#233: Add WP-CLI support with wp two-factor commands#905
Conversation
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Unlinked AccountsThe following contributors have not linked their GitHub and WordPress.org accounts: @mikeselander, @gurumark. Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases. If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
wp two-factor commands for per-user 2FA inspection and resetwp two-factor commands
|
Thanks for taking this on — I've been curious when WP-CLI might be supported. It should enable effective bulk provisioning and maybe eventually some policy controls. After scanning this branch with AI tools and a local test run to verify, a few key issues stand out:
To make the first point concrete, here's a small failing test against your branch that exercises the command directly. It needs a couple of WP-CLI runtime doubles since the plugin's PHPUnit run doesn't load WP-CLI:
|
Adds PHPUnit coverage for Two_Factor_CLI_Command (status, disable, enable, list-providers, backup-codes generate, unlock) and for the new Two_Factor_Core::clear_login_rate_limit() helper. Because the WP-CLI runtime is not loaded during PHPUnit, lightweight test doubles for WP_CLI, WP_CLI_Command, and the WP_CLI\Utils helpers are added under tests/cli/ to capture output and simulate the error()/confirm() exit behaviour. Also fixes the issues raised in review on PR WordPress#905: - backup-codes generate now enables the Two_Factor_Backup_Codes provider (mirroring rest_generate_codes()) so the codes are usable at login instead of being stored but never offered. - enable, disable, and the full reset now destroy the user's sessions when their enabled providers change, matching the profile-page behaviour. - The full reset no longer clears _two_factor_password_was_reset, so a rescued user still sees the notice explaining why their old password stopped working. - Removes the misleading reference to a non-existent "Phase 3" totp subcommand from the TOTP enable error message. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds PHPUnit coverage for Two_Factor_CLI_Command (status, disable, enable, list-providers, backup-codes generate, unlock) and for the new Two_Factor_Core::clear_login_rate_limit() helper. Because the WP-CLI runtime is not loaded during PHPUnit, lightweight test doubles for WP_CLI, WP_CLI_Command, and the WP_CLI\Utils helpers are added under tests/cli/ to capture output and simulate the error()/confirm() exit behaviour. Also fixes the issues raised in review on PR WordPress#905: backup-codes generate now enables the Two_Factor_Backup_Codes provider (mirroring rest_generate_codes()) so the codes are usable at login instead of being stored but never offered. enable, disable, and the full reset now destroy the user's sessions when their enabled providers change, matching the profile-page behaviour. The full reset no longer clears _two_factor_password_was_reset, so a rescued user still sees the notice explaining why their old password stopped working. Removes the misleading reference to a non-existent "Phase 3" totp subcommand from the TOTP enable error message.
What?
Adds a
wp two-factorWP-CLI namespace with six subcommands for inspecting and managing two-factor authentication on a per-user basis.Fixes #233
Why?
The plugin ships no WP-CLI commands today. This PR adds support for it.
How?
cli/class-two-factor-cli-command.phpcontainingTwo_Factor_CLI_Command extends WP_CLI_Command. Registered underWP_CLI::add_command( 'two-factor', ... )in the plugin bootstrap behind adefined( 'WP_CLI' ) && WP_CLIguard.Two_Factor_Core::clear_login_rate_limit( $user )added toclass-two-factor-core.php. Both thedisable(full reset) andunlockcommands call this single method rather than deleting the rate-limit meta keys at each call site.Two_Factor_Coreand provider APIs — no raw SQL, no duplicated logic.Commands:
wp two-factor status <user>--formatwp two-factor disable <user> [<provider>]--yesskips promptwp two-factor list-providerswp two-factor enable <user> <provider>wp two-factor backup-codes generate <user> [--count=<n>]wp two-factor unlock <user>All commands accept user by ID, login, or email.
disable(full reset) assertsget_available_providers_for_user()is empty after clearing state, guarding against the fail-closed email fallback.Use of AI Tools
AI assistance: Yes
Tool(s): Claude Code
Model(s): Claude Sonnet 4.6
Used for: Full implementation of the CLI class, helper method, and bootstrap wiring, based on the given specification from my side. All generated code was reviewed and tested manually before submission.
Testing Instructions
Setup: Activate the Two-Factor plugin. Create a test user and enable at least one 2FA provider (TOTP or Email) via their profile page.
Registration
wp help two-factor— confirm all six subcommands are listedwp help two-factor disable— confirm OPTIONS and EXAMPLES are shownUser resolution
wp two-factor status 1— resolves by numeric IDwp two-factor status <login>— resolves by loginwp two-factor status <email>— resolves by emailwp two-factor status nobody— printsError: User not found: nobodystatususing_2faisfalse--format=jsonreturns valid JSONlist-providersWP_DEBUGis off--format=jsonworksdisable— full resetwp two-factor disable <user>→ prompts for confirmationwp two-factor disable <user> --yes→ no prompt;statusshowsusing_2fa: false_two_factor_enabled_providersin the DB to a non-existent class name, then rundisable --yes— command should succeed and not leave email 2FA activedisable— single providerwp two-factor disable <user> Two_Factor_Totp→ only TOTP removed; backup codes still appear instatusenablewp two-factor enable <user> Two_Factor_Email→ success; appears instatuswp two-factor enable <user> Two_Factor_Totp→ error referencing profile pagewp two-factor enable <user> Two_Factor_Backup_Codes→ error pointing tobackup-codes generatewp two-factor enable <user> FakeClass→ error "Is it a registered provider?"backup-codes generatewp two-factor backup-codes generate <user>→ prints 10 codes--count=5→ prints exactly 5 codesunlockwp two-factor unlock <user>→ "Login throttle cleared"Screenshots or screencast
N/A — CLI only, no UI changes.
Changelog Entry
Added - WP-CLI
wp two-factorcommands for per-user 2FA status, disable, enable, backup-code generation, and login-throttle reset.