
Fix #300: support for application passwords #697


Merged
merged 1 commit into from
Jul 3, 2025

Conversation

joostdekeijzer
Contributor

Suggested fix for issue #300

What?

Proposed fix for #300: when a user is authenticated using an application password, no second factor is needed.

Why?

Re #300

How?

Depending on whether the application_password_did_authenticate action has run, the plugin now passes TRUE (did run) or FALSE (did not run) through the two_factor_user_api_login_enable filter in the is_user_api_login_enabled function.

Testing Instructions

  1. Install the WordPress app on your device
  2. Create an application password and login with your WordPress app

If you succeed, my PR works; if you can't log in, my PR does not work.

Changelog Entry

Fixed #300
Added application passwords support.

@joostdekeijzer
Contributor Author

My PR may be too crude.

An alternative way is to add a new filter for the application_password_did_authenticate action in which, based on the $user attribute in that action, I can do a more selective test on the $user_id in the two_factor_user_api_login_enable filter.
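The user-scoped alternative described in the comment above, written out as an added example that is not the plugin's own code. It assumes the two hooks named in this PR: WordPress core fires application_password_did_authenticate with the authenticated WP_User as its first argument, and the plugin passes ($enabled, $user_id) through two_factor_user_api_login_enable. Instead of a request-global did_action() flag, the bypass applies only to the user the application password actually authenticated.

```php
<?php
// Added example, not the Two Factor plugin's code. Assumes the hooks as described in the PR:
//   do_action( 'application_password_did_authenticate', $user, $item )   (WordPress core)
//   apply_filters( 'two_factor_user_api_login_enable', $enabled, $user_id ) (the plugin)

final class Two_Factor_App_Password_Scope {

    /** ID of the user that an application password authenticated in this request, 0 if none. */
    private static $authenticated_user_id = 0;

    public static function register() {
        add_action( 'application_password_did_authenticate', array( __CLASS__, 'remember_user' ), 10, 1 );
        add_filter( 'two_factor_user_api_login_enable', array( __CLASS__, 'allow_for_authenticated_user' ), 10, 2 );
    }

    /**
     * Record which user the application password authenticated, rather than only
     * the fact that some application-password login happened in this request.
     *
     * @param WP_User $user User passed by core after a successful application password login.
     */
    public static function remember_user( $user ) {
        if ( $user instanceof WP_User ) {
            self::$authenticated_user_id = (int) $user->ID;
        }
    }

    /**
     * Allow the API login only when the user being checked is the one that just
     * authenticated with an application password; otherwise keep the prior value
     * (false by default, or whatever an earlier filter callback decided).
     *
     * @param bool $enabled Current filter value.
     * @param int  $user_id User being checked by is_user_api_login_enabled().
     * @return bool
     */
    public static function allow_for_authenticated_user( $enabled, $user_id ) {
        if ( self::$authenticated_user_id > 0 && (int) $user_id === self::$authenticated_user_id ) {
            return true;
        }
        return (bool) $enabled;
    }
}

Two_Factor_App_Password_Scope::register();
```

With this in place, is_user_api_login_enabled() can keep its original `false` default and the decision stays tied to the specific user id it is asked about.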

@kasparsd
Collaborator

kasparsd commented Jul 3, 2025

Thanks for the pull request!

The goal of #300 is to make the two-factor plugin more vocal about Application Password and XML-RPC logins being blocked by default. I believe we don't want to enable API logins by default. Primarily because XML-RPC logins allow standard user passwords for auth.

So the solution could be adding a notice to the user profiles near the Application Passwords section. Something like:

The Two Factor plugin currently prevents logins with application passwords. See this documentation for how to adjust that.

In addition, we could also add a checkbox to the two-factor settings that allows enabling application passwords for that particular user. The option would be hidden if the two_factor_user_api_login_enable was already allowing API logins.


@kasparsd kasparsd left a comment


I've been thinking about this some more and I believe this plugin should match the behaviour of most other applications (including Gmail and GitHub) where application passwords are allowed to bypass the second factor.

This will also enable XML-RPC logins as long as an application password was used.

@@ -776,7 +776,7 @@ public static function filter_authenticate_block_cookies( $user ) {
* @return boolean
*/
public static function is_user_api_login_enabled( $user_id ) {
return (bool) apply_filters( 'two_factor_user_api_login_enable', false, $user_id );
return (bool) apply_filters( 'two_factor_user_api_login_enable', (bool) did_action( 'application_password_did_authenticate' ), $user_id );
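Review bot: the new default `(bool) did_action( 'application_password_did_authenticate' )` is request-global and never consults `$user_id`, so once any application-password login has fired in the request, `is_user_api_login_enabled()` returns true for every user id it is asked about, not just the user that authenticated. The author's own alternative addresses this: hook the action, record `$user->ID`, and compare it with `$user_id` here. Also, the filter's `$enabled` argument changes from a constant `false` to a request-dependent value, which existing callbacks on `two_factor_user_api_login_enable` may not expect; the docblock above (`@return boolean`) should say under which condition the default is now true.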
Collaborator

This is a good action to use, I believe. It fires right after a successful application passwords login.

Contributor Author

Yes, as said, it does not check the user, but in the flow of things that should not be an issue.

@kasparsd kasparsd merged commit f168305 into WordPress:master Jul 3, 2025
49 of 54 checks passed
@jeffpaul jeffpaul added this to the 0.14.0 milestone Jul 3, 2025
@kasparsd kasparsd mentioned this pull request Jul 3, 2025

Successfully merging this pull request may close these issues.

Link to Application Passwords