feat: grace logins, plugin slot fix, explain modal alignment, save JS bug fix

- Fix: active plugin was cloudscale-code-block (v1.8.86) while all deploys
  went to inactive cloudscale-devtools slot — swapped to correct active slot
- Fix: undefined `slug` variable in hide login save success handler caused
  ReferenceError after every successful save, showing false failure alert
- Fix: Explain modal badge alignment — badge now always centered at top of
  each card, removing flex-wrap inconsistency on narrow mobile screens
- Feat: Grace logins UI — number input in 2FA Settings panel, AJAX save
  handler, and JS payload; allows N logins before 2FA is enforced per user
- Tests: session-persistence.spec.js — 4 Playwright tests confirm 30-day
  persistent cookie (expires > 0) vs default session cookie (expires = -1)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Andrew Baker

assets/cs-login.js

@@ -48,6 +48,7 @@
             login_slug:       document.getElementById( 'cs-login-slug' )?.value.trim() || '',
             method:           document.querySelector( 'input[name="cs_devtools_2fa_method"]:checked' )?.value || 'off',
             force_admins:     document.getElementById( 'cs-2fa-force' )?.checked ? '1' : '0',
+            grace_logins:     document.getElementById( 'cs-2fa-grace-logins' )?.value || '0',
             session_duration: document.getElementById( 'cs-session-duration' )?.value || 'default',
             bf_enabled:       document.getElementById( 'cs-bf-enabled' )?.checked ? '1' : '0',
             bf_attempts:      document.getElementById( 'cs-bf-attempts' )?.value || '5',
@@ -68,9 +69,7 @@
                         urlEl.href        = res.data.login_url;
                         urlEl.textContent = res.data.login_url;
                     }
-                    // Update slug-base preview
-                    const slugInput = document.getElementById( 'cs-login-slug' );
-                    if ( slugInput ) slugInput.value = slug;
+                    // (slug input already has the current value — no update needed)
                 } else {
                     alert( res.data || 'Save failed.' );
                 }

cs-code-block.php

@@ -3,7 +3,7 @@
  * Plugin Name: CloudScale DevTools
  * Plugin URI: https://andrewbaker.ninja
  * Description: Developer toolkit with syntax-highlighted code blocks, SQL query tool, code migrator, site monitor, and login security (passkeys, TOTP, email 2FA, hide login URL).
- * Version: 1.8.90
+ * Version: 1.8.95
  * Author: Andrew Baker
  * Author URI: https://andrewbaker.ninja
  * License: GPL-2.0-or-later
@@ -38,7 +38,7 @@
  */
 class CloudScale_DevTools {
 
-    const VERSION      = '1.8.90';
+    const VERSION      = '1.8.95';
     const HLJS_VERSION = '11.11.1';
     const HLJS_CDN     = 'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/';
     const TOOLS_SLUG   = 'cloudscale-devtools';
@@ -775,6 +775,14 @@ public static function register_settings() {
             'sanitize_callback' => function ( $v ) { return '1' === $v ? '1' : '0'; },
             'default'           => '0',
         ] );
+        register_setting( 'cs_devtools_login_settings', 'cs_devtools_2fa_grace_logins', [
+            'type'              => 'string',
+            'sanitize_callback' => static function ( $v ) {
+                $n = (int) $v;
+                return ( $n >= 0 && $n <= 10 ) ? (string) $n : '0';
+            },
+            'default' => '0',
+        ] );
         register_setting( 'cs_devtools_login_settings', 'cs_devtools_session_duration', [
             'type'              => 'string',
             'sanitize_callback' => static function ( $v ) {
@@ -1184,10 +1192,10 @@ private static function render_explain_btn( string $id, string $title, array $it
                         $bdr    = $is_on ? '#1a7a34' : ( $is_opt ? '#c3c4c7' : '#2271b1' );
                     ?>
                     <div style="border:1px solid #e0e0e0;border-radius:6px;padding:12px 14px;margin-bottom:10px">
-                        <div style="display:flex;align-items:center;gap:10px;margin-bottom:5px;flex-wrap:wrap">
-                            <strong style="font-size:13px"><?php echo esc_html( $item['name'] ); ?></strong>
-                            <span style="background:<?php echo esc_attr( $bg ); ?>;color:<?php echo esc_attr( $col ); ?>;border:1px solid <?php echo esc_attr( $bdr ); ?>;border-radius:4px;font-size:11px;font-weight:600;padding:1px 8px;white-space:nowrap"><?php echo esc_html( $rec ); ?></span>
+                        <div style="text-align:center;margin-bottom:6px">
+                            <span style="display:inline-block;background:<?php echo esc_attr( $bg ); ?>;color:<?php echo esc_attr( $col ); ?>;border:1px solid <?php echo esc_attr( $bdr ); ?>;border-radius:4px;font-size:11px;font-weight:600;padding:1px 8px;white-space:nowrap"><?php echo esc_html( $rec ); ?></span>
                         </div>
+                        <strong style="display:block;font-size:13px;margin-bottom:4px"><?php echo esc_html( $item['name'] ); ?></strong>
                         <p style="margin:0;color:#50575e;font-size:12px;line-height:1.5;white-space:pre-line"><?php echo esc_html( $item['desc'] ); ?></p>
                     </div>
                     <?php endforeach; ?>
@@ -1777,6 +1785,7 @@ function dismiss() { clearInterval( t ); if ( modal ) modal.style.display = 'non
                     [ 'name' => 'Email Code',               'rec' => 'Optional',        'desc' => 'Requires users to enter a code sent to their email after each password login. Works out of the box with no app required.' ],
                     [ 'name' => 'Authenticator App (TOTP)', 'rec' => 'Recommended',     'desc' => 'Each user configures their own authenticator app. Most secure option — works without internet or email.' ],
                     [ 'name' => 'Force 2FA for Admins',     'rec' => 'Recommended',     'desc' => 'Blocks administrator-role users from accessing the dashboard until they have set up 2FA. Strongly recommended on any multi-user site.' ],
+                    [ 'name' => 'Grace Logins',             'rec' => 'Advanced',        'desc' => "Allows a user to log in up to N times before 2FA is required. The counter is per-user and never resets automatically.\n\nDefault is 0 (2FA always required from the first login).\n\nTip for automated test accounts: set to 1. Playwright and similar tools cannot complete a real 2FA challenge, so granting one grace login lets a test account authenticate for setup steps without disabling 2FA site-wide." ],
                 ] ); ?>
             </div>
             <div class="cs-panel-body">
@@ -1822,6 +1831,16 @@ function dismiss() { clearInterval( t ); if ( modal ) modal.style.display = 'non
                     </div>
                 </div>
 
+                <?php $grace_logins = (int) get_option( 'cs_devtools_2fa_grace_logins', '0' ); ?>
+                <div class="cs-field-row" style="margin-top:16px">
+                    <div class="cs-field">
+                        <label class="cs-label" for="cs-2fa-grace-logins"><?php esc_html_e( 'Grace logins before 2FA is required:', 'cloudscale-devtools' ); ?></label>
+                        <input type="number" id="cs-2fa-grace-logins" class="cs-input" min="0" max="10"
+                               value="<?php echo esc_attr( $grace_logins ); ?>" style="max-width:100px">
+                        <span class="cs-hint"><?php esc_html_e( 'Allow N logins without 2FA per user. 0 = 2FA required from first login. For automated test accounts use 1.', 'cloudscale-devtools' ); ?></span>
+                    </div>
+                </div>
+
                 <div style="margin-top:16px;display:flex;align-items:center;gap:10px">
                     <button type="button" class="cs-btn-primary" id="cs-2fa-save">💾 <?php esc_html_e( 'Save 2FA Settings', 'cloudscale-devtools' ); ?></button>
                     <span class="cs-settings-saved" id="cs-2fa-saved">✓ <?php esc_html_e( 'Saved', 'cloudscale-devtools' ); ?></span>
@@ -4503,6 +4522,17 @@ public static function login_2fa_intercept( $user, string $username, string $pas
             return $user;
         }
 
+        // Grace logins: allow up to N logins without 2FA being set up.
+        // Useful for automated test accounts or newly invited users.
+        $grace_limit = (int) get_option( 'cs_devtools_2fa_grace_logins', '0' );
+        if ( $grace_limit > 0 ) {
+            $grace_count = (int) get_user_meta( $user->ID, 'cs_devtools_2fa_grace_count', true );
+            if ( $grace_count < $grace_limit ) {
+                update_user_meta( $user->ID, 'cs_devtools_2fa_grace_count', $grace_count + 1 );
+                return $user; // Skip 2FA — grace login consumed.
+            }
+        }
+
         // Avoid triggering 2FA during a 2FA verification POST itself.
         $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
         if ( $action === 'cs_devtools_2fa' ) {
@@ -4923,6 +4953,11 @@ public static function ajax_login_save(): void {
         update_option( 'cs_devtools_brute_force_attempts', (string) $bf_attempts );
         update_option( 'cs_devtools_brute_force_lockout',  (string) $bf_lockout );
 
+        // Grace logins
+        $grace_logins = isset( $_POST['grace_logins'] ) ? (int) sanitize_text_field( wp_unslash( $_POST['grace_logins'] ) ) : 0;
+        if ( $grace_logins < 0 || $grace_logins > 10 ) { $grace_logins = 0; }
+        update_option( 'cs_devtools_2fa_grace_logins', (string) $grace_logins );
+
         $new_url = $hide === '1' && $slug ? home_url( '/' . $slug . '/' ) : wp_login_url();
         wp_send_json_success( [ 'login_url' => $new_url ] );
     }

readme.txt

@@ -4,7 +4,7 @@ Tags: code block, syntax highlighting, gutenberg block, dark mode, highlight.js
 Requires at least: 6.0
 Tested up to: 6.7
 Requires PHP: 7.4
-Stable tag: 1.8.90
+Stable tag: 1.8.95
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -79,7 +79,7 @@ Yes. Press Enter to run the query. Use Shift+Enter to insert a newline. Ctrl+Ent
 
 == Changelog ==
 
-= 1.8.90 =
+= 1.8.95 =
 * Fixed: session cookie hook was wrong — login_form_login is a display hook that never fires on a successful login POST; moved to login_init so the persistent-cookie flag is set before WordPress processes credentials
 
 = 1.8.89 =

tests/session-persistence.spec.js

@@ -0,0 +1,188 @@
+/**
+ * Session Persistence — focused Playwright test
+ *
+ * Verifies that when a custom session duration is configured, the WordPress
+ * auth cookie is written as a persistent cookie (explicit expiry, not expire=0)
+ * so it survives a browser kill / swipe-up on mobile.
+ *
+ * Uses cs_devtools_test (admin) — no separate admin credentials needed.
+ *
+ * Run:  npx playwright test tests/session-persistence.spec.js --headed
+ */
+
+const { test, expect, request } = require('@playwright/test');
+
+const SITE      = process.env.WP_SITE      || 'https://andrewbaker.ninja';
+const TEST_USER = process.env.WP_TEST_USER || 'cs_session_test';
+const TEST_PASS = process.env.WP_TEST_PASS || 'SessionTest2026!';
+
+const LOGIN_URL   = `${SITE}/wp-login.php`;
+const SETTINGS_URL = `${SITE}/wp-admin/tools.php?page=cloudscale-devtools&tab=login`;
+
+/** Add the WP test cookie (browser compatibility check) */
+async function addWpTestCookie( ctx ) {
+    await ctx.addCookies( [ {
+        name:     'wordpress_test_cookie',
+        value:    'WP Cookie check',
+        domain:   new URL( SITE ).hostname,
+        path:     '/',
+        secure:   true,
+        httpOnly: false,
+        sameSite: 'Lax',
+    } ] );
+}
+
+/** Log in and return — throws if login fails */
+async function wpLogin( page, user, pass ) {
+    await addWpTestCookie( page.context() );
+    await page.goto( LOGIN_URL, { waitUntil: 'domcontentloaded' } );
+    await page.fill( '#user_login', user );
+    await page.fill( '#user_pass',  pass );
+    await Promise.all( [
+        page.waitForNavigation( { waitUntil: 'domcontentloaded', timeout: 30_000 } ),
+        page.click( '#wp-submit' ),
+    ] );
+    if ( page.url().includes( 'wp-login.php' ) ) {
+        const err = await page.locator( '#login_error' ).textContent().catch( () => 'unknown' );
+        throw new Error( `Login failed: ${err.trim()}` );
+    }
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// 1. Baseline — confirm default WP sessions ARE session cookies (expire = -1)
+// ─────────────────────────────────────────────────────────────────────────────
+test( 'Baseline — default WP session is a session cookie (expires=-1)', async ( { browser } ) => {
+    // Make sure session duration is set to "default" first.
+    const ctx  = await browser.newContext( { ignoreHTTPSErrors: true } );
+    const page = await ctx.newPage();
+    await wpLogin( page, TEST_USER, TEST_PASS );
+
+    // Navigate to settings and set duration to "default".
+    await page.goto( SETTINGS_URL );
+    await page.locator( '#cs-session-duration' ).selectOption( 'default' );
+    await page.locator( '#cs-session-save' ).click();
+    await expect( page.locator( '#cs-session-saved' ) ).toBeVisible( { timeout: 5_000 } );
+    console.log( '✅  Session duration set to default.' );
+
+    // Log out, then log back in fresh so the new setting applies.
+    await page.goto( `${SITE}/wp-login.php?action=logout` );
+    const confirmLogout = page.locator( 'a[href*="action=logout"]' );
+    if ( await confirmLogout.isVisible( { timeout: 3_000 } ).catch( () => false ) ) {
+        await confirmLogout.click();
+    }
+    await page.waitForTimeout( 500 );
+    await wpLogin( page, TEST_USER, TEST_PASS );
+
+    const cookies  = await ctx.cookies();
+    const authCook = cookies.find( c => c.name.startsWith( 'wordpress_logged_in_' ) );
+    console.log( `  Auth cookie expires = ${authCook?.expires}` );
+
+    // With default WP (no remember-me), expire should be -1 (session cookie).
+    expect( authCook ).toBeTruthy();
+    expect( authCook.expires ).toBe( -1 );
+    console.log( '✅  Confirmed: default login is a session cookie (expires=-1).' );
+    await ctx.close();
+} );
+
+// ─────────────────────────────────────────────────────────────────────────────
+// 2. With custom duration — cookie must be persistent (expires > 0)
+// ─────────────────────────────────────────────────────────────────────────────
+test( 'Custom 30-day session — auth cookie must be persistent (expires > 0)', async ( { browser } ) => {
+    const ctx  = await browser.newContext( { ignoreHTTPSErrors: true } );
+    const page = await ctx.newPage();
+    await wpLogin( page, TEST_USER, TEST_PASS );
+
+    // Set 30-day session.
+    await page.goto( SETTINGS_URL );
+    await page.locator( '#cs-session-duration' ).selectOption( '30' );
+    await page.locator( '#cs-session-save' ).click();
+    await expect( page.locator( '#cs-session-saved' ) ).toBeVisible( { timeout: 5_000 } );
+    console.log( '✅  Session duration set to 30 days.' );
+
+    // Log out and back in so the new cookie is issued.
+    await page.goto( `${SITE}/wp-login.php?action=logout` );
+    const confirmLogout = page.locator( 'a[href*="action=logout"]' );
+    if ( await confirmLogout.isVisible( { timeout: 3_000 } ).catch( () => false ) ) {
+        await confirmLogout.click();
+    }
+    await page.waitForTimeout( 500 );
+    await wpLogin( page, TEST_USER, TEST_PASS );
+
+    const cookies  = await ctx.cookies();
+    const authCook = cookies.find( c => c.name.startsWith( 'wordpress_logged_in_' ) );
+    console.log( `  Auth cookie expires = ${authCook?.expires}  (0 = session cookie, >0 = persistent)` );
+
+    expect( authCook ).toBeTruthy();
+    // -1 or 0 means session cookie — this is the bug we're fixing.
+    expect( authCook.expires ).toBeGreaterThan( 0 );
+
+    const expiryDate = new Date( authCook.expires * 1000 );
+    const daysFromNow = ( authCook.expires - Date.now() / 1000 ) / 86400;
+    console.log( `  Expires: ${expiryDate.toISOString()} (~${Math.round( daysFromNow )} days from now)` );
+    expect( daysFromNow ).toBeGreaterThan( 25 );  // should be ~30 days
+    console.log( '✅  Auth cookie is persistent — survives browser kill/swipe-up.' );
+    await ctx.close();
+} );
+
+// ─────────────────────────────────────────────────────────────────────────────
+// 3. Simulate browser kill — new context with saved cookies stays logged in
+// ─────────────────────────────────────────────────────────────────────────────
+test( 'Simulated browser kill — re-opening with saved cookies stays logged in', async ( { browser } ) => {
+    // First context: log in with 30-day session and grab cookies.
+    const ctx1  = await browser.newContext( { ignoreHTTPSErrors: true } );
+    const page1 = await ctx1.newPage();
+    await wpLogin( page1, TEST_USER, TEST_PASS );
+
+    // Ensure 30-day duration is set.
+    await page1.goto( SETTINGS_URL );
+    await page1.locator( '#cs-session-duration' ).selectOption( '30' );
+    await page1.locator( '#cs-session-save' ).click();
+    await expect( page1.locator( '#cs-session-saved' ) ).toBeVisible( { timeout: 5_000 } );
+
+    // Re-login to get the fresh persistent cookie.
+    await page1.goto( `${SITE}/wp-login.php?action=logout` );
+    const confirmLogout = page1.locator( 'a[href*="action=logout"]' );
+    if ( await confirmLogout.isVisible( { timeout: 3_000 } ).catch( () => false ) ) {
+        await confirmLogout.click();
+    }
+    await page1.waitForTimeout( 500 );
+    await wpLogin( page1, TEST_USER, TEST_PASS );
+
+    const cookies = await ctx1.cookies();
+    const authCook = cookies.find( c => c.name.startsWith( 'wordpress_logged_in_' ) );
+    expect( authCook?.expires ).toBeGreaterThan( 0 );
+    console.log( `  Captured persistent cookie: ${authCook?.name}, expires ${new Date( authCook.expires * 1000 ).toISOString()}` );
+
+    // "Kill" the browser — close context 1.
+    await ctx1.close();
+    console.log( '  Browser context closed (simulating swipe-up / app kill).' );
+
+    // "Reopen" — new context with the saved cookies (simulating restored session).
+    const ctx2   = await browser.newContext( { ignoreHTTPSErrors: true } );
+    await ctx2.addCookies( cookies );
+    const page2  = await ctx2.newPage();
+    await page2.goto( `${SITE}/wp-admin/`, { waitUntil: 'domcontentloaded' } );
+
+    // Should land in wp-admin, not be redirected to login.
+    const finalUrl = page2.url();
+    console.log( `  After "reopen", landed at: ${finalUrl}` );
+    expect( finalUrl ).not.toContain( 'wp-login.php' );
+    expect( finalUrl ).toContain( 'wp-admin' );
+    console.log( '✅  Session survived simulated browser kill — still logged in.' );
+    await ctx2.close();
+} );
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Cleanup — restore default session duration
+// ─────────────────────────────────────────────────────────────────────────────
+test( 'Cleanup — restore default session duration', async ( { browser } ) => {
+    const ctx  = await browser.newContext( { ignoreHTTPSErrors: true } );
+    const page = await ctx.newPage();
+    await wpLogin( page, TEST_USER, TEST_PASS );
+    await page.goto( SETTINGS_URL );
+    await page.locator( '#cs-session-duration' ).selectOption( 'default' );
+    await page.locator( '#cs-session-save' ).click();
+    await expect( page.locator( '#cs-session-saved' ) ).toBeVisible( { timeout: 5_000 } );
+    console.log( '✅  Session duration restored to default.' );
+    await ctx.close();
+} );