Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3378867

Timestamp:

10/15/2025 11:59:42 AM (5 months ago)

Author:

chrmrtns

Message:

Release version 2.7.3 - Critical bug fixes

CRITICAL FIX: Magic link token validation

Fixed database table name mismatches causing immediate token expired errors
Token validation was querying non-existent kla_login_tokens table
Updated 10 SQL queries to use correct chrmrtns_kla_* table prefix
Tokens stored in chrmrtns_kla_login_tokens but lookups used kla_login_tokens

CRITICAL FIX: 2FA grace period redirect

Fixed malformed URL when grace period expires
Changed from wp_login_url with query string to add_query_arg()
Prevents incorrect URL encoding of query parameters

Additional fixes:

Removed unused variable in backup code validation
Fixed all database queries to use correct table names

Impact: Users experiencing immediate token expiration on magic links should now login successfully

Location:

keyless-auth

Files:

: 33 added
: 4 edited

tags/2.7.3 (added)
tags/2.7.3/LICENSE (added)
tags/2.7.3/assets (added)
tags/2.7.3/assets/css (added)
tags/2.7.3/assets/css/2fa-frontend.css (added)
tags/2.7.3/assets/css/admin-style.css (added)
tags/2.7.3/assets/css/forms-enhanced-dark.css (added)
tags/2.7.3/assets/css/forms-enhanced-light.css (added)
tags/2.7.3/assets/css/forms-enhanced.css (added)
tags/2.7.3/assets/css/style-back-end.css (added)
tags/2.7.3/assets/css/style-front-end.css (added)
tags/2.7.3/assets/js (added)
tags/2.7.3/assets/js/2fa-frontend.js (added)
tags/2.7.3/assets/js/admin-script.js (added)
tags/2.7.3/assets/js/qrcode.js (added)
tags/2.7.3/assets/js/qrcode.min.js (added)
tags/2.7.3/assets/logo_150_150.png (added)
tags/2.7.3/inc (added)
tags/2.7.3/inc/chrmrtns.class.notices.php (added)
tags/2.7.3/includes (added)
tags/2.7.3/includes/class-chrmrtns-kla-2fa-core.php (added)
tags/2.7.3/includes/class-chrmrtns-kla-2fa-frontend.php (added)
tags/2.7.3/includes/class-chrmrtns-kla-admin.php (added)
tags/2.7.3/includes/class-chrmrtns-kla-core.php (added)
tags/2.7.3/includes/class-chrmrtns-kla-database.php (added)
tags/2.7.3/includes/class-chrmrtns-kla-email-templates.php (added)
tags/2.7.3/includes/class-chrmrtns-kla-mail-logger.php (added)
tags/2.7.3/includes/class-chrmrtns-kla-smtp.php (added)
tags/2.7.3/includes/class-chrmrtns-kla-totp.php (added)
tags/2.7.3/keyless-auth.php (added)
tags/2.7.3/languages (added)
tags/2.7.3/languages/keyless-auth.pot (added)
tags/2.7.3/readme.txt (added)
trunk/includes/class-chrmrtns-kla-2fa-core.php (modified) (1 diff)
trunk/includes/class-chrmrtns-kla-database.php (modified) (12 diffs)
trunk/keyless-auth.php (modified) (2 diffs)
trunk/readme.txt (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

keyless-auth/trunk/includes/class-chrmrtns-kla-2fa-core.php

r3372203	r3378867
725	725	if (time() > $grace_end) {
726	726	wp_logout();
727		wp_redirect(~~wp_login_url('?chrmrtns_kla_2fa_required=1'~~));
	727	wp_redirect(add_query_arg('chrmrtns_kla_2fa_required', '1', wp_login_url()));
728	728	exit;
729	729	}

keyless-auth/trunk/includes/class-chrmrtns-kla-database.php

-                      r3378019
+                      r3378867
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $where_clause and $order_by are properly sanitized above
         $sql = "SELECT * FROM {$wpdb->prefix}kla_login_logs
+        $sql = "SELECT * FROM {$wpdb->prefix}chrmrtns_kla_login_logs
                 WHERE $where_clause
                 ORDER BY $order_by
 …
         // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $sql is hardcoded with proper placeholders, no dynamic content
         $sql = "SELECT * FROM {$wpdb->prefix}kla_login_tokens
+        $sql = "SELECT * FROM {$wpdb->prefix}chrmrtns_kla_login_tokens
                 WHERE user_id = %d
                 AND token_hash = %s
 …
         // Increment attempt count for failed attempts
         $wpdb->query($wpdb->prepare(
             "UPDATE {$wpdb->prefix}kla_login_tokens
+            "UPDATE {$wpdb->prefix}chrmrtns_kla_login_tokens
              SET attempt_count = attempt_count + 1
              WHERE user_id = %d AND token_hash = %s",
 …
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $where_clause is safely constructed above
         $sql = "DELETE FROM {$wpdb->prefix}kla_login_tokens WHERE $where_clause"; // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+        $sql = "DELETE FROM {$wpdb->prefix}chrmrtns_kla_login_tokens WHERE $where_clause"; // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
         if (!empty($where_values)) {
 …
         // Total logins
         // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching -- Statistics query for custom table
         $stats['total_logins'] = $wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}kla_login_logs WHERE status = 'success'");
+        $stats['total_logins'] = $wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}chrmrtns_kla_login_logs WHERE status = 'success'");
         // Logins this month
         // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching -- Statistics query for custom table
         $stats['logins_this_month'] = $wpdb->get_var(
             "SELECT COUNT(*) FROM {$wpdb->prefix}kla_login_logs
+            "SELECT COUNT(*) FROM {$wpdb->prefix}chrmrtns_kla_login_logs
              WHERE status = 'success'
              AND login_time >= DATE_FORMAT(NOW(), '%Y-%m-01')"
 …
         // Failed attempts
         // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching -- Statistics query for custom table
         $stats['failed_attempts'] = $wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}kla_login_logs WHERE status = 'failed'");
+        $stats['failed_attempts'] = $wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}chrmrtns_kla_login_logs WHERE status = 'failed'");
         // Total emails sent
         // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching -- Statistics query for custom table
         $stats['emails_sent'] = $wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}kla_mail_logs WHERE status = 'sent'");
+        $stats['emails_sent'] = $wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}chrmrtns_kla_mail_logs WHERE status = 'sent'");
         // Active tokens
         // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching -- Statistics query for custom table
         $stats['active_tokens'] = $wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}kla_login_tokens WHERE expires_at > NOW() AND is_used = 0");
+        $stats['active_tokens'] = $wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}chrmrtns_kla_login_tokens WHERE expires_at > NOW() AND is_used = 0");
         return $stats;
 …
         // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching -- Maintenance cleanup of old logs
         $login_deleted = $wpdb->query($wpdb->prepare(
             "DELETE FROM {$wpdb->prefix}kla_login_logs WHERE login_time < %s",
+            "DELETE FROM {$wpdb->prefix}chrmrtns_kla_login_logs WHERE login_time < %s",
             $date_threshold
         ));
 …
         // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching -- Maintenance cleanup of old logs
         $mail_deleted = $wpdb->query($wpdb->prepare(
             "DELETE FROM {$wpdb->prefix}kla_mail_logs WHERE sent_time < %s",
+            "DELETE FROM {$wpdb->prefix}chrmrtns_kla_mail_logs WHERE sent_time < %s",
             $date_threshold
         ));
 …
         // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching -- Querying custom devices table
         $existing = $wpdb->get_row($wpdb->prepare(
             "SELECT id FROM {$wpdb->prefix}kla_user_devices WHERE user_id = %d AND device_fingerprint = %s",
+            "SELECT id FROM {$wpdb->prefix}chrmrtns_kla_user_devices WHERE user_id = %d AND device_fingerprint = %s",
             $user_id, $device_fingerprint
         ));
 …
         $result = $wpdb->get_row($wpdb->prepare(
             "SELECT totp_secret, totp_enabled, totp_backup_codes, totp_last_used, totp_failed_attempts, totp_locked_until
              FROM {$wpdb->prefix}kla_user_devices
+             FROM {$wpdb->prefix}chrmrtns_kla_user_devices
              WHERE user_id = %d AND totp_enabled = 1
              LIMIT 1",
 …
             // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching -- Updating custom devices table
             $wpdb->query($wpdb->prepare(
                 "UPDATE {$wpdb->prefix}kla_user_devices
+                "UPDATE {$wpdb->prefix}chrmrtns_kla_user_devices
                  SET totp_failed_attempts = totp_failed_attempts + 1,
                      totp_locked_until = CASE
 …
         $base_query = "SELECT u.ID, u.user_login, u.user_email, u.display_name, d.totp_enabled, d.totp_last_used, d.totp_failed_attempts, d.totp_locked_until
                        FROM {$wpdb->users} u
                        INNER JOIN {$wpdb->prefix}kla_user_devices d ON u.ID = d.user_id AND d.totp_enabled = 1";
+                       INNER JOIN {$wpdb->prefix}chrmrtns_kla_user_devices d ON u.ID = d.user_id AND d.totp_enabled = 1";
         if (!empty($search)) {

keyless-auth/trunk/keyless-auth.php

-                      r3378019
+                      r3378867
 * Plugin URI: https://github.com/chrmrtns/keyless-auth
 * Description: Enhanced passwordless authentication allowing users to login securely without passwords via email magic links. Fork of Passwordless Login by Cozmoslabs with additional security features.
 * Version: 2.7.2
+* Version: 2.7.3
 * Author: Chris Martens
 * Author URI: https://github.com/chrmrtns
 …
 // Define plugin constants
 define('CHRMRTNS_KLA_VERSION', '2.7.2');
+define('CHRMRTNS_KLA_VERSION', '2.7.3');
 define('CHRMRTNS_KLA_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('CHRMRTNS_KLA_PLUGIN_URL', plugin_dir_url(__FILE__));

keyless-auth/trunk/readme.txt

-                      r3378019
+                      r3378867
 Requires at least: 3.9
 Tested up to: 6.8
 Stable tag: 2.7.2
+Stable tag: 2.7.3
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 …
 == Changelog ==
+= 2.7.3 =
+* CRITICAL FIX: Magic link token validation - Fixed database table name mismatches causing "token expired" errors
+* CRITICAL FIX: 2FA grace period redirect - Fixed malformed URL when grace period expires (proper use of add_query_arg)
+* FIX: Database queries now correctly reference chrmrtns_kla_* tables instead of kla_* tables (10 query fixes)
+* FIX: Removed unused variable $code_hash in backup code validation function
+* TECHNICAL: Token validation was querying non-existent kla_login_tokens table instead of chrmrtns_kla_login_tokens
+* TECHNICAL: Fixed inconsistency between table creation (chrmrtns_kla_*) and queries (kla_*)
+* IMPACT: Users experiencing immediate token expiration on magic links should now login successfully
 = 2.7.2 =
 * FIX: Database table naming - Renamed all tables from kla_* to chrmrtns_kla_* for unique namespace and collision prevention

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory