fix(auth): add self-service 2FA recovery for lost devices#914
Open
faisalahammad wants to merge 1 commit into
Conversation
- Add email-based recovery flow with confirmation and cancel emails
- Implement 24-hour wait period before recovery can be completed
- Add rate limiting (12 hours) between recovery requests
- Add TWO_FACTOR_DISABLE_RECOVERY constant to opt out
- Add filters for delay period and rate limit
- Cancel recovery automatically on successful 2FA login
- Clean up recovery meta on uninstall

Fixes WordPress#909
Summary
Add email-based self-service recovery for users who lost their 2FA device and have no backup codes. Uses a two-step email confirmation with a configurable delay period (default 24 hours) before 2FA is disabled.
Fixes #909 (sub-issue #621)
Changes
class-two-factor-core.php
Added:
- RECOVERY_TOKEN_META_KEY, RECOVERY_CANCEL_TOKEN_META_KEY, etc.
- login_form_* action handlers for the recovery flow
- maybe_show_recovery_options() to show recovery link on 2FA login page
- cancel_pending_recovery() called after successful 2FA login
- uninstall()

Why: Issue #909 identifies that users locked out of their account with no 2FA device and no backup codes have no self-service path. This is especially critical for single-user sites.
tests/class-two-factor-core.php
Added: 14 test methods covering token generation, validation, expiry, rate limiting, wait period, email sending, recovery cancellation, and provider disabling.
Testing
Test 1: Recovery link visibility
Result: link visible when recovery is enabled
Test 2: Recovery flow
Result: recovery confirmed, wait period starts
Test 3: Cancellation
Result: "Recovery cancelled" message, pending request cleared
Test 4: Auto-cancel on 2FA login
Result: recovery cancelled automatically
Test 5: Feature disable
define('TWO_FACTOR_DISABLE_RECOVERY', true) added to wp-config.php
Result: recovery link hidden, direct URL access blocked
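A constructed model of the recovery lifecycle the description above lays out (request, confirmation email, 24-hour wait period, completion, cancel link, auto-cancel on a successful 2FA login, 12-hour rate limit between requests). This is an added example, not the plugin's code: it keeps state on an in-memory user record instead of WordPress user meta, takes the clock as a parameter so the timing rules can be exercised deterministically, and the function names, the link time-to-live and the reuse of the confirm link for the completion step are assumptions. Tokens are stored only as SHA-256 hashes and compared in constant time, so a copied database does not yield working links.

```python
# Constructed model of the self-service 2FA recovery flow; not the plugin's code.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

RECOVERY_DELAY = 24 * 60 * 60         # wait period before recovery may complete (PR: 24 hours)
RECOVERY_RATE_LIMIT = 12 * 60 * 60    # minimum gap between recovery requests (PR: 12 hours)
RECOVERY_LINK_TTL = 7 * 24 * 60 * 60  # assumed value: how long an unfinished request stays valid


class RecoveryError(Exception):
    """A refused step; the message is safe to show to the user."""


@dataclass
class PendingRecovery:
    confirm_hash: str   # SHA-256 of the confirm token; the raw token exists only in the email
    cancel_hash: str    # SHA-256 of the cancel token
    requested_at: int
    confirmed_at: Optional[int] = None


@dataclass
class User:
    """Stand-in for a WordPress user plus the recovery-related user meta."""
    two_factor_enabled: bool = True
    pending: Optional[PendingRecovery] = None
    last_request_at: Optional[int] = None
    outbox: list = field(default_factory=list)  # (subject, body) of emails "sent"


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _valid(token: str, stored_hash: str) -> bool:
    # Constant-time comparison so a valid token cannot be recovered byte by byte.
    return hmac.compare_digest(_hash(token), stored_hash)


def _live(user: User, now: int) -> Optional[PendingRecovery]:
    """The pending request, or None if there is none or it has outlived its TTL."""
    p = user.pending
    if p is None or now - p.requested_at > RECOVERY_LINK_TTL:
        user.pending = None
        return None
    return p


def request_recovery(user: User, now: int) -> tuple:
    """Step 1: the user asks for recovery; confirm and cancel links go out by email."""
    if user.last_request_at is not None and now - user.last_request_at < RECOVERY_RATE_LIMIT:
        raise RecoveryError("A recovery request was made recently; please try again later.")
    confirm_token = secrets.token_urlsafe(32)
    cancel_token = secrets.token_urlsafe(32)
    user.pending = PendingRecovery(_hash(confirm_token), _hash(cancel_token), now)
    user.last_request_at = now
    user.outbox.append(("Confirm 2FA recovery", f"?action=confirm&token={confirm_token}"))
    user.outbox.append(("Cancel 2FA recovery", f"?action=cancel&token={cancel_token}"))
    return confirm_token, cancel_token


def confirm_recovery(user: User, token: str, now: int) -> int:
    """Step 2: the confirm link is opened; the wait period starts. Returns when it ends."""
    p = _live(user, now)
    if p is None or not _valid(token, p.confirm_hash):
        raise RecoveryError("Invalid or expired recovery link.")
    if p.confirmed_at is None:  # reopening the link does not restart the clock
        p.confirmed_at = now
    return p.confirmed_at + RECOVERY_DELAY


def complete_recovery(user: User, token: str, now: int) -> bool:
    """Step 3: once the wait period has elapsed, the same link disables 2FA."""
    p = _live(user, now)
    if p is None or p.confirmed_at is None or not _valid(token, p.confirm_hash):
        raise RecoveryError("Invalid or expired recovery link.")
    if now < p.confirmed_at + RECOVERY_DELAY:
        raise RecoveryError("The waiting period has not finished yet.")
    user.two_factor_enabled = False
    user.pending = None
    return True


def cancel_recovery(user: User, cancel_token: str) -> bool:
    """The cancel link from the email; works at any point while a request is pending."""
    p = user.pending
    if p is None or not _valid(cancel_token, p.cancel_hash):
        return False
    user.pending = None
    return True


def on_successful_two_factor_login(user: User) -> bool:
    """A completed 2FA login proves the owner still has a device: drop any pending request."""
    had_pending = user.pending is not None
    user.pending = None
    return had_pending
```

The cancel link deliberately keeps working for the whole life of the request, including during the wait period, because its purpose is to let the real owner stop a request they did not make; the confirm link, by contrast, is useless until the delay has passed and is dropped the moment a 2FA login succeeds.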