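/**
 * TSS Redesign — Frontend login popup 2FA bypass
 *
 * Wordfence's `authenticate` filter (priority 25 in
 * `wp-content/plugins/wordfence/lib/wordfenceClass.php:3023`) issues a
 * `twofactor_required` WP_Error for any user with 2FA activated, regardless
 * of login surface. Since the redesign's Sign In popup uses a single-shot
 * AJAX call (`ajaxlogin`) with no UI to handle the 2FA challenge nonce, an
 * admin-on-popup login is impossible to complete there — but the popup is
 * for END USERS (subscribers, lp_provider, customers), who are not expected
 * to have 2FA enabled and shouldn't be blocked.
 *
 * Strategy: hook `authenticate` at priority 30 (AFTER Wordfence's 25). On a
 * frontend AJAX login that ended in `twofactor_required`, resolve the account
 * from the submitted username/email, re-check the password against that
 * account, and swap the error for the resolved WP_User only when every role
 * on the account is listed in FRONTEND_ROLES. Anything else (unknown or
 * custom roles, no roles, wrong password) keeps the original error.
 *
 * Admin-role logins via the popup are explicitly rejected with a clean
 * error directing them to the proper admin login URL. The wp-login.php
 * flow (used at /tss-portal) is untouched — admin 2FA stays mandatory there.
 *
 * Wordfence stores the resolved user ID for the 2FA-required case in user
 * meta `_wf_twoFactorNonce`. We use the `$username` argument passed to the
 * filter to look up the user by login or email, then check that user's
 * roles to decide whether to bypass.
 *
 * NOTE(review): by the description above, `twofactor_required` is raised for
 * the account that has 2FA activated. A successful bypass therefore removes
 * the second factor for that account on this surface and leaves the password
 * as the only check. Confirm that is acceptable for every role in
 * FRONTEND_ROLES. No audit record of a bypass is written by this class.
 *
 * @package listingpro-custom-layout-replacements
 */

if (!defined('ABSPATH')) {
    exit;
}

class TSS_Redesign_Login_Bypass
{
    /** Roles allowed to bypass 2FA on the frontend popup. */
    const FRONTEND_ROLES = array('subscriber', 'lp_provider', 'lp_subscriber', 'customer', 'contributor');

    /** Roles that must complete 2FA at /tss-portal — never bypassed. */
    const ADMIN_ROLES = array('administrator', 'editor', 'author', 'shop_manager');

    /**
     * Registers the filter on `authenticate`.
     */
    public function __construct()
    {
        // Priority 30 → runs AFTER Wordfence's authenticate filter (25).
        add_filter('authenticate', array($this, 'maybe_bypass_2fa'), 30, 3);
    }

    /**
     * Decide whether a `twofactor_required` result on the frontend popup may
     * be replaced by the authenticated user.
     *
     * @param WP_User|WP_Error|null $user     Result from earlier authenticate filters
     * @param string                $username Username or email submitted to login
     * @param string                $password Password submitted
     * @return WP_User|WP_Error|null The incoming result unchanged, the resolved
     *                               user on an allowed bypass, or an
     *                               `admin_use_portal` error for admin roles.
     */
    public function maybe_bypass_2fa($user, $username, $password)
    {
        // Only intervene on frontend popup AJAX. Leave wp-login.php (admin
        // portal) completely alone so admin 2FA stays mandatory there.
        if (!$this->is_frontend_popup_login()) {
            return $user;
        }

        // True only when this call is about to replace a 2FA error with a user.
        $bypassing = false;

        if ($user instanceof WP_User) {
            // Successful login already. Only the admin-role guard below applies.
            $resolved_user = $user;
        } elseif (is_wp_error($user)) {
            // Wordfence uses 'twofactor_required'. Other 2FA plugins may differ;
            // adjust if a different one ever becomes active. Any other error
            // passes through unchanged.
            if ($user->get_error_code() !== 'twofactor_required') {
                return $user;
            }

            // Resolve the user from the submitted username/email so we can
            // check their role.
            $resolved_user = $this->resolve_user($username);
            if (!$resolved_user) {
                // Couldn't resolve — leave the original error in place.
                return $user;
            }

            // Re-verify the password since we're bypassing the chain — guards
            // against the case where some prior filter returned 2FA-required
            // without actually validating the password. The check is made
            // against the account resolved here, so that is the only account
            // this call can ever return.
            if (!wp_check_password($password, $resolved_user->user_pass, $resolved_user->ID)) {
                return $user; // wrong password, original error stands
            }

            $bypassing = true;
        } else {
            // null or any other non-user result: nothing to inspect, pass through.
            return $user;
        }

        $roles = (array) $resolved_user->roles;

        // Apply admin-role guard: admin/editor/etc must NOT log in via popup.
        if (array_intersect($roles, self::ADMIN_ROLES)) {
            return new WP_Error(
                'admin_use_portal',
                __('Administrator accounts must sign in through the admin portal.', 'listingpro-custom-layout-replacements')
            );
        }

        // Fail closed: the 2FA requirement is dropped only for accounts whose
        // roles are all on the allowlist. A deny-list alone would let custom
        // or plugin-defined privileged roles through.
        if ($bypassing && !$this->roles_allow_bypass($roles)) {
            return $user;
        }

        // Allowlisted role + frontend popup → bypass 2FA, return resolved user.
        // Wordfence's nonce metadata is left in place; it expires harmlessly.
        return $resolved_user;
    }

    /**
     * True iff the account has at least one role and every role is listed in
     * FRONTEND_ROLES.
     *
     * @param array $roles Role slugs of the resolved account
     * @return bool
     */
    private function roles_allow_bypass($roles)
    {
        if (empty($roles)) {
            return false;
        }

        return array_diff($roles, self::FRONTEND_ROLES) === array();
    }

    /**
     * True iff this is a frontend AJAX login (the ListingPro popup or its
     * shim). Explicit allowlist of actions; defaults closed.
     *
     * The `action` value is request-controlled, so this gate identifies the
     * login surface only; it is not an authorization check.
     *
     * @return bool
     */
    private function is_frontend_popup_login()
    {
        if (!defined('DOING_AJAX') || !DOING_AJAX) {
            return false;
        }
        if (defined('WP_ADMIN') && WP_ADMIN && !wp_doing_ajax()) {
            return false;
        }

        // Ignore array-valued `action` parameters instead of casting them.
        $action = (isset($_REQUEST['action']) && is_string($_REQUEST['action']))
            ? $_REQUEST['action']
            : '';

        return in_array($action, array('ajaxlogin', 'listingpro_login', 'lp_ajax_signin'), true);
    }

    /**
     * Resolve a WP_User from a username-or-email string. Returns null if
     * neither matches.
     *
     * Input containing '@' is tried as an email first, then as a login name.
     * NOTE(review): confirm this order matches the lookups done earlier in
     * the authenticate chain, so that the account checked here is the one
     * the 2FA error was raised for.
     *
     * @param mixed $username_or_email Value submitted in the login field
     * @return WP_User|null
     */
    private function resolve_user($username_or_email)
    {
        if (!is_scalar($username_or_email)) {
            return null;
        }

        $username_or_email = trim((string) $username_or_email);
        if ($username_or_email === '') {
            return null;
        }

        if (strpos($username_or_email, '@') !== false) {
            $u = get_user_by('email', $username_or_email);
            if ($u) {
                return $u;
            }
        }

        $u = get_user_by('login', $username_or_email);

        return $u ?: null;
    }
}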