Skip to content

Fix #644: Expose existing 2FA revalidation flow to third-party plugins via action hook#924

Open
chetanupare wants to merge 1 commit into
WordPress:masterfrom
chetanupare:issue-644-revalidate-session
Open

Fix #644: Expose existing 2FA revalidation flow to third-party plugins via action hook#924
chetanupare wants to merge 1 commit into
WordPress:masterfrom
chetanupare:issue-644-revalidate-session

Conversation

@chetanupare

@chetanupare chetanupare commented Jul 6, 2026

Copy link
Copy Markdown

What?

Introduces the two_factor_revalidate_session action hook which allows developers to programmatically trigger a 2FA re-authentication check.

Fixes #644

Why?

There are cases where other plugins or custom site logic need to verify that an authenticated user has recently passed a 2FA check before allowing them to perform a sensitive action (such as accessing a billing portal or publishing a high-profile post). This PR exposes the core plugin's existing re-authentication flow through a standardized, easy-to-use action hook.

How?

  1. Added the action_revalidate_session( $time_window, $redirect_to ) method to Two_Factor_Core.
  2. Hooked the method into a new two_factor_revalidate_session action hook.
  3. The method checks is_current_user_session_two_factor() against the provided time window (defaulting to 5 minutes).
  4. If the last 2FA verification is missing or older than the time window, the user is safely redirected to the plugin's revalidate_2fa screen.
  5. Added PHPUnit tests to cover both the recent-session bypass and the old-session redirect flows.

Use of AI Tools

AI Assistance: No

Testing Instructions

  1. Ensure your user account has a 2FA method properly configured and enabled in your profile.
  2. Add a temporary testing script to your site (e.g., in mu-plugins or functions.php) to intercept the post editor:
    add_action( 'admin_init', function() { global $pagenow; if ( $pagenow === 'post.php' || $pagenow === 'post-new.php' ) { // Force re-auth if the 2FA session is older than 60 seconds do_action( 'two_factor_revalidate_session', 60 ); } } );
  3. Log into the site via 2FA.
  4. Immediately navigate to Posts > Add New. You should be granted access normally.
  5. Wait for 60 seconds.
  6. Refresh the "Add New Post" page or attempt to edit an existing post.
  7. You should be intercepted and prompted with the 2FA re-authentication screen.
  8. Validate your 2FA credential. Upon success, you should be safely redirected back to the post editor.

Changelog Entry

Added - two_factor_revalidate_session action hook to allow third-party code to trigger a 2FA revalidation flow for an existing user session.

Open WordPress Playground Preview

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: chetanupare <chetanupare@git.wordpress.org>
Co-authored-by: dd32 <dd32@git.wordpress.org>
Co-authored-by: jeffpaul <jeffpaul@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

This hook allows third-party plugins to easily trigger a 2FA re-authentication flow for sensitive actions. Fixes WordPress#644.
@chetanupare chetanupare force-pushed the issue-644-revalidate-session branch from 48c33a9 to 24d111a Compare July 6, 2026 14:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Hooks to support requesting 2FA for plugins extending two-factor core functionality

1 participant