New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using auth_cookie filter instead of wp_login hook to start 2FA flow #406
Comments
Could you create a PR? |
I don't think using the However, the current method of allowing the cookies to be sent to browser (even if the sessions are destroyed, causing the cookies to be invalid) opens up the possibility for vulnerabilities, especially if anyone is overriding any of the pluggable.php files. Instead though, we can use the The Core filter is designed for unit testing, and so doesn't pass any context, which is a shame. See WordPress/wordpress-develop#3554 It's worth noting, that by preventing plugins from accidentally circumventing two-factor, it's also going to block cases where a plugin is deliberately bypassing it and setting cookies, for example, I've experimented with two approaches.
Attempt 1 is in master...dd32:two-factor:try/send_auth_cookies and I'm going to submit a PR with the second for review. |
Why is that? If we only modify |
I guess in my mind I see those filters as validating authentication, where as two-factor is validated after authentication succeeds or fails. It's about using the filter for the intention of it, rather than hijacking the request. Admittedly, #490 does just that for cases where Other Authentication methods, such as those you listed, need to have explicit handlers that respects the type of authentication. For example, you would not want to exit to a 2FA prompt for an XML-RPC client, instead you would disable authentication through the filter. |
Ah, I was thinking of it more as "the user hasn't fully authenticated until both factors are validated", because the 2nd factor is part of the authentication process. Core doesn't have any concept of multiple factors or custom login steps, so anything we do is gonna be somewhat janky. I can see what you mean, though 👍🏻 I guess #300 covers the concern about other methods, and there isn't a gap currently since it's disabled by default 👍🏻 |
Currently flow is started when wp_login is triggered, i.e. when the user has already been logged in, and then reversers the last part of the the default login-flow, by removing the the auth-cookie in function wp_login.
Why don't instead use the hook auth_cookie filter, to prevent the cookie from being set unit 2FA has been completed?
Or use wp_authenticate action hook that is triggered before the WP backend authentication process is done, removing need to destroy the session
I think that use of wp_login hook, in addition to being somewhat backward, as already completed login is reversed, is more likely to conflict with other hooks in sites that seek to do actions after successful login.
Ref:
https://usersinsights.com/wordpress-user-login-hooks/
https://developer.wordpress.org/reference/hooks/auth_cookie/
https://developer.wordpress.org/reference/hooks/wp_authenticate/
The text was updated successfully, but these errors were encountered: