Skip to content

feature: 2fa with authenticator apps (recover #1852)#1885

Open
arifulhoque7 wants to merge 5 commits into
weDevsOfficial:developfrom
arifulhoque7:recover/pr-1852
Open

feature: 2fa with authenticator apps (recover #1852)#1885
arifulhoque7 wants to merge 5 commits into
weDevsOfficial:developfrom
arifulhoque7:recover/pr-1852

Conversation

@arifulhoque7

Copy link
Copy Markdown
Contributor

Recovered from #1852 (originally by @sapayth), rebased onto develop with merge conflicts resolved. Functionality preserved.

Supersedes #1852.

sapayth and others added 5 commits April 29, 2026 16:08
2FA framework: TOTP authenticator support, multi-method registry,
enrollment / challenge / verify flow, security dashboard section, and
extracted login-stage CSS/JS to dedicated wpuf-2fa-login assets.

Login audit (docs/login-process-audit.md, Phases 1-3):
- Reconciled the two Turnstile settings on `login_form_turnstile`.
- Removed dead Turnstile error string and the `form_align` dead pipeline.
- New filters: `wpuf_login_turnstile_verify`, `wpuf_login_form_layout_class`,
  `wpuf_login_layouts`, `wpuf_login_form_template_args`.
- New actions: `wpuf_login_show_errors`, `wpuf_login_show_messages`.
- Layout class applied server-side (no FOUC); single source of truth
  for the layout list.
- Server-side rendering of customizable labels / placeholders / button /
  remember-me / lost-password / form heading — fixes a11y, page caches,
  and silent shortcode-page heading.
- Fire wp_login action after auth cookie in 2FA stage 2 so integrations
  listening for logins (audit logs, tracking) see successful 2FA logins.
- Guard openssl_encrypt() failure in TwoFactor\Crypto::encrypt() to avoid
  base64-encoding a false return.
- Use strict less-than for the PHP version gate so the declared 7.4
  minimum is actually accepted.
- isset() guard on admin_label in settings API multiselect-card to avoid
  notices for filter-extended option arrays.
@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@arifulhoque7, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 15 minutes and 19 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0d5dfde0-2e43-4066-a95e-f18584b1704f

📥 Commits

Reviewing files that changed from the base of the PR and between 9a241d2 and e992655.

⛔ Files ignored due to path filters (1)
  • composer.lock is excluded by !**/*.lock
📒 Files selected for processing (28)
  • Lib/WeDevs_Settings_API.php
  • assets/css/admin.css
  • assets/css/wpuf-2fa-login.css
  • assets/js/admin/settings.js
  • assets/js/wpuf-2fa-account.js
  • assets/js/wpuf-2fa-login.js
  • assets/less/admin.less
  • composer.json
  • includes/Assets.php
  • includes/Free/Simple_Login.php
  • includes/TwoFactor/Account_Section.php
  • includes/TwoFactor/Admin_User_Profile.php
  • includes/TwoFactor/Crypto.php
  • includes/TwoFactor/Default_Card_Renderer.php
  • includes/TwoFactor/Enrollment_Controller.php
  • includes/TwoFactor/Login_Controller.php
  • includes/TwoFactor/Method_Interface.php
  • includes/TwoFactor/Method_Registry.php
  • includes/TwoFactor/QR_Renderer.php
  • includes/TwoFactor/Rate_Limiter.php
  • includes/TwoFactor/TOTP_Method.php
  • includes/TwoFactor/Two_Factor_Manager.php
  • includes/TwoFactor/User_Storage.php
  • includes/functions/settings-options.php
  • templates/dashboard/security.php
  • templates/login-form.php
  • wpuf-functions.php
  • wpuf.php
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@arifulhoque7

Copy link
Copy Markdown
Contributor Author

Review: 2FA security posture is strong (AES-256-GCM secrets via HKDF, hashed issued codes, TOTP replay protection, rate limiting, single-use 5-min login tokens, wp_safe_redirect, password not sanitized before wp_check_password, nonce + is_user_logged_in on all AJAX, admin reset gated on manage_options). No blocking code issues.

Two items to address before release (not code-fixed here as they're product/migration decisions):

  1. Turnstile setting moved enable_turnstile/wpuf_generallogin_form_turnstile/wpuf_profile. Existing installs with login Turnstile enabled will silently lose it. Please ship a settings migration (or document the re-enable step).
  2. PHP minimum bumped 5.6 → 7.4 for the free plugin (TOTP uses typed properties / nullable returns). Confirm this is an intended requirement bump and note it in the changelog / readme Requires PHP.

Minor (multisite): Admin_User_Profile::handle_reset checks manage_options only; could also check current_user_can('edit_user', $target_user_id).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants