it() {
if ((!is_admin() || (defined('DOING_AJAX') && DOING_AJAX)) && is_user_logged_in() && file_exists($this->includes_dir().'/tfa_frontend.php')) {
$this->load_frontend();
} else {
add_shortcode('twofactor_user_settings', array($this, 'shortcode_when_not_logged_in'));
}
}
/**
* Return the TOTP provider object.
*
* @param String $controller_id - which controller
*
* @return Simba_TFA_Provider_totp
*/
public function get_controller($controller_id = 'totp') {
return $this->controllers[$controller_id];
}
/**
* Return all OTP controllers
*
* @return Array
*/
public function get_controllers() {
return $this->controllers;
}
/**
* Deprecated synonym for get_controller('totp')
*
* @return Simba_TFA_Provider_totp
*/
public function get_totp_controller() {
trigger_error("Deprecated: Call get_controller('totp'), not get_totp_controller()", E_USER_WARNING);
return $this->get_controller('totp');
}
/**
* "Shared" - i.e. could be called from either front-end or back-end
*/
public function shared_ajax() {
if (empty($_POST['subaction']) || empty($_POST['nonce']) || !is_user_logged_in() || !wp_verify_nonce($_POST['nonce'], 'tfa_shared_nonce')) die('Security check (3).');
global $current_user;
$subaction = $_POST['subaction'];
if ('refreshotp' == $subaction) {
$code = $this->get_controller('totp')->get_current_code($current_user->ID);
if (false === $code) die(json_encode(array('code' => '')));
die(json_encode(array('code' => $code)));
} elseif ('untrust_device' == $subaction && isset($_POST['device_id'])) {
$this->untrust_device(stripslashes($_POST['device_id']));
ob_start();
$this->include_template('trusted-devices-inner-box.php', array('trusted_devices' => $this->user_get_trusted_devices()));
echo json_encode(array('trusted_list' => ob_get_clean()));
}
exit;
}
/**
* Mark a device as untrusted for the current user
*
* @param String $device_id
*/
protected function untrust_device($device_id) {
$trusted_devices = $this->user_get_trusted_devices();
unset($trusted_devices[$device_id]);
global $current_user;
$current_user_id = $current_user->ID;
$this->user_set_trusted_devices($current_user_id, $trusted_devices);
}
/**
* Called upon the AJAX action simbatfa-init-otp . Will die.
*
* Uses these keys from $_POST: user
*/
public function tfaInitLogin() {
if (empty($_POST['user'])) die('Security check (2).');
if (defined('TWO_FACTOR_DISABLE') && TWO_FACTOR_DISABLE) {
$res = array('result' => false, 'user_can_trust' => false);
} else {
if (!function_exists('sanitize_user')) require_once ABSPATH.WPINC.'/formatting.php';
// WP's password-checking sanitizes the supplied user, so we must do the same to check if TFA is enabled for them
$auth_info = array('log' => sanitize_user(stripslashes((string)$_POST['user'])));
if (!empty($_COOKIE['simbatfa_trust_token'])) $auth_info['trust_token'] = (string) $_COOKIE['simbatfa_trust_token'];
$res = $this->pre_auth($auth_info, 'array');
}
$results = array(
'jsonstarter' => 'justhere',
'status' => $res['result'],
);
if (!empty($res['user_can_trust'])) {
$results['user_can_trust'] = 1;
if (!empty($res['user_already_trusted'])) $results['user_already_trusted'] = 1;
}
if (!empty($this->output_buffering)) {
if (!empty($this->logged)) {
$results['php_output'] = $this->logged;
}
restore_error_handler();
$buffered = ob_get_clean();
if ($buffered) $results['extra_output'] = $buffered;
}
$results = apply_filters('simbatfa_check_tfa_requirements_ajax_response', $results);
echo json_encode($results);
exit;
}
/**
* Enable or disable TFA for a user
*
* @param Integer $user_id - the WordPress user ID
* @param String $setting - either "true" (to turn on) or "false" (to turn off)
*/
public function change_tfa_enabled_status($user_id, $setting) {
$previously_enabled = $this->is_activated_by_user($user_id) ? 1 : 0;
$setting = ('true' === $setting) ? 1 : 0;
update_user_meta($user_id, 'tfa_enable_tfa', $setting);
do_action('simba_tfa_activation_status_saved', $user_id, $setting, $previously_enabled, $this);
}
/**
* Here's where the login action happens. Called on the WP 'authenticate' action (which also happens when wp-login.php loads, so parameters need checking).
*
* @param WP_Error|WP_User $user
* @param String $username - this is not necessarily the WP username; it is whatever was typed in the form, so can be an email address
* @param String $password
*
* @return WP_Error|WP_User
*/
public function tfaVerifyCodeAndUser($user, $username, $password) {
// Do not require a TFA code when authenticating via cookie (or other non-login-form mechanism)
if ('' === $username && is_multisite()) return $user;
// When both the AIOWPS and Two Factor Authentication plugins are active, this function is called more than once; that should be short-circuited.
if (isset(self::$is_authenticated[$this->authentication_slug]) && self::$is_authenticated[$this->authentication_slug]) {
return $user;
}
if (is_a($user, 'WP_User') && !empty($user->ID)) {
if (in_array($user->ID, $this->application_passwords_authenticated)) {
// User authenticated via an application password (and thus - see wp_authenticate_application_password - via an API request). Do not require a TFA code.
return $user;
}
}
$original_user = $user;
$params = stripslashes_deep($_POST);
// If (only) the error was a wrong password, but it looks like the user appended a TFA code to their password, then have another go
if (is_wp_error($user) && array('incorrect_password') == $user->get_error_codes() && !isset($params['two_factor_code']) && false !== ($from_password = apply_filters('simba_tfa_tfa_from_password', false, $password))) {
// This forces a new password authentication below
$user = false;
}
if (is_wp_error($user)) {
$ret = $user;
} else {
if (is_object($user) && isset($user->ID) && isset($user->user_login)) {
$params['log'] = $user->user_login;
// Confirm that this is definitely a username regardless of its format
$may_be_email = false;
} else {
$params['log'] = $username;
$may_be_email = true;
}
$params['caller'] = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['REQUEST_URI'];
if (!empty($_COOKIE['simbatfa_trust_token'])) $params['trust_token'] = (string) $_COOKIE['simbatfa_trust_token'];
if (isset($from_password) && false !== $from_password) {
// Support login forms that can't be hooked via appending to the password
$speculatively_try_appendage = true;
$params['two_factor_code'] = $from_password['tfa_code'];
}
$code_ok = $this->authorise_user_from_login($params, $may_be_email);
if (is_wp_error($code_ok)) {
$ret = $code_ok;
} elseif (!$code_ok) {
$encryption_enabled = $this->get_option('tfa_encrypt_secrets');
$additional = ($encryption_enabled && (!defined('SIMBA_TFA_DB_ENCRYPTION_KEY') || '' === SIMBA_TFA_DB_ENCRYPTION_KEY)) ? ' ' . htmlspecialchars(__('The "encrypt secrets" feature is currently enabled, but no encryption key has been found (set via the SIMBA_TFA_DB_ENCRYPTION_KEY constant).', 'all-in-one-wp-security-and-firewall').' '.__('This indicates that either setup failed, or your WordPress installation has been corrupted.', 'all-in-one-wp-security-and-firewall')) . ' '. __('Go here for the FAQs, which explain how a website owner can de-activate the plugin without needing to login.', 'all-in-one-wp-security-and-firewall') .'' : '';
$ret = new WP_Error('authentication_failed', ''.__('Error:', 'all-in-one-wp-security-and-firewall').' '.apply_filters('simba_tfa_message_code_incorrect', __('The one-time password (TFA code) you entered was incorrect.', 'all-in-one-wp-security-and-firewall') . $additional));
if (is_a($user, 'WP_User')) $this->log_incorrect_tfa_code_attempt($user);
} elseif ($user) {
$ret = $user;
} else {
if (!empty($speculatively_try_appendage) && true === $code_ok) {
$password = $from_password['password'];
}
$username_is_email = false;
if (function_exists('wp_authenticate_username_password') && $may_be_email && filter_var($username, FILTER_VALIDATE_EMAIL)) {
global $wpdb;
// This has to match self::authorise_user_from_login()
$response = $wpdb->get_row($wpdb->prepare("SELECT ID, user_registered from ".$wpdb->users." WHERE user_email=%s", $username));
if (is_object($response)) $username_is_email = true;
}
$ret = $username_is_email ? wp_authenticate_email_password(null, $username, $password) : wp_authenticate_username_password(null, $username, $password);
}
}
$ret = apply_filters('simbatfa_verify_code_and_user_result', $ret, $original_user, $username, $password);
// If the TFA code was actually validated (not just not required, for example), then $code_ok is (boolean)true
if (isset($code_ok) && true === $code_ok && is_a($ret, 'WP_User')) {
// Though $_SERVER['SERVER_NAME'] can't always be trusted (if the webserver is misconfigured), anyone using this already has password and TFA clearance.
if (!empty($params['simba_tfa_mark_as_trusted']) && $this->user_can_trust($ret->ID) && (is_ssl() || (!empty($_SERVER['SERVER_NAME']) && ('localhost' == $_SERVER['SERVER_NAME'] ||'127.0.0.1' == $_SERVER['SERVER_NAME'] || preg_match('/\.localdomain$/', $_SERVER['SERVER_NAME']))))) {
$trusted_for = $this->get_option('tfa_trusted_for');
$trusted_for = (false === $trusted_for) ? 30 : (string) absint($trusted_for);
$this->trust_device($ret->ID, $trusted_for);
}
}
self::$is_authenticated[$this->authentication_slug] = true;
return $ret;
}
/**
* Save incorrect TFA code attempts in database
*
* @param Array $tfa_incorrect_code_attempts - all user info with incorrent code attempts
* @param Boolean $udpate - update in option table
*
* @retrun Void
*/
private function save_incorrect_tfa_code_attempts($tfa_incorrect_code_attempts, $update = false) {
if ($update) {
update_site_option('tfa_incorrect_code_attempts', $tfa_incorrect_code_attempts);
} else {
add_site_option('tfa_incorrect_code_attempts', $tfa_incorrect_code_attempts);
}
}
/**
* Remove old incorrect TFA code attempts
*
* @param Array $user_info - user invalid attempts
*
* @retrun Array
*/
private function remove_incorrect_tfa_code_old_attempts($user_info) {
$splice_recs = 0;
foreach ($user_info['attempts'] as $attempt) {
$mins_diff = (time() - $attempt['activity_time']) / 60;
if ($mins_diff >= TFA_INCORRECT_ATTEMPTS_WITHIN_MINUTES_LIMIT) {
$splice_recs++;
}
}
if ($splice_recs > 0) array_splice($user_info['attempts'], 0, $splice_recs); // remove all older attempts.
return $user_info;
}
/**
* Log incorrect TFA code attempt and email user if attempt exceeded limit
*
* @param WP_User $user - user object for teh user logging in
*
* @retrun Void
*/
private function log_incorrect_tfa_code_attempt($user) {
$tfa_incorrect_code_attempts = get_site_option('tfa_incorrect_code_attempts');
if (empty($tfa_incorrect_code_attempts)) $tfa_incorrect_code_attempts = array();
$userinfo_added = false;
$update = false;
if (count($tfa_incorrect_code_attempts) > 0) {
foreach ($tfa_incorrect_code_attempts as $i => $user_info) {
$user_info = $this->remove_incorrect_tfa_code_old_attempts($user_info); // remove old (before 30 mins) incorrect tfa code attempts by users
if ($user_info['username'] == $user->user_login) {
$userinfo_added = true;
if (count($user_info['attempts']) >= TFA_INCORRECT_MAX_ATTEMPTS_ALLOWED_LIMIT && empty($user_info['mailsent'])) {
$this->notify_incorrect_tfa_code_attempts($user_info, $user->user_email); // if incorrect tfa attempts are more than max allowed notify user by email that some one else has your password.
$user_info['mailsent'] = 1;
} else {
if (0 == count($user_info['attempts'])) $user_info['mailsent'] = 0;
$user_info['attempts'][] = $this->get_incorrect_tfa_attempt_info(); //add new incorrect attempt for existing user.
}
}
$tfa_incorrect_code_attempts[$i] = $user_info;
}
$update = true;
}
if (false == $userinfo_added) {
$tfa_incorrect_code_attempts[] = $this->get_incorrect_tfa_user_info($user); //add incorrect attempt with username etc info.
}
$this->save_incorrect_tfa_code_attempts($tfa_incorrect_code_attempts, $update);
}
/**
* Get incorrect attempt info time and IP address to save in database
*
* @retrun Array
*/
private function get_incorrect_tfa_attempt_info() {
$ip_address = apply_filters('tfa_user_ip_address', $_SERVER['REMOTE_ADDR']);
return array('activity_time' => time(), 'ip_address' => $ip_address);
}
/**
* Get incorrect attempt with userinfo to save in database
*
* @param WP_User $user - logging in user object
*
* @retrun Array
*/
private function get_incorrect_tfa_user_info($user) {
return array('username' => $user->user_login, 'attempts' => array($this->get_incorrect_tfa_attempt_info()));
}
/**
* Notify user might be someone else has your possword
*
* @param Array $user_info - user's incorrect attempt informaion
* @param String $user_email - user email address notification to be sent.
*/
private function notify_incorrect_tfa_code_attempts($user_info, $user_email) {
$subject = __('Incorrect TFA code attempts', 'all-in-one-wp-security-and-firewall');
$email_msg = sprintf(__('There has been an incorrect TFA code entered for logging in to your account %s.', 'all-in-one-wp-security-and-firewall'), $user_info['username']) . "\n\n" .
__('Attempts', 'all-in-one-wp-security-and-firewall') . "\n\n";
foreach ($user_info['attempts'] as $index => $attempt) {
$email_msg.= ($index+1) . '. ' . wp_date('F j, Y g:i a', $attempt['activity_time'], wp_timezone()) . ' ' . __('from', 'all-in-one-wp-security-and-firewall') . ' ' . $attempt['ip_address']. "\n";
}
$email_msg.= "\n" . __('If the above attempts were not by you then someone else has your password.', 'all-in-one-wp-security-and-firewall') . "\n" .
__('TFA codes are checked only after the password has been successfully checked.', 'all-in-one-wp-security-and-firewall') . "\n\n" .
__('Please change your password urgently.', 'all-in-one-wp-security-and-firewall') . "\n";
$mail_sent = wp_mail($user_email, $subject, $email_msg);
}
// N.B. - This doesn't check is_activated_for_user() - the caller would normally want to do that first
public function user_can_trust($user_id) {
// Default is false because this is a new feature and we don't want to surprise existing users by granting broader access than they expected upon an upgrade
return apply_filters('simba_tfa_user_can_trust', false, $user_id);
}
/**
* Should the user be asked for a TFA code? And optionally, is the user allowed to trust devices?
*
* @param Array $params - the key used is 'log', indicating the username or email address
* @param String $response_format - 'simple' (historic format) or 'array' (richer info)
*
* @return Boolean
*/
public function pre_auth($params, $response_format = 'simple') {
global $wpdb;
$query = filter_var($params['log'], FILTER_VALIDATE_EMAIL) ? $wpdb->prepare("SELECT ID, user_email from ".$wpdb->users." WHERE user_email=%s", $params['log']) : $wpdb->prepare("SELECT ID, user_email from ".$wpdb->users." WHERE user_login=%s", $params['log']);
$user = $wpdb->get_row($query);
if (!$user && filter_var($params['log'], FILTER_VALIDATE_EMAIL)) {
// Corner-case: login looks like an email, but is a username rather than email address
$user = $wpdb->get_row($wpdb->prepare("SELECT ID, user_email from ".$wpdb->users." WHERE user_login=%s", $params['log']));
}
$is_activated_for_user = true;
$is_activated_by_user = false;
$result = false;
$totp_controller = $this->get_controller('totp');
if ($user) {
$tfa_priv_key = get_user_meta($user->ID, 'tfa_priv_key_64', true);
$is_activated_for_user = $this->is_activated_for_user($user->ID);
$is_activated_by_user = $this->is_activated_by_user($user->ID);
if ($is_activated_for_user && $is_activated_by_user) {
// No private key yet, generate one. This shouldn't really be possible.
if (!$tfa_priv_key) $tfa_priv_key = $totp_controller->addPrivateKey($user->ID);
$code = $totp_controller->generateOTP($user->ID, $tfa_priv_key);
$result = true;
}
}
if ('array' != $response_format) return $result;
$ret = array('result' => $result);
if ($result) {
$ret['user_can_trust'] = $this->user_can_trust($user->ID);
if (!empty($params['trust_token']) && $this->user_trust_token_valid($user->ID, $params['trust_token'])) {
$ret['user_already_trusted'] = 1;
}
}
return $ret;
}
/**
* Print the radio buttons for enabling/disabling TFA
*
* @param Integer $user_id - the WordPress user ID
* @param Boolean $long_label - whether to use a long label rather than a short one
* @param String $style - valid values are "show_current" and "require_current"
*/
public function paint_enable_tfa_radios($user_id, $long_label = false, $style = 'show_current') {
if (!$user_id) return;
if ('require_current' != $style) $style = 'show_current';
$is_required = $this->is_required_for_user($user_id);
$is_activated = $this->is_activated_by_user($user_id);
if ($is_required) {
$require_after = absint($this->get_option('tfa_requireafter'));
echo '
'.sprintf(__('N.B. This site is configured to forbid you to log in if you disable two-factor authentication after your account is %d days old', 'all-in-one-wp-security-and-firewall'), $require_after).'
';
}
$tfa_enabled_label = $long_label ? __('Enable two-factor authentication', 'all-in-one-wp-security-and-firewall') : __('Enabled', 'all-in-one-wp-security-and-firewall');
if ('show_current' == $style) {
$tfa_enabled_label .= ' '.sprintf(__('(Current code: %s)', 'all-in-one-wp-security-and-firewall'), $this->get_controller('totp')->current_otp_code($user_id));
} elseif ('require_current' == $style) {
$tfa_enabled_label .= ' '.sprintf(__('(you must enter the current code: %s)', 'all-in-one-wp-security-and-firewall'), '');
}
$show_disable = ((is_multisite() && is_super_admin()) || (!is_multisite() && current_user_can($this->get_management_capability())) || false == $is_activated || !$is_required || !$this->get_option('tfa_hide_turn_off')) ? true : false;
$tfa_disabled_label = $long_label ? __('Disable two-factor authentication', 'all-in-one-wp-security-and-firewall') : __('Disabled', 'all-in-one-wp-security-and-firewall');
if ('require_current' == $style) echo ''."\n";
echo ' ';
// Show the 'disabled' option if the user is an admin, or if it is currently set, or if TFA is not compulsory, or if the site owner doesn't require it to be hidden
// Note that this just hides the option in the UI. The user could POST to turn off TFA, but, since it's required, they won't be able to log in.
if ($show_disable) {
echo ' ';
}
}
/**
* Retrieve a saved option
*
* @param String $key - option key
*
* @return Mixed
*/
public function get_option($key) {
if (!is_multisite()) return get_option($key);
$main_site_id = function_exists('get_main_site_id') ? get_main_site_id() : 1;
$get_option_site_id = apply_filters('simba_tfa_get_option_site_id', $main_site_id);
switch_to_blog($get_option_site_id);
$value = get_option($key);
restore_current_blog();
return $value;
}
/**
* Updates an option.
*
* @param String $key - option key
* @param Mixed $value - option value
*
* @return Boolean
*/
public function update_option($key, $value) {
if (!is_multisite()) return update_option($key, $value);
$main_site_id = function_exists('get_main_site_id') ? get_main_site_id() : 1;
$update_option_site_id = apply_filters('simba_tfa_update_option_site_id', $main_site_id);
switch_to_blog($update_option_site_id);
$result = update_option($key, $value);
restore_current_blog();
return $result;
}
/**
* Deletes an option.
*
* @param String $key - option key
*
* @return Boolean
*/
public function delete_option($key) {
if (!is_multisite()) return delete_option($key);
$main_site_id = function_exists('get_main_site_id') ? get_main_site_id() : 1;
$delete_option_site_id = apply_filters('simba_tfa_delete_option_site_id', $main_site_id);
switch_to_blog($delete_option_site_id);
$result = delete_option($key);
restore_current_blog();
return $result;
}
/**
* Paint a list of checkboxes, one for each role
*
* @param String $prefix
* @param Integer $default - default value (0 or 1)
*/
public function list_user_roles_checkboxes($prefix = '', $default = 1) {
if (is_multisite()) {
// Not a real WP role; needs separate handling
$id = '_super_admin';
$name = __('Multisite Super Admin', 'all-in-one-wp-security-and-firewall');
$setting = $this->get_option('tfa_'.$prefix.$id);
$setting = ($setting === false) ? $default : ($setting ? 1 : 0);
echo ' \n";
}
global $wp_roles;
if (!isset($wp_roles)) $wp_roles = new WP_Roles();
foreach ($wp_roles->role_names as $id => $name) {
$setting = $this->get_option('tfa_'.$prefix.$id);
$setting = ($setting === false) ? $default : ($setting ? 1 : 0);
echo ' \n";
}
}
public function tfa_list_xmlrpc_status_radios() {
$setting = $this->get_option('tfa_xmlrpc_on');
$setting = $setting ? 1 : 0;
$types = array(
'0' => __('Do not require 2FA over XMLRPC (best option if you must use XMLRPC and your client does not support 2FA)', 'all-in-one-wp-security-and-firewall'),
'1' => __('Do require 2FA over XMLRPC (best option if you do not use XMLRPC or are unsure)', 'all-in-one-wp-security-and-firewall')
);
foreach($types as $id => $name) {
print ' \n";
}
}
protected function is_caller_active() {
if (!defined('XMLRPC_REQUEST') || !XMLRPC_REQUEST) return true;
$saved_data = $this->get_option('tfa_xmlrpc_on');
return $saved_data ? true : false;
}
/**
* @param Array $params
* @param Boolean $may_be_email
*
* @return WP_Error|Boolean|Integer - WP_Error or false means failure; true or 1 means success, but true means the TFA code was validated
*/
public function authorise_user_from_login($params, $may_be_email = false) {
$params = apply_filters('simbatfa_auth_user_from_login_params', $params);
global $wpdb;
if (!$this->is_caller_active()) return 1;
$query = ($may_be_email && filter_var($params['log'], FILTER_VALIDATE_EMAIL)) ? $wpdb->prepare("SELECT ID, user_registered from ".$wpdb->users." WHERE user_email=%s", $params['log']) : $wpdb->prepare("SELECT ID, user_registered from ".$wpdb->users." WHERE user_login=%s", $params['log']);
$response = $wpdb->get_row($query);
if (!$response && $may_be_email && filter_var($params['log'], FILTER_VALIDATE_EMAIL)) {
// Corner-case: login looks like an email, but is a username rather than email address
$response = $wpdb->get_row($wpdb->prepare("SELECT ID, user_registered from ".$wpdb->users." WHERE user_login=%s", $params['log']));
}
$user_id = is_object($response) ? $response->ID : false;
$user_registered = is_object($response) ? $response->user_registered : false;
$user_code = isset($params['two_factor_code']) ? str_replace(' ', '', trim($params['two_factor_code'])) : '';
// This condition in theory should not be possible
if (!$user_id) return new WP_Error('tfa_user_not_found', apply_filters('simbatfa_tfa_user_not_found', ''.__('Error:', 'all-in-one-wp-security-and-firewall').' '.__('The indicated user could not be found.', 'all-in-one-wp-security-and-firewall')));
if (!$this->is_activated_for_user($user_id)) return 1;
if (!empty($params['trust_token']) && $this->user_trust_token_valid($user_id, $params['trust_token'])) {
return 1;
}
if (!$this->is_activated_by_user($user_id)) {
if (!$this->is_required_for_user($user_id)) return 1;
$enforce_require_after_check = true;
$require_enforce_after = $this->get_option('tfa_require_enforce_after');
// Don't enforce if the setting has never been saved
if (is_string($require_enforce_after) && preg_match('#^(\d+)-(\d+)-(\d+)$#', $require_enforce_after, $enforce_matches)) {
// wp_date() is WP 5.3+, but performs translation into the site locale
$current_date = function_exists('wp_date') ? wp_date('Y-m-d') : get_date_from_gmt(gmdate('Y-m-d H:i:s'), 'Y-m-d');
if (preg_match('#^(\d+)-(\d+)-(\d+)$#', $current_date, $current_date_matches)) {
if ($current_date_matches[0] < $enforce_matches[0] || ($current_date_matches[0] == $enforce_matches[0] && ($current_date_matches[1] < $enforce_matches[1] || ($current_date_matches[1] == $enforce_matches[1] && $current_date_matches[2] < $enforce_matches[2])))) {
// Enforcement not yet begun; skip
$enforce_require_after_check = false;
}
}
}
$require_after = absint($this->get_option('tfa_requireafter')) * 86400;
$account_age = time() - strtotime($user_registered);
if ($account_age > $require_after && apply_filters('simbatfa_enforce_require_after_check', $enforce_require_after_check, $user_id, $require_after, $account_age)) {
return new WP_Error('tfa_required', apply_filters('simbatfa_notfa_forbidden_login', ''.__('Error:', 'all-in-one-wp-security-and-firewall').' '.__('The site owner has forbidden you to login without two-factor authentication. Please contact the site owner to re-gain access.', 'all-in-one-wp-security-and-firewall')));
}
return 1;
}
$tfa_creds_user_id = !empty($params['creds_user_id']) ? $params['creds_user_id'] : $user_id;
if ($tfa_creds_user_id != $user_id) {
// Authenticating using a different user's credentials (e.g. https://wordpress.org/plugins/use-administrator-password/)
// In this case, we require that different user to have TFA active - so that this mechanism can't be used to avoid TFA
if (!$this->is_activated_for_user($tfa_creds_user_id) || !$this->is_activated_by_user($tfa_creds_user_id)) {
return new WP_Error('tfa_required', apply_filters('simbatfa_notfa_forbidden_login_altuser', ''.__('Error:', 'all-in-one-wp-security-and-firewall').' '.__('You are attempting to log in to an account that has two-factor authentication enabled; this requires you to also have two-factor authentication enabled on the account whose credentials you are using.', 'all-in-one-wp-security-and-firewall')));
}
}
return $this->get_controller('totp')->check_code_for_user($tfa_creds_user_id, $user_code);
}
/**
* Evaluate whether a trust token is valid for a user
*
* @param Integer $user_id - WP user ID
* @param String $trust_token - trust token
*
* @return Boolean
*/
protected function user_trust_token_valid($user_id, $trust_token) {
if (!is_string($trust_token) || strlen($trust_token) < 30) return false;
$trusted_devices = $this->user_get_trusted_devices($user_id);
$time_now = time();
foreach ($trusted_devices as $device) {
if (empty($device['until']) || $device['until'] <= $time_now) continue;
if (!empty($device['token']) && $device['token'] === $trust_token) {
return true;
}
}
return false;
}
/**
* This deals with the issue that wp-login.php does not redirect to a canonical URL. As a result, if a website is available under more than one host, then admin_url('admin-ajax.php') might return a different one than the visitor is using, resulting in AJAX failing due to CORS errors.
*
* @return String
*/
protected function get_ajax_url() {
$ajax_url = admin_url('admin-ajax.php');
$parsed_url = parse_url($ajax_url);
if (strtolower($parsed_url['host']) !== strtolower($_SERVER['HTTP_HOST']) && !empty($parsed_url['path'])) {
// Mismatch - return the relative URL only
$ajax_url = $parsed_url['path'];
}
return $ajax_url;
}
/**
* Called not only upon the WP action login_enqueue_scripts, but potentially upon the action 'init' and various others from other plugins too. It can handle being called multiple times.
*/
public function login_enqueue_scripts() {
if (!$this->should_enqueue_login_scripts()) {
return;
}
if (isset($_GET['action']) && 'logout ' != $_GET['action'] && 'login' != $_GET['action']) return;
static $already_done = false;
if ($already_done) return;
$already_done = true;
// Prevent caching when in debug mode
$script_ver = (defined('WP_DEBUG') && WP_DEBUG) ? time() : filemtime($this->includes_dir().'/tfa.js');
wp_enqueue_script('tfa-ajax-request', $this->includes_url().'/tfa.js', array('jquery'), $script_ver);
$trusted_for = $this->get_option('tfa_trusted_for');
$trusted_for = (false === $trusted_for) ? 30 : (string) absint($trusted_for);
$localize = array(
'ajaxurl' => $this->get_ajax_url(),
'click_to_enter_otp' => __("Click to enter One Time Password", 'all-in-one-wp-security-and-firewall'),
'enter_username_first' => __('You have to enter a username first.', 'all-in-one-wp-security-and-firewall'),
'otp' => __('One Time Password (i.e. 2FA)', 'all-in-one-wp-security-and-firewall'),
'otp_login_help' => __('(check your OTP app to get this password)', 'all-in-one-wp-security-and-firewall'),
'mark_as_trusted' => sprintf(_n('Trust this device (allow login without 2FA for %d day)', 'Trust this device (allow login without TFA for %d days)', $trusted_for, 'all-in-one-wp-security-and-firewall'), $trusted_for),
'is_trusted' => __('(Trusted device - no OTP code required)', 'all-in-one-wp-security-and-firewall'),
'nonce' => wp_create_nonce('simba_tfa_loginform_nonce'),
'login_form_selectors' => '',
'login_form_off_selectors' => '',
'error' => __('An error has occurred. Site owners can check the JavaScript console for more details.', 'all-in-one-wp-security-and-firewall'),
);
// Spinner exists since WC 3.8. Use the proper functions to avoid SSL warnings.
if (file_exists(ABSPATH.'wp-admin/images/spinner-2x.gif')) {
$localize['spinnerimg'] = admin_url('images/spinner-2x.gif');
} elseif (file_exists(ABSPATH.WPINC.'/images/spinner-2x.gif')) {
$localize['spinnerimg'] = includes_url('images/spinner-2x.gif');
}
$localize = apply_filters('simba_tfa_login_enqueue_localize', $localize);
wp_localize_script('tfa-ajax-request', 'simba_tfasettings', $localize);
}
/**
* Check whether TFA login scripts should be enqueued or not.
*
* @return boolean True if the TFA login script should be enqueued, otherwise false.
*/
private function should_enqueue_login_scripts() {
if (defined('TWO_FACTOR_DISABLE') && TWO_FACTOR_DISABLE) {
return apply_filters('simbatfa_enqueue_login_scripts', false);
}
global $wpdb;
$sql = $wpdb->prepare('SELECT COUNT(user_id) FROM ' . $wpdb->usermeta . ' WHERE meta_key = %s AND meta_value = %d LIMIT 1', 'tfa_enable_tfa', 1);
$count_user_id = $wpdb->get_var($sql);
if (is_null($count_user_id)) { // Error in query.
return apply_filters('simbatfa_enqueue_login_scripts', true);
} elseif ($count_user_id > 0) { // A user exists with TFA enabled.
return apply_filters('simbatfa_enqueue_login_scripts', true);
}
// No user exists with TFA enabled.
return apply_filters('simbatfa_enqueue_login_scripts', false);
}
/**
* Return or output view content
*
* @param String $path - path to template, usually relative to templates/ within the plugin directory
* @param Array $extract_these - key/value pairs for substitution into the scope of the template
* @param Boolean $return_instead_of_echo - what to do with the results
*
* @return String|Void
*/
public function include_template($path, $extract_these = array(), $return_instead_of_echo = false) {
if ($return_instead_of_echo) ob_start();
$template_file = apply_filters('simatfa_template_file', $this->templates_dir().'/'.$path, $path, $extract_these, $return_instead_of_echo);
do_action('simbatfa_before_template', $path, $return_instead_of_echo, $extract_these, $template_file);
if (!file_exists($template_file)) {
error_log("TFA: template not found: $template_file (from $path)");
echo __('Error:', 'all-in-one-wp-security-and-firewall').' '.__('Template path not found:', 'all-in-one-wp-security-and-firewall')." (".htmlspecialchars($path).")";
} else {
extract($extract_these);
// The following are useful variables which can be used in the template.
// They appear as unused, but may be used in the $template_file.
$wpdb = $GLOBALS['wpdb'];// phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- $wpdb might be used in the included template
$simba_tfa = $this;// phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- $wp_optimize might be used in the included template
$totp_controller = $this->get_controller('totp');// phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- $wp_optimize might be used in the included template
include $template_file;
}
do_action('simbatfa_after_template', $path, $return_instead_of_echo, $extract_these, $template_file);
if ($return_instead_of_echo) return ob_get_clean();
}
/**
* Make sure that self::$frontend is the instance of Simba_TFA_Frontend, and return it
*
* @return Simba_TFA_Frontend
*/
public function load_frontend() {
if (!class_exists('Simba_TFA_Frontend')) require_once($this->includes_dir().'/tfa_frontend.php');
if (empty($this->frontend)) $this->frontend = new Simba_TFA_Frontend($this);
return $this->frontend;
}
// __return_empty_string() does not exist until WP 3.7
public function shortcode_when_not_logged_in() {
return '';
}
/**
* Set authentication slug.
*
* @param String $authentication_slug - Authentication slug. Verify that two-factor authentication should not be repeated for the same slug.
*/
public function set_authentication_slug($authentication_slug) {
$this->authentication_slug = $authentication_slug;
}
}
Fatal error: Uncaught Error: Class 'Simba_Two_Factor_Authentication_1' not found in /var/www/html/dportilho.com.br/web/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-two-factor-login.php:11
Stack trace:
#0 /var/www/html/dportilho.com.br/web/wp-content/plugins/all-in-one-wp-security-and-firewall/wp-security-core.php(221): include_once()
#1 /var/www/html/dportilho.com.br/web/wp-content/plugins/all-in-one-wp-security-and-firewall/wp-security-core.php(85): AIO_WP_Security->includes()
#2 /var/www/html/dportilho.com.br/web/wp-content/plugins/all-in-one-wp-security-and-firewall/wp-security-core.php(684): AIO_WP_Security->__construct()
#3 /var/www/html/dportilho.com.br/web/wp-content/plugins/all-in-one-wp-security-and-firewall/wp-security.php(54): require_once('/var/www/html/d...')
#4 /var/www/html/dportilho.com.br/web/wp-settings.php(526): include_once('/var/www/html/d...')
#5 /var/www/html/dportilho.com.br/web/wp-config.php(126): require_once('/var/www/html/d...')
#6 /var/www/html/dportilho.com.br/we in /var/www/html/dportilho.com.br/web/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-two-factor-login.php on line 11