
Changeset 13937


Timestamp:
07/31/2024 05:06:46 AM (7 weeks ago)
Author:
dd32
Message:

Login: Only nag users to setup 2FA every week, not every login.

This only applies to users for whom 2FA is optional but encouraged.

See https://github.com/WordPress/wporg-two-factor/pull/288

Location:
sites/trunk
Files:
2 edited

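--- a/sites/trunk/common/includes/wporg-sso/wp-plugin.php
+++ b/sites/trunk/common/includes/wporg-sso/wp-plugin.php
@@ -1,4 +1,4 @@
 <?php
-use function WordPressdotorg\Two_Factor\user_should_2fa;
+use function WordPressdotorg\Two_Factor\{ user_should_2fa, user_requires_2fa };
 
 /**
@@ -822,17 +822,32 @@
         public function maybe_redirect_to_enable_2fa( $redirect, $orig_redirect, $user ) {
             if (
-                ! str_contains( $redirect, '/enable-2fa' ) &&
-                ! is_wp_error( $user ) &&
-                user_should_2fa( $user ) &&
-                ! Two_Factor_Core::is_user_using_two_factor( $user->ID )
+                // No valid user.
+                is_wp_error( $user ) ||
+                // Or we're already going there.
+                str_contains( $redirect, '/enable-2fa' ) ||
+                // Or if the user doesn't need 2FA.
+                ! user_should_2fa( $user ) ||
+                // Or the user is already using 2FA.
+                Two_Factor_Core::is_user_using_two_factor( $user->ID )
             ) {
-                $redirect = add_query_arg(
-                    'redirect_to',
-                    urlencode( $redirect ),
-                    home_url( '/enable-2fa' )
-                );
-            }
-
-            return $redirect;
+                // Then we don't need to redirect to the enable 2FA page.
+                return $redirect;
+            }
+
+            // If the user doesn't REQUIRE 2FA, only nag ever so often.
+            if ( ! user_requires_2fa( $user ) ) {
+                $nag_interval = WEEK_IN_SECONDS;
+                $last_nagged  = (int) get_user_meta( $user->ID, 'last_2fa_nag', true );
+                if ( $last_nagged && $last_nagged > ( time() - $nag_interval ) ) {
+                    return $redirect;
+                }
+            }
+
+            // Redirect to the Enable 2FA nag.
+            return add_query_arg(
+                'redirect_to',
+                urlencode( $redirect ),
+                home_url( '/enable-2fa' )
+            );
         }
 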
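Review bot: The nag suppression at new line 841 trusts whatever is stored in `last_2fa_nag`; a value in the future (clock skew between web nodes, or a bad write) satisfies `$last_nagged > ( time() - $nag_interval )` for as long as it stays ahead of the clock, silencing the nag indefinitely rather than for a week. Clamping the stored value bounds the damage to one interval: `$last_nagged = min( time(), (int) get_user_meta( $user->ID, 'last_2fa_nag', true ) );`. Separately, the kept `str_contains( $redirect, '/enable-2fa' )` guard at line 827 matches the substring anywhere in the URL, so a `redirect_to` that merely mentions `/enable-2fa` in its query string skips the redirect even for users `user_requires_2fa()` would flag; if this redirect is relied on as enforcement rather than a nag, compare the URL path instead of a substring. The hard-coded `WEEK_IN_SECONDS` could also go through a filter so the interval can be tuned without a deploy.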
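--- a/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/enable-2fa.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/enable-2fa.php
@@ -11,4 +11,11 @@
 $should_2fa   = user_should_2fa( $user ); // If they're on this page, this should be truthful.
 $redirect_to  = wp_validate_redirect( wp_unslash( $_REQUEST['redirect_to'] ?? '' ), wporg_login_wordpress_url() );
+
+/*
+ * Record the last time we naged the user about 2FA.
+ * See WPORG_SSO::maybe_redirect_to_enable_2fa().
+ * Note, this isn't in the above function, incase the redirect ultimately filtered to elsewhere.
+ */
+update_user_meta( $user->ID, 'last_2fa_nag', time() );
 
 get_header();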
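Review bot: The new comment block at lines 14-18 has two typos in a note people will read to understand the nag logic: `naged` should be `nagged` and `incase` should be `in case`, giving ` * Record the last time we nagged the user about 2FA.` and ` * Note, this isn't in the above function, in case the redirect is ultimately filtered elsewhere.`. The `update_user_meta()` call on line 19 runs on every render of the template, so a user who opens the page directly, or who does require 2FA and is never consulted against this meta, also has the week-long window written; that looks intentional given the comment, but saying so in the comment would save the next reader from checking. `$user` is assigned above this hunk, so whether it is always a valid WP_User at this point cannot be confirmed from here.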