Block creating authentication cookies when inappropriate to do so. by dd32 · Pull Request #490 · WordPress/two-factor

dd32 · 2022-11-03T05:22:22Z

As noted in #406 and #385 it's possible for plugins to accidentally bypass the two-factor requirement by setting cookies directly.

See #406 (comment) for more detailed reasonings.

Fixes #406, #385

…er through wp-login.php for two-factor verification.

kasparsd · 2022-11-03T05:56:34Z

This appears to be impacting the core workflows used by this plugin. Could we please add some unit tests to go with these changes?

dd32 · 2022-11-16T05:32:44Z

Could we please add some unit tests to go with these changes?

I wasn't able to determine how best to add unit testing here, given the plugin doesn't appear to currently test it.

Do you have any suggestions @kasparsd?

iandunn · 2022-11-18T21:46:06Z

#497 might be a better way to test it. I don't think that needs to be a blocker for this, though. We could just test this manually and then add the e2e tests once the tooling is in place (maybe as part of #468 )

iandunn · 2022-12-01T00:49:49Z

This seems to work in my manual tests. @kasparsd , do you have any thoughts on the 2 comments above about automated tests?

Co-authored-by: Ian Dunn <ian@iandunn.name>

dd32 · 2023-01-05T03:10:16Z

Closing in favour of #502 which has been merged.

dd32 added 7 commits November 3, 2022 13:09

Don't send valid auth cookies, only to then destroy them.

53a10e7

Catch wp_clear_auth_cookie() usage as well.

c211094

Remove the filter, rather than using a flag.

f558b13

When wp_set_auth_cookie() is called outside of login, redirect the us…

578260c

…er through wp-login.php for two-factor verification.

Documentation & WordPress 6.2+ filter usage.

7c413b3

Correct PHPDoc format.

ce690cd

Respect the redirect location if a cookie set was intercepted.

c68cdb4

dd32 mentioned this pull request Nov 3, 2022

Reauth 2nd factor to change 2FA settings #484

Closed

jeffpaul added this to the 0.8.0 milestone Nov 3, 2022

jeffpaul linked an issue Nov 3, 2022 that may be closed by this pull request

Prevent other plugins from accidentally circumventing two factor authentication #385

Closed

iandunn mentioned this pull request Nov 3, 2022

Tracking upstream MVP issues WordPress/wporg-two-factor#1

Closed

15 tasks

dd32 mentioned this pull request Nov 4, 2022

Using auth_cookie filter instead of wp_login hook to start 2FA flow #406

Closed

iandunn mentioned this pull request Nov 18, 2022

Add e2e tests for critical paths #497

Open

iandunn reviewed Dec 1, 2022

View reviewed changes

Comment thread class-two-factor-core.php Outdated

Update class-two-factor-core.php

c31d187

Co-authored-by: Ian Dunn <ian@iandunn.name>

dd32 mentioned this pull request Dec 7, 2022

Block sending authentication cookies upon 2FA login #502

Merged

dd32 closed this Jan 5, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Block creating authentication cookies when inappropriate to do so.#490

Block creating authentication cookies when inappropriate to do so.#490
dd32 wants to merge 8 commits into
WordPress:masterfrom
dd32:fix/dont-send-auth-cookies

dd32 commented Nov 3, 2022

Uh oh!

kasparsd commented Nov 3, 2022

Uh oh!

dd32 commented Nov 16, 2022

Uh oh!

iandunn commented Nov 18, 2022

Uh oh!

iandunn commented Dec 1, 2022

Uh oh!

Uh oh!

dd32 commented Jan 5, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

dd32 commented Nov 3, 2022

Uh oh!

kasparsd commented Nov 3, 2022

Uh oh!

dd32 commented Nov 16, 2022

Uh oh!

iandunn commented Nov 18, 2022

Uh oh!

iandunn commented Dec 1, 2022

Uh oh!

Uh oh!

dd32 commented Jan 5, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants