Skip to content

Fix #300: support for application passwords#697

Merged
kasparsd merged 1 commit intoWordPress:masterfrom
joostdekeijzer:issue-300
Jul 3, 2025
Merged

Fix #300: support for application passwords#697
kasparsd merged 1 commit intoWordPress:masterfrom
joostdekeijzer:issue-300

Conversation

@joostdekeijzer
Copy link
Contributor

@joostdekeijzer joostdekeijzer commented Jul 3, 2025

Suggested fix for issue #300

What?

Proposed fix for #300: when a user is authenticated using an application password no 2factor is needed.

Why?

Re #300

How?

Depending of if the application_password_did_authenticate action has run the plugin now passes TRUE (did run) or FALSE (did not run) through the two_factor_user_api_login_enable filter in the is_user_api_login_enabled function.

Testing Instructions

  1. Install the WordPress app on your device
  2. Create an application password and login with your WordPress app

If you succeed my PR works, if you can't login my PR does not work.

Screenshots or screencast

Changelog Entry

Added - New feature.
Changed - Existing functionality.
Deprecated - Soon-to-be removed feature.
Removed - Feature.
Fixed - Bug fix.
Security - Vulnerability.

Fixed #300
Added application passwords support.
@joostdekeijzer
Copy link
Contributor Author

joostdekeijzer commented Jul 3, 2025

My PR may be too crude.

An alternative way is to add a new filter for the application_password_did_authenticate action in which based on the $user attriubte in that action I can do a more selective test on the $user_id in the two_factor_user_api_login_enable filter.
@kasparsd
Copy link
Collaborator

kasparsd commented Jul 3, 2025

Thanks for the pull request!

The goal of #300 is to make the two-factor plugin more vocal about Application Password and XML-RPC logins being blocked by default. I believe we don't want to enable API logins by default. Primarily because XML-RPC logins allow standard user passwords for auth.

So the solution could be adding a notice to the user profiles near the Application Passwords section. Something like:

The Two Factor plugin currently prevents logins with application passwords. See this documentation for how to adjust that.

In addition, we could also add a checkbox to the two-factor settings that allows enabling application passwords for that particular user. The option would be hidden if the two_factor_user_api_login_enable was already allowing API logins.
kasparsd
kasparsd approved these changes Jul 3, 2025
View reviewed changes
Copy link
Collaborator

@kasparsd kasparsd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've been thinking about this some more and I believe this plugin should match the behaviour of most other application (including Gmail and GitHub) where application passwords are allowed to bypass the second factor.

This will also enable XML-RPC logins as long as an application password was used.
class-two-factor-core.php
*/
public static function is_user_api_login_enabled( $user_id ) {
return (bool) apply_filters( 'two_factor_user_api_login_enable', false, $user_id );
return (bool) apply_filters( 'two_factor_user_api_login_enable', (bool) did_action( 'application_password_did_authenticate' ), $user_id );
Copy link
Collaborator

@kasparsd kasparsd Jul 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good action to use, I believe. It fires right after a successful application passwords login.
Copy link
Contributor Author

@joostdekeijzer joostdekeijzer Jul 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, as said it does not check the user, but I in the flow of things that should not be an issue.
@kasparsd kasparsd merged commit f168305 into WordPress:master Jul 3, 2025
49 of 54 checks passed
@kasparsd kasparsd mentioned this pull request Jul 3, 2025
Merged
@jeffpaul jeffpaul added this to the 0.14.0 milestone Jul 3, 2025
@kasparsd kasparsd mentioned this pull request Jul 3, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

3 participants

@joostdekeijzer @kasparsd @jeffpaul