-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Store the two-factor details in the user session at login time #528
Conversation
Unfortunately full unit testing isn't possible unless #527 lands. I've added a unit test to verify that this new getter returns false for a user session set outside of the two-factor auth flow though. |
181d319
to
f2b74a8
Compare
I've rebased this PR after I merged #527, and tests are now included that covers the login flow - validating that a cookie set outside of the login flow doesn't get flagged as 2fa, and that a login via the 2fa flow sets the appropriate session flags. This unfortunately did require changing how the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I ran out of time today, but wanted to send what I have so far. I'll pick it back up tomorrow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good and works in my tests 👍🏻
…tor() doesn't return true when the cookie is set from outside of the two-factor handler.
…et in the user session.
Co-authored-by: Ian Dunn <[email protected]>
Co-authored-by: Ian Dunn <[email protected]>
d1668c4
to
a799823
Compare
… be exited after calling.
This PR is part of some larger work for #484.
This PR causes the two-factor timestamp and provider to be stored in the user session, which can be later used to validate that the user session is two-factor authenticated.
Code Notes:
wp_set_auth_cookie()
, but that requires the caller to duplicate significantly more code than this option.To test, you can use something like
$session = WP_Session_Tokens::get_instance( $user->ID )->get( wp_get_session_token() );
on an admin page to inspect the current sessions session, this is what's used in the above screenshots.