From afa6a18c5a50b32f878f761dc56e35f0e4141ddb Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 15:18:58 +0200
Subject: [PATCH 01/23] Add a filter to adjust the providers available to each
 user

---
 class-two-factor-core.php | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index b396c60a..91e1b4e3 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -297,6 +297,28 @@ public static function get_providers() {
 		return $providers;
 	}
 
+	/**
+	 * Get providers available for user which may not be enabled or configured.
+	 *
+	 * @see Two_Factor_Core::get_enabled_providers_for_user()
+	 * @see Two_Factor_Core::get_available_providers_for_user()
+	 *
+	 * @param  WP_User|int|null $user User ID.
+	 * @return array List of provider instances indexed by provider key.
+	 */
+	public function get_supported_providers_for_user( $user = null ) {
+		$user = self::fetch_user( $user );
+		$providers = self::get_providers();
+
+		/**
+		 * List of providers available to user which may not be enabled or configured.
+		 *
+		 * @param array       $providers List of available provider instances indexed by provider key.
+		 * @param int|WP_User $user User ID.
+		 */
+		return apply_filters( 'two_factor_providers_for_user', $providers, $user );
+	}
+
 	/**
 	 * Enable the dummy method only during debugging.
 	 *

From eccac72364180c5627d63c15d46294c7a850eba2 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 15:22:43 +0200
Subject: [PATCH 02/23] Use the new helper when getting providers for user

---
 class-two-factor-core.php | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 91e1b4e3..0a09b30c 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -626,7 +626,7 @@ public static function get_primary_provider_for_user( $user = null ) {
 			return null;
 		}
 
-		$providers           = self::get_providers();
+		$providers           = self::get_supported_providers_for_user();
 		$available_providers = self::get_available_providers_for_user( $user );
 
 		// If there's only one available provider, force that to be the primary.
@@ -1826,6 +1826,8 @@ public static function manage_users_custom_column( $output, $column_name, $user_
 	public static function user_two_factor_options( $user ) {
 		$notices = [];
 
+		$providers = self::get_supported_providers_for_user( $user->ID );
+
 		wp_enqueue_style( 'user-edit-2fa', plugins_url( 'user-edit.css', __FILE__ ), array(), TWO_FACTOR_VERSION );
 
 		$enabled_providers = array_keys( self::get_available_providers_for_user( $user ) );
@@ -1872,7 +1874,7 @@ public static function user_two_factor_options( $user ) {
 
 		<table class="form-table two-factor-methods-table" role="presentation">
 			<tbody>
-			<?php foreach ( self::get_providers() as $provider_key => $object ) : ?>
+			<?php foreach ( $providers as $provider_key => $object ) : ?>
 				<tr>
 					<th><?php echo esc_html( $object->get_label() ); ?></th>
 					<td>
@@ -1906,7 +1908,7 @@ public static function user_two_factor_options( $user ) {
 					<td>
 						<select name="<?php echo esc_attr( self::PROVIDER_USER_META_KEY ); ?>">
 							<option value=""><?php echo esc_html( __( 'Default', 'two-factor' ) ); ?></option>
-							<?php foreach ( self::get_providers() as $provider_key => $object ) : ?>
+							<?php foreach ( $providers as $provider_key => $object ) : ?>
 								<option value="<?php echo esc_attr( $provider_key ); ?>" <?php selected( $provider_key, $primary_provider_key ); ?> <?php disabled( ! in_array( $provider_key, $enabled_providers, true ) ); ?>>
 									<?php echo esc_html( $object->get_label() ); ?>
 								</option>
@@ -1942,7 +1944,7 @@ public static function user_two_factor_options( $user ) {
 	 */
 	public static function enable_provider_for_user( $user_id, $new_provider ) {
 		// Ensure the provider is even available.
-		if ( ! array_key_exists( $new_provider, self::get_providers() ) ) {
+		if ( ! array_key_exists( $new_provider, self::get_supported_providers_for_user( $user_id ) ) ) {
 			return false;
 		}
 
@@ -1973,7 +1975,7 @@ public static function enable_provider_for_user( $user_id, $new_provider ) {
 	 */
 	public static function disable_provider_for_user( $user_id, $provider_to_delete ) {
 		// Check if the provider is even enabled.
-		if ( ! array_key_exists( $provider_to_delete, self::get_providers() ) ) {
+		if ( ! array_key_exists( $provider_to_delete, self::get_supported_providers_for_user( $user_id ) ) ) {
 			return false;
 		}
 
@@ -2017,7 +2019,7 @@ public static function user_two_factor_options_update( $user_id ) {
 				return;
 			}
 
-			$providers          = self::get_providers();
+			$providers          = self::get_supported_providers_for_user( $user_id );
 			$enabled_providers  = $_POST[ self::ENABLED_PROVIDERS_USER_META_KEY ];
 			$existing_providers = self::get_enabled_providers_for_user( $user_id );
 

From 6eed739fdd2a3c2c84dc2d0d728694c7d6e22d9a Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 15:30:25 +0200
Subject: [PATCH 03/23] More references

---
 class-two-factor-core.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 0a09b30c..7bdc9301 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -516,7 +516,7 @@ public static function get_enabled_providers_for_user( $user = null ) {
 			return array();
 		}
 
-		$providers         = self::get_providers();
+		$providers         = self::get_supported_providers_for_user();
 		$enabled_providers = get_user_meta( $user->ID, self::ENABLED_PROVIDERS_USER_META_KEY, true );
 		if ( empty( $enabled_providers ) ) {
 			$enabled_providers = array();
@@ -544,12 +544,11 @@ public static function get_available_providers_for_user( $user = null ) {
 			return array();
 		}
 
-		$providers            = self::get_providers();
 		$enabled_providers    = self::get_enabled_providers_for_user( $user );
 		$configured_providers = array();
 
-		foreach ( $providers as $provider_key => $provider ) {
-			if ( in_array( $provider_key, $enabled_providers, true ) && $provider->is_available_for_user( $user ) ) {
+		foreach ( $enabled_providers as $provider_key => $provider ) {
+			if ( $provider->is_available_for_user( $user ) ) {
 				$configured_providers[ $provider_key ] = $provider;
 			}
 		}

From acba8c0f389ec34907bcbc4314d99b26277b9686 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 15:31:35 +0200
Subject: [PATCH 04/23] Better description to differentiate between available,
 enabled and supported providers

---
 class-two-factor-core.php | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 7bdc9301..857ddb34 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -249,9 +249,12 @@ private static function get_providers_classes( $providers ) {
 	}
 
 	/**
-	 * Get all enabled two-factor providers with keys as the original
+	 * Get all registered two-factor providers with keys as the original
 	 * provider class names and the values as the provider class instances.
 	 *
+	 * @see Two_Factor_Core::get_enabled_providers_for_user()
+	 * @see Two_Factor_Core::get_supported_providers_for_user()
+	 *
 	 * @since 0.1-dev
 	 *
 	 * @return array
@@ -505,7 +508,11 @@ public static function fetch_user( $user = null ) {
 	}
 
 	/**
-	 * Get all Two-Factor Auth providers that are enabled for the specified|current user.
+	 * Get two-factor providers that are enabled for the specified (or current) user
+	 * but might not be configured, yet.
+	 *
+	 * @see Two_Factor_Core::get_supported_providers_for_user()
+	 * @see Two_Factor_Core::get_available_providers_for_user()
 	 *
 	 * @param int|WP_User $user Optional. User ID, or WP_User object of the the user. Defaults to current user.
 	 * @return array
@@ -533,7 +540,11 @@ public static function get_enabled_providers_for_user( $user = null ) {
 	}
 
 	/**
-	 * Get all Two-Factor Auth providers that are both enabled and configured for the specified|current user.
+	 * Get all two-factor providers that are both enabled and configured
+	 * for the specified (or current) user.
+	 *
+	 * @see Two_Factor_Core::get_supported_providers_for_user()
+	 * @see Two_Factor_Core::get_enabled_providers_for_user()
 	 *
 	 * @param int|WP_User $user Optional. User ID, or WP_User object of the the user. Defaults to current user.
 	 * @return array

From d2c9ecc871b53e04fc366b45376752fc53b8c64f Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 15:31:52 +0200
Subject: [PATCH 05/23] Move the form into a helper for conditional rendering

---
 class-two-factor-core.php | 49 +++++++++++++++++++++++++--------------
 1 file changed, 32 insertions(+), 17 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 857ddb34..80df4e25 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1841,12 +1841,11 @@ public static function user_two_factor_options( $user ) {
 		wp_enqueue_style( 'user-edit-2fa', plugins_url( 'user-edit.css', __FILE__ ), array(), TWO_FACTOR_VERSION );
 
 		$enabled_providers = array_keys( self::get_available_providers_for_user( $user ) );
-		$primary_provider_key  = self::get_primary_provider_key_selected_for_user( $user );
 
 		// This is specific to the current session, not the displayed user.
 		$show_2fa_options = self::current_user_can_update_two_factor_options();
 
-		if ( ! $show_2fa_options ) {
+		if ( $providers && ! $show_2fa_options ) {
 			$url = add_query_arg(
 				'redirect_to',
 				urlencode( self::get_user_settings_page_url( $user->ID ) . '#two-factor-options' ),
@@ -1860,12 +1859,12 @@ public static function user_two_factor_options( $user ) {
 			);
 		}
 
-		printf(
-			'<fieldset id="two-factor-options" %s>',
-			$show_2fa_options ? '' : 'disabled="disabled"'
-		);
+		if ( empty( $providers ) ) {
+			$notices['notice two-factor-notice-no-providers-supported'] = esc_html__( 'No providers are available for your account.', 'two-factor' );
+		}
 
-		if ( 1 === count( $enabled_providers ) ) {
+		// Suggest enabling a backup method if only method is enabled and there are more available.
+		if ( count( $providers ) > 1 && 1 === count( $enabled_providers ) ) {
 			$notices['warning two-factor-warning-suggest-backup'] = esc_html__( 'To prevent being locked out of your account, consider enabling a backup method like Recovery Codes in case you lose access to your primary authentication method.', 'two-factor' );
 		}
 		?>
@@ -1876,9 +1875,34 @@ public static function user_two_factor_options( $user ) {
 			<p><?php echo wp_kses_post( $notice ); ?></p>
 		</div>
 		<?php endforeach; ?>
+
+		<?php
+		if ( $providers ) {
+			self::render_user_providers_form( $user, $providers );
+		}
+
+		/**
+		 * Fires after the Two Factor methods table.
+		 *
+		 * To be used by Two Factor methods to add settings UI.
+		 *
+		 * @param WP_User $user The user.
+		 * @param array   $providers List of providers available to the user.
+		 *
+		 * @since 0.1-dev
+		 */
+		do_action( 'show_user_security_settings', $user, $providers );
+	}
+
+	private static function render_user_providers_form( $user, $providers ) {
+		$primary_provider_key  = self::get_primary_provider_key_selected_for_user( $user );
+
+		?>
 		<p>
-			<?php  esc_html_e( 'Configure a primary two-factor method along with a backup method, such as Recovery Codes, to avoid being locked out if you lose access to your primary method.', 'two-factor' ); ?>
+			<?php esc_html_e( 'Configure a primary two-factor method along with a backup method, such as Recovery Codes, to avoid being locked out if you lose access to your primary method.', 'two-factor' ); ?>
 		</p>
+
+		<fieldset id="two-factor-options" <?php echo $show_2fa_options ? '' : 'disabled="disabled"'; ?>>
 		<?php wp_nonce_field( 'user_two_factor_options', '_nonce_user_two_factor_options', false ); ?>
 		<input type="hidden" name="<?php echo esc_attr( self::ENABLED_PROVIDERS_USER_META_KEY ); ?>[]" value="<?php /* Dummy input so $_POST value is passed when no providers are enabled. */ ?>" />
 
@@ -1931,15 +1955,6 @@ public static function user_two_factor_options( $user ) {
 		</table>
 		</fieldset>
 		<?php
-
-		/**
-		 * Fires after the Two Factor methods table.
-		 *
-		 * To be used by Two Factor methods to add settings UI.
-		 *
-		 * @since 0.1-dev
-		 */
-		do_action( 'show_user_security_settings', $user );
 	}
 
 	/**

From 1aa2bfca3692a032848edc697ab355b9d315fa10 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 15:38:05 +0200
Subject: [PATCH 06/23] We have the user context so pass it along

---
 class-two-factor-core.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 80df4e25..bedf26f1 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -636,7 +636,7 @@ public static function get_primary_provider_for_user( $user = null ) {
 			return null;
 		}
 
-		$providers           = self::get_supported_providers_for_user();
+		$providers           = self::get_supported_providers_for_user( $user );
 		$available_providers = self::get_available_providers_for_user( $user );
 
 		// If there's only one available provider, force that to be the primary.

From 19938fbec7547b395505d3f728fc22c4dc3aa4c4 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 15:38:22 +0200
Subject: [PATCH 07/23] The static hell is there

---
 class-two-factor-core.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index bedf26f1..1cc1e835 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -309,7 +309,7 @@ public static function get_providers() {
 	 * @param  WP_User|int|null $user User ID.
 	 * @return array List of provider instances indexed by provider key.
 	 */
-	public function get_supported_providers_for_user( $user = null ) {
+	public static function get_supported_providers_for_user( $user = null ) {
 		$user = self::fetch_user( $user );
 		$providers = self::get_providers();
 

From 927408cdd8633c0af6f73ef10bfa24ed582a6e64 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 15:39:29 +0200
Subject: [PATCH 08/23] Enabled providers returns just the keys so we need the
 supported ones to resolve the instances

---
 class-two-factor-core.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 1cc1e835..2ffe97ac 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -547,7 +547,7 @@ public static function get_enabled_providers_for_user( $user = null ) {
 	 * @see Two_Factor_Core::get_enabled_providers_for_user()
 	 *
 	 * @param int|WP_User $user Optional. User ID, or WP_User object of the the user. Defaults to current user.
-	 * @return array
+	 * @return array List of provider instances.
 	 */
 	public static function get_available_providers_for_user( $user = null ) {
 		$user = self::fetch_user( $user );
@@ -555,11 +555,12 @@ public static function get_available_providers_for_user( $user = null ) {
 			return array();
 		}
 
-		$enabled_providers    = self::get_enabled_providers_for_user( $user );
+		$providers = self::get_supported_providers_for_user( $user ); // Returns full objects.
+		$enabled_providers    = self::get_enabled_providers_for_user( $user ); // Returns just the keys.
 		$configured_providers = array();
 
-		foreach ( $enabled_providers as $provider_key => $provider ) {
-			if ( $provider->is_available_for_user( $user ) ) {
+		foreach ( $providers as $provider_key => $provider ) {
+			if ( in_array( $provider_key, $enabled_providers, true ) && $provider->is_available_for_user( $user ) ) {
 				$configured_providers[ $provider_key ] = $provider;
 			}
 		}

From 80d7f984dbb7792466cb77ececbcbcf5193427b5 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 15:56:23 +0200
Subject: [PATCH 09/23] Add a unit test for the new filter

---
 tests/class-two-factor-core.php | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/tests/class-two-factor-core.php b/tests/class-two-factor-core.php
index 992ddc60..268432a5 100644
--- a/tests/class-two-factor-core.php
+++ b/tests/class-two-factor-core.php
@@ -1556,6 +1556,38 @@ public function test_all_sessions_destroyed_when_enabling_2fa_by_admin() {
 		$this->assertCount( 1, $admin_session_manager->get_all(), 'No admin sessions are present first' );
 	}
 
+	public function test_can_filter_registered_providers_for_user() {
+		$user = self::factory()->user->create_and_get();
+
+		$this->assertEquals(
+			Two_Factor_Core::get_providers(),
+			Two_Factor_Core::get_supported_providers_for_user( $user ),
+			'All providers are available by default'
+		);
+
+		add_filter(
+			'two_factor_providers_for_user',
+			function( $providers, $user ) {
+				$this->assertInstanceOf( WP_User::class, $user );
+
+				return array_diff_key( $providers, array( 'Two_Factor_Email' => null ) );
+			},
+			10,
+			2
+		);
+
+		$providers = Two_Factor_Core::get_providers();
+		unset( $providers['Two_Factor_Email'] );
+
+		$this->assertEquals(
+			$providers,
+			Two_Factor_Core::get_supported_providers_for_user( $user ),
+			'Email provider can be disabled for a user'
+		);
+
+		remove_all_filters( 'two_factor_providers_for_user' );
+	}
+
 	/**
 	 * Plugin uninstall removes all user meta.
 	 *

From f801c3a2a76455ff896ce40b73fef74da18d5f25 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 15:59:01 +0200
Subject: [PATCH 10/23] Check for known things instead

---
 tests/class-two-factor-core.php | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/tests/class-two-factor-core.php b/tests/class-two-factor-core.php
index 268432a5..a8ad1816 100644
--- a/tests/class-two-factor-core.php
+++ b/tests/class-two-factor-core.php
@@ -1568,7 +1568,7 @@ public function test_can_filter_registered_providers_for_user() {
 		add_filter(
 			'two_factor_providers_for_user',
 			function( $providers, $user ) {
-				$this->assertInstanceOf( WP_User::class, $user );
+				$this->assertInstanceOf( WP_User::class, $user, 'A user referenced is passed to the filter' );
 
 				return array_diff_key( $providers, array( 'Two_Factor_Email' => null ) );
 			},
@@ -1576,11 +1576,8 @@ function( $providers, $user ) {
 			2
 		);
 
-		$providers = Two_Factor_Core::get_providers();
-		unset( $providers['Two_Factor_Email'] );
-
-		$this->assertEquals(
-			$providers,
+		$this->assertNotContains(
+			'Two_Factor_Email',
 			Two_Factor_Core::get_supported_providers_for_user( $user ),
 			'Email provider can be disabled for a user'
 		);

From c06eff4a6ab1e99a16226d8ed280a018008509ff Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 16:14:17 +0200
Subject: [PATCH 11/23] Pass the missing data

---
 class-two-factor-core.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 2ffe97ac..40fc9b64 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -310,7 +310,7 @@ public static function get_providers() {
 	 * @return array List of provider instances indexed by provider key.
 	 */
 	public static function get_supported_providers_for_user( $user = null ) {
-		$user = self::fetch_user( $user );
+		$user      = self::fetch_user( $user );
 		$providers = self::get_providers();
 
 		/**
@@ -523,7 +523,7 @@ public static function get_enabled_providers_for_user( $user = null ) {
 			return array();
 		}
 
-		$providers         = self::get_supported_providers_for_user();
+		$providers         = self::get_supported_providers_for_user( $user );
 		$enabled_providers = get_user_meta( $user->ID, self::ENABLED_PROVIDERS_USER_META_KEY, true );
 		if ( empty( $enabled_providers ) ) {
 			$enabled_providers = array();
@@ -555,7 +555,7 @@ public static function get_available_providers_for_user( $user = null ) {
 			return array();
 		}
 
-		$providers = self::get_supported_providers_for_user( $user ); // Returns full objects.
+		$providers            = self::get_supported_providers_for_user( $user ); // Returns full objects.
 		$enabled_providers    = self::get_enabled_providers_for_user( $user ); // Returns just the keys.
 		$configured_providers = array();
 
@@ -571,7 +571,7 @@ public static function get_available_providers_for_user( $user = null ) {
 	/**
 	 * Fetch the provider for the request based on the user preferences.
 	 *
-	 * @param int|WP_User $user Optional. User ID, or WP_User object of the the user. Defaults to current user.
+	 * @param int|WP_User        $user Optional. User ID, or WP_User object of the the user. Defaults to current user.
 	 * @param null|string|object $preferred_provider Optional. The name of the provider, the provider, or empty.
 	 * @return null|object The provider
 	 */
@@ -1837,7 +1837,7 @@ public static function manage_users_custom_column( $output, $column_name, $user_
 	public static function user_two_factor_options( $user ) {
 		$notices = [];
 
-		$providers = self::get_supported_providers_for_user( $user->ID );
+		$providers = self::get_supported_providers_for_user( $user );
 
 		wp_enqueue_style( 'user-edit-2fa', plugins_url( 'user-edit.css', __FILE__ ), array(), TWO_FACTOR_VERSION );
 

From a8cd102c0fb13959b85bf6bbff7dce3bc3c14d0d Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 16:15:03 +0200
Subject: [PATCH 12/23] Per linter

---
 class-two-factor-core.php | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 40fc9b64..69675a79 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -589,7 +589,7 @@ public static function get_provider_for_user( $user = null, $preferred_provider
 		// Default to the currently logged in provider.
 		if ( ! $preferred_provider && get_current_user_id() === $user->ID ) {
 			$session = self::get_current_user_session();
-			if ( ! empty( $session['two-factor-provider'] )	) {
+			if ( ! empty( $session['two-factor-provider'] ) ) {
 				$preferred_provider = $session['two-factor-provider'];
 			}
 		}
@@ -1548,10 +1548,12 @@ public static function _login_form_revalidate_2fa( $nonce = '', $provider = '',
 		}
 
 		// Update the session metadata with the revalidation details.
-		self::update_current_user_session( array(
-			'two-factor-provider' => $provider->get_key(),
-			'two-factor-login'    => time(),
-		) );
+		self::update_current_user_session(
+			array(
+				'two-factor-provider' => $provider->get_key(),
+				'two-factor-login'    => time(),
+			) 
+		);
 
 		do_action( 'two_factor_user_revalidated', $user, $provider );
 
@@ -1787,7 +1789,7 @@ public static function show_password_reset_error() {
 			)
 		);
 
-		login_header( __( 'Password Reset', 'two-factor' ), '',  $error );
+		login_header( __( 'Password Reset', 'two-factor' ), '', $error );
 		login_footer();
 	}
 
@@ -1854,9 +1856,9 @@ public static function user_two_factor_options( $user ) {
 			);
 
 			$notices['warning two-factor-warning-revalidate-session'] = sprintf(
-					esc_html__( 'To update your Two-Factor options, you must first revalidate your session.', 'two-factor' ) .
+				esc_html__( 'To update your Two-Factor options, you must first revalidate your session.', 'two-factor' ) .
 					' <a class="button" href="%s">' . esc_html__( 'Revalidate now', 'two-factor' ) . '</a>',
-					esc_url( $url )
+				esc_url( $url )
 			);
 		}
 
@@ -1896,7 +1898,7 @@ public static function user_two_factor_options( $user ) {
 	}
 
 	private static function render_user_providers_form( $user, $providers ) {
-		$primary_provider_key  = self::get_primary_provider_key_selected_for_user( $user );
+		$primary_provider_key = self::get_primary_provider_key_selected_for_user( $user );
 
 		?>
 		<p>
@@ -1939,7 +1941,7 @@ private static function render_user_providers_form( $user, $providers ) {
 		<table class="form-table two-factor-primary-method-table" role="presentation">
 			<tbody>
 				<tr>
-					<th><?php esc_html_e( 'Primary Method', 'two-factor' ) ?></th>
+					<th><?php esc_html_e( 'Primary Method', 'two-factor' ); ?></th>
 					<td>
 						<select name="<?php echo esc_attr( self::PROVIDER_USER_META_KEY ); ?>">
 							<option value=""><?php echo esc_html( __( 'Default', 'two-factor' ) ); ?></option>
@@ -1949,7 +1951,7 @@ private static function render_user_providers_form( $user, $providers ) {
 								</option>
 							<?php endforeach; ?>
 						</select>
-						<p class="description"><?php esc_html_e( 'Select the primary method to use for two-factor authentication when signing into this site.', 'two-factor' ) ?></p>
+						<p class="description"><?php esc_html_e( 'Select the primary method to use for two-factor authentication when signing into this site.', 'two-factor' ); ?></p>
 					</td>
 				</tr>
 			</tbody>

From 6e4f0a6a897091cabf82441b302561a4f3c244ec Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 16:18:17 +0200
Subject: [PATCH 13/23] Document the new filter

---
 readme.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/readme.txt b/readme.txt
index da5700e7..53957dee 100644
--- a/readme.txt
+++ b/readme.txt
@@ -25,6 +25,7 @@ For more history, see [this post](https://georgestephanis.wordpress.com/2013/08/
 Here is a list of action and filter hooks provided by the plugin:
 
 - `two_factor_providers` filter overrides the available two-factor providers such as email and time-based one-time passwords. Array values are PHP classnames of the two-factor providers.
+- `two_factor_providers_for_user` filter overrides the available two-factor providers for a specific user. Array values are instances of provider classes and the user object `WP_User` is available as the second argument.
 - `two_factor_enabled_providers_for_user` filter overrides the list of two-factor providers enabled for a user. First argument is an array of enabled provider classnames as values, the second argument is the user ID.
 - `two_factor_user_authenticated` action which receives the logged in `WP_User` object as the first argument for determining the logged in user right after the authentication workflow.
 - `two_factor_email_token_ttl` filter overrides the time interval in seconds that an email token is considered after generation. Accepts the time in seconds as the first argument and the ID of the `WP_User` object being authenticated.

From e8108592885ad118db3f1d56f7a1801835f7b42c Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 16:36:35 +0200
Subject: [PATCH 14/23] Add the missing data

---
 class-two-factor-core.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 69675a79..62f109ae 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1899,6 +1899,7 @@ public static function user_two_factor_options( $user ) {
 
 	private static function render_user_providers_form( $user, $providers ) {
 		$primary_provider_key = self::get_primary_provider_key_selected_for_user( $user );
+		$enabled_providers = self::get_enabled_providers_for_user( $user );
 
 		?>
 		<p>

From 63323e4a876afe600ad71b5b17a04bf9e26beaff Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 16:36:58 +0200
Subject: [PATCH 15/23] Move the fieldset logic to the caller where we know the
 state

---
 class-two-factor-core.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 62f109ae..c998acae 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1879,11 +1879,15 @@ public static function user_two_factor_options( $user ) {
 		</div>
 		<?php endforeach; ?>
 
+		<fieldset id="two-factor-options" <?php echo $show_2fa_options ? '' : 'disabled="disabled"'; ?>>
 		<?php
 		if ( $providers ) {
 			self::render_user_providers_form( $user, $providers );
 		}
+		?>
+		</fieldset>
 
+		<?php
 		/**
 		 * Fires after the Two Factor methods table.
 		 *
@@ -1906,7 +1910,6 @@ private static function render_user_providers_form( $user, $providers ) {
 			<?php esc_html_e( 'Configure a primary two-factor method along with a backup method, such as Recovery Codes, to avoid being locked out if you lose access to your primary method.', 'two-factor' ); ?>
 		</p>
 
-		<fieldset id="two-factor-options" <?php echo $show_2fa_options ? '' : 'disabled="disabled"'; ?>>
 		<?php wp_nonce_field( 'user_two_factor_options', '_nonce_user_two_factor_options', false ); ?>
 		<input type="hidden" name="<?php echo esc_attr( self::ENABLED_PROVIDERS_USER_META_KEY ); ?>[]" value="<?php /* Dummy input so $_POST value is passed when no providers are enabled. */ ?>" />
 
@@ -1957,7 +1960,6 @@ private static function render_user_providers_form( $user, $providers ) {
 				</tr>
 			</tbody>
 		</table>
-		</fieldset>
 		<?php
 	}
 

From 58e30e0ba5447dbba014df54429bfcd4326370d6 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 16:59:11 +0200
Subject: [PATCH 16/23] Add a helper to check if the method is supported for
 the user

---
 providers/class-two-factor-provider.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/providers/class-two-factor-provider.php b/providers/class-two-factor-provider.php
index 0e82dd67..6f494c3d 100644
--- a/providers/class-two-factor-provider.php
+++ b/providers/class-two-factor-provider.php
@@ -123,6 +123,19 @@ abstract public function validate_authentication( $user );
 	 */
 	abstract public function is_available_for_user( $user );
 
+	/**
+	 * If this provider should be available for the user.
+	 *
+	 * @param WP_User|int $user WP_User object, user ID or null to resolve the current user.
+	 *
+	 * @return bool
+	 */
+	public static function is_supported_for_user( $user = null ) {
+		$providers = Two_Factor_Core::get_supported_providers_for_user( $user );
+
+		return isset( $providers[ self::class ] );
+	}
+
 	/**
 	 * Generate a random eight-digit string to send out as an auth code.
 	 *

From 966285fbc3dd61ae80f8ad28a4bdcaf48190af1f Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 16:59:38 +0200
Subject: [PATCH 17/23] =?UTF-8?q?Don=E2=80=99t=20show=20the=20settings=20i?=
 =?UTF-8?q?f=20the=20method=20is=20not=20supported=20for=20the=20user?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 providers/class-two-factor-fido-u2f-admin.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/providers/class-two-factor-fido-u2f-admin.php b/providers/class-two-factor-fido-u2f-admin.php
index d5412089..1869ab8b 100644
--- a/providers/class-two-factor-fido-u2f-admin.php
+++ b/providers/class-two-factor-fido-u2f-admin.php
@@ -164,6 +164,10 @@ protected static function asset_version() {
 	 * @param WP_User $user WP_User object of the logged-in user.
 	 */
 	public static function show_user_profile( $user ) {
+		if ( ! Two_Factor_FIDO_U2F::is_supported_for_user( $user ) ) {
+			return;
+		}
+
 		wp_nonce_field( "user_security_keys-{$user->ID}", '_nonce_user_security_keys' );
 		$new_key = false;
 

From b7d593be895d7bdaf14c22d0a8c41806fe919caa Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 17:01:44 +0200
Subject: [PATCH 18/23] Per linter

---
 class-two-factor-core.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index c998acae..6ccd1dff 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1552,7 +1552,7 @@ public static function _login_form_revalidate_2fa( $nonce = '', $provider = '',
 			array(
 				'two-factor-provider' => $provider->get_key(),
 				'two-factor-login'    => time(),
-			) 
+			)
 		);
 
 		do_action( 'two_factor_user_revalidated', $user, $provider );

From 2bb236f669f1e9655ee898174b0a49cc64e7283c Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 17:05:37 +0200
Subject: [PATCH 19/23] Reference the sub-class instead

---
 providers/class-two-factor-provider.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/providers/class-two-factor-provider.php b/providers/class-two-factor-provider.php
index 6f494c3d..b780c4a7 100644
--- a/providers/class-two-factor-provider.php
+++ b/providers/class-two-factor-provider.php
@@ -133,7 +133,7 @@ abstract public function is_available_for_user( $user );
 	public static function is_supported_for_user( $user = null ) {
 		$providers = Two_Factor_Core::get_supported_providers_for_user( $user );
 
-		return isset( $providers[ self::class ] );
+		return isset( $providers[ static::class ] );
 	}
 
 	/**

From 5422ba14c81fc6738627090f228843f59858aa37 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 17:09:05 +0200
Subject: [PATCH 20/23] Keep together similar tests

---
 tests/class-two-factor-core.php | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/tests/class-two-factor-core.php b/tests/class-two-factor-core.php
index a8ad1816..c7ebe8e5 100644
--- a/tests/class-two-factor-core.php
+++ b/tests/class-two-factor-core.php
@@ -1585,6 +1585,21 @@ function( $providers, $user ) {
 		remove_all_filters( 'two_factor_providers_for_user' );
 	}
 
+	public function test_can_disable_default_providers() {
+		$this->assertContains( 'Two_Factor_Email', array_keys( Two_Factor_Core::get_providers() ), 'Email provider is enabled by default' );
+
+		add_filter(
+			'two_factor_providers',
+			function ( $providers ) {
+				return array_diff_key( $providers, array( 'Two_Factor_Email' => null ) );
+			}
+		);
+
+		$this->assertNotContains( 'Two_Factor_Email', array_keys( Two_Factor_Core::get_providers() ), 'Default provider can be disabled via a filter' );
+
+		remove_all_filters( 'two_factor_providers' );
+	}
+
 	/**
 	 * Plugin uninstall removes all user meta.
 	 *
@@ -1611,21 +1626,6 @@ public function test_uninstall_removes_user_meta() {
 		);
 	}
 
-	public function test_can_disable_default_providers() {
-		$this->assertContains( 'Two_Factor_Email', array_keys( Two_Factor_Core::get_providers() ), 'Email provider is enabled by default' );
-
-		add_filter(
-			'two_factor_providers',
-			function ( $providers ) {
-				return array_diff_key( $providers, array( 'Two_Factor_Email' => null ) );
-			}
-		);
-
-		$this->assertNotContains( 'Two_Factor_Email', array_keys( Two_Factor_Core::get_providers() ), 'Default provider can be disabled via a filter' );
-
-		remove_all_filters( 'two_factor_providers' );
-	}
-
 	/**
 	 * Plugin uninstall removes all user meta even for disabled providers.
 	 *

From 5f7783dca758669443f1fc3e93d50c3bfd9660da Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 17:16:05 +0200
Subject: [PATCH 21/23] Test the new provider resolver

---
 tests/class-two-factor-core.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/tests/class-two-factor-core.php b/tests/class-two-factor-core.php
index c7ebe8e5..e8303086 100644
--- a/tests/class-two-factor-core.php
+++ b/tests/class-two-factor-core.php
@@ -1586,7 +1586,13 @@ function( $providers, $user ) {
 	}
 
 	public function test_can_disable_default_providers() {
-		$this->assertContains( 'Two_Factor_Email', array_keys( Two_Factor_Core::get_providers() ), 'Email provider is enabled by default' );
+		$user = self::factory()->user->create_and_get();
+		$providers = Two_Factor_Core::get_providers();
+		$default_provider = current( $providers );
+
+		$this->assertContains( 'Two_Factor_Email', array_keys( $providers ), 'Email provider is enabled by default' );
+
+		$this->assertTrue( $default_provider::is_supported_for_user( $user ), 'Available provider is supported by default' );
 
 		add_filter(
 			'two_factor_providers',
@@ -1597,6 +1603,8 @@ function ( $providers ) {
 
 		$this->assertNotContains( 'Two_Factor_Email', array_keys( Two_Factor_Core::get_providers() ), 'Default provider can be disabled via a filter' );
 
+		$this->assertFalse( $default_provider::is_supported_for_user( $user ), 'Disabled provider is not supported for user' );
+
 		remove_all_filters( 'two_factor_providers' );
 	}
 

From aa8cfda4599e48d12b59008de50f7e91fa6d57b2 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 17:19:54 +0200
Subject: [PATCH 22/23] Test the filter impact to the new helper

---
 tests/class-two-factor-core.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tests/class-two-factor-core.php b/tests/class-two-factor-core.php
index e8303086..0a114b26 100644
--- a/tests/class-two-factor-core.php
+++ b/tests/class-two-factor-core.php
@@ -1558,13 +1558,16 @@ public function test_all_sessions_destroyed_when_enabling_2fa_by_admin() {
 
 	public function test_can_filter_registered_providers_for_user() {
 		$user = self::factory()->user->create_and_get();
+		$providers = Two_Factor_Core::get_providers();
 
 		$this->assertEquals(
-			Two_Factor_Core::get_providers(),
+			$providers,
 			Two_Factor_Core::get_supported_providers_for_user( $user ),
 			'All providers are available by default'
 		);
 
+		$this->assertTrue( $providers['Two_Factor_Email']::is_supported_for_user( $user ), 'Email provider is supported by default' );
+
 		add_filter(
 			'two_factor_providers_for_user',
 			function( $providers, $user ) {
@@ -1582,6 +1585,8 @@ function( $providers, $user ) {
 			'Email provider can be disabled for a user'
 		);
 
+		$this->assertFalse( $providers['Two_Factor_Email']::is_supported_for_user( $user ), 'Email provider is disabled if not supported' );
+
 		remove_all_filters( 'two_factor_providers_for_user' );
 	}
 

From b2b605e635edfe3d349e05b8b6ab8ba3290de516 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Fri, 14 Feb 2025 17:24:23 +0200
Subject: [PATCH 23/23] This is for the current session and not the user edited

---
 class-two-factor-core.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 6ccd1dff..12ae6895 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1848,7 +1848,7 @@ public static function user_two_factor_options( $user ) {
 		// This is specific to the current session, not the displayed user.
 		$show_2fa_options = self::current_user_can_update_two_factor_options();
 
-		if ( $providers && ! $show_2fa_options ) {
+		if ( ! $show_2fa_options ) {
 			$url = add_query_arg(
 				'redirect_to',
 				urlencode( self::get_user_settings_page_url( $user->ID ) . '#two-factor-options' ),