/**
* Filter the user to authenticate.
*
* @since 0.1-dev
*
* @access public
* @static
*
* @param WP_User $input_user User to authenticate.
* @param string $username User login.
* @param string $password User password.
*/
public static function authenticate( $input_user, $username, $password ) {
$api_request = ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST );
if ( ! apply_filters( 'application_password_is_api_request', $api_request ) ) {
return $input_user;
}
$user = get_user_by( 'login', $username );
// If the login name is invalid, short circuit.
if ( ! $user ) {
return $input_user;
}
/*
* Strip out anything non-alphanumeric. This is so passwords can be used with
* or without spaces to indicate the groupings for readability.
*/
$password = preg_replace( '/[^a-z\d]/i', '', $password );
$hashed_passwords = get_user_meta( $user->ID, self::USERMETA_KEY_APPLICATION_PASSWORDS, true );
foreach ( $hashed_passwords as $key => $item ) {
if ( wp_check_password( $password, $item['password'], $user->ID ) ) {
$item['last_used'] = time();
$item['last_ip'] = $_SERVER['REMOTE_ADDR'];
$hashed_passwords[ $key ] = $item;
update_user_meta( $user->ID, self::USERMETA_KEY_APPLICATION_PASSWORDS, $hashed_passwords );
return $user;
}
}
// If the user uses two factor and no valid API credentials were used, return an error
if ( Two_Factor_Core::is_user_using_two_factor( $user->ID ) ) {
return new WP_Error( 'invalid_application_credentials', __( '<strong>ERROR</strong>: Invalid API credentials provided.' ) );
}
// By default, return what we've been passed.
return $input_user;
}
/**
* @covers Two_Factor_Core::is_user_using_two_factor
*/
public function test_is_user_using_two_factor_not_logged_in()
{
$this->assertFalse(Two_Factor_Core::is_user_using_two_factor());
}
