Skip to content

Add filters for email token and backup code length#653

Merged
kasparsd merged 17 commits into
masterfrom
add-filter-code-length
Jan 9, 2025
Merged

Add filters for email token and backup code length#653
kasparsd merged 17 commits into
masterfrom
add-filter-code-length

Conversation

@kasparsd
Copy link
Copy Markdown
Collaborator

@kasparsd kasparsd commented Dec 2, 2024
edited
Loading

Fixes #374.

Replaces #419.

What?

Implements two new filters:

  • two_factor_email_token_ttl filter overrides the default 8 character count for email tokens. This has been renamed from two_factor_token_ttl which is now marked as deprecated.

  • two_factor_backup_code_length filter overrides the default 8 character count for backup codes. Providers the WP_User of the associated user as the second argument.

Why?

Users might want to increase this.

How?

  • Introduce the filters and rename existing ones for consistency. Add tests to confirm both old and new filters are working.

  • Updated the input field placeholders to match the expected character length. Note that this might give away the expected character length for a brute force attacker but we're rate limiting these attempts so that is not an issue.

Testing Instructions

Screenshots or screencast

Note the updated XXXX characters for the placeholders and the correct length. Previously the placeholder was also including spaces but that could have confused the users about the format not matching what they get in the email or app. The input automatically removes invalid characters so the processing happens in either way.

email-codes

recover-codes

Inspiration:

input-format

Changelog Entry

Added - Introduce two_factor_email_token_length and two_factor_backup_code_length filters for adjusting the length of the respective tokens.

@kasparsd kasparsd mentioned this pull request Dec 2, 2024
Closed
@kasparsd
Copy link
Copy Markdown
Collaborator Author

kasparsd commented Dec 2, 2024

This is ready for code review.

@kasparsd kasparsd added this to the 0.11.0 milestone Dec 2, 2024
@jeffpaul jeffpaul requested a review from dd32 December 2, 2024 22:42
kasparsd
kasparsd commented Jan 9, 2025
View reviewed changes
Comment thread providers/class-two-factor-email.php Outdated
kasparsd
kasparsd commented Jan 9, 2025
View reviewed changes
Comment thread providers/class-two-factor-backup-codes.php
$code_placeholder = str_repeat( 'X', $this->get_backup_code_length( $user ) );

?>
<p class="two-factor-prompt"><?php esc_html_e( 'Enter a recovery code.', 'two-factor' ); ?></p><br/>
Copy link
Copy Markdown
Collaborator Author

@kasparsd kasparsd Jan 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was causing too much blank space between the message and the input:

recover-codes

@kasparsd kasparsd merged commit abd8289 into master Jan 9, 2025
@kasparsd kasparsd mentioned this pull request Jan 9, 2025
Merged
@jeffpaul jeffpaul modified the milestones: 0.12.0, 0.11.0 Jan 9, 2025
@jeffpaul jeffpaul deleted the add-filter-code-length branch April 30, 2025 21:09
@georgestephanis georgestephanis mentioned this pull request Mar 2, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dd32 dd32 Awaiting requested review from dd32

Assignees

@kasparsd kasparsd

Labels

None yet

Projects

None yet

Milestone

0.11.0

Development

Successfully merging this pull request may close these issues.

Backup Codes (Improve 8 to 12 numbers)

2 participants

@kasparsd @jeffpaul