Limit Login Attempts Security – Login Security, 2FA, Firewall, Brute Force Prevention v3.2.4
limit-login-attempts-reloaded / core / mfa-flow / MfaRestApi.php
<?php

namespace LLAR\Core\MfaFlow;

// Refuse direct requests to this file: stop unless WordPress has defined ABSPATH.
defined( 'ABSPATH' ) || exit;
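/**
 * REST API for MFA flow: send-code endpoint (fallback is AJAX via admin-ajax.php).
 *
 * Security notes for reviewers:
 * - The route is registered with permission_callback '__return_true', so it is
 *   reachable without a WordPress session. The only gate visible in this class is
 *   the "non-empty token and secret" check; validating the pair is left to
 *   MfaFlowSendCode::execute(), which is not shown here.
 *   NOTE(review): confirm that execute() compares the secret in constant time
 *   (hash_equals) and that repeated attempts are throttled.
 * - 'ip', 'browser' and 'location' are values asserted by the caller in the request
 *   body, not taken from the connection.
 *   NOTE(review): confirm they are used as descriptive context only.
 */
class MfaRestApi {

	/** REST namespace the route is registered under. */
	const REST_NAMESPACE = 'llar/v1';

	/** Route path, relative to REST_NAMESPACE. */
	const SEND_CODE_ROUTE = 'mfa/send-code';

	/**
	 * Hook route registration onto rest_api_init.
	 */
	public static function register() {
		add_action( 'rest_api_init', array( __CLASS__, 'register_routes' ) );
	}

	/**
	 * Register the POST-only send-code route.
	 *
	 * Every argument is declared as a string and passed through sanitize_text_field();
	 * only 'token' and 'secret' are required.
	 */
	public static function register_routes() {
		// Argument name => whether the argument is required.
		$arg_names = array(
			'token'    => true,
			'secret'   => true,
			'code'     => false,
			'ip'       => false,
			'browser'  => false,
			'location' => false,
		);

		$args = array();
		foreach ( $arg_names as $name => $required ) {
			$args[ $name ] = array(
				'required'          => $required,
				'type'              => 'string',
				// sanitize_text_field() strips tags, percent-encoded octets and extra whitespace.
				// NOTE(review): confirm the token/secret alphabet is unaffected, otherwise a
				// valid value would be altered before it is checked.
				'sanitize_callback' => 'sanitize_text_field',
			);
		}

		register_rest_route(
			self::REST_NAMESPACE,
			self::SEND_CODE_ROUTE,
			array(
				'methods'             => 'POST',
				'callback'            => array( __CLASS__, 'send_code_callback' ),
				// Deliberately open: the caller has no WordPress session. Authorisation rests
				// on the token/secret pair handled in send_code_callback().
				'permission_callback' => '__return_true',
				'args'                => $args,
			)
		);
	}

	/**
	 * REST callback: MFA send-code. POST only (token, secret, code in request body).
	 *
	 * Responds 403 when token or secret is missing, empty or not a string. Otherwise
	 * the request is handed to MfaFlowSendCode::execute() and its result is mapped to
	 * the response: 'http_status' becomes the status code (200 when absent), 'success'
	 * is cast to bool, and 'message' is included only when non-empty.
	 *
	 * @param \WP_REST_Request $request Request object.
	 * @return \WP_REST_Response
	 */
	public static function send_code_callback( $request ) {
		$token  = self::string_param( $request, 'token' );
		$secret = self::string_param( $request, 'secret' );

		// Reject before touching the MFA flow. Non-string values are treated as empty
		// here, so the check does not depend on route-level argument handling alone.
		if ( '' === $token || '' === $secret ) {
			return new \WP_REST_Response(
				array(
					'success' => false,
					'message' => 'Forbidden',
				),
				403
			);
		}

		$code = self::string_param( $request, 'code' );

		// Caller-supplied description of the login attempt; see the class docblock.
		$context = array(
			'ip'       => self::string_param( $request, 'ip' ),
			'browser'  => self::string_param( $request, 'browser' ),
			'location' => self::string_param( $request, 'location' ),
		);

		$result = MfaFlowSendCode::execute( $token, $secret, $code, $context );

		$status = isset( $result['http_status'] ) ? (int) $result['http_status'] : 200;
		$body   = array(
			// A result without a 'success' key counts as failure instead of raising a notice.
			'success' => isset( $result['success'] ) && (bool) $result['success'],
		);
		if ( ! empty( $result['message'] ) ) {
			$body['message'] = $result['message'];
		}

		return new \WP_REST_Response( $body, $status );
	}

	/**
	 * Build REST URL for send-code (POST). Used in handshake as primary send_email_url.
	 * No query args; the MFA app must POST token, secret, and code in the request body.
	 *
	 * @return string
	 */
	public static function get_send_code_rest_url() {
		return rest_url( self::REST_NAMESPACE . '/' . self::SEND_CODE_ROUTE );
	}

	/**
	 * Read a request parameter as a string; anything that is not a string becomes ''.
	 *
	 * @param \WP_REST_Request $request Request object.
	 * @param string           $key     Parameter name.
	 * @return string
	 */
	private static function string_param( $request, $key ) {
		$value = $request->get_param( $key );

		return is_string( $value ) ? $value : '';
	}
}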