From cd8fae257edd7625de92430fb4bc3e4e465a0c14 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis
Date: Thu, 3 Jul 2025 17:04:24 +0300
Subject: [PATCH 1/5] Document the filter
---
 class-two-factor-core.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 504eda51..51430109 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -776,7 +776,18 @@ public static function filter_authenticate_block_cookies( $user ) {
 * @return boolean
 */
 public static function is_user_api_login_enabled( $user_id ) {
- return (bool) apply_filters( 'two_factor_user_api_login_enable', (bool) did_action( 'application_password_did_authenticate' ), $user_id );
+ /**
+ * Allow or prevent logins without two-factor during
+ * API requests such as XML-RPC and REST.
+ *
+ * @param boolean $enabled Whether the user can login via API requests.
+ * @param integer $user_id User ID.
+ */
+ return (bool) apply_filters(
+ 'two_factor_user_api_login_enable',
+ (bool) did_action( 'application_password_did_authenticate' ),
+ $user_id
+ );
 }
 
 /**
From 33e30c29d3a80cbef993660dd24f4c85677eaf4c Mon Sep 17 00:00:00 2001
From: Kaspars Dambis
Date: Thu, 3 Jul 2025 17:15:48 +0300
Subject: [PATCH 2/5] Explain the default behaviour
---
 class-two-factor-core.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 51430109..0e802bda 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -769,7 +769,9 @@ public static function filter_authenticate_block_cookies( $user ) {
 }
 
 /**
- * If the current user can login via API requests such as XML-RPC and REST.
+ * If the user can login via API requests such as XML-RPC and REST.
+ *
+ * Only logins with application passwords are permitted by default.
 *
 * @param integer $user_id User ID.
 *
From 685944feadc3e3b9b3acb9e080a0306985a643e0 Mon Sep 17 00:00:00 2001
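Review bot: The default handed to `two_factor_user_api_login_enable` in `is_user_api_login_enabled()` (PATCH 1/5) is `(bool) did_action( 'application_password_did_authenticate' )`, which only records that an application password authenticated somewhere in this request and is never compared with `$user_id`, and the new hook docblock does not mention where the default comes from. Whether a request can reach this check for a different user than the one the application password belonged to depends on callers outside this hunk, so that is worth confirming. For the docblock I would extend the first tag to `@param boolean $enabled Whether the user can login via API requests. True by default only if an application password authenticated during this request.` and state that a callback returning `true` unconditionally lets password-only XML-RPC and REST logins skip the second factor. The readme.txt line added in PATCH 4/5 says the filter "restricts" API authentication, which describes the default rather than what a callback can do, and would benefit from the same wording.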
From: Kaspars Dambis
Date: Thu, 3 Jul 2025 17:16:06 +0300
Subject: [PATCH 3/5] Display a notice about application passwords being required for API login
---
 class-two-factor-core.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 0e802bda..9d0da8ce 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1956,6 +1956,12 @@ private static function render_user_providers_form( $user, $providers ) {

+ +

+ +

+ +
From a08522c43e583881804a0d2faeadd242f2b3a4fd Mon Sep 17 00:00:00 2001
From: Kaspars Dambis
Date: Thu, 3 Jul 2025 17:20:38 +0300
Subject: [PATCH 4/5] Document the filter
---
 readme.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/readme.txt b/readme.txt
index 34310ae7..ab1725cd 100644
--- a/readme.txt
+++ b/readme.txt
@@ -28,6 +28,7 @@ Here is a list of action and filter hooks provided by the plugin:
 - `two_factor_providers_for_user` filter overrides the available two-factor providers for a specific user. Array values are instances of provider classes and the user object `WP_User` is available as the second argument.
 - `two_factor_enabled_providers_for_user` filter overrides the list of two-factor providers enabled for a user. First argument is an array of enabled provider classnames as values, the second argument is the user ID.
 - `two_factor_user_authenticated` action which receives the logged in `WP_User` object as the first argument for determining the logged in user right after the authentication workflow.
+- `two_factor_user_api_login_enable` filter restricts authentication for REST API and XML-RPC to application passwords only. Provides the user ID as the second argument.
 - `two_factor_email_token_ttl` filter overrides the time interval in seconds that an email token is considered after generation. Accepts the time in seconds as the first argument and the ID of the `WP_User` object being authenticated.
 - `two_factor_email_token_length` filter overrides the default 8 character count for email tokens.
 - `two_factor_backup_code_length` filter overrides the default 8 character count for backup codes. Providers the `WP_User` of the associated user as the second argument.
From 4f720a4432dc156ab2beb8bc763cd1610fe3acc1 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis
Date: Thu, 3 Jul 2025 17:23:23 +0300
Subject: [PATCH 5/5] Simplify the language for easier translation
---
 class-two-factor-core.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 9d0da8ce..11ccf767 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1958,7 +1958,7 @@ private static function render_user_providers_form( $user, $providers ) {

- +