/**
 * Re-issue the Duo cookie for the account identified by $user_id.
 *
 * Does nothing unless a function named duo_set_cookie() is defined. When it is,
 * the current Duo cookie is cleared and a new one is set for a WP_User built
 * from $user_id. No second-factor prompt happens in this function, so the
 * caller is the only place where the right to act as that account can be
 * checked.
 *
 * NOTE(review): only duo_set_cookie() is probed; duo_unset_cookie() is assumed
 * to be defined alongside it — confirm. $user_id is not validated here, so the
 * WP_User handed to duo_set_cookie() may not correspond to an existing account.
 *
 * @param int|string $user_id Passed as the first argument to the WP_User
 *                            constructor; presumably a numeric user ID — confirm.
 * @return void
 */
function user_switching_duo_set_cookie($user_id)
{
    // Without the Duo cookie helper there is nothing to refresh.
    if (!function_exists('duo_set_cookie')) {
        return;
    }

    // Drop the existing cookie first, then issue one for the target account.
    duo_unset_cookie();
    $target_account = new WP_User($user_id);
    duo_set_cookie($target_account);
}
コード例 #2
/**
 * Login callback that adds a Duo second factor to WordPress authentication.
 *
 * Written for the WordPress 'authenticate' hook (the registration itself is not
 * visible here). Three paths exist:
 *  - a WP_User already produced by an earlier callback is returned untouched;
 *  - a POST carrying 'sig_response' is treated as the second-factor reply and is
 *    accepted or rejected purely on what Duo::verifyResponse() returns;
 *  - otherwise a non-empty $username triggers primary (password) authentication
 *    and, on success, hands over to duo_start_second_factor().
 *
 * A bare `return;` yields null, which leaves the login decision to whatever
 * callbacks run after this one.
 *
 * @param mixed  $user     Result of earlier callbacks (WP_User, WP_Error or empty).
 * @param string $username Login name submitted with the request.
 * @param string $password Password submitted with the request.
 * @return WP_User|WP_Error|null WP_User when one was passed in or the second factor
 *                               verified; the non-WP_User result of the password check
 *                               or a WP_Error for a failed second factor; null otherwise.
 */
function duo_authenticate_user($user = "", $username = "", $password = "")
{
    // play nicely with other plugins if they have higher priority than us:
    // a user object that is already resolved is passed through without a Duo check here
    if (is_a($user, 'WP_User')) {
        return $user;
    }
    // With Duo switched off this callback steps aside (null), so the login continues
    // with no second factor.
    if (!duo_auth_enabled()) {
        duo_debug_log('Duo not enabled, skipping 2FA.');
        return;
    }
    if (isset($_POST['sig_response'])) {
        // secondary auth
        // The password is not looked at again in this branch: the login decision rests
        // entirely on Duo::verifyResponse() and on the ikey/skey/akey values staying secret.
        // The core password callback is unhooked for the rest of this request —
        // presumably because this POST carries no password; confirm.
        remove_action('authenticate', 'wp_authenticate_username_password', 20);
        $akey = duo_get_akey();
        $duo_time = duo_get_time();
        // The raw POST value is handed to the verifier; $username is overwritten with
        // its result, so the identity comes from the signed response, not from the form.
        $username = Duo::verifyResponse(duo_get_option('duo_ikey'), duo_get_option('duo_skey'), $akey, $_POST['sig_response'], $duo_time);
        if ($username) {
            // Don't use get_user_by(). It doesn't return a WP_User object if wordpress version < 3.3
            // NOTE(review): the object is returned as the authenticated user without
            // checking that it maps to an existing account (e.g. its ID) — confirm
            // what happens if the account was removed between the two factors.
            $user = new WP_User(0, $username);
            duo_set_cookie($user);
            duo_debug_log("Second factor successful for user: {$username}");
            return $user;
        } else {
            // Fail closed: any falsy verifier result ends the chain with an error.
            $user = new WP_Error('Duo authentication_failed', __('<strong>ERROR</strong>: Failed or expired two factor authentication'));
            return $user;
        }
    }
    if (strlen($username) > 0) {
        // primary auth
        // Don't use get_user_by(). It doesn't return a WP_User object if wordpress version < 3.3
        $user = new WP_User(0, $username);
        // NOTE(review): `new` always yields an object, which PHP treats as truthy, so
        // this branch cannot run and an unknown login name is not detected here.
        // Before making the check effective, decide whether a name that does not
        // resolve should return null (later callbacks decide) or an error.
        if (!$user) {
            error_log("Failed to retrieve WP user {$username}");
            return;
        }
        // Role-based exemption: evaluated on the submitted name before the password is
        // checked. Returning null leaves the password check to later callbacks and
        // skips the second factor.
        // NOTE(review): $username is request-supplied and goes into the log message
        // as-is; strip control characters if log integrity matters.
        if (!duo_role_require_mfa($user)) {
            duo_debug_log("Skipping 2FA for user: {$username} with roles: " . print_r($user->roles, true));
            return;
        }
        // Unhook the core password callback and run it directly instead, so its
        // result can be inspected before the second factor starts.
        remove_action('authenticate', 'wp_authenticate_username_password', 20);
        $user = wp_authenticate_username_password(NULL, $username, $password);
        if (!is_a($user, 'WP_User')) {
            // on error, return said error (and skip the remaining plugin chain)
            return $user;
        } else {
            duo_debug_log("Primary auth succeeded, starting second factor for {$username}");
            // NOTE(review): presumably renders the Duo prompt and ends the request —
            // confirm. If it returns, execution falls through to the final log line
            // and null is returned with the core password callback already removed.
            duo_start_second_factor($user);
        }
    }
    // Reached when no branch above returned (for example an empty $username);
    // the function then ends without a value, i.e. null.
    duo_debug_log('Starting primary authentication');
}