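/**
 * Filter the user to authenticate.
 *
 * Acts only on API requests (XML-RPC by default, overridable through the
 * 'application_password_is_api_request' filter). The supplied password is
 * checked against each application password hash stored for the user. On a
 * match the entry's usage metadata is updated and the user is returned.
 *
 * @since 0.1-dev
 *
 * @access public
 * @static
 *
 * @param WP_User $input_user User to authenticate.
 * @param string  $username   User login.
 * @param string  $password   User password.
 * @return WP_User|WP_Error|mixed The matched user, a WP_Error when a two-factor
 *                                user supplied no valid application password,
 *                                otherwise $input_user unchanged.
 */
public static function authenticate( $input_user, $username, $password ) {
	$api_request = ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST );
	if ( ! apply_filters( 'application_password_is_api_request', $api_request ) ) {
		return $input_user;
	}

	$user = get_user_by( 'login', $username );

	// If the login name is invalid, short circuit.
	if ( ! $user ) {
		return $input_user;
	}

	/*
	 * Strip out anything non-alphanumeric. This is so passwords can be used with
	 * or without spaces to indicate the groupings for readability.
	 */
	$password = preg_replace( '/[^a-z\d]/i', '', $password );

	$hashed_passwords = get_user_meta( $user->ID, self::USERMETA_KEY_APPLICATION_PASSWORDS, true );

	/*
	 * get_user_meta() with $single = true returns an empty string when the key
	 * has never been stored, so a user without application passwords would
	 * otherwise reach foreach with a non-array and raise a PHP warning on
	 * every API login.
	 */
	if ( ! is_array( $hashed_passwords ) ) {
		$hashed_passwords = array();
	}

	foreach ( $hashed_passwords as $key => $item ) {
		// Skip malformed entries rather than hashing against an undefined index.
		if ( ! is_array( $item ) || ! isset( $item['password'] ) ) {
			continue;
		}

		if ( wp_check_password( $password, $item['password'], $user->ID ) ) {
			$item['last_used'] = time();

			/*
			 * REMOTE_ADDR is the address of the directly connected peer; behind a
			 * reverse proxy this records the proxy, not the client. It is absent
			 * outside a web request, in which case null is stored as before but
			 * without the undefined-index notice.
			 */
			$item['last_ip'] = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null;

			$hashed_passwords[ $key ] = $item;
			update_user_meta( $user->ID, self::USERMETA_KEY_APPLICATION_PASSWORDS, $hashed_passwords );
			return $user;
		}
	}

	/*
	 * If the user uses two factor and no valid API credentials were used, return
	 * an error. Presumably this keeps the account password alone from being
	 * accepted on an API request that cannot prompt for the second factor;
	 * confirm against the filters that run after this one.
	 */
	if ( Two_Factor_Core::is_user_using_two_factor( $user->ID ) ) {
		return new WP_Error( 'invalid_application_credentials', __( '<strong>ERROR</strong>: Invalid API credentials provided.' ) );
	}

	// By default, return what we've been passed.
	return $input_user;
}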
/**
 * Calls is_user_using_two_factor() without a user ID and expects false.
 *
 * NOTE(review): the "not logged in" precondition comes from the test name only;
 * nothing in this method establishes it, so confirm it against the fixture setup.
 *
 * @covers Two_Factor_Core::is_user_using_two_factor
 */
public function test_is_user_using_two_factor_not_logged_in() {
	$uses_two_factor = Two_Factor_Core::is_user_using_two_factor();

	$this->assertFalse( $uses_two_factor );
}