2FA implementation

[9uenther]

I hacked a quick and dirty solution into the authenticateUser() function used the RobThree\Auth\TwoFactorAuth library and attached it to a user role.

You could also implement it via hooks, so you could use any library or even use DIY mailing or SMS for 2FA. Or you can build it in directly. I could try to create a suitable fork.

use RobThree\Auth\TwoFactorAuth;

public function authenticateUser()
{
    ...
    $passwordMatch = $this->wordPressData->checkPassword($password, $passwordHash, $dbPassword);
    
    if ($passwordMatch === false) {
        throw new Exception(
            __('Wrong user credentials.', 'simple-jwt-login'),
            ErrorCodes::AUTHENTICATION_WRONG_CREDENTIALS
        );
    }
    
    // use 2FA
    if(in_array('administrator', get_userdata($user->ID)->roles)) {
        $tfa = new TwoFactorAuth();
    
        if(!get_user_meta($user->ID, 'simple_jwt_login_2fa_secret')) {
            $secret = $tfa->createSecret();
            update_user_meta($user->ID, 'simple_jwt_login_2fa_secret', $secret, true);
        } else {
            $secret = get_user_meta($user->ID, 'simple_jwt_login_2fa_secret', true);
        }
    
        if(!$tfa->verifyCode($secret, $this->request['2fa_code'])) {
    
            return $this->wordPressData->createResponse([
                'success' => false,
                '2FA' => false,
            ]);
        }
    }
    
    //Generate payload
    $payload = isset($this->request['payload'])
        ? json_decode(stripslashes($this->request['payload']), true)
        : [];
    
    $payload = self::generatePayload(
    ...
}

[dani3l3]

Actually I have been wondering - but I have not had time to test - what happens to a user that has been logged in via this plugin, in case ANOTHER 2FA implementation - for example the very widely used one in WordFence - is also used.... have you tried/do you know?

[9uenther]

Nothing. It is completely bypassed and does not work with the WordFence or WordPress 2FA.

The login data or the auth token is processed by a separate script and can be stored, for example, in the sessionStorage.

The default WordPress login runs via cookies. So the two login methods are completely independent.

I generate the QR-Code image with:

$tfa->getQRCodeImageAsDataUri('My jwt 2FA useraccount', $secret);

[dani3l3]

Interesting. I wonder if there would be a way to make it play nicely with other methods rather than re-implementing it...

[9uenther]

No, unfortunately not. Currently, or as far as I know, the 2fA functions of WordPress itself or WordFence do not offer any way for third-party usage.

[dani3l3]

No, unfortunately not. Currently, or as far as I know, the 2fA functions of WordPress itself or WordFence do not offer any way for third-party usage.

We shuold check with wordfence author... I suspect there is a way to force redirect to the 2FA "additional" login screen after login... even if login has not happened with the default form/flow.
Some hints here https://wordpress.org/support/topic/2fa-not-working-on-a-custom-login-page/ but I don't currently have a lot of time to investigate it.