The 'two_factor_enabled_providers_for_user' filter behaves differently in version 0.16.0

[sirolf]

Describe the bug

Hi,

Prior to version 0.16.0, we used the two_factor_enabled_providers_for_user filter to programmatically disable all providers for a specific user when they accessed the site from our company IP address.

After updating to version 0.16.0, this behavior seems to have changed. When the provider list is empty, the plugin now automatically enables email as a provider.

Would it be possible to add either:

• an extra filter to explicitly allow an empty provider list, or
• an IP whitelist filter to support this use case?

Regards,
Floris Jansen

Steps to Reproduce

Update to version 0.16.0

Screenshots, screen recording, code snippet

No response

Environment information

No response

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes

[alexclst]

I just ran into this problem. In my case, I've written a sms login plugin that can send codes via sms, and want to completely disable Two Factor when it is used. I have the following attached to the two_factor_enabled_providers_for_user hook:

public function bypass_two_factor( $enabled, $user_id ) {
  if ( rgar( $_POST, 'tg_sms_code' ) ) { // disable 2FA when a sms code of ours is present in POST
	return [];
  }
  return $enabled;
}

But I too now see the (never configured for my user) Email auth method. In my situation I really do want a filter to completely disable Two Factor. Please fix this regression in functionality of this filter.

[abovowebdevelopment]

We are facing the same issue in 0.16.0. We also want to disable the two factor based on certain IP addresses. Would be nice if this functionality will be available again.

[masteradhoc]

Hey @sirolf, @abovowebdevelopment and @alexclst

Thanks for the detailed report!

I've drafted a fix for this in #882. The PR adds a new two_factor_email_fallback_enabled filter that lets you opt out of the email fallback when you're intentionally clearing the provider list.

Your code would become:

add_filter( 'two_factor_enabled_providers_for_user', function( $providers, $user_id ) {
    if ( is_company_ip() ) {
        return [];
    }
    return $providers;
}, 10, 2 );

add_filter( 'two_factor_email_fallback_enabled', function( $fallback, $user_id ) {
    if ( is_company_ip() ) {
        return false;
    }
    return $fallback;
}, 10, 2 );

Would you be able to test the branch against your setup and confirm it resolves the issue? Any feedback is welcome!

[alexclst]

@masteradhoc That PR seems to take care of my needs. Heck, I even use the same function attached to both filters, and check the type of the parameter to know if to return an empty array or false.

[sirolf]

Seems good! tnx

[sirolf]

Is there already a known release date for version 0.17.0?

We use this plugin on 100+ sites, and everywhere we try to log in now, we have to go through the TFA email login process. For us, it was very convenient to be able to skip that step based on our IP address.

It would really help us a lot if this could be released in an upcoming update. :)

[masteradhoc]

Thanks for your patience @sirolf ! Its great to hear that the PR works fine for your and would be good to go.
As soon as we can get some review capacity back we'll make sure to release this PR within the next version.
At the moment though there is no planned release date, sorry.

[sirolf]

Thanks for the update. I understand there’s no planned release date yet.

Just to clarify the impact: this is currently affecting our workflow across 100+ sites, because we now have to complete the TFA email login process every time, while this used to be avoidable based on IP address. Since this regression was introduced by a recent change, it would really help if this PR could be prioritized for review or included in a patch release if possible.

Is there anything we can do to help move the review forward?

[masteradhoc]

Thanks @sirolf - the impact is clear and noted :) We'll be back soon with resources to push this PR and a release further. Still i dont have a clear ETA. If the PR is tested from your side as well and works as needed please note it here in a comment.