two-factor icon indicating copy to clipboard operation
two-factor copied to clipboard

Published 20 hours ago verified publisher icon WordPress

Add logging function when failed to authenticate

Open Lucisu opened this issue 3 years ago • 3 comments

I've added the method is_valid_authcode to the class Two_Factor_Provider so providers can use it when failing to validate the authentication.

By default, it uses the error_log function, but there are actions and filters that can be used to extend it.

Related issue: #459

Lucisu avatar Oct 04 '22 03:10 Lucisu

It's done.

For me, it would make more sense to call a method inside the Two_Factor_Provider class to validate the authentication, which would call the child provider method validate_authentication, getting its result and logging the failure in the parent method if needed, instead of adding to every new provider the code:

if ( ! $success ) {
	$this->log_failure( $user, $response );
}
return $success;

Please, let me know what you think about this.

Lucisu avatar Oct 04 '22 19:10 Lucisu

That sounds fair.

On Fri, Oct 14, 2022 at 10:49 AM Jeffrey Paul @.***> wrote:

@.**** commented on this pull request.

In providers/class-two-factor-provider.php https://github.com/WordPress/two-factor/pull/462#discussion_r995846890:

  •   do_action( 'two_factor_user_login_failed', $user, $code, $this );

  • /* translators: %1$d: the user's ID %2$s: the code used to authenticate */

  • $log_message = sprintf( esc_html__( 'The user with ID %1$d failed to login using the code "%2$s"', 'two-factor' ), $user->ID, esc_html( $code ) );

  • /**

  •  * This filter is triggered to checke whether it's needed to log the authentication failure.

  •  *

  •  * @param boolean      $should_log  Whether or not the authentication failure should be logged.

  •  * @param WP_User      $user        WP_User object of the user trying to login.

  •  * @param string|false $code        The code used to authenticate, if available.

  •  * @param string       $log_message The generated log message.

  •  * @param Two_Factor_Provider $this The Provider class used during the authentication.

  •  */

  • if ( apply_filters( 'two_factor_log_failure', true, $user, $code, $log_message, $this ) ) {

  • 	error_log( $log_message );

Maybe support the admin_email but have it disabled and filterable to enable? I think I'd want it enabled on sites I'm using, but I could see where that could get VERY chatty for someone with a large amount of users?

— Reply to this email directly, view it on GitHub https://github.com/WordPress/two-factor/pull/462#discussion_r995846890, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAHFXX7FOCMFLQZ6KZS2DIDWDFXHTANCNFSM6AAAAAAQ4FHI74 . You are receiving this because you were mentioned.Message ID: @.***>

georgestephanis avatar Oct 14 '22 15:10 georgestephanis

Once #427 lands, logging should be added there too.

iandunn avatar Oct 14 '22 21:10 iandunn