rescuepayloadstorage
2 weeks ago
MfaBackupCodes.php
2 weeks ago
MfaBackupCodesInterface.php
2 weeks ago
MfaEndpoint.php
2 weeks ago
MfaEndpointInterface.php
2 weeks ago
MfaManager.php
2 weeks ago
MfaSettings.php
2 weeks ago
MfaSettingsInterface.php
2 weeks ago
MfaValidator.php
2 weeks ago
RescueCode.php
2 weeks ago
MfaValidator.php
85 lines
| 1 | <?php |
| 2 | |
| 3 | namespace LLAR\Core\Mfa; |
| 4 | |
| 5 | use LLAR\Core\MfaConstants; |
| 6 | |
| 7 | if ( ! defined( 'ABSPATH' ) ) { |
| 8 | exit; |
| 9 | } |
| 10 | |
| 11 | /** |
| 12 | * MFA validation: capability, block reason (availability), input validation. |
| 13 | * Single place for "can enable MFA" and rescue hash_id checks. |
| 14 | */ |
| 15 | class MfaValidator { |
| 16 | |
| 17 | /** |
| 18 | * Whether current user can manage MFA. Multisite: super_admin; else: manage_options. |
| 19 | * |
| 20 | * @return bool |
| 21 | */ |
| 22 | public static function current_user_can_manage() { |
| 23 | if ( is_multisite() ) { |
| 24 | return is_super_admin(); |
| 25 | } |
| 26 | return current_user_can( 'manage_options' ); |
| 27 | } |
| 28 | |
| 29 | /** |
| 30 | * Reason why MFA cannot be enabled, or null if it can. |
| 31 | * Requires OpenSSL (no base64 fallback — do not enable without proper encryption). |
| 32 | * SSL is not required but recommended; a warning is shown when MFA is used without HTTPS. |
| 33 | * Rescue endpoint rate limit uses global cooldown (no salt required). |
| 34 | * |
| 35 | * @return string|null One of MfaConstants::MFA_BLOCK_REASON_* or null |
| 36 | */ |
| 37 | public static function get_block_reason() { |
| 38 | if ( ! MfaConstants::is_openssl_available() ) { |
| 39 | return MfaConstants::MFA_BLOCK_REASON_OPENSSL; |
| 40 | } |
| 41 | return null; |
| 42 | } |
| 43 | |
| 44 | /** |
| 45 | * Human-readable message for a block reason. |
| 46 | * |
| 47 | * @param string $block_reason One of MfaConstants::MFA_BLOCK_REASON_* |
| 48 | * @return string |
| 49 | */ |
| 50 | public static function get_block_message( $block_reason ) { |
| 51 | if ( MfaConstants::MFA_BLOCK_REASON_SSL === $block_reason ) { |
| 52 | return __( 'SSL/HTTPS is required for 2FA functionality. Please enable SSL on your site.', 'limit-login-attempts-reloaded' ); |
| 53 | } |
| 54 | if ( MfaConstants::MFA_BLOCK_REASON_SALT === $block_reason ) { |
| 55 | return __( '2FA cannot be enabled: WordPress salt (AUTH_SALT or NONCE_SALT) or wp_salt() is required for secure rate limiting. Please define salts in wp-config.php.', 'limit-login-attempts-reloaded' ); |
| 56 | } |
| 57 | if ( MfaConstants::MFA_BLOCK_REASON_OPENSSL === $block_reason ) { |
| 58 | return __( 'OpenSSL is required for secure rescue links. Enable the OpenSSL PHP extension. 2FA cannot be enabled without proper encryption.', 'limit-login-attempts-reloaded' ); |
| 59 | } |
| 60 | return __( '2FA cannot be enabled.', 'limit-login-attempts-reloaded' ); |
| 61 | } |
| 62 | |
| 63 | /** |
| 64 | * Validate rescue token from URL. |
| 65 | * Supports new format (32 chars, base62) and legacy format (64 chars, hex). |
| 66 | * |
| 67 | * @param string $hash_id Raw token from query. |
| 68 | * @return string|false Sanitized token or false if invalid. |
| 69 | */ |
| 70 | public static function validate_rescue_hash_id( $hash_id ) { |
| 71 | $hash_id = is_string( $hash_id ) ? sanitize_text_field( $hash_id ) : ''; |
| 72 | $len = strlen( $hash_id ); |
| 73 | |
| 74 | if ( MfaConstants::RESCUE_TOKEN_LENGTH === $len && preg_match( '/^[A-Za-z0-9]{' . MfaConstants::RESCUE_TOKEN_LENGTH . '}$/', $hash_id ) ) { |
| 75 | return $hash_id; |
| 76 | } |
| 77 | |
| 78 | if ( 64 === $len && preg_match( '/^[a-f0-9]{64}$/i', $hash_id ) ) { |
| 79 | return strtolower( $hash_id ); |
| 80 | } |
| 81 | |
| 82 | return false; |
| 83 | } |
| 84 | } |
| 85 |