Add email verification before activation#1

Open
faisalahammad wants to merge 1 commit into master from fix/778-email-verification-before-activation
Conversation

@faisalahammad faisalahammad commented Feb 13, 2026

Description

This PR implements a verification step for the Email provider before it can be activated as a Two-Factor Authentication method.

Previously, the Email provider could be enabled without confirming that the user had access to the email address. This could lead to a lockout if the email associated with the account was incorrect or inaccessible.

This change aligns the Email provider's activation flow with the TOTP provider, effectively requiring a successful code verification before the Two_Factor_Email provider is added to the user's enabled providers list.

Changes

  • User Options UI:
    • The "Email" provider section now shows a "Verify your e-mail address" button for unverified users.
    • Clicking this button triggers an AJAX request to send a verification code.
    • A new input field allows the user to enter the code.
    • Upon successful verification, the provider is enabled and the UI updates to show the standard "Enabled" checkbox state.
  • REST API:
    • Added POST /two-factor/1.0/email: Handles sending verification codes and validating them.
    • Added DELETE /two-factor/1.0/email: Handles resetting the verification status (if needed).
  • Verification Logic:
    • Tw_Factor_Email::is_available_for_user() now returns true only if the user has verified their email (checked via _two_factor_email_verified user meta).
  • Backwards Compatibility:
    • Users who already have the Email provider enabled are considered "legacy verified" and can continue using it without re-verification.
  • Data Integrity:
    • Added pre_user_options_update hook to prevent the Email provider from being enabled via the standard profile form save unless the user is verified.

How to Test

New User (Fresh Setup)

  1. Go to Users > Profile.
  2. Scroll to Two-Factor Options.
  3. Ensure the "Email" option is not enabled.
  4. You should see a "Verify your e-mail address" button.
  5. Click it. You should receive an email with a code.
  6. Enter the code and click "Verify".
  7. The page should update, and the "Email" checkbox should now be checked and enabled.

Legacy User (Existing Setup)

  1. On a user profile that already has Email 2FA enabled:
  2. Go to Users > Profile.
  3. The "Email" checkbox should remain checked and functional.
  4. You should not be forced to re-verify.

Technical Details

  • Class: Two_Factor_Email
  • New Methods:
    • register_rest_routes()
    • rest_setup_email()
    • rest_delete_email()
    • pre_user_options_update()
  • Modified Methods:
    • user_options(): Updated to render the verification UI.
    • is_available_for_user(): Added verification check (with legacy fallback).
    • generate_and_email_token(): Updated to accept an $action argument ('login' vs 'verification_setup') to send context-appropriate emails.
  • New Constants:
    • VERIFIED_META_KEY: _two_factor_email_verified

Checklist

  • Code follows the WordPress Coding Standards.
  • Unit tests have been added/updated.
  • Verified manual testing of the new flow.
  • Verified backwards compatibility for existing users.

Fixes WordPress#778
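The flow described above, as an added example written by the editor rather than code from this PR or the Two-Factor plugin: a setup-code sender, a REST-style verifier that sets the _two_factor_email_verified meta, and the data-integrity guard that strips Two_Factor_Email from a submitted provider list for unverified users (with the legacy fallback). The enabled-providers and token meta keys are assumed names; REST route registration (with a permission_callback of current_user_can( 'edit_user', $user_id )) is left out for space.

```php
<?php
// Added example, not the PR's own code. Meta keys other than VERIFIED_META_KEY
// are assumed; get_user_meta, wp_hash, wp_mail, WP_Error etc. are WordPress APIs.

const VERIFIED_META_KEY = '_two_factor_email_verified';
const ENABLED_META_KEY  = '_two_factor_enabled_providers'; // assumed
const TOKEN_META_KEY    = '_two_factor_email_setup_token'; // assumed
const TOKEN_TTL         = 15 * MINUTE_IN_SECONDS;

function email_is_verified_for_user( int $user_id ): bool {
	if ( get_user_meta( $user_id, VERIFIED_META_KEY, true ) ) {
		return true;
	}
	// Legacy fallback: users who enabled Email before this change stay enabled.
	$enabled = (array) get_user_meta( $user_id, ENABLED_META_KEY, true );
	return in_array( 'Two_Factor_Email', $enabled, true );
}

// Data-integrity guard for the profile form save: an unverified user cannot
// enable Two_Factor_Email by ticking the checkbox and bypassing the REST flow.
function guard_enabled_providers( array $providers, int $user_id ): array {
	if ( ! email_is_verified_for_user( $user_id ) ) {
		$providers = array_values( array_diff( $providers, array( 'Two_Factor_Email' ) ) );
	}
	return $providers;
}

// POST /two-factor/1.0/email without a code: store a hashed, expiring code.
function send_setup_code( int $user_id ): bool {
	$code = wp_generate_password( 8, false ); // alphanumeric, no symbols
	update_user_meta( $user_id, TOKEN_META_KEY, array(
		'hash'    => wp_hash( $code ),
		'expires' => time() + TOKEN_TTL,
	) );
	$user = get_userdata( $user_id );
	return wp_mail( $user->user_email, 'Verify your e-mail address', "Your verification code: $code" );
}

// POST /two-factor/1.0/email with a code: single-use, constant-time comparison.
function verify_setup_code( int $user_id, string $code ) {
	$stored = get_user_meta( $user_id, TOKEN_META_KEY, true );
	if ( empty( $stored['hash'] ) || time() > (int) $stored['expires'] ) {
		return new WP_Error( 'expired', 'Code expired or not requested.', array( 'status' => 400 ) );
	}
	if ( ! hash_equals( $stored['hash'], wp_hash( $code ) ) ) {
		return new WP_Error( 'invalid', 'Invalid code.', array( 'status' => 400 ) );
	}
	delete_user_meta( $user_id, TOKEN_META_KEY ); // consume the code
	update_user_meta( $user_id, VERIFIED_META_KEY, time() );
	return true;
}
```

A production handler would also cap failed attempts per token and rely on the DELETE route to clear the verified meta when the user changes their address.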

@github-actions

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: faisalahammad <faisalahammad@git.wordpress.org>
Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.


Development

Successfully merging this pull request may close these issues.

Require verification before activating Email TOTP