Two-Factor - Version 0.6.0

Version Description

Download this release

Release Info

Developer kasparsd
Plugin Icon 128x128 Two-Factor
Version 0.6.0
Comparing to
See all releases

Code changes from version 0.7.0 to 0.6.0

class-two-factor-compat.php CHANGED
@@ -1,9 +1,4 @@
1
  <?php
2
- /**
3
- * A compatibility layer for some of the most popular plugins.
4
- *
5
- * @package Two_Factor
6
- */
7
 
8
  /**
9
  * A compatibility layer for some of the most popular plugins.
@@ -35,9 +30,7 @@ class Two_Factor_Compat {
35
  * @return boolean
36
  */
37
  public function jetpack_rememberme( $rememberme ) {
38
- $action = filter_input( INPUT_GET, 'action', FILTER_SANITIZE_STRING );
39
-
40
- if ( 'jetpack-sso' === $action && $this->jetpack_is_sso_active() ) {
41
  return true;
42
  }
43
 
1
  <?php
 
 
 
 
 
2
 
3
  /**
4
  * A compatibility layer for some of the most popular plugins.
30
  * @return boolean
31
  */
32
  public function jetpack_rememberme( $rememberme ) {
33
+ if ( isset( $_GET['action'] ) && 'jetpack-sso' === $_GET['action'] && $this->jetpack_is_sso_active() ) {
 
 
34
  return true;
35
  }
36
 
class-two-factor-core.php CHANGED
@@ -1,10 +1,4 @@
1
  <?php
2
- /**
3
- * Two Factore Core Class.
4
- *
5
- * @package Two_Factor
6
- */
7
-
8
  /**
9
  * Class for creating two factor authorization.
10
  *
@@ -60,8 +54,6 @@ class Two_Factor_Core {
60
  /**
61
  * Set up filters and actions.
62
  *
63
- * @param object $compat A compaitbility later for plugins.
64
- *
65
  * @since 0.1-dev
66
  */
67
  public static function add_hooks( $compat ) {
@@ -114,11 +106,11 @@ class Two_Factor_Core {
114
  */
115
  public static function get_providers() {
116
  $providers = array(
117
- 'Two_Factor_Email' => TWO_FACTOR_DIR . 'providers/class-two-factor-email.php',
118
- 'Two_Factor_Totp' => TWO_FACTOR_DIR . 'providers/class-two-factor-totp.php',
119
- 'Two_Factor_FIDO_U2F' => TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f.php',
120
- 'Two_Factor_Backup_Codes' => TWO_FACTOR_DIR . 'providers/class-two-factor-backup-codes.php',
121
- 'Two_Factor_Dummy' => TWO_FACTOR_DIR . 'providers/class-two-factor-dummy.php',
122
  );
123
 
124
  /**
@@ -135,20 +127,18 @@ class Two_Factor_Core {
135
  // FIDO U2F is PHP 5.3+ only.
136
  if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && version_compare( PHP_VERSION, '5.3.0', '<' ) ) {
137
  unset( $providers['Two_Factor_FIDO_U2F'] );
138
- trigger_error( // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_trigger_error
139
- sprintf(
140
  /* translators: %s: version number */
141
- __( 'FIDO U2F is not available because you are using PHP %s. (Requires 5.3 or greater)', 'two-factor' ), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
142
- PHP_VERSION
143
- )
144
- );
145
  }
146
 
147
  /**
148
  * For each filtered provider,
149
  */
150
  foreach ( $providers as $class => $path ) {
151
- include_once $path;
152
 
153
  /**
154
  * Confirm that it's been successfully included before instantiating.
@@ -277,7 +267,7 @@ class Two_Factor_Core {
277
  * @return void
278
  */
279
  public static function trigger_user_settings_action() {
280
- $action = filter_input( INPUT_GET, self::USER_SETTINGS_ACTION_QUERY_VAR, FILTER_SANITIZE_STRING );
281
  $user_id = self::current_user_being_edited();
282
 
283
  if ( ! empty( $action ) && self::is_valid_user_action( $user_id, $action ) ) {
@@ -351,7 +341,7 @@ class Two_Factor_Core {
351
  $configured_providers = array();
352
 
353
  foreach ( $providers as $classname => $provider ) {
354
- if ( in_array( $classname, $enabled_providers, true ) && $provider->is_available_for_user( $user ) ) {
355
  $configured_providers[ $classname ] = $provider;
356
  }
357
  }
@@ -536,33 +526,29 @@ class Two_Factor_Core {
536
  * @since 0.1-dev
537
  */
538
  public static function backup_2fa() {
539
- $wp_auth_id = filter_input( INPUT_GET, 'wp-auth-id', FILTER_SANITIZE_NUMBER_INT );
540
- $nonce = filter_input( INPUT_GET, 'wp-auth-nonce', FILTER_SANITIZE_STRING );
541
- $provider = filter_input( INPUT_GET, 'provider', FILTER_SANITIZE_STRING );
542
-
543
- if ( ! $wp_auth_id || ! $nonce || ! $provider ) {
544
  return;
545
  }
546
 
547
- $user = get_userdata( $wp_auth_id );
548
  if ( ! $user ) {
549
  return;
550
  }
551
 
 
552
  if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) {
553
  wp_safe_redirect( get_bloginfo( 'url' ) );
554
  exit;
555
  }
556
 
557
  $providers = self::get_available_providers_for_user( $user );
558
- if ( isset( $providers[ $provider ] ) ) {
559
- $provider = $providers[ $provider ];
560
  } else {
561
  wp_die( esc_html__( 'Cheatin&#8217; uh?', 'two-factor' ), 403 );
562
  }
563
 
564
- $redirect_to = filter_input( INPUT_GET, 'redirect_to', FILTER_SANITIZE_URL );
565
- self::login_html( $user, $nonce, $redirect_to, '', $provider );
566
 
567
  exit;
568
  }
@@ -588,14 +574,14 @@ class Two_Factor_Core {
588
  $provider_class = get_class( $provider );
589
 
590
  $available_providers = self::get_available_providers_for_user( $user );
591
- $backup_providers = array_diff_key( $available_providers, array( $provider_class => null ) );
592
- $interim_login = isset( $_REQUEST['interim-login'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
593
 
594
  $rememberme = intval( self::rememberme() );
595
 
596
  if ( ! function_exists( 'login_header' ) ) {
597
  // We really should migrate login_header() out of `wp-login.php` so it can be called from an includes file.
598
- include_once TWO_FACTOR_DIR . 'includes/function.login-header.php';
599
  }
600
 
601
  login_header();
@@ -609,11 +595,11 @@ class Two_Factor_Core {
609
  <input type="hidden" name="provider" id="provider" value="<?php echo esc_attr( $provider_class ); ?>" />
610
  <input type="hidden" name="wp-auth-id" id="wp-auth-id" value="<?php echo esc_attr( $user->ID ); ?>" />
611
  <input type="hidden" name="wp-auth-nonce" id="wp-auth-nonce" value="<?php echo esc_attr( $login_nonce ); ?>" />
612
- <?php if ( $interim_login ) { ?>
613
  <input type="hidden" name="interim-login" value="1" />
614
- <?php } else { ?>
615
  <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
616
- <?php } ?>
617
  <input type="hidden" name="rememberme" id="rememberme" value="<?php echo esc_attr( $rememberme ); ?>" />
618
 
619
  <?php $provider->authentication_page( $user ); ?>
@@ -622,8 +608,8 @@ class Two_Factor_Core {
622
  <?php
623
  if ( 1 === count( $backup_providers ) ) :
624
  $backup_classname = key( $backup_providers );
625
- $backup_provider = $backup_providers[ $backup_classname ];
626
- $login_url = self::login_url(
627
  array(
628
  'action' => 'backup_2fa',
629
  'provider' => $backup_classname,
@@ -717,8 +703,7 @@ class Two_Factor_Core {
717
 
718
  <?php
719
  /** This action is documented in wp-login.php */
720
- do_action( 'login_footer' );
721
- ?>
722
  <div class="clear"></div>
723
  </body>
724
  </html>
@@ -752,11 +737,11 @@ class Two_Factor_Core {
752
  * @return array
753
  */
754
  public static function create_login_nonce( $user_id ) {
755
- $login_nonce = array();
756
  try {
757
  $login_nonce['key'] = bin2hex( random_bytes( 32 ) );
758
- } catch ( Exception $ex ) {
759
- $login_nonce['key'] = wp_hash( $user_id . wp_rand() . microtime(), 'nonce' );
760
  }
761
  $login_nonce['expiration'] = time() + HOUR_IN_SECONDS;
762
 
@@ -808,28 +793,25 @@ class Two_Factor_Core {
808
  * @since 0.1-dev
809
  */
810
  public static function login_form_validate_2fa() {
811
- $wp_auth_id = filter_input( INPUT_POST, 'wp-auth-id', FILTER_SANITIZE_NUMBER_INT );
812
- $nonce = filter_input( INPUT_POST, 'wp-auth-nonce', FILTER_SANITIZE_STRING );
813
-
814
- if ( ! $wp_auth_id || ! $nonce ) {
815
  return;
816
  }
817
 
818
- $user = get_userdata( $wp_auth_id );
819
  if ( ! $user ) {
820
  return;
821
  }
822
 
 
823
  if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) {
824
  wp_safe_redirect( get_bloginfo( 'url' ) );
825
  exit;
826
  }
827
 
828
- $provider = filter_input( INPUT_POST, 'provider', FILTER_SANITIZE_STRING );
829
- if ( $provider ) {
830
  $providers = self::get_available_providers_for_user( $user );
831
- if ( isset( $providers[ $provider ] ) ) {
832
- $provider = $providers[ $provider ];
833
  } else {
834
  wp_die( esc_html__( 'Cheatin&#8217; uh?', 'two-factor' ), 403 );
835
  }
@@ -874,7 +856,7 @@ class Two_Factor_Core {
874
 
875
  // Must be global because that's how login_header() uses it.
876
  global $interim_login;
877
- $interim_login = isset( $_REQUEST['interim-login'] ); // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited,WordPress.Security.NonceVerification.Recommended
878
 
879
  if ( $interim_login ) {
880
  $customize_login = isset( $_REQUEST['customize-login'] );
@@ -882,16 +864,14 @@ class Two_Factor_Core {
882
  wp_enqueue_script( 'customize-base' );
883
  }
884
  $message = '<p class="message">' . __( 'You have logged in successfully.', 'two-factor' ) . '</p>';
885
- $interim_login = 'success'; // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited
886
- login_header( '', $message );
887
- ?>
888
  </div>
889
  <?php
890
  /** This action is documented in wp-login.php */
891
- do_action( 'login_footer' );
892
- ?>
893
  <?php if ( $customize_login ) : ?>
894
- <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo esc_url( wp_customize_url() ); ?>', channel: 'login' }).send('login') }, 1000 );</script>
895
  <?php endif; ?>
896
  </body></html>
897
  <?php
@@ -947,10 +927,10 @@ class Two_Factor_Core {
947
  * @param WP_User $user WP_User object of the logged-in user.
948
  */
949
  public static function user_two_factor_options( $user ) {
950
- wp_enqueue_style( 'user-edit-2fa', plugins_url( 'user-edit.css', __FILE__ ), array(), TWO_FACTOR_VERSION );
951
 
952
  $enabled_providers = array_keys( self::get_available_providers_for_user( $user ) );
953
- $primary_provider = self::get_primary_provider_for_user( $user->ID );
954
 
955
  if ( ! empty( $primary_provider ) && is_object( $primary_provider ) ) {
956
  $primary_provider_key = get_class( $primary_provider );
@@ -979,24 +959,11 @@ class Two_Factor_Core {
979
  <tbody>
980
  <?php foreach ( self::get_providers() as $class => $object ) : ?>
981
  <tr>
982
- <th scope="row"><input type="checkbox" name="<?php echo esc_attr( self::ENABLED_PROVIDERS_USER_META_KEY ); ?>[]" value="<?php echo esc_attr( $class ); ?>" <?php checked( in_array( $class, $enabled_providers, true ) ); ?> /></th>
983
  <th scope="row"><input type="radio" name="<?php echo esc_attr( self::PROVIDER_USER_META_KEY ); ?>" value="<?php echo esc_attr( $class ); ?>" <?php checked( $class, $primary_provider_key ); ?> /></th>
984
  <td>
985
- <?php
986
- $object->print_label();
987
-
988
- /**
989
- * Fires after user options are shown.
990
- *
991
- * Use the {@see 'two_factor_user_options_' . $class } hook instead.
992
- *
993
- * @deprecated 0.7.0
994
- *
995
- * @param WP_User $user The user.
996
- */
997
- do_action_deprecated( 'two-factor-user-options-' . $class, array( $user ), '0.7.0', 'two_factor_user_options_' . $class );
998
- do_action( 'two_factor_user_options_' . $class, $user );
999
- ?>
1000
  </td>
1001
  </tr>
1002
  <?php endforeach; ?>
1
  <?php
 
 
 
 
 
 
2
  /**
3
  * Class for creating two factor authorization.
4
  *
54
  /**
55
  * Set up filters and actions.
56
  *
 
 
57
  * @since 0.1-dev
58
  */
59
  public static function add_hooks( $compat ) {
106
  */
107
  public static function get_providers() {
108
  $providers = array(
109
+ 'Two_Factor_Email' => TWO_FACTOR_DIR . 'providers/class.two-factor-email.php',
110
+ 'Two_Factor_Totp' => TWO_FACTOR_DIR . 'providers/class.two-factor-totp.php',
111
+ 'Two_Factor_FIDO_U2F' => TWO_FACTOR_DIR . 'providers/class.two-factor-fido-u2f.php',
112
+ 'Two_Factor_Backup_Codes' => TWO_FACTOR_DIR . 'providers/class.two-factor-backup-codes.php',
113
+ 'Two_Factor_Dummy' => TWO_FACTOR_DIR . 'providers/class.two-factor-dummy.php',
114
  );
115
 
116
  /**
127
  // FIDO U2F is PHP 5.3+ only.
128
  if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && version_compare( PHP_VERSION, '5.3.0', '<' ) ) {
129
  unset( $providers['Two_Factor_FIDO_U2F'] );
130
+ trigger_error( sprintf( // WPCS: XSS OK.
 
131
  /* translators: %s: version number */
132
+ __( 'FIDO U2F is not available because you are using PHP %s. (Requires 5.3 or greater)', 'two-factor' ),
133
+ PHP_VERSION
134
+ ) );
 
135
  }
136
 
137
  /**
138
  * For each filtered provider,
139
  */
140
  foreach ( $providers as $class => $path ) {
141
+ include_once( $path );
142
 
143
  /**
144
  * Confirm that it's been successfully included before instantiating.
267
  * @return void
268
  */
269
  public static function trigger_user_settings_action() {
270
+ $action = filter_input( INPUT_GET, self::USER_SETTINGS_ACTION_QUERY_VAR, FILTER_SANITIZE_STRING );
271
  $user_id = self::current_user_being_edited();
272
 
273
  if ( ! empty( $action ) && self::is_valid_user_action( $user_id, $action ) ) {
341
  $configured_providers = array();
342
 
343
  foreach ( $providers as $classname => $provider ) {
344
+ if ( in_array( $classname, $enabled_providers ) && $provider->is_available_for_user( $user ) ) {
345
  $configured_providers[ $classname ] = $provider;
346
  }
347
  }
526
  * @since 0.1-dev
527
  */
528
  public static function backup_2fa() {
529
+ if ( ! isset( $_GET['wp-auth-id'], $_GET['wp-auth-nonce'], $_GET['provider'] ) ) {
 
 
 
 
530
  return;
531
  }
532
 
533
+ $user = get_userdata( $_GET['wp-auth-id'] );
534
  if ( ! $user ) {
535
  return;
536
  }
537
 
538
+ $nonce = $_GET['wp-auth-nonce'];
539
  if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) {
540
  wp_safe_redirect( get_bloginfo( 'url' ) );
541
  exit;
542
  }
543
 
544
  $providers = self::get_available_providers_for_user( $user );
545
+ if ( isset( $providers[ $_GET['provider'] ] ) ) {
546
+ $provider = $providers[ $_GET['provider'] ];
547
  } else {
548
  wp_die( esc_html__( 'Cheatin&#8217; uh?', 'two-factor' ), 403 );
549
  }
550
 
551
+ self::login_html( $user, $_GET['wp-auth-nonce'], $_GET['redirect_to'], '', $provider );
 
552
 
553
  exit;
554
  }
574
  $provider_class = get_class( $provider );
575
 
576
  $available_providers = self::get_available_providers_for_user( $user );
577
+ $backup_providers = array_diff_key( $available_providers, array( $provider_class => null ) );
578
+ $interim_login = isset( $_REQUEST['interim-login'] ); // WPCS: CSRF ok.
579
 
580
  $rememberme = intval( self::rememberme() );
581
 
582
  if ( ! function_exists( 'login_header' ) ) {
583
  // We really should migrate login_header() out of `wp-login.php` so it can be called from an includes file.
584
+ include_once( TWO_FACTOR_DIR . 'includes/function.login-header.php' );
585
  }
586
 
587
  login_header();
595
  <input type="hidden" name="provider" id="provider" value="<?php echo esc_attr( $provider_class ); ?>" />
596
  <input type="hidden" name="wp-auth-id" id="wp-auth-id" value="<?php echo esc_attr( $user->ID ); ?>" />
597
  <input type="hidden" name="wp-auth-nonce" id="wp-auth-nonce" value="<?php echo esc_attr( $login_nonce ); ?>" />
598
+ <?php if ( $interim_login ) { ?>
599
  <input type="hidden" name="interim-login" value="1" />
600
+ <?php } else { ?>
601
  <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
602
+ <?php } ?>
603
  <input type="hidden" name="rememberme" id="rememberme" value="<?php echo esc_attr( $rememberme ); ?>" />
604
 
605
  <?php $provider->authentication_page( $user ); ?>
608
  <?php
609
  if ( 1 === count( $backup_providers ) ) :
610
  $backup_classname = key( $backup_providers );
611
+ $backup_provider = $backup_providers[ $backup_classname ];
612
+ $login_url = self::login_url(
613
  array(
614
  'action' => 'backup_2fa',
615
  'provider' => $backup_classname,
703
 
704
  <?php
705
  /** This action is documented in wp-login.php */
706
+ do_action( 'login_footer' ); ?>
 
707
  <div class="clear"></div>
708
  </body>
709
  </html>
737
  * @return array
738
  */
739
  public static function create_login_nonce( $user_id ) {
740
+ $login_nonce = array();
741
  try {
742
  $login_nonce['key'] = bin2hex( random_bytes( 32 ) );
743
+ } catch (Exception $ex) {
744
+ $login_nonce['key'] = wp_hash( $user_id . mt_rand() . microtime(), 'nonce' );
745
  }
746
  $login_nonce['expiration'] = time() + HOUR_IN_SECONDS;
747
 
793
  * @since 0.1-dev
794
  */
795
  public static function login_form_validate_2fa() {
796
+ if ( ! isset( $_POST['wp-auth-id'], $_POST['wp-auth-nonce'] ) ) {
 
 
 
797
  return;
798
  }
799
 
800
+ $user = get_userdata( $_POST['wp-auth-id'] );
801
  if ( ! $user ) {
802
  return;
803
  }
804
 
805
+ $nonce = $_POST['wp-auth-nonce'];
806
  if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) {
807
  wp_safe_redirect( get_bloginfo( 'url' ) );
808
  exit;
809
  }
810
 
811
+ if ( isset( $_POST['provider'] ) ) {
 
812
  $providers = self::get_available_providers_for_user( $user );
813
+ if ( isset( $providers[ $_POST['provider'] ] ) ) {
814
+ $provider = $providers[ $_POST['provider'] ];
815
  } else {
816
  wp_die( esc_html__( 'Cheatin&#8217; uh?', 'two-factor' ), 403 );
817
  }
856
 
857
  // Must be global because that's how login_header() uses it.
858
  global $interim_login;
859
+ $interim_login = isset( $_REQUEST['interim-login'] ); // WPCS: override ok.
860
 
861
  if ( $interim_login ) {
862
  $customize_login = isset( $_REQUEST['customize-login'] );
864
  wp_enqueue_script( 'customize-base' );
865
  }
866
  $message = '<p class="message">' . __( 'You have logged in successfully.', 'two-factor' ) . '</p>';
867
+ $interim_login = 'success'; // WPCS: override ok.
868
+ login_header( '', $message ); ?>
 
869
  </div>
870
  <?php
871
  /** This action is documented in wp-login.php */
872
+ do_action( 'login_footer' ); ?>
 
873
  <?php if ( $customize_login ) : ?>
874
+ <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); /* WPCS: XSS OK. */ ?>', channel: 'login' }).send('login') }, 1000 );</script>
875
  <?php endif; ?>
876
  </body></html>
877
  <?php
927
  * @param WP_User $user WP_User object of the logged-in user.
928
  */
929
  public static function user_two_factor_options( $user ) {
930
+ wp_enqueue_style( 'user-edit-2fa', plugins_url( 'user-edit.css', __FILE__ ) );
931
 
932
  $enabled_providers = array_keys( self::get_available_providers_for_user( $user ) );
933
+ $primary_provider = self::get_primary_provider_for_user( $user->ID );
934
 
935
  if ( ! empty( $primary_provider ) && is_object( $primary_provider ) ) {
936
  $primary_provider_key = get_class( $primary_provider );
959
  <tbody>
960
  <?php foreach ( self::get_providers() as $class => $object ) : ?>
961
  <tr>
962
+ <th scope="row"><input type="checkbox" name="<?php echo esc_attr( self::ENABLED_PROVIDERS_USER_META_KEY ); ?>[]" value="<?php echo esc_attr( $class ); ?>" <?php checked( in_array( $class, $enabled_providers ) ); ?> /></th>
963
  <th scope="row"><input type="radio" name="<?php echo esc_attr( self::PROVIDER_USER_META_KEY ); ?>" value="<?php echo esc_attr( $class ); ?>" <?php checked( $class, $primary_provider_key ); ?> /></th>
964
  <td>
965
+ <?php $object->print_label(); ?>
966
+ <?php do_action( 'two-factor-user-options-' . $class, $user ); ?>
 
 
 
 
 
 
 
 
 
 
 
 
 
967
  </td>
968
  </tr>
969
  <?php endforeach; ?>
docker-compose.yml DELETED
@@ -1,11 +0,0 @@
1
- version: '3.6'
2
-
3
- services:
4
-
5
- wpdevlib:
6
- build: ./tests/docker/wp-dev-lib
7
- working_dir: /var/www/html
8
- volumes:
9
- - .:/var/www/html
10
- environment:
11
- CHECK_SCOPE: all
 
 
 
 
 
 
 
 
 
 
 
providers/{class-two-factor-backup-codes.php → class.two-factor-backup-codes.php} RENAMED
@@ -1,10 +1,4 @@
1
  <?php
2
- /**
3
- * Class for creating a backup codes provider.
4
- *
5
- * @package Two_Factor
6
- */
7
-
8
  /**
9
  * Class for creating a backup codes provider.
10
  *
@@ -33,11 +27,11 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
33
  *
34
  * @since 0.1-dev
35
  */
36
- public static function get_instance() {
37
  static $instance;
38
  $class = __CLASS__;
39
  if ( ! is_a( $instance, $class ) ) {
40
- $instance = new $class();
41
  }
42
  return $instance;
43
  }
@@ -48,7 +42,7 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
48
  * @since 0.1-dev
49
  */
50
  protected function __construct() {
51
- add_action( 'two_factor_user_options_' . __CLASS__, array( $this, 'user_options' ) );
52
  add_action( 'admin_notices', array( $this, 'admin_notices' ) );
53
  add_action( 'wp_ajax_two_factor_backup_codes_generate', array( $this, 'ajax_generate_json' ) );
54
 
@@ -64,7 +58,7 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
64
  $user = wp_get_current_user();
65
 
66
  // Return if the provider is not enabled.
67
- if ( ! in_array( __CLASS__, Two_Factor_Core::get_enabled_providers_for_user( $user->ID ), true ) ) {
68
  return;
69
  }
70
 
@@ -77,13 +71,9 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
77
  <p>
78
  <span>
79
  <?php
80
- wp_kses(
81
- sprintf(
82
- /* translators: %s: URL for code regeneration */
83
- __( 'Two-Factor: You are out of backup codes and need to <a href="%s">regenerate!</a>', 'two-factor' ),
84
- esc_url( get_edit_user_link( $user->ID ) . '#two-factor-backup-codes' )
85
- ),
86
- array( 'a' => array( 'href' => true ) )
87
  );
88
  ?>
89
  <span>
@@ -126,23 +116,19 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
126
  */
127
  public function user_options( $user ) {
128
  $ajax_nonce = wp_create_nonce( 'two-factor-backup-codes-generate-json-' . $user->ID );
129
- $count = self::codes_remaining_for_user( $user );
130
  ?>
131
  <p id="two-factor-backup-codes">
132
  <button type="button" class="button button-two-factor-backup-codes-generate button-secondary hide-if-no-js">
133
  <?php esc_html_e( 'Generate Verification Codes', 'two-factor' ); ?>
134
  </button>
135
- <span class="two-factor-backup-codes-count">
136
- <?php
137
- echo esc_html(
138
- sprintf(
139
  /* translators: %s: count */
140
- _n( '%s unused code remaining.', '%s unused codes remaining.', $count, 'two-factor' ),
141
- $count
142
- )
143
- );
144
- ?>
145
- </span>
146
  </p>
147
  <div class="two-factor-backup-codes-wrapper" style="display:none;">
148
  <ol class="two-factor-backup-codes-unused-codes"></ol>
@@ -204,7 +190,7 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
204
  * @return array
205
  */
206
  public function generate_codes( $user, $args = '' ) {
207
- $codes = array();
208
  $codes_hashed = array();
209
 
210
  // Check for arguments.
@@ -220,9 +206,9 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
220
  }
221
 
222
  for ( $i = 0; $i < $num_codes; $i++ ) {
223
- $code = $this->get_code();
224
  $codes_hashed[] = wp_hash_password( $code );
225
- $codes[] = $code;
226
  unset( $code );
227
  }
228
 
@@ -238,13 +224,13 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
238
  * @since 0.1-dev
239
  */
240
  public function ajax_generate_json() {
241
- $user = get_user_by( 'id', filter_input( INPUT_POST, 'user_id', FILTER_SANITIZE_NUMBER_INT ) );
242
  check_ajax_referer( 'two-factor-backup-codes-generate-json-' . $user->ID, 'nonce' );
243
 
244
  // Setup the return data.
245
  $codes = $this->generate_codes( $user );
246
  $count = self::codes_remaining_for_user( $user );
247
- $i18n = array(
248
  /* translators: %s: count */
249
  'count' => esc_html( sprintf( _n( '%s unused code remaining.', '%s unused codes remaining.', $count, 'two-factor' ), $count ) ),
250
  /* translators: %s: the site's domain */
@@ -252,12 +238,7 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
252
  );
253
 
254
  // Send the response.
255
- wp_send_json_success(
256
- array(
257
- 'codes' => $codes,
258
- 'i18n' => $i18n,
259
- )
260
- );
261
  }
262
 
263
  /**
@@ -282,7 +263,7 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
282
  * @param WP_User $user WP_User object of the logged-in user.
283
  */
284
  public function authentication_page( $user ) {
285
- require_once ABSPATH . '/wp-admin/includes/template.php';
286
  ?>
287
  <p><?php esc_html_e( 'Enter a backup verification code.', 'two-factor' ); ?></p><br/>
288
  <p>
@@ -304,8 +285,7 @@ class Two_Factor_Backup_Codes extends Two_Factor_Provider {
304
  * @return boolean
305
  */
306
  public function validate_authentication( $user ) {
307
- $backup_code = isset( $_POST['two-factor-backup-code'] ) ? sanitize_text_field( wp_unslash( $_POST['two-factor-backup-code'] ) ) : false;
308
- return $this->validate_code( $user, filter_var( $backup_code, FILTER_SANITIZE_STRING ) );
309
  }
310
 
311
  /**
1
  <?php
 
 
 
 
 
 
2
  /**
3
  * Class for creating a backup codes provider.
4
  *
27
  *
28
  * @since 0.1-dev
29
  */
30
+ static function get_instance() {
31
  static $instance;
32
  $class = __CLASS__;
33
  if ( ! is_a( $instance, $class ) ) {
34
+ $instance = new $class;
35
  }
36
  return $instance;
37
  }
42
  * @since 0.1-dev
43
  */
44
  protected function __construct() {
45
+ add_action( 'two-factor-user-options-' . __CLASS__, array( $this, 'user_options' ) );
46
  add_action( 'admin_notices', array( $this, 'admin_notices' ) );
47
  add_action( 'wp_ajax_two_factor_backup_codes_generate', array( $this, 'ajax_generate_json' ) );
48
 
58
  $user = wp_get_current_user();
59
 
60
  // Return if the provider is not enabled.
61
+ if ( ! in_array( __CLASS__, Two_Factor_Core::get_enabled_providers_for_user( $user->ID ) ) ) {
62
  return;
63
  }
64
 
71
  <p>
72
  <span>
73
  <?php
74
+ printf( // WPCS: XSS OK.
75
+ __( 'Two-Factor: You are out of backup codes and need to <a href="%s">regenerate!</a>', 'two-factor' ),
76
+ esc_url( get_edit_user_link( $user->ID ) . '#two-factor-backup-codes' )
 
 
 
 
77
  );
78
  ?>
79
  <span>
116
  */
117
  public function user_options( $user ) {
118
  $ajax_nonce = wp_create_nonce( 'two-factor-backup-codes-generate-json-' . $user->ID );
119
+ $count = self::codes_remaining_for_user( $user );
120
  ?>
121
  <p id="two-factor-backup-codes">
122
  <button type="button" class="button button-two-factor-backup-codes-generate button-secondary hide-if-no-js">
123
  <?php esc_html_e( 'Generate Verification Codes', 'two-factor' ); ?>
124
  </button>
125
+ <span class="two-factor-backup-codes-count"><?php
126
+ echo esc_html( sprintf(
 
 
127
  /* translators: %s: count */
128
+ _n( '%s unused code remaining.', '%s unused codes remaining.', $count, 'two-factor' ),
129
+ $count
130
+ ) );
131
+ ?></span>
 
 
132
  </p>
133
  <div class="two-factor-backup-codes-wrapper" style="display:none;">
134
  <ol class="two-factor-backup-codes-unused-codes"></ol>
190
  * @return array
191
  */
192
  public function generate_codes( $user, $args = '' ) {
193
+ $codes = array();
194
  $codes_hashed = array();
195
 
196
  // Check for arguments.
206
  }
207
 
208
  for ( $i = 0; $i < $num_codes; $i++ ) {
209
+ $code = $this->get_code();
210
  $codes_hashed[] = wp_hash_password( $code );
211
+ $codes[] = $code;
212
  unset( $code );
213
  }
214
 
224
  * @since 0.1-dev
225
  */
226
  public function ajax_generate_json() {
227
+ $user = get_user_by( 'id', sanitize_text_field( $_POST['user_id'] ) );
228
  check_ajax_referer( 'two-factor-backup-codes-generate-json-' . $user->ID, 'nonce' );
229
 
230
  // Setup the return data.
231
  $codes = $this->generate_codes( $user );
232
  $count = self::codes_remaining_for_user( $user );
233
+ $i18n = array(
234
  /* translators: %s: count */
235
  'count' => esc_html( sprintf( _n( '%s unused code remaining.', '%s unused codes remaining.', $count, 'two-factor' ), $count ) ),
236
  /* translators: %s: the site's domain */
238
  );
239
 
240
  // Send the response.
241
+ wp_send_json_success( array( 'codes' => $codes, 'i18n' => $i18n ) );
 
 
 
 
 
242
  }
243
 
244
  /**
263
  * @param WP_User $user WP_User object of the logged-in user.
264
  */
265
  public function authentication_page( $user ) {
266
+ require_once( ABSPATH . '/wp-admin/includes/template.php' );
267
  ?>
268
  <p><?php esc_html_e( 'Enter a backup verification code.', 'two-factor' ); ?></p><br/>
269
  <p>
285
  * @return boolean
286
  */
287
  public function validate_authentication( $user ) {
288
+ return $this->validate_code( $user, $_POST['two-factor-backup-code'] );
 
289
  }
290
 
291
  /**
providers/{class-two-factor-dummy.php → class.two-factor-dummy.php} RENAMED
@@ -1,10 +1,4 @@
1
  <?php
2
- /**
3
- * Class for creating a dummy provider.
4
- *
5
- * @package Two_Factor
6
- */
7
-
8
  /**
9
  * Class for creating a dummy provider.
10
  *
@@ -19,11 +13,11 @@ class Two_Factor_Dummy extends Two_Factor_Provider {
19
  *
20
  * @since 0.1-dev
21
  */
22
- public static function get_instance() {
23
  static $instance;
24
  $class = __CLASS__;
25
  if ( ! is_a( $instance, $class ) ) {
26
- $instance = new $class();
27
  }
28
  return $instance;
29
  }
@@ -34,7 +28,7 @@ class Two_Factor_Dummy extends Two_Factor_Provider {
34
  * @since 0.1-dev
35
  */
36
  protected function __construct() {
37
- add_action( 'two_factor_user_options_' . __CLASS__, array( $this, 'user_options' ) );
38
  return parent::__construct();
39
  }
40
 
@@ -55,7 +49,7 @@ class Two_Factor_Dummy extends Two_Factor_Provider {
55
  * @param WP_User $user WP_User object of the logged-in user.
56
  */
57
  public function authentication_page( $user ) {
58
- require_once ABSPATH . '/wp-admin/includes/template.php';
59
  ?>
60
  <p><?php esc_html_e( 'Are you really you?', 'two-factor' ); ?></p>
61
  <?php
1
  <?php
 
 
 
 
 
 
2
  /**
3
  * Class for creating a dummy provider.
4
  *
13
  *
14
  * @since 0.1-dev
15
  */
16
+ static function get_instance() {
17
  static $instance;
18
  $class = __CLASS__;
19
  if ( ! is_a( $instance, $class ) ) {
20
+ $instance = new $class;
21
  }
22
  return $instance;
23
  }
28
  * @since 0.1-dev
29
  */
30
  protected function __construct() {
31
+ add_action( 'two-factor-user-options-' . __CLASS__, array( $this, 'user_options' ) );
32
  return parent::__construct();
33
  }
34
 
49
  * @param WP_User $user WP_User object of the logged-in user.
50
  */
51
  public function authentication_page( $user ) {
52
+ require_once( ABSPATH . '/wp-admin/includes/template.php' );
53
  ?>
54
  <p><?php esc_html_e( 'Are you really you?', 'two-factor' ); ?></p>
55
  <?php
providers/{class-two-factor-email.php → class.two-factor-email.php} RENAMED
@@ -1,10 +1,4 @@
1
  <?php
2
- /**
3
- * Class for creating an email provider.
4
- *
5
- * @package Two_Factor
6
- */
7
-
8
  /**
9
  * Class for creating an email provider.
10
  *
@@ -40,11 +34,11 @@ class Two_Factor_Email extends Two_Factor_Provider {
40
  *
41
  * @since 0.1-dev
42
  */
43
- public static function get_instance() {
44
  static $instance;
45
  $class = __CLASS__;
46
  if ( ! is_a( $instance, $class ) ) {
47
- $instance = new $class();
48
  }
49
  return $instance;
50
  }
@@ -55,7 +49,7 @@ class Two_Factor_Email extends Two_Factor_Provider {
55
  * @since 0.1-dev
56
  */
57
  protected function __construct() {
58
- add_action( 'two_factor_user_options_' . __CLASS__, array( $this, 'user_options' ) );
59
  return parent::__construct();
60
  }
61
 
@@ -110,7 +104,7 @@ class Two_Factor_Email extends Two_Factor_Provider {
110
  */
111
  public function user_token_has_expired( $user_id ) {
112
  $token_lifetime = $this->user_token_lifetime( $user_id );
113
- $token_ttl = $this->user_token_ttl( $user_id );
114
 
115
  // Invalid token lifetime is considered an expired token.
116
  if ( is_int( $token_lifetime ) && $token_lifetime <= $token_ttl ) {
@@ -264,12 +258,12 @@ class Two_Factor_Email extends Two_Factor_Provider {
264
  $this->generate_and_email_token( $user );
265
  }
266
 
267
- require_once ABSPATH . '/wp-admin/includes/template.php';
268
  ?>
269
  <p><?php esc_html_e( 'A verification code has been sent to the email address associated with your account.', 'two-factor' ); ?></p>
270
  <p>
271
  <label for="authcode"><?php esc_html_e( 'Verification Code:', 'two-factor' ); ?></label>
272
- <input type="tel" name="two-factor-email-code" id="authcode" class="input" value="" size="20" />
273
  <?php submit_button( __( 'Log In', 'two-factor' ) ); ?>
274
  </p>
275
  <p class="two-factor-email-resend">
@@ -317,10 +311,7 @@ class Two_Factor_Email extends Two_Factor_Provider {
317
  return false;
318
  }
319
 
320
- // Ensure there are no spaces or line breaks around the code.
321
- $code = trim( sanitize_text_field( $_REQUEST['two-factor-email-code'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, handled by the core method already.
322
-
323
- return $this->validate_token( $user->ID, $code );
324
  }
325
 
326
  /**
@@ -347,13 +338,11 @@ class Two_Factor_Email extends Two_Factor_Provider {
347
  ?>
348
  <div>
349
  <?php
350
- echo esc_html(
351
- sprintf(
352
  /* translators: %s: email address */
353
- __( 'Authentication codes will be sent to %s.', 'two-factor' ),
354
- $email
355
- )
356
- );
357
  ?>
358
  </div>
359
  <?php
1
  <?php
 
 
 
 
 
 
2
  /**
3
  * Class for creating an email provider.
4
  *
34
  *
35
  * @since 0.1-dev
36
  */
37
+ static function get_instance() {
38
  static $instance;
39
  $class = __CLASS__;
40
  if ( ! is_a( $instance, $class ) ) {
41
+ $instance = new $class;
42
  }
43
  return $instance;
44
  }
49
  * @since 0.1-dev
50
  */
51
  protected function __construct() {
52
+ add_action( 'two-factor-user-options-' . __CLASS__, array( $this, 'user_options' ) );
53
  return parent::__construct();
54
  }
55
 
104
  */
105
  public function user_token_has_expired( $user_id ) {
106
  $token_lifetime = $this->user_token_lifetime( $user_id );
107
+ $token_ttl = $this->user_token_ttl( $user_id );
108
 
109
  // Invalid token lifetime is considered an expired token.
110
  if ( is_int( $token_lifetime ) && $token_lifetime <= $token_ttl ) {
258
  $this->generate_and_email_token( $user );
259
  }
260
 
261
+ require_once( ABSPATH . '/wp-admin/includes/template.php' );
262
  ?>
263
  <p><?php esc_html_e( 'A verification code has been sent to the email address associated with your account.', 'two-factor' ); ?></p>
264
  <p>
265
  <label for="authcode"><?php esc_html_e( 'Verification Code:', 'two-factor' ); ?></label>
266
+ <input type="tel" name="two-factor-email-code" id="authcode" class="input" value="" size="20" pattern="[0-9]*" />
267
  <?php submit_button( __( 'Log In', 'two-factor' ) ); ?>
268
  </p>
269
  <p class="two-factor-email-resend">
311
  return false;
312
  }
313
 
314
+ return $this->validate_token( $user->ID, $_REQUEST['two-factor-email-code'] );
 
 
 
315
  }
316
 
317
  /**
338
  ?>
339
  <div>
340
  <?php
341
+ echo esc_html( sprintf(
 
342
  /* translators: %s: email address */
343
+ __( 'Authentication codes will be sent to %s.', 'two-factor' ),
344
+ $email
345
+ ) );
 
346
  ?>
347
  </div>
348
  <?php
providers/{class-two-factor-fido-u2f-admin-list-table.php → class.two-factor-fido-u2f-admin-list-table.php} RENAMED
@@ -1,10 +1,4 @@
1
  <?php
2
- /**
3
- * Class for displaying the list of security key items.
4
- *
5
- * @package Two_Factor
6
- */
7
-
8
  // Load the parent class if it doesn't exist.
9
  if ( ! class_exists( 'WP_List_Table' ) ) {
10
  require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
@@ -41,10 +35,10 @@ class Two_Factor_FIDO_U2F_Admin_List_Table extends WP_List_Table {
41
  * @since 0.1-dev
42
  */
43
  public function prepare_items() {
44
- $columns = $this->get_columns();
45
- $hidden = array();
46
- $sortable = array();
47
- $primary = 'name';
48
  $this->_column_headers = array( $columns, $hidden, $sortable, $primary );
49
  }
50
 
@@ -61,20 +55,20 @@ class Two_Factor_FIDO_U2F_Admin_List_Table extends WP_List_Table {
61
  protected function column_default( $item, $column_name ) {
62
  switch ( $column_name ) {
63
  case 'name':
64
- $out = '<div class="hidden" id="inline_' . esc_attr( $item->keyHandle ) . '">'; // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
65
  $out .= '<div class="name">' . esc_html( $item->name ) . '</div>';
66
  $out .= '</div>';
67
 
68
  $actions = array(
69
  'rename hide-if-no-js' => Two_Factor_FIDO_U2F_Admin::rename_link( $item ),
70
- 'delete' => Two_Factor_FIDO_U2F_Admin::delete_link( $item ),
71
  );
72
 
73
  return esc_html( $item->name ) . $out . self::row_actions( $actions );
74
  case 'added':
75
- return gmdate( get_option( 'date_format', 'r' ), $item->added );
76
  case 'last_used':
77
- return gmdate( get_option( 'date_format', 'r' ), $item->last_used );
78
  default:
79
  return 'WTF^^?';
80
  }
@@ -102,7 +96,7 @@ class Two_Factor_FIDO_U2F_Admin_List_Table extends WP_List_Table {
102
  */
103
  public function single_row( $item ) {
104
  ?>
105
- <tr id="key-<?php echo esc_attr( $item->keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase ?>">
106
  <?php $this->single_row_columns( $item ); ?>
107
  </tr>
108
  <?php
@@ -128,11 +122,7 @@ class Two_Factor_FIDO_U2F_Admin_List_Table extends WP_List_Table {
128
  </div>
129
  </fieldset>
130
  <?php
131
- $core_columns = array(
132
- 'name' => true,
133
- 'added' => true,
134
- 'last_used' => true,
135
- );
136
  list( $columns ) = $this->get_column_info();
137
  foreach ( $columns as $column_name => $column_display_name ) {
138
  if ( isset( $core_columns[ $column_name ] ) ) {
1
  <?php
 
 
 
 
 
 
2
  // Load the parent class if it doesn't exist.
3
  if ( ! class_exists( 'WP_List_Table' ) ) {
4
  require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
35
  * @since 0.1-dev
36
  */
37
  public function prepare_items() {
38
+ $columns = $this->get_columns();
39
+ $hidden = array();
40
+ $sortable = array();
41
+ $primary = 'name';
42
  $this->_column_headers = array( $columns, $hidden, $sortable, $primary );
43
  }
44
 
55
  protected function column_default( $item, $column_name ) {
56
  switch ( $column_name ) {
57
  case 'name':
58
+ $out = '<div class="hidden" id="inline_' . esc_attr( $item->keyHandle ) . '">';
59
  $out .= '<div class="name">' . esc_html( $item->name ) . '</div>';
60
  $out .= '</div>';
61
 
62
  $actions = array(
63
  'rename hide-if-no-js' => Two_Factor_FIDO_U2F_Admin::rename_link( $item ),
64
+ 'delete' => Two_Factor_FIDO_U2F_Admin::delete_link( $item ),
65
  );
66
 
67
  return esc_html( $item->name ) . $out . self::row_actions( $actions );
68
  case 'added':
69
+ return date( get_option( 'date_format', 'r' ), $item->added );
70
  case 'last_used':
71
+ return date( get_option( 'date_format', 'r' ), $item->last_used );
72
  default:
73
  return 'WTF^^?';
74
  }
96
  */
97
  public function single_row( $item ) {
98
  ?>
99
+ <tr id="key-<?php echo esc_attr( $item->keyHandle ); ?>">
100
  <?php $this->single_row_columns( $item ); ?>
101
  </tr>
102
  <?php
122
  </div>
123
  </fieldset>
124
  <?php
125
+ $core_columns = array( 'name' => true, 'added' => true, 'last_used' => true );
 
 
 
 
126
  list( $columns ) = $this->get_column_info();
127
  foreach ( $columns as $column_name => $column_display_name ) {
128
  if ( isset( $core_columns[ $column_name ] ) ) {
providers/{class-two-factor-fido-u2f-admin.php → class.two-factor-fido-u2f-admin.php} RENAMED
@@ -1,10 +1,4 @@
1
  <?php
2
- /**
3
- * Class for registering & modifying FIDO U2F security keys.
4
- *
5
- * @package Two_Factor
6
- */
7
-
8
  /**
9
  * Class for registering & modifying FIDO U2F security keys.
10
  *
@@ -30,13 +24,13 @@ class Two_Factor_FIDO_U2F_Admin {
30
  * @static
31
  */
32
  public static function add_hooks() {
33
- add_action( 'admin_enqueue_scripts', array( __CLASS__, 'enqueue_assets' ) );
34
  add_action( 'show_user_security_settings', array( __CLASS__, 'show_user_profile' ) );
35
- add_action( 'personal_options_update', array( __CLASS__, 'catch_submission' ), 0 );
36
- add_action( 'edit_user_profile_update', array( __CLASS__, 'catch_submission' ), 0 );
37
- add_action( 'load-profile.php', array( __CLASS__, 'catch_delete_security_key' ) );
38
- add_action( 'load-user-edit.php', array( __CLASS__, 'catch_delete_security_key' ) );
39
- add_action( 'wp_ajax_inline-save-key', array( __CLASS__, 'wp_ajax_inline_save' ) );
40
  }
41
 
42
  /**
@@ -50,7 +44,7 @@ class Two_Factor_FIDO_U2F_Admin {
50
  * @param string $hook Current page.
51
  */
52
  public static function enqueue_assets( $hook ) {
53
- if ( ! in_array( $hook, array( 'user-edit.php', 'profile.php' ), true ) ) {
54
  return;
55
  }
56
 
@@ -63,7 +57,7 @@ class Two_Factor_FIDO_U2F_Admin {
63
 
64
  // @todo Ensure that scripts don't fail because of missing u2fL10n.
65
  try {
66
- $data = Two_Factor_FIDO_U2F::$u2f->getRegisterData( $security_keys );
67
  list( $req,$sigs ) = $data;
68
 
69
  update_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY, $req );
@@ -94,12 +88,12 @@ class Two_Factor_FIDO_U2F_Admin {
94
  'user_id' => $user_id,
95
  'register' => array(
96
  'request' => $req,
97
- 'sigs' => $sigs,
98
  ),
99
- 'text' => array(
100
- 'insert' => esc_html__( 'Now insert (and tap) your Security Key.', 'two-factor' ),
101
- 'error' => esc_html__( 'U2F request failed.', 'two-factor' ),
102
- 'error_codes' => array(
103
  // Map u2f.ErrorCodes to error messages.
104
  0 => esc_html__( 'Request OK.', 'two-factor' ),
105
  1 => esc_html__( 'Other U2F error.', 'two-factor' ),
@@ -208,8 +202,8 @@ class Two_Factor_FIDO_U2F_Admin {
208
  <p><a href="https://support.google.com/accounts/answer/6103523"><?php esc_html_e( 'You can find FIDO U2F Security Key devices for sale from here.', 'two-factor' ); ?></a></p>
209
 
210
  <?php
211
- require TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f-admin-list-table.php';
212
- $u2f_list_table = new Two_Factor_FIDO_U2F_Admin_List_Table();
213
  $u2f_list_table->items = $security_keys;
214
  $u2f_list_table->prepare_items();
215
  $u2f_list_table->display();
@@ -238,7 +232,7 @@ class Two_Factor_FIDO_U2F_Admin {
238
 
239
  try {
240
  $response = json_decode( stripslashes( $_POST['u2f_response'] ) );
241
- $reg = Two_Factor_FIDO_U2F::$u2f->doRegister( get_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY, true ), $response );
242
  $reg->new = true;
243
 
244
  Two_Factor_FIDO_U2F::add_security_key( $user_id, $reg );
@@ -248,14 +242,9 @@ class Two_Factor_FIDO_U2F_Admin {
248
 
249
  delete_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY );
250
 
251
- wp_safe_redirect(
252
- add_query_arg(
253
- array(
254
- 'new_app_pass' => 1,
255
- ),
256
- wp_get_referer()
257
- ) . '#security-keys-section'
258
- );
259
  exit;
260
  }
261
  }
@@ -311,7 +300,7 @@ class Two_Factor_FIDO_U2F_Admin {
311
  * @return string
312
  */
313
  public static function delete_link( $item ) {
314
- $delete_link = add_query_arg( 'delete_security_key', $item->keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
315
  $delete_link = wp_nonce_url( $delete_link, "delete_security_key-{$item->keyHandle}", '_nonce_delete_security_key' );
316
  return sprintf( '<a href="%1$s">%2$s</a>', esc_url( $delete_link ), esc_html__( 'Delete', 'two-factor' ) );
317
  }
@@ -327,21 +316,21 @@ class Two_Factor_FIDO_U2F_Admin {
327
  public static function wp_ajax_inline_save() {
328
  check_ajax_referer( 'keyinlineeditnonce', '_inline_edit' );
329
 
330
- require TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f-admin-list-table.php';
331
  $wp_list_table = new Two_Factor_FIDO_U2F_Admin_List_Table();
332
 
333
  if ( ! isset( $_POST['keyHandle'] ) ) {
334
  wp_die();
335
  }
336
 
337
- $user_id = Two_Factor_Core::current_user_being_edited();
338
  $security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
339
  if ( ! $security_keys ) {
340
  wp_die();
341
  }
342
 
343
  foreach ( $security_keys as &$key ) {
344
- if ( $key->keyHandle === $_POST['keyHandle'] ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
345
  break;
346
  }
347
  }
1
  <?php
 
 
 
 
 
 
2
  /**
3
  * Class for registering & modifying FIDO U2F security keys.
4
  *
24
  * @static
25
  */
26
  public static function add_hooks() {
27
+ add_action( 'admin_enqueue_scripts', array( __CLASS__, 'enqueue_assets' ) );
28
  add_action( 'show_user_security_settings', array( __CLASS__, 'show_user_profile' ) );
29
+ add_action( 'personal_options_update', array( __CLASS__, 'catch_submission' ), 0 );
30
+ add_action( 'edit_user_profile_update', array( __CLASS__, 'catch_submission' ), 0 );
31
+ add_action( 'load-profile.php', array( __CLASS__, 'catch_delete_security_key' ) );
32
+ add_action( 'load-user-edit.php', array( __CLASS__, 'catch_delete_security_key' ) );
33
+ add_action( 'wp_ajax_inline-save-key', array( __CLASS__, 'wp_ajax_inline_save' ) );
34
  }
35
 
36
  /**
44
  * @param string $hook Current page.
45
  */
46
  public static function enqueue_assets( $hook ) {
47
+ if ( ! in_array( $hook, array( 'user-edit.php', 'profile.php' ) ) ) {
48
  return;
49
  }
50
 
57
 
58
  // @todo Ensure that scripts don't fail because of missing u2fL10n.
59
  try {
60
+ $data = Two_Factor_FIDO_U2F::$u2f->getRegisterData( $security_keys );
61
  list( $req,$sigs ) = $data;
62
 
63
  update_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY, $req );
88
  'user_id' => $user_id,
89
  'register' => array(
90
  'request' => $req,
91
+ 'sigs' => $sigs,
92
  ),
93
+ 'text' => array(
94
+ 'insert' => esc_html__( 'Now insert (and tap) your Security Key.', 'two-factor' ),
95
+ 'error' => esc_html__( 'U2F request failed.', 'two-factor' ),
96
+ 'error_codes' => array(
97
  // Map u2f.ErrorCodes to error messages.
98
  0 => esc_html__( 'Request OK.', 'two-factor' ),
99
  1 => esc_html__( 'Other U2F error.', 'two-factor' ),
202
  <p><a href="https://support.google.com/accounts/answer/6103523"><?php esc_html_e( 'You can find FIDO U2F Security Key devices for sale from here.', 'two-factor' ); ?></a></p>
203
 
204
  <?php
205
+ require( TWO_FACTOR_DIR . 'providers/class.two-factor-fido-u2f-admin-list-table.php' );
206
+ $u2f_list_table = new Two_Factor_FIDO_U2F_Admin_List_Table();
207
  $u2f_list_table->items = $security_keys;
208
  $u2f_list_table->prepare_items();
209
  $u2f_list_table->display();
232
 
233
  try {
234
  $response = json_decode( stripslashes( $_POST['u2f_response'] ) );
235
+ $reg = Two_Factor_FIDO_U2F::$u2f->doRegister( get_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY, true ), $response );
236
  $reg->new = true;
237
 
238
  Two_Factor_FIDO_U2F::add_security_key( $user_id, $reg );
242
 
243
  delete_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY );
244
 
245
+ wp_safe_redirect( add_query_arg( array(
246
+ 'new_app_pass' => 1,
247
+ ), wp_get_referer() ) . '#security-keys-section' );
 
 
 
 
 
248
  exit;
249
  }
250
  }
300
  * @return string
301
  */
302
  public static function delete_link( $item ) {
303
+ $delete_link = add_query_arg( 'delete_security_key', $item->keyHandle );
304
  $delete_link = wp_nonce_url( $delete_link, "delete_security_key-{$item->keyHandle}", '_nonce_delete_security_key' );
305
  return sprintf( '<a href="%1$s">%2$s</a>', esc_url( $delete_link ), esc_html__( 'Delete', 'two-factor' ) );
306
  }
316
  public static function wp_ajax_inline_save() {
317
  check_ajax_referer( 'keyinlineeditnonce', '_inline_edit' );
318
 
319
+ require( TWO_FACTOR_DIR . 'providers/class.two-factor-fido-u2f-admin-list-table.php' );
320
  $wp_list_table = new Two_Factor_FIDO_U2F_Admin_List_Table();
321
 
322
  if ( ! isset( $_POST['keyHandle'] ) ) {
323
  wp_die();
324
  }
325
 
326
+ $user_id = Two_Factor_Core::current_user_being_edited();
327
  $security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
328
  if ( ! $security_keys ) {
329
  wp_die();
330
  }
331
 
332
  foreach ( $security_keys as &$key ) {
333
+ if ( $key->keyHandle === $_POST['keyHandle'] ) {
334
  break;
335
  }
336
  }
providers/{class-two-factor-fido-u2f.php → class.two-factor-fido-u2f.php} RENAMED
@@ -1,10 +1,4 @@
1
  <?php
2
- /**
3
- * Class for creating a FIDO Universal 2nd Factor provider.
4
- *
5
- * @package Two_Factor
6
- */
7
-
8
  /**
9
  * Class for creating a FIDO Universal 2nd Factor provider.
10
  *
@@ -47,7 +41,7 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
47
  *
48
  * @return \Two_Factor_FIDO_U2F
49
  */
50
- public static function get_instance() {
51
  static $instance;
52
 
53
  if ( ! isset( $instance ) ) {
@@ -67,18 +61,29 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
67
  return;
68
  }
69
 
70
- require_once TWO_FACTOR_DIR . 'includes/Yubico/U2F.php';
71
  self::$u2f = new u2flib_server\U2F( self::get_u2f_app_id() );
72
 
73
- require_once TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f-admin.php';
74
  Two_Factor_FIDO_U2F_Admin::add_hooks();
75
 
76
- // Ensure the script dependencies have been registered before they're enqueued at a later priority.
77
- add_action( 'admin_enqueue_scripts', array( __CLASS__, 'enqueue_scripts' ), 5 );
78
- add_action( 'wp_enqueue_scripts', array( __CLASS__, 'enqueue_scripts' ), 5 );
79
- add_action( 'login_enqueue_scripts', array( __CLASS__, 'enqueue_scripts' ), 5 );
 
 
 
80
 
81
- add_action( 'two_factor_user_options_' . __CLASS__, array( $this, 'user_options' ) );
 
 
 
 
 
 
 
 
82
 
83
  return parent::__construct();
84
  }
@@ -116,31 +121,16 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
116
  * @since 0.1-dev
117
  */
118
  public function get_label() {
119
- return _x( 'FIDO U2F Security Keys', 'Provider Label', 'two-factor' );
120
  }
121
 
122
  /**
123
- * Register script dependencies used during login and when
124
- * registering keys in the WP admin.
125
  *
126
- * @return void
127
  */
128
- public static function enqueue_scripts() {
129
- wp_register_script(
130
- 'fido-u2f-api',
131
- plugins_url( 'includes/Google/u2f-api.js', dirname( __FILE__ ) ),
132
- null,
133
- self::asset_version(),
134
- true
135
- );
136
-
137
- wp_register_script(
138
- 'fido-u2f-login',
139
- plugins_url( 'js/fido-u2f-login.js', __FILE__ ),
140
- array( 'jquery', 'fido-u2f-api' ),
141
- self::asset_version(),
142
- true
143
- );
144
  }
145
 
146
  /**
@@ -152,7 +142,7 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
152
  * @return null
153
  */
154
  public function authentication_page( $user ) {
155
- require_once ABSPATH . '/wp-admin/includes/template.php';
156
 
157
  // U2F doesn't work without HTTPS.
158
  if ( ! is_ssl() ) {
@@ -208,7 +198,7 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
208
  try {
209
  $reg = self::$u2f->doAuthenticate( $requests, $keys, $response );
210
 
211
- $reg->last_used = time();
212
 
213
  self::update_security_key( $user->ID, $reg );
214
 
@@ -261,8 +251,8 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
261
 
262
  if (
263
  ! is_object( $register )
264
- || ! property_exists( $register, 'keyHandle' ) || empty( $register->keyHandle ) // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
265
- || ! property_exists( $register, 'publicKey' ) || empty( $register->publicKey ) // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
266
  || ! property_exists( $register, 'certificate' ) || empty( $register->certificate )
267
  || ! property_exists( $register, 'counter' ) || ( -1 > $register->counter )
268
  ) {
@@ -270,14 +260,14 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
270
  }
271
 
272
  $register = array(
273
- 'keyHandle' => $register->keyHandle, // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
274
- 'publicKey' => $register->publicKey, // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
275
  'certificate' => $register->certificate,
276
  'counter' => $register->counter,
277
  );
278
 
279
  $register['name'] = __( 'New Security Key', 'two-factor' );
280
- $register['added'] = time();
281
  $register['last_used'] = $register['added'];
282
 
283
  return add_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY, $register );
@@ -328,8 +318,8 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
328
 
329
  if (
330
  ! is_object( $data )
331
- || ! property_exists( $data, 'keyHandle' ) || empty( $data->keyHandle ) // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
332
- || ! property_exists( $data, 'publicKey' ) || empty( $data->publicKey ) // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
333
  || ! property_exists( $data, 'certificate' ) || empty( $data->certificate )
334
  || ! property_exists( $data, 'counter' ) || ( -1 > $data->counter )
335
  ) {
@@ -339,7 +329,7 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
339
  $keys = self::get_security_keys( $user_id );
340
  if ( $keys ) {
341
  foreach ( $keys as $key ) {
342
- if ( $key->keyHandle === $data->keyHandle ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
343
  return update_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY, (array) $data, (array) $key );
344
  }
345
  }
@@ -357,7 +347,7 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
357
  * @param string $keyHandle Optional. Key handle.
358
  * @return bool True on success, false on failure.
359
  */
360
- public static function delete_security_key( $user_id, $keyHandle = null ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
361
  global $wpdb;
362
 
363
  if ( ! is_numeric( $user_id ) ) {
@@ -369,12 +359,14 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
369
  return false;
370
  }
371
 
372
- $keyHandle = wp_unslash( $keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
373
- $keyHandle = maybe_serialize( $keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
 
 
374
 
375
- $query = $wpdb->prepare( "SELECT umeta_id FROM {$wpdb->usermeta} WHERE meta_key = %s AND user_id = %d", self::REGISTERED_KEY_USER_META_KEY, $user_id );
376
 
377
- if ( $keyHandle ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
378
  $key_handle_lookup = sprintf( ':"%s";s:', $keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
379
 
380
  $query .= $wpdb->prepare(
@@ -383,7 +375,7 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
383
  );
384
  }
385
 
386
- $meta_ids = $wpdb->get_col( $query ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
387
  if ( ! count( $meta_ids ) ) {
388
  return false;
389
  }
1
  <?php
 
 
 
 
 
 
2
  /**
3
  * Class for creating a FIDO Universal 2nd Factor provider.
4
  *
41
  *
42
  * @return \Two_Factor_FIDO_U2F
43
  */
44
+ static function get_instance() {
45
  static $instance;
46
 
47
  if ( ! isset( $instance ) ) {
61
  return;
62
  }
63
 
64
+ require_once( TWO_FACTOR_DIR . 'includes/Yubico/U2F.php' );
65
  self::$u2f = new u2flib_server\U2F( self::get_u2f_app_id() );
66
 
67
+ require_once( TWO_FACTOR_DIR . 'providers/class.two-factor-fido-u2f-admin.php' );
68
  Two_Factor_FIDO_U2F_Admin::add_hooks();
69
 
70
+ wp_register_script(
71
+ 'fido-u2f-api',
72
+ plugins_url( 'includes/Google/u2f-api.js', dirname( __FILE__ ) ),
73
+ null,
74
+ self::asset_version(),
75
+ true
76
+ );
77
 
78
+ wp_register_script(
79
+ 'fido-u2f-login',
80
+ plugins_url( 'js/fido-u2f-login.js', __FILE__ ),
81
+ array( 'jquery', 'fido-u2f-api' ),
82
+ self::asset_version(),
83
+ true
84
+ );
85
+
86
+ add_action( 'two-factor-user-options-' . __CLASS__, array( $this, 'user_options' ) );
87
 
88
  return parent::__construct();
89
  }
121
  * @since 0.1-dev
122
  */
123
  public function get_label() {
124
+ return _x( 'FIDO Universal 2nd Factor (U2F)', 'Provider Label', 'two-factor' );
125
  }
126
 
127
  /**
128
+ * Enqueue assets for login form.
 
129
  *
130
+ * @since 0.1-dev
131
  */
132
+ public function login_enqueue_assets() {
133
+ wp_enqueue_script( 'fido-u2f-login' );
 
 
 
 
 
 
 
 
 
 
 
 
 
 
134
  }
135
 
136
  /**
142
  * @return null
143
  */
144
  public function authentication_page( $user ) {
145
+ require_once( ABSPATH . '/wp-admin/includes/template.php' );
146
 
147
  // U2F doesn't work without HTTPS.
148
  if ( ! is_ssl() ) {
198
  try {
199
  $reg = self::$u2f->doAuthenticate( $requests, $keys, $response );
200
 
201
+ $reg->last_used = current_time( 'timestamp' );
202
 
203
  self::update_security_key( $user->ID, $reg );
204
 
251
 
252
  if (
253
  ! is_object( $register )
254
+ || ! property_exists( $register, 'keyHandle' ) || empty( $register->keyHandle )
255
+ || ! property_exists( $register, 'publicKey' ) || empty( $register->publicKey )
256
  || ! property_exists( $register, 'certificate' ) || empty( $register->certificate )
257
  || ! property_exists( $register, 'counter' ) || ( -1 > $register->counter )
258
  ) {
260
  }
261
 
262
  $register = array(
263
+ 'keyHandle' => $register->keyHandle,
264
+ 'publicKey' => $register->publicKey,
265
  'certificate' => $register->certificate,
266
  'counter' => $register->counter,
267
  );
268
 
269
  $register['name'] = __( 'New Security Key', 'two-factor' );
270
+ $register['added'] = current_time( 'timestamp' );
271
  $register['last_used'] = $register['added'];
272
 
273
  return add_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY, $register );
318
 
319
  if (
320
  ! is_object( $data )
321
+ || ! property_exists( $data, 'keyHandle' ) || empty( $data->keyHandle )
322
+ || ! property_exists( $data, 'publicKey' ) || empty( $data->publicKey )
323
  || ! property_exists( $data, 'certificate' ) || empty( $data->certificate )
324
  || ! property_exists( $data, 'counter' ) || ( -1 > $data->counter )
325
  ) {
329
  $keys = self::get_security_keys( $user_id );
330
  if ( $keys ) {
331
  foreach ( $keys as $key ) {
332
+ if ( $key->keyHandle === $data->keyHandle ) {
333
  return update_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY, (array) $data, (array) $key );
334
  }
335
  }
347
  * @param string $keyHandle Optional. Key handle.
348
  * @return bool True on success, false on failure.
349
  */
350
+ public static function delete_security_key( $user_id, $keyHandle = null ) {
351
  global $wpdb;
352
 
353
  if ( ! is_numeric( $user_id ) ) {
359
  return false;
360
  }
361
 
362
+ $table = $wpdb->usermeta;
363
+
364
+ $keyHandle = wp_unslash( $keyHandle );
365
+ $keyHandle = maybe_serialize( $keyHandle );
366
 
367
+ $query = $wpdb->prepare( "SELECT umeta_id FROM $table WHERE meta_key = '%s' AND user_id = %d", self::REGISTERED_KEY_USER_META_KEY, $user_id );
368
 
369
+ if ( $keyHandle ) {
370
  $key_handle_lookup = sprintf( ':"%s";s:', $keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
371
 
372
  $query .= $wpdb->prepare(
375
  );
376
  }
377
 
378
+ $meta_ids = $wpdb->get_col( $query );
379
  if ( ! count( $meta_ids ) ) {
380
  return false;
381
  }
providers/{class-two-factor-provider.php → class.two-factor-provider.php} RENAMED
@@ -1,10 +1,4 @@
1
  <?php
2
- /**
3
- * Abstract class for creating two factor authentication providers.
4
- *
5
- * @package Two_Factor
6
- */
7
-
8
  /**
9
  * Abstract class for creating two factor authentication providers.
10
  *
@@ -30,7 +24,7 @@ abstract class Two_Factor_Provider {
30
  *
31
  * @return string
32
  */
33
- abstract public function get_label();
34
 
35
  /**
36
  * Prints the name of the provider.
@@ -48,7 +42,7 @@ abstract class Two_Factor_Provider {
48
  *
49
  * @param WP_User $user WP_User object of the logged-in user.
50
  */
51
- abstract public function authentication_page( $user );
52
 
53
  /**
54
  * Allow providers to do extra processing before the authentication.
@@ -70,7 +64,7 @@ abstract class Two_Factor_Provider {
70
  * @param WP_User $user WP_User object of the logged-in user.
71
  * @return boolean
72
  */
73
- abstract public function validate_authentication( $user );
74
 
75
  /**
76
  * Whether this Two Factor provider is configured and available for the user specified.
@@ -78,7 +72,7 @@ abstract class Two_Factor_Provider {
78
  * @param WP_User $user WP_User object of the logged-in user.
79
  * @return boolean
80
  */
81
- abstract public function is_available_for_user( $user );
82
 
83
  /**
84
  * Generate a random eight-digit string to send out as an auth code.
1
  <?php
 
 
 
 
 
 
2
  /**
3
  * Abstract class for creating two factor authentication providers.
4
  *
24
  *
25
  * @return string
26
  */
27
+ abstract function get_label();
28
 
29
  /**
30
  * Prints the name of the provider.
42
  *
43
  * @param WP_User $user WP_User object of the logged-in user.
44
  */
45
+ abstract function authentication_page( $user );
46
 
47
  /**
48
  * Allow providers to do extra processing before the authentication.
64
  * @param WP_User $user WP_User object of the logged-in user.
65
  * @return boolean
66
  */
67
+ abstract function validate_authentication( $user );
68
 
69
  /**
70
  * Whether this Two Factor provider is configured and available for the user specified.
72
  * @param WP_User $user WP_User object of the logged-in user.
73
  * @return boolean
74
  */
75
+ abstract function is_available_for_user( $user );
76
 
77
  /**
78
  * Generate a random eight-digit string to send out as an auth code.
providers/{class-two-factor-totp.php → class.two-factor-totp.php} RENAMED
@@ -31,24 +31,18 @@ class Two_Factor_Totp extends Two_Factor_Provider {
31
  */
32
  const ACTION_SECRET_DELETE = 'totp-delete';
33
 
34
- const DEFAULT_KEY_BIT_SIZE = 160;
35
- const DEFAULT_CRYPTO = 'sha1';
36
- const DEFAULT_DIGIT_COUNT = 6;
37
- const DEFAULT_TIME_STEP_SEC = 30;
38
  const DEFAULT_TIME_STEP_ALLOWANCE = 4;
39
-
40
- /**
41
- * Chracters used in base32 encoding.
42
- *
43
- * @var string
44
- */
45
- private static $base_32_chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
46
 
47
  /**
48
  * Class constructor. Sets up hooks, etc.
49
  */
50
  protected function __construct() {
51
- add_action( 'two_factor_user_options_' . __CLASS__, array( $this, 'user_two_factor_options' ) );
52
  add_action( 'personal_options_update', array( $this, 'user_two_factor_options_update' ) );
53
  add_action( 'edit_user_profile_update', array( $this, 'user_two_factor_options_update' ) );
54
  add_action( 'two_factor_user_settings_action', array( $this, 'user_settings_action' ), 10, 2 );
@@ -71,7 +65,7 @@ class Two_Factor_Totp extends Two_Factor_Provider {
71
  * Returns the name of the provider.
72
  */
73
  public function get_label() {
74
- return _x( 'Time Based One-Time Password (TOTP)', 'Provider Label', 'two-factor' );
75
  }
76
 
77
  /**
@@ -117,10 +111,9 @@ class Two_Factor_Totp extends Two_Factor_Provider {
117
 
118
  ?>
119
  <div id="two-factor-totp-options">
120
- <?php
121
- if ( empty( $key ) ) :
122
- $key = $this->generate_key();
123
- $site_name = get_bloginfo( 'name', 'display' );
124
  $totp_title = apply_filters( 'two_factor_totp_title', $site_name . ':' . $user->user_login, $user );
125
  ?>
126
  <p>
@@ -142,7 +135,7 @@ class Two_Factor_Totp extends Two_Factor_Provider {
142
  </p>
143
  <?php else : ?>
144
  <p class="success">
145
- <?php esc_html_e( 'Secret key is configured and registered. It is not possible to view it again for security reasons.', 'two-factor' ); ?>
146
  </p>
147
  <p>
148
  <a class="button" href="<?php echo esc_url( self::get_token_delete_url_for_user( $user->ID ) ); ?>"><?php esc_html_e( 'Reset Key', 'two-factor' ); ?></a>
@@ -159,12 +152,11 @@ class Two_Factor_Totp extends Two_Factor_Provider {
159
  * Save the options specified in `::user_two_factor_options()`
160
  *
161
  * @param integer $user_id The user ID whose options are being updated.
162
- *
163
- * @return void
164
  */
165
  public function user_two_factor_options_update( $user_id ) {
166
  $notices = array();
167
- $errors = array();
168
 
169
  if ( isset( $_POST['_nonce_user_two_factor_totp_options'] ) ) {
170
  check_admin_referer( 'user_two_factor_totp_options', '_nonce_user_two_factor_totp_options' );
@@ -172,8 +164,8 @@ class Two_Factor_Totp extends Two_Factor_Provider {
172
  // Validate and store a new secret key.
173
  if ( ! empty( $_POST['two-factor-totp-authcode'] ) && ! empty( $_POST['two-factor-totp-key'] ) ) {
174
  // Don't use filter_input() because we can't mock it during tests for now.
175
- $authcode = filter_var( sanitize_text_field( $_POST['two-factor-totp-authcode'] ), FILTER_SANITIZE_NUMBER_INT );
176
- $key = sanitize_text_field( $_POST['two-factor-totp-key'] );
177
 
178
  if ( $this->is_valid_key( $key ) ) {
179
  if ( $this->is_valid_authcode( $key, $authcode ) ) {
@@ -240,7 +232,7 @@ class Two_Factor_Totp extends Two_Factor_Provider {
240
  * @return boolean
241
  */
242
  public function is_valid_key( $key ) {
243
- $check = sprintf( '/^[%s]+$/', self::$base_32_chars );
244
 
245
  if ( 1 === preg_match( $check, $key ) ) {
246
  return true;
@@ -264,7 +256,7 @@ class Two_Factor_Totp extends Two_Factor_Provider {
264
 
265
  foreach ( $notices as $class => $messages ) {
266
  ?>
267
- <div class="<?php echo esc_attr( $class ); ?>">
268
  <?php
269
  foreach ( $messages as $msg ) {
270
  ?>
@@ -288,10 +280,10 @@ class Two_Factor_Totp extends Two_Factor_Provider {
288
  * @return bool Whether the user gave a valid code
289
  */
290
  public function validate_authentication( $user ) {
291
- if ( ! empty( $_REQUEST['authcode'] ) ) {
292
  return $this->is_valid_authcode(
293
  $this->get_user_totp_key( $user->ID ),
294
- sanitize_text_field( $_REQUEST['authcode'] )
295
  );
296
  }
297
 
@@ -313,12 +305,9 @@ class Two_Factor_Totp extends Two_Factor_Provider {
313
  * Ticks are the allowed offset from the correct time in 30 second increments,
314
  * so the default of 4 allows codes that are two minutes to either side of server time
315
  *
316
- * @deprecated 0.7.0 Use {@see 'two_factor_totp_time_step_allowance'} instead.
317
  * @param int $max_ticks Max ticks of time correction to allow. Default 4.
318
  */
319
- $max_ticks = apply_filters_deprecated( 'two-factor-totp-time-step-allowance', array( self::DEFAULT_TIME_STEP_ALLOWANCE ), '0.7.0', 'two_factor_totp_time_step_allowance' );
320
-
321
- $max_ticks = apply_filters( 'two_factor_totp_time_step_allowance', self::DEFAULT_TIME_STEP_ALLOWANCE );
322
 
323
  // Array of all ticks to allow, sorted using absolute value to test closest match first.
324
  $ticks = range( - $max_ticks, $max_ticks );
@@ -343,7 +332,7 @@ class Two_Factor_Totp extends Two_Factor_Provider {
343
  * @return string $bitsize long string composed of available base32 chars.
344
  */
345
  public static function generate_key( $bitsize = self::DEFAULT_KEY_BIT_SIZE ) {
346
- $bytes = ceil( $bitsize / 8 );
347
  $secret = wp_generate_password( $bytes, true, true );
348
 
349
  return self::base32_encode( $secret );
@@ -373,8 +362,8 @@ class Two_Factor_Totp extends Two_Factor_Provider {
373
  $higher = 0;
374
  }
375
 
376
- $lowmap = 0xffffffff;
377
- $lower = $value & $lowmap;
378
 
379
  return pack( 'NN', $higher, $lower );
380
  }
@@ -424,7 +413,7 @@ class Two_Factor_Totp extends Two_Factor_Provider {
424
  */
425
  public static function get_google_qr_code( $name, $key, $title = null ) {
426
  // Encode to support spaces, question marks and other characters.
427
- $name = rawurlencode( $name );
428
  $google_url = urlencode( 'otpauth://totp/' . $name . '?secret=' . $key );
429
  if ( isset( $title ) ) {
430
  $google_url .= urlencode( '&issuer=' . rawurlencode( $title ) );
@@ -452,20 +441,18 @@ class Two_Factor_Totp extends Two_Factor_Provider {
452
  * @param WP_User $user WP_User object of the logged-in user.
453
  */
454
  public function authentication_page( $user ) {
455
- require_once ABSPATH . '/wp-admin/includes/template.php';
456
  ?>
457
- <p>
458
- <?php esc_html_e( 'Please enter the code generated by your authenticator app.', 'two-factor' ); ?>
459
- </p>
460
  <p>
461
  <label for="authcode"><?php esc_html_e( 'Authentication Code:', 'two-factor' ); ?></label>
462
- <input type="tel" autocomplete="off" name="authcode" id="authcode" class="input" value="" size="20" pattern="[0-9]*" />
463
  </p>
464
  <script type="text/javascript">
465
  setTimeout( function(){
466
  var d;
467
  try{
468
  d = document.getElementById('authcode');
 
469
  d.focus();
470
  } catch(e){}
471
  }, 200);
@@ -493,10 +480,10 @@ class Two_Factor_Totp extends Two_Factor_Provider {
493
  }
494
 
495
  $five_bit_sections = str_split( $binary_string, 5 );
496
- $base32_string = '';
497
 
498
  foreach ( $five_bit_sections as $five_bit_section ) {
499
- $base32_string .= self::$base_32_chars[ base_convert( str_pad( $five_bit_section, 5, '0' ), 2, 10 ) ];
500
  }
501
 
502
  return $base32_string;
@@ -513,25 +500,25 @@ class Two_Factor_Totp extends Two_Factor_Provider {
513
  */
514
  public static function base32_decode( $base32_string ) {
515
 
516
- $base32_string = strtoupper( $base32_string );
517
 
518
- if ( ! preg_match( '/^[' . self::$base_32_chars . ']+$/', $base32_string, $match ) ) {
519
  throw new Exception( 'Invalid characters in the base32 string.' );
520
  }
521
 
522
- $l = strlen( $base32_string );
523
- $n = 0;
524
- $j = 0;
525
  $binary = '';
526
 
527
  for ( $i = 0; $i < $l; $i++ ) {
528
 
529
- $n = $n << 5; // Move buffer left by 5 to make room.
530
- $n = $n + strpos( self::$base_32_chars, $base32_string[ $i ] ); // Add value into buffer.
531
  $j += 5; // Keep track of number of bits in buffer.
532
 
533
  if ( $j >= 8 ) {
534
- $j -= 8;
535
  $binary .= chr( ( $n & ( 0xFF << $j ) ) >> $j );
536
  }
537
  }
@@ -553,6 +540,6 @@ class Two_Factor_Totp extends Two_Factor_Provider {
553
  if ( $a === $b ) {
554
  return 0;
555
  }
556
- return ( $a < $b ) ? -1 : 1;
557
  }
558
  }
31
  */
32
  const ACTION_SECRET_DELETE = 'totp-delete';
33
 
34
+ const DEFAULT_KEY_BIT_SIZE = 160;
35
+ const DEFAULT_CRYPTO = 'sha1';
36
+ const DEFAULT_DIGIT_COUNT = 6;
37
+ const DEFAULT_TIME_STEP_SEC = 30;
38
  const DEFAULT_TIME_STEP_ALLOWANCE = 4;
39
+ private static $_base_32_chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
 
 
 
 
 
 
40
 
41
  /**
42
  * Class constructor. Sets up hooks, etc.
43
  */
44
  protected function __construct() {
45
+ add_action( 'two-factor-user-options-' . __CLASS__, array( $this, 'user_two_factor_options' ) );
46
  add_action( 'personal_options_update', array( $this, 'user_two_factor_options_update' ) );
47
  add_action( 'edit_user_profile_update', array( $this, 'user_two_factor_options_update' ) );
48
  add_action( 'two_factor_user_settings_action', array( $this, 'user_settings_action' ), 10, 2 );
65
  * Returns the name of the provider.
66
  */
67
  public function get_label() {
68
+ return _x( 'Time Based One-Time Password (Google Authenticator)', 'Provider Label', 'two-factor' );
69
  }
70
 
71
  /**
111
 
112
  ?>
113
  <div id="two-factor-totp-options">
114
+ <?php if ( empty( $key ) ) :
115
+ $key = $this->generate_key();
116
+ $site_name = get_bloginfo( 'name', 'display' );
 
117
  $totp_title = apply_filters( 'two_factor_totp_title', $site_name . ':' . $user->user_login, $user );
118
  ?>
119
  <p>
135
  </p>
136
  <?php else : ?>
137
  <p class="success">
138
+ <?php esc_html_e( 'Secret key configured and registered.', 'two-factor' ); ?>
139
  </p>
140
  <p>
141
  <a class="button" href="<?php echo esc_url( self::get_token_delete_url_for_user( $user->ID ) ); ?>"><?php esc_html_e( 'Reset Key', 'two-factor' ); ?></a>
152
  * Save the options specified in `::user_two_factor_options()`
153
  *
154
  * @param integer $user_id The user ID whose options are being updated.
155
+ * @return false
 
156
  */
157
  public function user_two_factor_options_update( $user_id ) {
158
  $notices = array();
159
+ $errors = array();
160
 
161
  if ( isset( $_POST['_nonce_user_two_factor_totp_options'] ) ) {
162
  check_admin_referer( 'user_two_factor_totp_options', '_nonce_user_two_factor_totp_options' );
164
  // Validate and store a new secret key.
165
  if ( ! empty( $_POST['two-factor-totp-authcode'] ) && ! empty( $_POST['two-factor-totp-key'] ) ) {
166
  // Don't use filter_input() because we can't mock it during tests for now.
167
+ $authcode = sanitize_text_field( $_POST['two-factor-totp-authcode'] );
168
+ $key = sanitize_text_field( $_POST['two-factor-totp-key'] );
169
 
170
  if ( $this->is_valid_key( $key ) ) {
171
  if ( $this->is_valid_authcode( $key, $authcode ) ) {
232
  * @return boolean
233
  */
234
  public function is_valid_key( $key ) {
235
+ $check = sprintf( '/^[%s]+$/', self::$_base_32_chars );
236
 
237
  if ( 1 === preg_match( $check, $key ) ) {
238
  return true;
256
 
257
  foreach ( $notices as $class => $messages ) {
258
  ?>
259
+ <div class="<?php echo esc_attr( $class ) ?>">
260
  <?php
261
  foreach ( $messages as $msg ) {
262
  ?>
280
  * @return bool Whether the user gave a valid code
281
  */
282
  public function validate_authentication( $user ) {
283
+ if ( ! empty( $_REQUEST['authcode'] ) ) { // WPCS: CSRF ok, nonce verified by login_form_validate_2fa().
284
  return $this->is_valid_authcode(
285
  $this->get_user_totp_key( $user->ID ),
286
+ sanitize_text_field( $_REQUEST['authcode'] ) // WPCS: CSRF ok, nonce verified by login_form_validate_2fa().
287
  );
288
  }
289
 
305
  * Ticks are the allowed offset from the correct time in 30 second increments,
306
  * so the default of 4 allows codes that are two minutes to either side of server time
307
  *
 
308
  * @param int $max_ticks Max ticks of time correction to allow. Default 4.
309
  */
310
+ $max_ticks = apply_filters( 'two-factor-totp-time-step-allowance', self::DEFAULT_TIME_STEP_ALLOWANCE );
 
 
311
 
312
  // Array of all ticks to allow, sorted using absolute value to test closest match first.
313
  $ticks = range( - $max_ticks, $max_ticks );
332
  * @return string $bitsize long string composed of available base32 chars.
333
  */
334
  public static function generate_key( $bitsize = self::DEFAULT_KEY_BIT_SIZE ) {
335
+ $bytes = ceil( $bitsize / 8 );
336
  $secret = wp_generate_password( $bytes, true, true );
337
 
338
  return self::base32_encode( $secret );
362
  $higher = 0;
363
  }
364
 
365
+ $lowmap = 0xffffffff;
366
+ $lower = $value & $lowmap;
367
 
368
  return pack( 'NN', $higher, $lower );
369
  }
413
  */
414
  public static function get_google_qr_code( $name, $key, $title = null ) {
415
  // Encode to support spaces, question marks and other characters.
416
+ $name = rawurlencode( $name );
417
  $google_url = urlencode( 'otpauth://totp/' . $name . '?secret=' . $key );
418
  if ( isset( $title ) ) {
419
  $google_url .= urlencode( '&issuer=' . rawurlencode( $title ) );
441
  * @param WP_User $user WP_User object of the logged-in user.
442
  */
443
  public function authentication_page( $user ) {
444
+ require_once( ABSPATH . '/wp-admin/includes/template.php' );
445
  ?>
 
 
 
446
  <p>
447
  <label for="authcode"><?php esc_html_e( 'Authentication Code:', 'two-factor' ); ?></label>
448
+ <input type="tel" name="authcode" id="authcode" class="input" value="" size="20" pattern="[0-9]*" />
449
  </p>
450
  <script type="text/javascript">
451
  setTimeout( function(){
452
  var d;
453
  try{
454
  d = document.getElementById('authcode');
455
+ d.value = '';
456
  d.focus();
457
  } catch(e){}
458
  }, 200);
480
  }
481
 
482
  $five_bit_sections = str_split( $binary_string, 5 );
483
+ $base32_string = '';
484
 
485
  foreach ( $five_bit_sections as $five_bit_section ) {
486
+ $base32_string .= self::$_base_32_chars[ base_convert( str_pad( $five_bit_section, 5, '0' ), 2, 10 ) ];
487
  }
488
 
489
  return $base32_string;
500
  */
501
  public static function base32_decode( $base32_string ) {
502
 
503
+ $base32_string = strtoupper( $base32_string );
504
 
505
+ if ( ! preg_match( '/^[' . self::$_base_32_chars . ']+$/', $base32_string, $match ) ) {
506
  throw new Exception( 'Invalid characters in the base32 string.' );
507
  }
508
 
509
+ $l = strlen( $base32_string );
510
+ $n = 0;
511
+ $j = 0;
512
  $binary = '';
513
 
514
  for ( $i = 0; $i < $l; $i++ ) {
515
 
516
+ $n = $n << 5; // Move buffer left by 5 to make room.
517
+ $n = $n + strpos( self::$_base_32_chars, $base32_string[ $i ] ); // Add value into buffer.
518
  $j += 5; // Keep track of number of bits in buffer.
519
 
520
  if ( $j >= 8 ) {
521
+ $j -= 8;
522
  $binary .= chr( ( $n & ( 0xFF << $j ) ) >> $j );
523
  }
524
  }
540
  if ( $a === $b ) {
541
  return 0;
542
  }
543
+ return ($a < $b) ? -1 : 1;
544
  }
545
  }
readme.md CHANGED
@@ -7,7 +7,7 @@ Enable Two-Factor Authentication using time-based one-time passwords (OTP, Googl
7
  **Contributors:** [georgestephanis](https://profiles.wordpress.org/georgestephanis), [valendesigns](https://profiles.wordpress.org/valendesigns), [stevenkword](https://profiles.wordpress.org/stevenkword), [extendwings](https://profiles.wordpress.org/extendwings), [sgrant](https://profiles.wordpress.org/sgrant), [aaroncampbell](https://profiles.wordpress.org/aaroncampbell), [johnbillion](https://profiles.wordpress.org/johnbillion), [stevegrunwell](https://profiles.wordpress.org/stevegrunwell), [netweb](https://profiles.wordpress.org/netweb), [kasparsd](https://profiles.wordpress.org/kasparsd), [alihusnainarshad](https://profiles.wordpress.org/alihusnainarshad), [passoniate](https://profiles.wordpress.org/passoniate)
8
  **Tags:** [two factor](https://wordpress.org/plugins/tags/two-factor), [two step](https://wordpress.org/plugins/tags/two-step), [authentication](https://wordpress.org/plugins/tags/authentication), [login](https://wordpress.org/plugins/tags/login), [totp](https://wordpress.org/plugins/tags/totp), [fido u2f](https://wordpress.org/plugins/tags/fido-u2f), [u2f](https://wordpress.org/plugins/tags/u2f), [email](https://wordpress.org/plugins/tags/email), [backup codes](https://wordpress.org/plugins/tags/backup-codes), [2fa](https://wordpress.org/plugins/tags/2fa), [yubikey](https://wordpress.org/plugins/tags/yubikey)
9
  **Requires at least:** 4.3
10
- **Tested up to:** 5.5
11
  **Stable tag:** trunk (master)
12
  **Requires PHP:** 5.6
13
 
7
  **Contributors:** [georgestephanis](https://profiles.wordpress.org/georgestephanis), [valendesigns](https://profiles.wordpress.org/valendesigns), [stevenkword](https://profiles.wordpress.org/stevenkword), [extendwings](https://profiles.wordpress.org/extendwings), [sgrant](https://profiles.wordpress.org/sgrant), [aaroncampbell](https://profiles.wordpress.org/aaroncampbell), [johnbillion](https://profiles.wordpress.org/johnbillion), [stevegrunwell](https://profiles.wordpress.org/stevegrunwell), [netweb](https://profiles.wordpress.org/netweb), [kasparsd](https://profiles.wordpress.org/kasparsd), [alihusnainarshad](https://profiles.wordpress.org/alihusnainarshad), [passoniate](https://profiles.wordpress.org/passoniate)
8
  **Tags:** [two factor](https://wordpress.org/plugins/tags/two-factor), [two step](https://wordpress.org/plugins/tags/two-step), [authentication](https://wordpress.org/plugins/tags/authentication), [login](https://wordpress.org/plugins/tags/login), [totp](https://wordpress.org/plugins/tags/totp), [fido u2f](https://wordpress.org/plugins/tags/fido-u2f), [u2f](https://wordpress.org/plugins/tags/u2f), [email](https://wordpress.org/plugins/tags/email), [backup codes](https://wordpress.org/plugins/tags/backup-codes), [2fa](https://wordpress.org/plugins/tags/2fa), [yubikey](https://wordpress.org/plugins/tags/yubikey)
9
  **Requires at least:** 4.3
10
+ **Tested up to:** 5.4
11
  **Stable tag:** trunk (master)
12
  **Requires PHP:** 5.6
13
 
readme.txt CHANGED
@@ -2,7 +2,7 @@
2
  Contributors: georgestephanis, valendesigns, stevenkword, extendwings, sgrant, aaroncampbell, johnbillion, stevegrunwell, netweb, kasparsd, alihusnainarshad, passoniate
3
  Tags: two factor, two step, authentication, login, totp, fido u2f, u2f, email, backup codes, 2fa, yubikey
4
  Requires at least: 4.3
5
- Tested up to: 5.5
6
  Requires PHP: 5.6
7
  Stable tag: trunk
8
 
2
  Contributors: georgestephanis, valendesigns, stevenkword, extendwings, sgrant, aaroncampbell, johnbillion, stevegrunwell, netweb, kasparsd, alihusnainarshad, passoniate
3
  Tags: two factor, two step, authentication, login, totp, fido u2f, u2f, email, backup codes, 2fa, yubikey
4
  Requires at least: 4.3
5
+ Tested up to: 5.4
6
  Requires PHP: 5.6
7
  Stable tag: trunk
8
 
two-factor.php CHANGED
@@ -1,18 +1,10 @@
1
  <?php
2
  /**
3
- * Two Factor
4
- *
5
- * @package Two_Factor
6
- * @author Plugin Contributors
7
- * @copyright 2020 Plugin Contributors
8
- * @license GPL-2.0-or-later
9
- *
10
- * @wordpress-plugin
11
  * Plugin Name: Two Factor
12
  * Plugin URI: https://wordpress.org/plugins/two-factor/
13
  * Description: Two-Factor Authentication using time-based one-time passwords, Universal 2nd Factor (FIDO U2F), email and backup verification codes.
14
  * Author: Plugin Contributors
15
- * Version: 0.7.0
16
  * Author URI: https://github.com/wordpress/two-factor/graphs/contributors
17
  * Network: True
18
  * Text Domain: two-factor
@@ -23,25 +15,20 @@
23
  */
24
  define( 'TWO_FACTOR_DIR', plugin_dir_path( __FILE__ ) );
25
 
26
- /**
27
- * Version of the plugin.
28
- */
29
- define( 'TWO_FACTOR_VERSION', '0.7.0' );
30
-
31
  /**
32
  * Include the base class here, so that other plugins can also extend it.
33
  */
34
- require_once TWO_FACTOR_DIR . 'providers/class-two-factor-provider.php';
35
 
36
  /**
37
  * Include the core that handles the common bits.
38
  */
39
- require_once TWO_FACTOR_DIR . 'class-two-factor-core.php';
40
 
41
  /**
42
  * A compatability layer for some of the most-used plugins out there.
43
  */
44
- require_once TWO_FACTOR_DIR . 'class-two-factor-compat.php';
45
 
46
  $two_factor_compat = new Two_Factor_Compat();
47
 
1
  <?php
2
  /**
 
 
 
 
 
 
 
 
3
  * Plugin Name: Two Factor
4
  * Plugin URI: https://wordpress.org/plugins/two-factor/
5
  * Description: Two-Factor Authentication using time-based one-time passwords, Universal 2nd Factor (FIDO U2F), email and backup verification codes.
6
  * Author: Plugin Contributors
7
+ * Version: 0.6.0
8
  * Author URI: https://github.com/wordpress/two-factor/graphs/contributors
9
  * Network: True
10
  * Text Domain: two-factor
15
  */
16
  define( 'TWO_FACTOR_DIR', plugin_dir_path( __FILE__ ) );
17
 
 
 
 
 
 
18
  /**
19
  * Include the base class here, so that other plugins can also extend it.
20
  */
21
+ require_once( TWO_FACTOR_DIR . 'providers/class.two-factor-provider.php' );
22
 
23
  /**
24
  * Include the core that handles the common bits.
25
  */
26
+ require_once( TWO_FACTOR_DIR . 'class-two-factor-core.php' );
27
 
28
  /**
29
  * A compatability layer for some of the most-used plugins out there.
30
  */
31
+ require_once( TWO_FACTOR_DIR . 'class-two-factor-compat.php' );
32
 
33
  $two_factor_compat = new Two_Factor_Compat();
34