fix(challenge): show 2fa lockout on active step

dknauss · dknauss · commit 9539e6b4e413 · 2026-03-22T15:41:48.000-06:00
diff --git a/admin/js/wp-sudo-challenge.js b/admin/js/wp-sudo-challenge.js
@@ -240,7 +240,15 @@
 
 					var data = response.data || {};
 					if (data.code === 'locked_out' && data.remaining > 0) {
-						startLockoutCountdown(data.remaining);
+						var firstTwofaInput = twofaStep
+							? twofaStep.querySelector('input:not([type="hidden"])')
+							: null;
+						startLockoutCountdown(
+							data.remaining,
+							twofaErrorBox,
+							twofaSubmitBtn,
+							firstTwofaInput
+						);
 					} else if (data.delay > 0) {
 						startThrottleCountdown(data.delay, twofaErrorBox, twofaSubmitBtn);
 					} else {
@@ -365,34 +373,47 @@
 	 * Disables the submit button and updates the error message each second
 	 * until the lockout expires, then re-enables the form.
 	 *
-	 * @param {number} remaining Seconds until lockout expires.
+	 * @param {number}  remaining  Seconds until lockout expires.
+	 * @param {Element} box        Optional error box element.
+	 * @param {Element} btn        Optional submit button element.
+	 * @param {Element} focusInput Optional input to focus when lockout expires.
 	 */
-	function startLockoutCountdown(remaining) {
+	function startLockoutCountdown(remaining, box, btn, focusInput) {
+		var targetBox = box || errorBox;
+		var targetBtn = btn || submitBtn;
+		var targetInput = focusInput || passwordInput;
+
 		if (lockoutInterval) {
 			clearInterval(lockoutInterval);
 		}
 
-		submitBtn.disabled = true;
+		if (targetBtn) {
+			targetBtn.disabled = true;
+		}
 
 		// Suppress per-second screen reader announcements during countdown.
 		// The error box has role="alert" which would announce every update.
 		// Instead, we set aria-live="off" and announce only at milestones.
-		if (errorBox) {
-			errorBox.setAttribute('aria-live', 'off');
+		if (targetBox) {
+			targetBox.setAttribute('aria-live', 'off');
 		}
 
 		function tick() {
 			if (remaining <= 0) {
 				clearInterval(lockoutInterval);
 				lockoutInterval = null;
-				submitBtn.disabled = false;
+				if (targetBtn) {
+					targetBtn.disabled = false;
+				}
 				// Restore live region before hiding so SR announces clearance.
-				if (errorBox) {
-					errorBox.removeAttribute('aria-live');
+				if (targetBox) {
+					targetBox.removeAttribute('aria-live');
 				}
-				hideError(errorBox);
+				hideError(targetBox);
 				announce(strings.lockoutExpired || 'Lockout expired. You may try again.');
-				passwordInput.focus();
+				if (targetInput) {
+					targetInput.focus();
+				}
 				return;
 			}
 
@@ -401,14 +422,14 @@
 			var timeStr = m + ':' + (s < 10 ? '0' : '') + s;
 
 			// Update visual text every second.
-			var p = errorBox ? errorBox.querySelector('p') : null;
-			if (errorBox && !errorBox.hidden) {
+			var p = targetBox ? targetBox.querySelector('p') : null;
+			if (targetBox && !targetBox.hidden) {
 				// Direct DOM update to avoid triggering live region.
 				if (p) {
 					p.textContent = strings.lockoutCountdown.replace('%s', timeStr);
 				}
 			} else {
-				showError(errorBox, strings.lockoutCountdown.replace('%s', timeStr));
+				showError(targetBox, strings.lockoutCountdown.replace('%s', timeStr));
 			}
 
 			// Announce to screen readers every 30 seconds and at 10 seconds.
diff --git a/docs/current-metrics.md b/docs/current-metrics.md
@@ -41,7 +41,7 @@ the count in prose without a verification command.
 | Audit hooks | 9 | `grep -c "do_action.*wp_sudo_" includes/class-*.php \| awk -F: '{sum+=$2} END{print sum}'` | v2.11.0 |
 | Settings fields (base) | 5 | 1 numeric (duration) + 4 policy dropdowns (REST, CLI, Cron, XML-RPC) | v2.0.0 |
 | Settings fields (with WPGraphQL) | 6 | +1 conditional WPGraphQL policy dropdown | v2.5.0 |
-| E2E tests | 37 | `npx playwright test --config tests/e2e/playwright.config.ts --list` | unreleased |
+| E2E tests | 38 | `npx playwright test --config tests/e2e/playwright.config.ts --list` | unreleased |
 
 ### Files that reference these counts
 
diff --git a/tests/e2e/specs/challenge.spec.ts b/tests/e2e/specs/challenge.spec.ts
@@ -1,5 +1,5 @@
 /**
- * Challenge flow tests — CHAL-01 through CHAL-10
+ * Challenge flow tests — CHAL-01 through CHAL-11
  *
  * Tests the full stash-challenge-replay flow and challenge page form elements.
  *
@@ -1034,4 +1034,77 @@ test.describe( 'Challenge flow', () => {
             await disableE2eTwoFactor();
         }
     } );
+
+    /**
+     * CHAL-11: A 2FA lockout should surface on the 2FA step and disable the 2FA submit button.
+     */
+    test( 'CHAL-11: repeated invalid 2FA codes trigger the lockout UI on the 2FA step', async ( {
+        page,
+    } ) => {
+        await enableE2eTwoFactor();
+
+        try {
+            await reachTwoFactorStep( page );
+
+            const initialUrl = page.url();
+
+            for ( let attempt = 1; attempt <= 3; attempt++ ) {
+                await page.fill( '#wp-sudo-e2e-two-factor-code', '000000' );
+                await page.click( '#wp-sudo-challenge-2fa-submit' );
+
+                await expect(
+                    page.locator( '#wp-sudo-challenge-2fa-error' ),
+                    `Invalid 2FA attempt ${ attempt } should show the inline error box`
+                ).toContainText( 'Invalid authentication code', { timeout: 10_000 } );
+            }
+
+            await page.fill( '#wp-sudo-e2e-two-factor-code', '000000' );
+            await page.click( '#wp-sudo-challenge-2fa-submit' );
+
+            await expect(
+                page.locator( '#wp-sudo-challenge-2fa-submit' ),
+                'The 4th invalid 2FA attempt should trigger the short throttle before lockout'
+            ).toBeDisabled();
+
+            await expect(
+                page.locator( '#wp-sudo-challenge-2fa-submit' ),
+                'The short throttle must expire before the lockout-triggering retry'
+            ).toBeEnabled( { timeout: 10_000 } );
+
+            await page.fill( '#wp-sudo-e2e-two-factor-code', '000000' );
+            await page.click( '#wp-sudo-challenge-2fa-submit' );
+
+            await expect(
+                page.locator( '#wp-sudo-challenge-2fa-error' ),
+                'The lockout response should surface in the 2FA error box, not the hidden password step'
+            ).toBeVisible( { timeout: 10_000 } );
+
+            await expect(
+                page.locator( '#wp-sudo-challenge-2fa-error' ),
+                'The lockout UI should tell the user they are locked out and must wait'
+            ).toContainText( 'Too many failed attempts', { timeout: 5_000 } );
+
+            await expect(
+                page.locator( '#wp-sudo-challenge-2fa-submit' ),
+                'The 2FA submit button should be disabled during the lockout countdown'
+            ).toBeDisabled();
+
+            await expect(
+                page.locator( '#wp-sudo-challenge-2fa-step' ),
+                'The browser must remain on the visible 2FA step during lockout'
+            ).toBeVisible();
+
+            await expect(
+                page.locator( '#wp-sudo-challenge-error' ),
+                'The password-step error box should stay hidden during a 2FA lockout'
+            ).toBeHidden();
+
+            expect(
+                page.url(),
+                'The lockout path must not navigate away from the challenge page'
+            ).toBe( initialUrl );
+        } finally {
+            await disableE2eTwoFactor();
+        }
+    } );
 } );
