Move to the generic authenticate filter since there we reliably know …

…the user state
WordPress · Jan 10, 2025 · 0e1b244 · 0e1b244
1 parent 8aef3df
commit 0e1b244
Showing 1 changed file with 11 additions and 6 deletions.
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
@@ -682,11 +682,17 @@ public static function destroy_current_session_for_user( $user ) {
 	 * @return WP_User|WP_Error
 	 */
 	public static function filter_authenticate( $user ) {
-		if ( $user instanceof WP_User && self::is_api_request() && self::is_user_using_two_factor( $user->ID ) && ! self::is_user_api_login_enabled( $user->ID ) ) {
-			return new WP_Error(
-				'invalid_application_credentials',
-				__( 'Error: API login for user disabled.', 'two-factor' )
-			);
+		if ( $user instanceof WP_User && self::is_user_using_two_factor( $user->ID ) ) {
+			// Trigger the second-factor flow if the password was correct.
+			add_action( 'wp_login', array( __CLASS__, 'wp_login' ), 10, 2 );
+
+			// Disable the XML-RPC and REST API for users with two-factor enabled.
+			if ( self::is_api_request() && ! self::is_user_api_login_enabled( $user->ID ) ) {
+				return new WP_Error(
+					'invalid_application_credentials',
+					__( 'Error: API login for user disabled.', 'two-factor' )
+				);
+			}
 		}
 
 		return $user;
@@ -709,7 +715,6 @@ public static function filter_authenticate_block_cookies( $user ) {
 		 * rather than through an unsupported 3rd-party login process which this plugin doesn't support.
 		 */
 		if ( $user instanceof WP_User && self::is_user_using_two_factor( $user->ID ) && did_action( 'login_init' ) ) {
-			add_action( 'wp_login', array( __CLASS__, 'wp_login' ), 10, 2 );
 			add_filter( 'send_auth_cookies', '__return_false', PHP_INT_MAX );
 		}