Changeset 14070

Timestamp:

09/23/2024 07:25:15 AM (15 months ago)

Author:

dd32

Message:

Login: Lower the enable-2fa nag interval to 2 days, and set login sessions to a maximum of 2 days until they do so.

See ​https://make.wordpress.org/plugins/2024/09/04/upcoming-security-changes-for-plugin-and-theme-authors-on-wordpress-org/

File:

• sites/trunk/common/includes/wporg-sso/wp-plugin.php (modified) (3 diffs)

sites/trunk/common/includes/wporg-sso/wp-plugin.php

@@ -90 +90 @@
                 add_action( 'profile_update', array( $this, 'record_last_password_change' ), 10, 3 );
                 add_action( 'wp_set_password', array( $this, 'record_last_password_change_reset' ), 10, 3 );
+
+                add_filter( 'auth_cookie_expiration', array( $this, 'auth_cookie_expiration' ), 10, 2 );
 
                 add_action( 'login_form_logout', array( $this, 'login_form_logout' ) );
@@ -843 +845 @@
 
         /**
+         * Shorten the session timeout for users who haven't setup 2FA.
+         *
+         * Acts as if the user didn't check the remember-me box.
+         */
+        public function auth_cookie_expiration( $expiration, $user_id ) {
+            $user = get_user_by( 'id', $user_id );
+
+            if ( $user && user_should_2fa( $user ) && ! Two_Factor_Core::is_user_using_two_factor( $user_id ) ) {
+                $expiration = min( $expiration, 2 * DAY_IN_SECONDS );
+            }
+
+            return $expiration;
+        }
+
+        /**
          * Redirects the user to a "please enable 2fa" page after login.
          */
@@ -862 +879 @@
             // If the user doesn't REQUIRE 2FA, only nag ever so often.
             if ( ! user_requires_2fa( $user ) ) {
-                $nag_interval = WEEK_IN_SECONDS;
+                $nag_interval = 2 * DAY_IN_SECONDS;
                 $last_nagged  = (int) get_user_meta( $user->ID, 'last_2fa_nag', true );
                 if ( $last_nagged && $last_nagged > ( time() - $nag_interval ) ) {