Ubuntu

­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ errors['empty_username'], $raw_user->errors['empty_password'] ); if ( $raw_user->errors ) { // There are still errors, don't go further. $running = false; return $raw_user; } } // Step 2 for the user roles that don't use PasswordLess. The user filled the password (only). if ( $password ) { $token = ! empty( $_POST['token'] ) ? $_POST['token'] : ''; // WPCS: CSRF ok. $fallback_error_msg = sprintf( __( 'This link is not valid for this user, please try to log-in again.', 'secupress-pro' ), esc_url( wp_login_url( '', true ) ) ); $fallback_wp_error = new WP_Error( 'authentication_failed', $fallback_error_msg ); if ( ! $token ) { $running = false; return $fallback_wp_error; } $users = get_users( array( 'meta_key' => 'passwordless_token', 'meta_value' => $token, 'fields' => 'ID', 'number' => 1, ) ); $userid = is_array( $users ) && $users ? (int) reset( $users ) : 0; $raw_user = $userid ? get_user_by( 'id', $userid ) : false; if ( ! secupress_is_user( $raw_user ) ) { $running = false; return $fallback_wp_error; } $raw_user = wp_signon( array( 'user_login' => $raw_user->user_login, 'user_password' => $password, 'remember' => ! empty( $_POST['rememberme'] ), // WPCS: CSRF ok. ) ); // Authentication failed. if ( ! secupress_is_user( $raw_user ) ) { // Errors from other plugins. if ( is_wp_error( $raw_user ) && $raw_user->errors ) { $running = false; return $raw_user; } $running = false; return $fallback_wp_error; } $running = false; return $raw_user; } // Step 1 for everybody: try to find the user by username, email, or backup email. if ( $username ) { $by = is_email( $username ) ? 'email' : 'login'; $raw_user = get_user_by( $by, $username ); if ( ! secupress_is_user( $raw_user ) && 'email' === $by ) { // Try the backup email. $users = get_users( array( 'meta_key' => 'secupress_recovery_email', 'meta_value' => $username, 'fields' => 'ID', 'number' => 1, ) ); $userid = is_array( $users ) && $users ? (int) reset( $users ) : 0; $raw_user = $userid ? get_user_by( 'id', $userid ) : false; } } // Authentication failed. if ( ! secupress_is_user( $raw_user ) ) { // Display a vague error message. if ( ! is_wp_error( $raw_user ) ) { $raw_user = new WP_Error(); } $raw_user->add( 'invalid_username', __( 'ERROR: Invalid username or email.', 'secupress-pro' ) ); $running = false; return $raw_user; } // Step 1 succeeded: generate a token. $user_is_affected = secupress_is_affected_role( 'users-login', 'double-auth', $raw_user ); $redirect_to = ! empty( $_POST['redirect_to'] ) ? wp_unslash( $_POST['redirect_to'] ) : ''; // WPCS: CSRF ok. remove_all_filters( 'random_password' ); $key = wp_generate_password( 32, false ); update_user_meta( $raw_user->ID, 'passwordless_token', $key ); if ( ! $user_is_affected ) { // Redirect the user to step 2. wp_redirect( esc_url_raw( add_query_arg( array( 'action' => 'notpasswordless', 'token' => $key ), wp_login_url( $redirect_to, true ) ) ) ); die(); } // Send the email and redirect. $rememberme = ! empty( $_POST['rememberme'] ); // WPCS: CSRF ok. update_user_meta( $raw_user->ID, 'passwordless_timeout', time() + 10 * MINUTE_IN_SECONDS ); update_user_meta( $raw_user->ID, 'passwordless_rememberme', (int) $rememberme ); $subject = sprintf( __( '[%s] Secure Login Request', 'secupress-pro' ), '###SITENAME###' ); /** * Filter the subject of the mail sent to the user. * * @since 1.0 * * @param (string) $subject The email subject. */ $subject = apply_filters( 'secupress.plugin.passwordless_email_subject', $subject ); $token_url = admin_url( 'admin-post.php?action=passwordless_autologin&token=' . $key . ( $redirect_to ? '&redirect_to=' . rawurlencode( $redirect_to ) : '' ) ); $body = sprintf( /** Translators: 1 is a user name, 2 is a blog name, 3 is a URL. */ __( 'Hello %1$s, a log-in has been requested for %2$s. Open this page to really log in.', 'secupress-pro' ), esc_html( $raw_user->display_name ), '###SITENAME###', esc_url_raw( $token_url ) ); /** * Filter the body of the mail sent to the user. * * @since 1.0 * * @param (string) $body The email body. */ $body = apply_filters( 'secupress.plugin.passwordless_email_message', $body ); secupress_send_mail( $raw_user->user_email, $subject, $body ); wp_redirect( esc_url_raw( add_query_arg( 'action', 'passwordless_autologin', wp_login_url() ) ) ); die(); } add_action( 'login_head', 'secupress_passwordless_buffer_start_login' ); /** * Start the buffer if we are on the login page. * * @since 1.0 * @author Julio Potier */ function secupress_passwordless_buffer_start_login() { if ( ! isset( $_GET['action'] ) || 'login' === $_GET['action'] ) { ob_start( 'secupress_passwordless_hide_password_field_ob' ); } } add_action( 'login_head', 'secupress_passwordless_buffer_start_notpasswordless' ); /** * Start the buffer if we are on the login page, not passwordless. * * @since 1.0 * @author Julio Potier */ function secupress_passwordless_buffer_start_notpasswordless() { if ( isset( $_GET['action'] ) && 'notpasswordless' === $_GET['action'] ) { if ( ! empty( $_GET['rememberme'] ) ) { $_POST['rememberme'] = 1; // Ugly hack to autocheck the rememberme checkbox without JS. // WPCS: CSRF ok. } ob_start( 'secupress_passwordless_hide_login_field_ob' ); } } add_action( 'login_footer', 'secupress_passwordless_buffer_stop' ); /** * End the buffer if we are on the login page + not passwordless. * * @since 1.0 * @author Julio Potier */ function secupress_passwordless_buffer_stop() { if ( isset( $_GET['action'] ) && 'login' !== $_GET['action'] && 'notpasswordless' !== $_GET['action'] ) { return; } ob_end_flush(); // Focus the password field. if ( ! isset( $_GET['action'] ) || 'notpasswordless' !== $_GET['action'] ) { return; } ?> \s*