Revalidate two factor settings prior to allowing any two-factor changes to an account. #529

Merged 57 commits on May 11, 2023.
9b59073
Store the two factor login timestamp and provider in the user session.
dd32 Feb 17, 2023
0749b4a
Create the user session directly attaching data to it, rather than us…
dd32 Feb 17, 2023
67da4ae
DEBUG: Add a notice to profile.php which shows the current user's logi…
dd32 Feb 17, 2023
f3e2299
Remove the need for the backup_2fa route, it appears to work without it.
dd32 Feb 17, 2023
aa5e716
Add a route that prompts for 2FA details for a logged in user.
dd32 Feb 17, 2023
1cf3606
Tests: Fix tests after removing the backup_2fa method.
dd32 Feb 17, 2023
9c9b467
Move Provider validation out of the main form handler and into a seco…
dd32 Feb 17, 2023
96edeec
Use the user's primary provider when revalidating the 2FA.
dd32 Feb 17, 2023
e7edaa7
When revalidating 2FA, prompt with the provider which the user is cur…
dd32 Feb 17, 2023
5f53d9e
Validate and update the session with the newly verified two-factor de…
dd32 Feb 17, 2023
1b7da24
Add a note as to why $_POST is checked for.
dd32 Feb 17, 2023
6258cba
Remove `filter_input()` in preference for $_REQUEST for future testab…
dd32 Feb 20, 2023
318418d
Move the pre_process_authentication out of process_provider.
dd32 Feb 20, 2023
60624c8
Only show the last-login-failure alert on login, not on revalidation.
dd32 Feb 20, 2023
851f333
Remove sanitize_key() and sanitize_text_field() from input variables,…
dd32 Feb 20, 2023
8d86049
Move login_form_revalidate_2fa() to be closer to login_form_validate_…
dd32 Feb 20, 2023
f6f5dfd
Dummy Two Factor: Require that the form is actually submitted before …
dd32 Feb 20, 2023
0cf4670
Move pre_process_authentication() back inside process_provider().
dd32 Feb 20, 2023
5f846c8
Simplify the 'backup' methods links when re-validating, ensure that t…
dd32 Feb 20, 2023
4b856c6
Add a method to determine if the current login session is two factored.
dd32 Feb 20, 2023
6229fe3
DEBUG: Only show the current user session is 2fa notice when editing …
dd32 Feb 20, 2023
cd5dd5e
Only process the provider if there's POST data to process.
dd32 Feb 20, 2023
c378bc1
Add a getter for the revalidate url.
dd32 Feb 20, 2023
a098362
Sanitize the URL for the revalidate flow.
dd32 Feb 20, 2023
6ed2293
Make is_current_user_session_two_factor() more readable.
dd32 Feb 20, 2023
11e33c9
Add a function that can be used to check if the current session can u…
dd32 Feb 20, 2023
803c160
Check the user can alter the two factor settings upon alterations.
dd32 Feb 20, 2023
bdf4032
Disable the entire two factor options section with a <fieldset disabl…
dd32 Feb 20, 2023
aa2f578
TOTP: Switch the reset TOTP button from an <a> to a <button> so that …
dd32 Feb 20, 2023
0b63439
DEBUG: include more information in the admin alert
dd32 Feb 20, 2023
f0193bb
get_user_settings_page_url() should not return profile.php?user_id=xx…
dd32 Feb 20, 2023
e9d7d0b
Add a notice to revalidate the session.
dd32 Feb 20, 2023
4afa233
Merge branch 'master' into add/2fa-revalidation-for-changes
dd32 Mar 9, 2023
bee8818
Revert "Dummy Two Factor: Require that the form is actually submitted…
dd32 Mar 9, 2023
e570b33
Merge branch 'WordPress:master' into add/2fa-revalidation-for-changes
dd32 Mar 16, 2023
2231db3
Add a filter for the revalidation time.
dd32 Mar 17, 2023
fc45ca5
Add translations
dd32 Mar 17, 2023
c796251
Use the term 'revalidated' rather than 're-authenticated'
dd32 Mar 17, 2023
01b80ca
Mark the debug notice as debug-only.
dd32 Mar 17, 2023
d9d2e28
Centralise the REST API authentication validation code.
dd32 Mar 17, 2023
71b8a9e
Merge branch 'master' into add/2fa-revalidation-for-changes
dd32 Apr 18, 2023
1b88d0c
Whitespace fix
dd32 Apr 18, 2023
462464e
Merge branch 'master' into add/2fa-revalidation-for-changes
dd32 Apr 19, 2023
d178c57
return from the interim login too in the revalidate branch.
dd32 Apr 20, 2023
48f3317
Clarify comments
dd32 Apr 27, 2023
c34ed51
Clarify comments.
dd32 Apr 27, 2023
2374c8f
Tests: Add a test for `Two_Factor_Core::_login_form_revalidate_2fa()`.
dd32 Apr 27, 2023
6502d24
Allow disabling revalidation by returning false to the filter.
dd32 Apr 27, 2023
6721a41
When enabling 2FA for the first time, set the current session as 2FA …
dd32 Apr 27, 2023
7b7b474
Tests: Add a test that covers Two_Factor_Core::current_user_can_updat…
dd32 Apr 27, 2023
d3e024c
Don't return true from Two_Factor_Core::current_user_can_update_two_f…
dd32 Apr 27, 2023
77192a3
Merge branch 'master' into add/2fa-revalidation-for-changes
dd32 May 3, 2023
9b37eb0
Remove debugging from the PR
dd32 May 3, 2023
bc358d0
Nest the link-generation-specific code within the if branch.
dd32 May 3, 2023
f2b60d0
Merge branch 'WordPress:master' into add/2fa-revalidation-for-changes
dd32 May 4, 2023
113cb72
Make `Two_Factor_Core::get_user_two_factor_revalidate_url()` public.
dd32 May 4, 2023
2d9e61b
For compatibility with WordPress login, always pass the action to the…
dd32 May 8, 2023