Context Navigation

← Previous Changeset
Next Changeset →

Changeset 2701770

Timestamp:

03/30/2022 09:46:30 AM (4 years ago)

Author:

jimseconde

Message:

Released Version 1.0.0

Location:

vonage-2fa

Files:

: 18 added
: 2 edited

assets/banner-772x250.png (added)
assets/screenshot-1.png (added)
assets/screenshot-2.png (added)
assets/screenshot-3.png (added)
assets/screenshot-4.png (added)
tags/1.0.0 (added)
tags/1.0.0/LICENSE (added)
tags/1.0.0/README.md (added)
tags/1.0.0/assets (added)
tags/1.0.0/assets/admin-menu.png (added)
tags/1.0.0/assets/logo-large.png (added)
tags/1.0.0/assets/logo.png (added)
tags/1.0.0/assets/logo.svg (added)
tags/1.0.0/assets/vonage-api-screenshot.png (added)
tags/1.0.0/assets/vonage-user-settings.png (added)
tags/1.0.0/assets/vonagexwordpress.png (added)
tags/1.0.0/readme.txt (added)
tags/1.0.0/vonage2fa.php (added)
trunk/readme.txt (modified) (5 diffs)
trunk/vonage2fa.php (modified) (7 diffs)

Legend:

: Unmodified
: Added
: Removed

vonage-2fa/trunk/readme.txt

-                      r2701042
+                      r2701770
 Requires at least: 5.7
 Tested up to: 5.9.2
 Stable tag: 0.0.1
+Stable tag: 1.0.0
 Requires PHP: 8.0
 License: Apache 2.0
 …
 This plugin enables your WordPress site to use Two-Factor Authentication using Vonage's Verify API service.
+== Screenshots ==
+. The Vonage WordPress 2FA Plugin Admin Menu
+. This is where you can get your API keys from the Vonage Dashboard
+. Vonage 2FA Settings in the User profile screen
+. New PIN entry login form for 2FA
 == Description ==
 # Vonage Two-Factor Authentication Plugin for WordPress
-![Vonage and WordPress logos](./assets/vonagexwordpress.png)
 This plugin enables your WordPress site to use Two-Factor Authentication
 …
 . Install this plugin in your WordPress plugins directory.
 . Active the plugin under your administrator account.
+. Your 2FA admin menu should now be accessible from the WordPress menu:
+![Screenshot of the Vonage WordPress 2FA Plugin admin menu](./assets/admin-menu.png)
+. Your 2FA admin menu should now be accessible from the WordPress menu
 . Populate your API Key and Secret in order to connect to Vonage's [Verify API]() that
+this plugin uses. You can get these credentials from your [Vonage Dashboard](https://dashboard.nexmo.com/), located here:
+![Screenshot of Vonage Dashboard](./assets/vonage-api-screenshot.png)
+this plugin uses. You can get these credentials from your [Vonage Dashboard](https://dashboard.nexmo.com/).
 . Each user of your WordPress site can now enable 2 Factor Authentication from their
+user settings. A new section is available in the Profile screen, which will look like this:
+![Screenshot of WordPress settings menu](./assets/vonage-user-settings.png)
+user settings. A new section is available in the Profile screen.
 > Please note that this phone number must contain the *full* international dialling code
 …
 . For users with 2FA enabled, the first login attempt will ask for the PIN sent out
+to the phone number entered:
+![Screenshot of new PIN code entry](./assets/vonage-login-pin.png)
+to the phone number entered.
 . Once the user has entered a valid PIN, login will finish.
 …
 or by email you can reach me at jim.seconde at vonage.com. Alternatively, you
 can email the Developer Relations team at devrel at vonage.com.

vonage-2fa/trunk/vonage2fa.php

-                      r2701042
+                      r2701770
   Description: Use Vonage's APIs for 2FA
   Author: James Seconde
   Version: 0.0.1
+  Version: 1.0.0
   Author URI: https://developer.vonage.com/
 */
+const PLUGIN_VERSION ='1.0.0';
 const RESPONSE_PIN_OK = "0";
 const RESPONSE_PIN_INVALID = "16";
 …
 const RESPONSE_REQUEST_INSUFFICIENT_FUNDS = '9';
+global $wp_version;
+define( "VONAGE_USER_AGENT_STRING", 'vonage-wordpress/' . $wp_version . '/' . PLUGIN_VERSION );
 function vonage_2fa_setup_menu() {
     add_menu_page(
         'Test Plugin Page',
         'Vonage 2FA',
         'manage_options',
         'vonage_2fa_plugin',
         'vonage_2fa_load_admin_settings',
         'data:image/svg+xml;base64,' . base64_encode('<svg version="1.0" xmlns="http://www.w3.org/2000/svg"
+    add_menu_page(
+        'Vonage 2FA Plugin Page',
+        'Vonage 2FA',
+        'manage_options',
+        'vonage_2fa_plugin',
+        'vonage_2fa_load_admin_settings',
+        'data:image/svg+xml;base64,' . base64_encode('<svg version="1.0" xmlns="http://www.w3.org/2000/svg"
              width="300.000000pt" height="261.000000pt" viewBox="0 0 300.000000 261.000000"
              preserveAspectRatio="xMidYMid meet">
 …
             </svg>
             ')
     );
+    );
+}
 function vonage_2fa_register_settings() {
     register_setting( 'vonage_api_settings_options', 'vonage_api_settings_options', 'vonage_api_settings_options_validate' );
     add_settings_section( 'api_credentials', 'Vonage API Credentials', 'vonage_2fa_plugin_text_helper', 'vonage_2fa_plugin' );
     add_settings_field( 'api_credentials_key', 'API Key', 'vonage_2fa_api_credentials_key', 'vonage_2fa_plugin', 'api_credentials' );
     add_settings_field( 'api_credentials_secret', 'API Secret', 'vonage_2fa_api_credentials_secret', 'vonage_2fa_plugin', 'api_credentials' );
+    register_setting( 'vonage_api_settings_options', 'vonage_api_settings_options', 'vonage_api_settings_options_validate' );
+    add_settings_section( 'api_credentials', 'Vonage API Credentials', 'vonage_2fa_plugin_text_helper', 'vonage_2fa_plugin' );
+    add_settings_field( 'api_credentials_key', 'API Key', 'vonage_2fa_api_credentials_key', 'vonage_2fa_plugin', 'api_credentials' );
+    add_settings_field( 'api_credentials_secret', 'API Secret', 'vonage_2fa_api_credentials_secret', 'vonage_2fa_plugin', 'api_credentials' );
+}
 function vonage_2fa_plugin_text_helper() {
     echo '<p>You will need your master API Key/Secret credentials from your Vonage Dashboard.</p>';
+    echo '<p>You will need your master API Key/Secret credentials from your Vonage Dashboard.</p>';
+}
 function vonage_2fa_api_credentials_key() {
     $options = get_option( 'vonage_api_settings_options' );
     echo "<input id='api_credentials_key' name='vonage_api_settings_options[api_credentials_key]' type='text' value='" . esc_attr( $options['api_credentials_key'] ) . "' />";
+    $options = get_option( 'vonage_api_settings_options' );
+    echo "<input id='api_credentials_key' name='vonage_api_settings_options[api_credentials_key]' type='text' value='" . esc_attr( $options['api_credentials_key'] ) . "' />";
+}
 function vonage_2fa_api_credentials_secret() {
     $options = get_option( 'vonage_api_settings_options' );
     echo "<input id='api_credentials_secret' name='vonage_api_settings_options[api_credentials_secret]' type='text' value='" . esc_attr( $options['api_credentials_secret'] ) . "' />";
+    $options = get_option( 'vonage_api_settings_options' );
+    echo "<input id='api_credentials_secret' name='vonage_api_settings_options[api_credentials_secret]' type='text' value='" . esc_attr( $options['api_credentials_secret'] ) . "' />";
+}
 function vonage_2fa_load_admin_settings() {
     echo "
+    echo "
     <img src='" . plugin_dir_url(__FILE__ ) . "assets/logo-large.png' alt='Vonage logo'>
     <h1>Built in 2FA</h1>
 …
     <div>
         <form action='options.php' method='post'>";
             settings_fields( 'vonage_api_settings_options');
             do_settings_sections('vonage_2fa_plugin');
             submit_button();
     echo "
+    settings_fields( 'vonage_api_settings_options');
+    do_settings_sections('vonage_2fa_plugin');
+    submit_button();
+    echo "
         </form>
     </div>
 …
 function vonage_2fa_user_settings( $user ) {
     $mobileValue = get_the_author_meta( 'vonage_2fa_user_mobile_number_data', $user->ID );
     $enabled = get_the_author_meta( 'vonage_2fa_user_enabled_data', $user->ID );
     $checkedString = $enabled === '1' ? 'checked' : '';
     echo "
+    $mobileValue = get_the_author_meta( 'vonage_2fa_user_mobile_number_data', $user->ID );
+    $enabled = get_the_author_meta( 'vonage_2fa_user_enabled_data', $user->ID );
+    $checkedString = $enabled === '1' ? 'checked' : '';
+    echo "
         <br />
         <h3>Vonage Two-Factor Authentication Settings</h3>
 …
 function vonage_2fa_mobile_number_taken( $user_id, $mobile ) {
     if ( !$mobile ) {
         return false;
+    }
     $users = get_users(
+        [
             'meta_key' => 'vonage_2fa_user_mobile_number',
             'meta_value' => $mobile,
             'number' => 1
+        ]
     );
     return 0 < count( $users ) && $user_id !== $users[0]->ID;
+    if ( !$mobile ) {
+        return false;
+    }
+    $users = get_users(
+        [
+            'meta_key' => 'vonage_2fa_user_mobile_number',
+            'meta_value' => $mobile,
+            'number' => 1
+        ]
+    );
+    return 0 < count( $users ) && $user_id !== $users[0]->ID;
+}
 function vonage_2fa_valid_mobile( $mobile ) {
     $validMatch = preg_match('/^\+(?:[0-9]?){6,14}[0-9]$/', $mobile);
     $validTrim = trim($mobile) !== "";
     return $validMatch && $validTrim;
+    $validMatch = preg_match('/^\+(?:[0-9]?){6,14}[0-9]$/', $mobile);
+    $validTrim = trim($mobile) !== "";
+    return $validMatch && $validTrim;
+}
 function vonage_2fa_form_settings_validation( &$errors, $update, &$user ) {
     $mobile = filter_var( $_POST['vonage_2fa_user_mobile_number'], FILTER_SANITIZE_NUMBER_INT );
     $enabled = filter_var( isset( $_POST['vonage_2fa_user_enabled']), FILTER_SANITIZE_NUMBER_INT );
     if ($user && $enabled && !vonage_2fa_valid_mobile( $mobile )) {
         $errors->add( 'vonage_2fa_settings_update_error', 'Phone number provided is invalid, please make sure it includes international dialling code with plus sign.');
         update_user_meta($user->ID, 'vonage_2fa_user_mobile_number_data', "");
+    }
     if ($user && $mobile && vonage_2fa_mobile_number_taken( $user->ID, $mobile )) {
         $errors->add( 'vonage_2fa_settings_update_error', 'Mobile number already in use.');
         update_user_meta($user->ID, 'vonage_2fa_user_mobile_number_data', "");
+    }
+    $mobile = filter_var( $_POST['vonage_2fa_user_mobile_number'], FILTER_SANITIZE_NUMBER_INT );
+    $enabled = filter_var( isset( $_POST['vonage_2fa_user_enabled']), FILTER_SANITIZE_NUMBER_INT );
+    if ($user && $enabled && !vonage_2fa_valid_mobile( $mobile )) {
+        $errors->add( 'vonage_2fa_settings_update_error', 'Phone number provided is invalid, please make sure it includes international dialling code with plus sign.');
+        update_user_meta($user->ID, 'vonage_2fa_user_mobile_number_data', "");
+    }
+    if ($user && $mobile && vonage_2fa_mobile_number_taken( $user->ID, $mobile )) {
+        $errors->add( 'vonage_2fa_settings_update_error', 'Mobile number already in use.');
+        update_user_meta($user->ID, 'vonage_2fa_user_mobile_number_data', "");
+    }
+}
 function vonage_2fa_save_settings( $user_id ) {
     $mobile = filter_var( $_POST['vonage_2fa_user_mobile_number'], FILTER_SANITIZE_NUMBER_INT );
     $enabled = filter_var( isset( $_POST['vonage_2fa_user_enabled']), FILTER_SANITIZE_NUMBER_INT );
     if (!current_user_can( 'edit_user', $user_id ) ) {
         return false;
+    }
     update_user_meta( $user_id, 'vonage_2fa_user_mobile_number_data', $mobile );
     update_user_meta( $user_id, 'vonage_2fa_user_enabled_data', $enabled );
+    $mobile = filter_var( $_POST['vonage_2fa_user_mobile_number'], FILTER_SANITIZE_NUMBER_INT );
+    $enabled = filter_var( isset( $_POST['vonage_2fa_user_enabled']), FILTER_SANITIZE_NUMBER_INT );
+    if (!current_user_can( 'edit_user', $user_id ) ) {
+        return false;
+    }
+    update_user_meta( $user_id, 'vonage_2fa_user_mobile_number_data', $mobile );
+    update_user_meta( $user_id, 'vonage_2fa_user_enabled_data', $enabled );
+}
 function vonage_2fa_auth_intercept( $user, $username, $password ) {
+    if ( !session_id() ) {
+        session_start();
+    }
+    $wpUser = get_user_by( 'login', $username );
+    $enabled_2fa = get_user_meta( $wpUser->ID, 'vonage_2fa_user_enabled_data', true );
+    if (!$enabled_2fa) {
+        return;
+    }
+    $options = get_option( 'vonage_api_settings_options' );
+    $apiKey = $options['api_credentials_key'];
+    $apiSecret = $options['api_credentials_secret'];
+    $errors = [];
+    $redirect_to = sanitize_url( $_POST['redirect_to'] ) ?? admin_url();
+    $remember_me = isset( $_POST['rememberme'] ) && $_POST['rememberme'] === 'forever';
+    $savedRequestId = sanitize_text_field($_SESSION['vonage_2fa_request_id']);
+    $pin = isset( $_POST['vonage_2fa_pin'] ) ? sanitize_text_field( $_POST['vonage_2fa_pin'] ) : false;
+    $requestId = isset( $_POST['vonage_2fa_request_id'] ) ? sanitize_text_field( $_POST['vonage_2fa_request_id'] ) : false;
+    // You have submitted a PIN
+    if ( $requestId && $pin && $savedRequestId === $requestId ) {
+        $url = "https://api.nexmo.com/verify/check/json?&api_key=$apiKey&api_secret=$apiSecret&request_id=$requestId&code=$pin";
+        $response = wp_remote_get( $url );
+        $responseBody = json_decode( $response['body'], true );
+        if ( $responseBody['status'] === RESPONSE_PIN_OK ) {
+            wp_set_auth_cookie($wpUser->ID, $remember_me);
+            wp_safe_redirect($redirect_to);
+            exit;
+        }
+        if ( $responseBody['status'] === RESPONSE_PIN_INVALID ) {
+            $errors[] = "Invalid PIN code";
+        }
+    }
+    // Or you have a request ID saved that needs to be checked
+    if ( $savedRequestId ) {
+        $url = "https://api.nexmo.com/verify/search/json?&api_key=$apiKey&api_secret=$apiSecret&request_id=$savedRequestId";
+        $response = wp_remote_get( $url );
+        $responseBody = json_decode( $response['body'], true );
+        if ( $responseBody['status'] === RESPONSE_VERIFICATION_PASSED ) {
+            wp_set_auth_cookie( $wpUser->ID, $remember_me );
+            wp_safe_redirect( $redirect_to );
+            exit;
+        }
+        // The saved request ID has expired or failed
+        $errors[] = 'Your verification has expired or there was an error logging in.';
+        $_SESSION['vonage_2fa_request_id'] = '';
+    }
+    // You are trying to log in for the first time or have requested a PIN or have an invalid exiting verify
+    if ($wpUser) {
+        vonage_2fa_verify_user($wpUser, $redirect_to, $remember_me, $errors);
+    }
+    return $user;
+    if ( !session_id() ) {
+        session_start();
+    }
+    $wpUser = get_user_by( 'login', $username );
+    $enabled_2fa = get_user_meta( $wpUser->ID, 'vonage_2fa_user_enabled_data', true );
+    if (!$enabled_2fa) {
+        return;
+    }
+    $options = get_option( 'vonage_api_settings_options' );
+    $apiKey = $options['api_credentials_key'];
+    $apiSecret = $options['api_credentials_secret'];
+    $errors = [];
+    $redirect_to = sanitize_url( $_POST['redirect_to'] ) ?? admin_url();
+    $remember_me = isset( $_POST['rememberme'] ) && $_POST['rememberme'] === 'forever';
+    $savedRequestId = sanitize_text_field($_SESSION['vonage_2fa_request_id']);
+    $pin = isset( $_POST['vonage_2fa_pin'] ) ? sanitize_text_field( $_POST['vonage_2fa_pin'] ) : false;
+    $requestId = isset( $_POST['vonage_2fa_request_id'] ) ? sanitize_text_field( $_POST['vonage_2fa_request_id'] ) : false;
+    // You have submitted a PIN
+    if ( $requestId && $pin && $savedRequestId === $requestId ) {
+        $url = "https://api.nexmo.com/verify/check/json?&api_key=$apiKey&api_secret=$apiSecret&request_id=$requestId&code=$pin";
+        $response = wp_remote_get( $url, [
+            'user-agent' => VONAGE_USER_AGENT_STRING
+        ] );
+        $responseBody = json_decode( $response['body'], true );
+        if ( $responseBody['status'] === RESPONSE_PIN_OK ) {
+            wp_set_auth_cookie($wpUser->ID, $remember_me);
+            wp_safe_redirect($redirect_to);
+            exit;
+        }
+        if ( $responseBody['status'] === RESPONSE_PIN_INVALID ) {
+            $errors[] = "Invalid PIN code";
+        }
+    }
+    // Or you have a request ID saved that needs to be checked
+    if ( $savedRequestId ) {
+        $url = "https://api.nexmo.com/verify/search/json?&api_key=$apiKey&api_secret=$apiSecret&request_id=$savedRequestId";
+        $response = wp_remote_get( $url, [
+            'user-agent' => VONAGE_USER_AGENT_STRING
+        ] );
+        $responseBody = json_decode( $response['body'], true );
+        if ( $responseBody['status'] === RESPONSE_VERIFICATION_PASSED ) {
+            wp_set_auth_cookie( $wpUser->ID, $remember_me );
+            wp_safe_redirect( $redirect_to );
+            exit;
+        }
+        // The saved request ID has expired or failed
+        $errors[] = 'Your verification has expired or there was an error logging in.';
+        $_SESSION['vonage_2fa_request_id'] = '';
+    }
+    // You are trying to log in for the first time or have requested a PIN or have an invalid exiting verify
+    if ($wpUser) {
+        vonage_2fa_verify_user($wpUser, $redirect_to, $remember_me, $errors);
+    }
+    return $user;
+}
 function vonage_2fa_verify_user( $user, $redirect_to, $remember_me, $errors = [] ) {
+    $options = get_option( 'vonage_api_settings_options' );
+    $apiKey = $options['api_credentials_key'];
+    $apiSecret = $options['api_credentials_secret'];
+    $phoneNumber = get_user_meta( $user->ID, 'vonage_2fa_user_mobile_number_data', true );
+    // You are requesting a PIN with a phone number
+    $url = "https://api.nexmo.com/verify/json?&api_key=$apiKey&api_secret=$apiSecret&number=$phoneNumber&workflow_id=6&brand=Wordpress2FA";
+    $response = wp_remote_post( $url );
+    $responseBody = json_decode( $response['body'], true );
+    // Attempt to send number has been rejected
+    if ( $responseBody['status'] === RESPONSE_REQUEST_FAILED ) {
+        $errors[] = $responseBody['error_text'];
+    }
+    if ( $responseBody['status'] === RESPONSE_REQUEST_INSUFFICIENT_FUNDS ) {
+        $errors[] = 'Your Vonage account does not have enough balance to perform this authorisation request. Please contact your website administrator';
+    }
+    $requestId = $responseBody['request_id'];
+    $_SESSION['vonage_2fa_request_id'] = $requestId;
+    wp_logout();
+    nocache_headers();
+    header('Content-Type: ' . get_bloginfo( 'html_type' ) . '; charset=' . get_bloginfo( 'charset' ) );
+    login_header('Vonage Two-Factor Authentication', '<p class="message">' . sprintf( 'Enter the PIN code sent to your 2FA phone number ending in <strong>%1$s</strong>' , substr($phoneNumber, -5) ) . '</p>');
+    if ( !empty($errors) ) { ?>
+    $options = get_option( 'vonage_api_settings_options' );
+    $apiKey = $options['api_credentials_key'];
+    $apiSecret = $options['api_credentials_secret'];
+    $phoneNumber = get_user_meta( $user->ID, 'vonage_2fa_user_mobile_number_data', true );
+    // You are requesting a PIN with a phone number
+    $url = "https://api.nexmo.com/verify/json?&api_key=$apiKey&api_secret=$apiSecret&number=$phoneNumber&workflow_id=6&brand=Wordpress2FA";
+    $response = wp_remote_post( $url, [
+        'user-agent' => VONAGE_USER_AGENT_STRING
+    ] );
+    $responseBody = json_decode( $response['body'], true );
+    // Attempt to send number has been rejected
+    if ( $responseBody['status'] === RESPONSE_REQUEST_FAILED ) {
+        $errors[] = $responseBody['error_text'];
+    }
+    if ( $responseBody['status'] === RESPONSE_REQUEST_INSUFFICIENT_FUNDS ) {
+        $errors[] = 'Your Vonage account does not have enough balance to perform this authorisation request. Please contact your website administrator';
+    }
+    $requestId = $responseBody['request_id'];
+    $_SESSION['vonage_2fa_request_id'] = $requestId;
+    wp_logout();
+    nocache_headers();
+    header('Content-Type: ' . get_bloginfo( 'html_type' ) . '; charset=' . get_bloginfo( 'charset' ) );
+    login_header('Vonage Two-Factor Authentication', '<p class="message">' . sprintf( 'Enter the PIN code sent to your 2FA phone number ending in <strong>%1$s</strong>' , substr($phoneNumber, -5) ) . '</p>');
+    if ( !empty($errors) ) { ?>
         <div id="login_error"><?php echo esc_html( implode( '<br />', $errors ) ) ?></div>
     <?php  } ?>
+    <?php  } ?>
     <form name="loginform" id="loginform" action="<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ) ?>" method="post" autocomplete="off">
 …
             <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ) ?>" />
             <?php if ( $remember_me ) : ?>
+            <?php if ( $remember_me ) : ?>
                 <input type="hidden" name="rememberme" value="forever" />
             <?php endif; ?>
+            <?php endif; ?>
         </p>
     </form>
     <?php
     login_footer( 'vonage_2fa_pin' );
     exit;
+    <?php
+    login_footer( 'vonage_2fa_pin' );
+    exit;
+}

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory

Context Navigation

Changeset 2701770

Legend:

vonage-2fa/trunk/readme.txt

vonage-2fa/trunk/vonage2fa.php

Download in other formats: