From e7f1ad68c7f4e14db436774df2872f027c6bf1f5 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis
Date: Fri, 10 Jan 2025 10:34:20 +0200
Subject: [PATCH] Revert "Move to the generic authenticate filter since there we reliably know the user state"

This reverts commit 0e1b2446f44bba2b932b3379cfc5bd131d388b69.
---
 class-two-factor-core.php | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index eed2daeb..a411e128 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -682,17 +682,11 @@ public static function destroy_current_session_for_user( $user ) {
 * @return WP_User|WP_Error
 */
 public static function filter_authenticate( $user ) {
- if ( $user instanceof WP_User && self::is_user_using_two_factor( $user->ID ) ) {
- // Trigger the second-factor flow if the password was correct.
- add_action( 'wp_login', array( __CLASS__, 'wp_login' ), 10, 2 );
-
- // Disable the XML-RPC and REST API for users with two-factor enabled.
- if ( self::is_api_request() && ! self::is_user_api_login_enabled( $user->ID ) ) {
- return new WP_Error(
- 'invalid_application_credentials',
- __( 'Error: API login for user disabled.', 'two-factor' )
- );
- }
+ if ( $user instanceof WP_User && self::is_api_request() && self::is_user_using_two_factor( $user->ID ) && ! self::is_user_api_login_enabled( $user->ID ) ) {
+ return new WP_Error(
+ 'invalid_application_credentials',
+ __( 'Error: API login for user disabled.', 'two-factor' )
+ );
 }
 
 return $user;
@@ -715,6 +709,7 @@ public static function filter_authenticate_block_cookies( $user ) {
 * rather than through an unsupported 3rd-party login process which this plugin doesn't support.
 */
 if ( $user instanceof WP_User && self::is_user_using_two_factor( $user->ID ) && did_action( 'login_init' ) ) {
+ add_action( 'wp_login', array( __CLASS__, 'wp_login' ), 10, 2 );
 add_filter( 'send_auth_cookies', '__return_false', PHP_INT_MAX );
 }
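Review bot: The `WP_Error` in `filter_authenticate` is returned only when `$user` is already a `WP_User`, so its distinct code `invalid_application_credentials` and message can tell an API caller that the submitted credentials were accepted. This assumes the filter runs after the credential checks; its registration and priority are outside the hunk. If so, the response differs from a wrong-password failure and can serve as a password-validity signal on XML-RPC/REST for two-factor accounts. I would either return the same generic failure those endpoints give for bad credentials, or document the trade-off above the condition, e.g. `// Reached only after credentials were accepted; this error is distinguishable from a bad-password response, so rate limiting must cover API logins.` The docblock for this method starts outside the hunk.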
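Review bot: Registering the `wp_login` handler inside the `did_action( 'login_init' )` branch of `filter_authenticate_block_cookies` ties both the second-factor prompt and the `send_auth_cookies` block to logins that fire `login_init`. As far as the hunk shows, a two-factor user authenticated through any other caller leaves this branch with neither in place; whether another registration of `wp_login` exists elsewhere is not visible here. The existing comment calls those flows unsupported but does not say they complete without a second factor, so I would state that explicitly, e.g. `// Logins that never fire login_init are not challenged for a second factor and keep their auth cookies.` A regression test that pins the intended behaviour for a non-`login_init` sign-on would make this revert safer to keep. The function body starts and ends outside the hunk.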