Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3402233

Timestamp:

11/25/2025 06:38:28 AM (4 months ago)

Author:

themepaste

Message:

Update to version 1.1.3 from GitHub

Location:

admin-safety-guard

Files:

: 6 edited
: 1 copied

tags/1.1.3 (copied) (copied from admin-safety-guard/trunk)
tags/1.1.3/admin-safety-guard.php (modified) (2 diffs)
tags/1.1.3/app/Classes/Features/TwoFactorAuth.php (modified) (4 diffs)
tags/1.1.3/readme.txt (modified) (2 diffs)
trunk/admin-safety-guard.php (modified) (2 diffs)
trunk/app/Classes/Features/TwoFactorAuth.php (modified) (4 diffs)
trunk/readme.txt (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

admin-safety-guard/tags/1.1.3/admin-safety-guard.php

-                      r3401254
+                      r3402233
 Plugin URI: http://themepaste.com/product/themepaste-secure-admin-pro/
 Description: Secure your WordPress login with Admin safety guard to ensure secured access with limit login attempts, 2FA, reCaptcha, IP Blocking, Disable XML-RPC and activity tracking.
 Version: 1.1.2
+Version: 1.1.3
 Author: Themepaste Team
 Author URI: http://themepaste.com/
 …
         define( 'TPSA_PLUGIN_FILE', __FILE__ );
         define( 'TPSA_PREFIX', 'tpsa' );
         define( 'TPSA_PLUGIN_VERSION', '1.1.2' );
+        define( 'TPSA_PLUGIN_VERSION', '1.1.3' );
         define( 'TPSA_PLUGIN_DIRNAME', dirname( TPSA_PLUGIN_FILE ) );
         define( 'TPSA_PLUGIN_BASENAME', plugin_basename( TPSA_PLUGIN_FILE ) );

admin-safety-guard/tags/1.1.3/app/Classes/Features/TwoFactorAuth.php

-                      r3401251
+                      r3402233
         if ( $this->is_enabled( $settings, 'otp-email' ) ) {
+            $this->action( 'login_form', [$this, 'check_otp_submission'] );
+            // Process OTP submission as early as possible (before HTML output).
+            $this->action( 'login_init', [$this, 'check_otp_submission'] );
+            // Render OTP UI on the login form.
             $this->action( 'login_form', [$this, 'render_otp_input'] );
+            // Intercept username/password login to send OTP first.
             $this->filter( 'authenticate', [$this, 'intercept_login_with_otp'], 30, 3 );
+        }
 …
+}
 </style>
 <div id="tpsa_otp_wrap">
+    <label for="tpsa_otp_field"><?php echo esc_html__( 'One Time Password', 'tp-secure-plugin' ); ?></label>
+    <label for="tpsa_otp_field">
+        <?php echo esc_html__( 'One Time Password', 'tp-secure-plugin' ); ?>
+    </label>
     <input type="hidden" name="tpsa_user_id" value="<?php echo esc_attr( $user_id ); ?>">
     <input type="hidden" name="tpsa_otp_verify" value="1">
 …
     <?php $this->sent_email_message( $user ); ?>
 </div>
+<button type="submit" id="tpsa_verify_btn"><?php echo esc_html__( 'Verify OTP', 'tp-secure-plugin' ); ?></button>
+<button type="submit" id="tpsa_verify_btn">
+    <?php echo esc_html__( 'Verify OTP', 'tp-secure-plugin' ); ?>
+</button>
 <?php
+}
     /**
      * Check OTP submission on login form.
+     * Check OTP submission on login (runs on login_init).
+     *
      * @return void
 …
         $stored_data = get_user_meta( $user_id, '_tpsa_otp_code', true );
         $stored_otp = isset( $stored_data['otp'] ) ? $stored_data['otp'] : '';
+        if ( $otp_input !== $stored_otp ) {
+            // Display error message above the form.
+            add_action(
+                'login_message',
+                function () {
+                    echo '<div style="color:red; margin-bottom:10px;">' .
+                    esc_html__( 'Invalid OTP. Please try again.', 'tp-secure-plugin' ) .
+                        '</div>';
+                }
+            );
+            return;
+        }
+        // OTP is correct – now perform a proper WordPress login using wp_signon().
+        $username = isset( $stored_data['username'] ) ? $stored_data['username'] : '';
+        $password = isset( $stored_data['password'] ) ? $stored_data['password'] : '';
         $remember = !empty( $stored_data['remember'] );
+        if ( $otp_input === $stored_otp ) {
+            // Clean up OTP data.
+            delete_user_meta( $user_id, '_tpsa_otp_code' );
+            // Log user in with correct persistence.
+            wp_set_auth_cookie( $user_id, $remember );
+            wp_set_current_user( $user_id );
+            wp_redirect( admin_url() );
+            exit;
+        } else {
+            // Display error message above the form.
+            add_action( 'login_message', function () {
+                echo '<div style="color:red; margin-bottom:10px;">' . esc_html__( 'Invalid OTP. Please try again.', 'tp-secure-plugin' ) . '</div>';
+            } );
+        }
+        // Clean up OTP data.
+        delete_user_meta( $user_id, '_tpsa_otp_code' );
+        if ( empty( $username ) || empty( $password ) ) {
+            add_action(
+                'login_message',
+                function () {
+                    echo '<div style="color:red; margin-bottom:10px;">' .
+                    esc_html__( 'Login data missing. Please try logging in again.', 'tp-secure-plugin' ) .
+                        '</div>';
+                }
+            );
+            return;
+        }
+        $creds = [
+            'user_login'    => $username,
+            'user_password' => $password,
+            'remember'      => $remember,
+        ];
+        // Let WordPress handle auth, cookies, tokens, Remember Me, etc.
+        $secure_cookie = is_ssl();
+        $user = wp_signon( $creds, $secure_cookie );
+        if ( is_wp_error( $user ) ) {
+            add_action(
+                'login_message',
+                function () {
+                    echo '<div style="color:red; margin-bottom:10px;">' .
+                    esc_html__( 'Login failed after OTP verification. Please try again.', 'tp-secure-plugin' ) .
+                        '</div>';
+                }
+            );
+            return;
+        }
+        // Successful login, redirect to admin.
+        wp_safe_redirect( admin_url() );
+        exit;
+    }

admin-safety-guard/tags/1.1.3/readme.txt

-                      r3401254
+                      r3402233
 Tested up to: 6.8
 Requires PHP: 7.0
 Stable tag: 1.1.2
+Stable tag: 1.1.3
 License: GPLv3 or later
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
 …
 == Changelog ==
+= 1.1.3 =
+* Fixed an issue where OTP-verified logins could result in session cookies instead of persistent cookies.
+* Refactored OTP verification to run earlier in the login flow via `login_init`.
+* Updated the authentication process to use `wp_signon()` so WordPress handles Remember Me cookies correctly.
+* Tested across multiple environments and browsers to confirm expected cookie expiration behavior.
+* Minor improvements and stability adjustments.
+= 1.1.3 =
+* [fix] - Resolved persistent login cookie issue after OTP verification in certain environments.
+* [fix] - OTP validation now runs earlier (`login_init`) to prevent headers already sent & session cookie fallback.
+* [Improved] - Login is now completed through `wp_signon()` to let WordPress handle full cookie generation reliably.
+* [Improved] - Tested across multiple environments and browsers for consistent persistent cookie behavior.
 = 1.1.2 =
 * [fix] - 2FA login cookie session issue when OTP verification completed.

admin-safety-guard/trunk/admin-safety-guard.php

-                      r3401254
+                      r3402233
 Plugin URI: http://themepaste.com/product/themepaste-secure-admin-pro/
 Description: Secure your WordPress login with Admin safety guard to ensure secured access with limit login attempts, 2FA, reCaptcha, IP Blocking, Disable XML-RPC and activity tracking.
 Version: 1.1.2
+Version: 1.1.3
 Author: Themepaste Team
 Author URI: http://themepaste.com/
 …
         define( 'TPSA_PLUGIN_FILE', __FILE__ );
         define( 'TPSA_PREFIX', 'tpsa' );
         define( 'TPSA_PLUGIN_VERSION', '1.1.2' );
+        define( 'TPSA_PLUGIN_VERSION', '1.1.3' );
         define( 'TPSA_PLUGIN_DIRNAME', dirname( TPSA_PLUGIN_FILE ) );
         define( 'TPSA_PLUGIN_BASENAME', plugin_basename( TPSA_PLUGIN_FILE ) );

admin-safety-guard/trunk/app/Classes/Features/TwoFactorAuth.php

-                      r3401251
+                      r3402233
         if ( $this->is_enabled( $settings, 'otp-email' ) ) {
+            $this->action( 'login_form', [$this, 'check_otp_submission'] );
+            // Process OTP submission as early as possible (before HTML output).
+            $this->action( 'login_init', [$this, 'check_otp_submission'] );
+            // Render OTP UI on the login form.
             $this->action( 'login_form', [$this, 'render_otp_input'] );
+            // Intercept username/password login to send OTP first.
             $this->filter( 'authenticate', [$this, 'intercept_login_with_otp'], 30, 3 );
+        }
 …
+}
 </style>
 <div id="tpsa_otp_wrap">
+    <label for="tpsa_otp_field"><?php echo esc_html__( 'One Time Password', 'tp-secure-plugin' ); ?></label>
+    <label for="tpsa_otp_field">
+        <?php echo esc_html__( 'One Time Password', 'tp-secure-plugin' ); ?>
+    </label>
     <input type="hidden" name="tpsa_user_id" value="<?php echo esc_attr( $user_id ); ?>">
     <input type="hidden" name="tpsa_otp_verify" value="1">
 …
     <?php $this->sent_email_message( $user ); ?>
 </div>
+<button type="submit" id="tpsa_verify_btn"><?php echo esc_html__( 'Verify OTP', 'tp-secure-plugin' ); ?></button>
+<button type="submit" id="tpsa_verify_btn">
+    <?php echo esc_html__( 'Verify OTP', 'tp-secure-plugin' ); ?>
+</button>
 <?php
+}
     /**
      * Check OTP submission on login form.
+     * Check OTP submission on login (runs on login_init).
+     *
      * @return void
 …
         $stored_data = get_user_meta( $user_id, '_tpsa_otp_code', true );
         $stored_otp = isset( $stored_data['otp'] ) ? $stored_data['otp'] : '';
+        if ( $otp_input !== $stored_otp ) {
+            // Display error message above the form.
+            add_action(
+                'login_message',
+                function () {
+                    echo '<div style="color:red; margin-bottom:10px;">' .
+                    esc_html__( 'Invalid OTP. Please try again.', 'tp-secure-plugin' ) .
+                        '</div>';
+                }
+            );
+            return;
+        }
+        // OTP is correct – now perform a proper WordPress login using wp_signon().
+        $username = isset( $stored_data['username'] ) ? $stored_data['username'] : '';
+        $password = isset( $stored_data['password'] ) ? $stored_data['password'] : '';
         $remember = !empty( $stored_data['remember'] );
+        if ( $otp_input === $stored_otp ) {
+            // Clean up OTP data.
+            delete_user_meta( $user_id, '_tpsa_otp_code' );
+            // Log user in with correct persistence.
+            wp_set_auth_cookie( $user_id, $remember );
+            wp_set_current_user( $user_id );
+            wp_redirect( admin_url() );
+            exit;
+        } else {
+            // Display error message above the form.
+            add_action( 'login_message', function () {
+                echo '<div style="color:red; margin-bottom:10px;">' . esc_html__( 'Invalid OTP. Please try again.', 'tp-secure-plugin' ) . '</div>';
+            } );
+        }
+        // Clean up OTP data.
+        delete_user_meta( $user_id, '_tpsa_otp_code' );
+        if ( empty( $username ) || empty( $password ) ) {
+            add_action(
+                'login_message',
+                function () {
+                    echo '<div style="color:red; margin-bottom:10px;">' .
+                    esc_html__( 'Login data missing. Please try logging in again.', 'tp-secure-plugin' ) .
+                        '</div>';
+                }
+            );
+            return;
+        }
+        $creds = [
+            'user_login'    => $username,
+            'user_password' => $password,
+            'remember'      => $remember,
+        ];
+        // Let WordPress handle auth, cookies, tokens, Remember Me, etc.
+        $secure_cookie = is_ssl();
+        $user = wp_signon( $creds, $secure_cookie );
+        if ( is_wp_error( $user ) ) {
+            add_action(
+                'login_message',
+                function () {
+                    echo '<div style="color:red; margin-bottom:10px;">' .
+                    esc_html__( 'Login failed after OTP verification. Please try again.', 'tp-secure-plugin' ) .
+                        '</div>';
+                }
+            );
+            return;
+        }
+        // Successful login, redirect to admin.
+        wp_safe_redirect( admin_url() );
+        exit;
+    }

admin-safety-guard/trunk/readme.txt

-                      r3401254
+                      r3402233
 Tested up to: 6.8
 Requires PHP: 7.0
 Stable tag: 1.1.2
+Stable tag: 1.1.3
 License: GPLv3 or later
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
 …
 == Changelog ==
+= 1.1.3 =
+* Fixed an issue where OTP-verified logins could result in session cookies instead of persistent cookies.
+* Refactored OTP verification to run earlier in the login flow via `login_init`.
+* Updated the authentication process to use `wp_signon()` so WordPress handles Remember Me cookies correctly.
+* Tested across multiple environments and browsers to confirm expected cookie expiration behavior.
+* Minor improvements and stability adjustments.
+= 1.1.3 =
+* [fix] - Resolved persistent login cookie issue after OTP verification in certain environments.
+* [fix] - OTP validation now runs earlier (`login_init`) to prevent headers already sent & session cookie fallback.
+* [Improved] - Login is now completed through `wp_signon()` to let WordPress handle full cookie generation reliably.
+* [Improved] - Tested across multiple environments and browsers for consistent persistent cookie behavior.
 = 1.1.2 =
 * [fix] - 2FA login cookie session issue when OTP verification completed.

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: