n.user_id
85	};
86
87	fields = $( '#edit-' + id ).find( ':input' ).serialize();


80
81	params = {
82	action: 'inline-save-key',
83	+ keyHandle: id

84	};
85
86	fields = $( '#edit-' + id ).find( ':input' ).serialize();

readme.md CHANGED Viewed

	@@ -4,10 +4,10 @@
4	![Banner](assets/banner-1544x500.png)
5	Enable Two-Factor Authentication using time-based one-time passwords (OTP, Google Authenticator), Universal 2nd Factor (FIDO U2F, YubiKey), email and backup verification codes.
6
7	- Contributors: [georgestephanis](https://profiles.wordpress.org/georgestephanis), [valendesigns](https://profiles.wordpress.org/valendesigns), [stevenkword](https://profiles.wordpress.org/stevenkword), [extendwings](https://profiles.wordpress.org/extendwings), [sgrant](https://profiles.wordpress.org/sgrant), [aaroncampbell](https://profiles.wordpress.org/aaroncampbell), [johnbillion](https://profiles.wordpress.org/johnbillion), [stevegrunwell](https://profiles.wordpress.org/stevegrunwell), [netweb](https://profiles.wordpress.org/netweb), [kasparsd](https://profiles.wordpress.org/kasparsd), [alihusnainarshad](https://profiles.wordpress.org/alihusnainarshad)~~, [passoniate](https://profiles.wordpress.org/passoniate)~~
8	Tags: [two factor](https://wordpress.org/plugins/tags/two-factor), [two step](https://wordpress.org/plugins/tags/two-step), [authentication](https://wordpress.org/plugins/tags/authentication), [login](https://wordpress.org/plugins/tags/login), [totp](https://wordpress.org/plugins/tags/totp), [fido u2f](https://wordpress.org/plugins/tags/fido-u2f), [u2f](https://wordpress.org/plugins/tags/u2f), [email](https://wordpress.org/plugins/tags/email), [backup codes](https://wordpress.org/plugins/tags/backup-codes), [2fa](https://wordpress.org/plugins/tags/2fa), [yubikey](https://wordpress.org/plugins/tags/yubikey)
9	Requires at least: 4.3
10	- Tested up to: 5.5
11	Stable tag: trunk (master)
12	Requires PHP: 5.6
13
	@@ -23,15 +23,7 @@ Use the "Two-Factor Options" section under "Users" → "Your Profile" to enable
23	- Backup Codes
24	- Dummy Method (only for testing purposes)
25
26	- For more history, see [this post](https://~~georgestephanis~~.~~wordpress.com~~/2013/08/14/two-cents-on-two-factor/).
27	- ### Actions & Filters ###
28	- Here is a list of action and filter hooks provided by the plugin:
29	-
30	- - `two_factor_providers` filter overrides the available two-factor providers such as email and time-based one-time passwords. Array values are PHP classnames of the two-factor providers.
31	- - `two_factor_enabled_providers_for_user` filter overrides the list of two-factor providers enabled for a user. First argument is an array of enabled provider classnames as values, the second argument is the user ID.
32	- - `two_factor_user_authenticated` action which receives the logged in `WP_User` object as the first argument for determining the logged in user right after the authentication workflow.
33	- - `two_factor_token_ttl` filter overrides the time interval in seconds that an email token is considered after generation. Accepts the time in seconds as the first argument and the ID of the `WP_User` object being authenticated.
34	-
35
36	## Screenshots ##
37


4	![Banner](assets/banner-1544x500.png)
5	Enable Two-Factor Authentication using time-based one-time passwords (OTP, Google Authenticator), Universal 2nd Factor (FIDO U2F, YubiKey), email and backup verification codes.
6
7	+ Contributors: [georgestephanis](https://profiles.wordpress.org/georgestephanis), [valendesigns](https://profiles.wordpress.org/valendesigns), [stevenkword](https://profiles.wordpress.org/stevenkword), [extendwings](https://profiles.wordpress.org/extendwings), [sgrant](https://profiles.wordpress.org/sgrant), [aaroncampbell](https://profiles.wordpress.org/aaroncampbell), [johnbillion](https://profiles.wordpress.org/johnbillion), [stevegrunwell](https://profiles.wordpress.org/stevegrunwell), [netweb](https://profiles.wordpress.org/netweb), [kasparsd](https://profiles.wordpress.org/kasparsd), [alihusnainarshad](https://profiles.wordpress.org/alihusnainarshad)
8	Tags: [two factor](https://wordpress.org/plugins/tags/two-factor), [two step](https://wordpress.org/plugins/tags/two-step), [authentication](https://wordpress.org/plugins/tags/authentication), [login](https://wordpress.org/plugins/tags/login), [totp](https://wordpress.org/plugins/tags/totp), [fido u2f](https://wordpress.org/plugins/tags/fido-u2f), [u2f](https://wordpress.org/plugins/tags/u2f), [email](https://wordpress.org/plugins/tags/email), [backup codes](https://wordpress.org/plugins/tags/backup-codes), [2fa](https://wordpress.org/plugins/tags/2fa), [yubikey](https://wordpress.org/plugins/tags/yubikey)
9	Requires at least: 4.3
10	+ Tested up to: 5.3
11	Stable tag: trunk (master)
12	Requires PHP: 5.6
13

23	- Backup Codes
24	- Dummy Method (only for testing purposes)
25
26	+ For more history, see [this post](https://stephanis.info/2013/08/14/two-cents-on-two-factor/).








27
28	## Screenshots ##
29

readme.txt CHANGED Viewed

	@@ -1,8 +1,8 @@
1	=== Two-Factor ===
2	- Contributors: georgestephanis, valendesigns, stevenkword, extendwings, sgrant, aaroncampbell, johnbillion, stevegrunwell, netweb, kasparsd, alihusnainarshad~~, passoniate~~
3	Tags: two factor, two step, authentication, login, totp, fido u2f, u2f, email, backup codes, 2fa, yubikey
4	Requires at least: 4.3
5	- Tested up to: 5.5
6	Requires PHP: 5.6
7	Stable tag: trunk
8
	@@ -18,16 +18,8 @@ Use the "Two-Factor Options" section under "Users" → "Your Profile" to enable
18	- Backup Codes
19	- Dummy Method (only for testing purposes)
20
21	- For more history, see [this post](https://~~georgestephanis~~.~~wordpress.com~~/2013/08/14/two-cents-on-two-factor/).
22
23	- = Actions & Filters =
24	-
25	- Here is a list of action and filter hooks provided by the plugin:
26	-
27	- - `two_factor_providers` filter overrides the available two-factor providers such as email and time-based one-time passwords. Array values are PHP classnames of the two-factor providers.
28	- - `two_factor_enabled_providers_for_user` filter overrides the list of two-factor providers enabled for a user. First argument is an array of enabled provider classnames as values, the second argument is the user ID.
29	- - `two_factor_user_authenticated` action which receives the logged in `WP_User` object as the first argument for determining the logged in user right after the authentication workflow.
30	- - `two_factor_token_ttl` filter overrides the time interval in seconds that an email token is considered after generation. Accepts the time in seconds as the first argument and the ID of the `WP_User` object being authenticated.
31
32	== Screenshots ==
33


1	=== Two-Factor ===
2	+ Contributors: georgestephanis, valendesigns, stevenkword, extendwings, sgrant, aaroncampbell, johnbillion, stevegrunwell, netweb, kasparsd, alihusnainarshad
3	Tags: two factor, two step, authentication, login, totp, fido u2f, u2f, email, backup codes, 2fa, yubikey
4	Requires at least: 4.3
5	+ Tested up to: 5.3
6	Requires PHP: 5.6
7	Stable tag: trunk
8

18	- Backup Codes
19	- Dummy Method (only for testing purposes)
20
21	+ For more history, see [this post](https://stephanis.info/2013/08/14/two-cents-on-two-factor/).
22








23
24	== Screenshots ==
25

two-factor.php CHANGED Viewed

	@@ -1,18 +1,10 @@
1	<?php
2	/**
3	- * Two Factor
4	- *
5	- * @package Two_Factor
6	- * @author Plugin Contributors
7	- * @copyright 2020 Plugin Contributors
8	- * @license GPL-2.0-or-later
9	- *
10	- * @wordpress-plugin
11	* Plugin Name: Two Factor
12	* Plugin URI: https://wordpress.org/plugins/two-factor/
13	* Description: Two-Factor Authentication using time-based one-time passwords, Universal 2nd Factor (FIDO U2F), email and backup verification codes.
14	* Author: Plugin Contributors
15	- * Version: 0.7.0
16	* Author URI: https://github.com/wordpress/two-factor/graphs/contributors
17	* Network: True
18	* Text Domain: two-factor
	@@ -23,25 +15,20 @@
23	*/
24	define( 'TWO_FACTOR_DIR', plugin_dir_path( __FILE__ ) );
25
26	- /**
27	- * Version of the plugin.
28	- */
29	- define( 'TWO_FACTOR_VERSION', '0.7.0' );
30	-
31	/**
32	* Include the base class here, so that other plugins can also extend it.
33	*/
34	- require_once TWO_FACTOR_DIR . 'providers/class-two-factor-provider.php';
35
36	/**
37	* Include the core that handles the common bits.
38	*/
39	- require_once TWO_FACTOR_DIR . 'class-two-factor-core.php';
40
41	/**
42	* A compatability layer for some of the most-used plugins out there.
43	*/
44	- require_once TWO_FACTOR_DIR . 'class-two-factor-compat.php';
45
46	$two_factor_compat = new Two_Factor_Compat();
47


1	<?php
2	/**








3	* Plugin Name: Two Factor
4	* Plugin URI: https://wordpress.org/plugins/two-factor/
5	* Description: Two-Factor Authentication using time-based one-time passwords, Universal 2nd Factor (FIDO U2F), email and backup verification codes.
6	* Author: Plugin Contributors
7	+ * Version: 0.5.0
8	* Author URI: https://github.com/wordpress/two-factor/graphs/contributors
9	* Network: True
10	* Text Domain: two-factor

15	*/
16	define( 'TWO_FACTOR_DIR', plugin_dir_path( __FILE__ ) );
17





18	/**
19	* Include the base class here, so that other plugins can also extend it.
20	*/
21	+ require_once( TWO_FACTOR_DIR . 'providers/class.two-factor-provider.php' );
22
23	/**
24	* Include the core that handles the common bits.
25	*/
26	+ require_once( TWO_FACTOR_DIR . 'class-two-factor-core.php' );
27
28	/**
29	* A compatability layer for some of the most-used plugins out there.
30	*/
31	+ require_once( TWO_FACTOR_DIR . 'class-two-factor-compat.php' );
32
33	$two_factor_compat = new Two_Factor_Compat();
34