two-factor not logging-in with custom login redir url
pgnd opened this issue · 2 comments
pgnd commented
i'm running WP 6.1.1
wp-cli core version
6.1.1
with
wp-cli plugin list | egrep "registration|two"
custom-registration-form-builder-with-submission-manager active none 5.1.9.7
registrationmagic-premium active none 5.1.9.7
two-factor active none 0.7.3
i redir login
cat functions.php
...
function custom_login(){
global $pagenow;
$redirPage = 'https://example.com/alt-login';
if(
'wp-login.php' == $pagenow &&
$_GET['action']!= "logout" &&
$_GET['action']!= "lostpassword"
) {
wp_redirect($redirPage);
exit();
}
}
add_action('init','custom_login');
...
login/logout works as expected
i enable two-factor for a user
i nav to login page, enter/pass user/password credentials as usual
i'm redir'd to 2fa dialog
Powered by WordPress
Please enter the code generated by your authenticator app.
Authentication Code:
[XXXXXX]
on auth code entry+submit, i'm just redir'd to the login page
https://example.com/alt-login
and status remains NOT logged in
in my current logs, i see
egrep -ai "validate|2fa" r*.log
access.log:2001:DB8::1 - - [26/Feb/2023:09:39:42 -0500] "POST /wp-login.php?action=validate_2fa HTTP/2.0" 302 0 "https://example.com/alt-login/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http args: "action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http2 header: ":path: /wp-login.php?action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http2 request line: "POST /wp-login.php?action=validate_2fa HTTP/2.0"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http finalize request: -4, "/wp-login.php?action=validate_2fa" a:1, c:2
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http run request: "/wp-login.php?action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http script var: "action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 fastcgi param: "QUERY_STRING: action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http script var: "/wp-login.php?action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 fastcgi param: "REQUEST_URI: /wp-login.php?action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http run request: "/wp-login.php?action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http upstream request: "/wp-login.php?action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http upstream request: "/wp-login.php?action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http upstream request: "/wp-login.php?action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http upstream request: "/wp-login.php?action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http output filter "/wp-login.php?action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http copy filter: "/wp-login.php?action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http postpone filter "/wp-login.php?action=validate_2fa" 00007FFC3748AAC0
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http copy filter: 0 "/wp-login.php?action=validate_2fa"
error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http finalize request: 0, "/wp-login.php?action=validate_2fa" a:1, c:1
iiuc, this
"Display on a custom page instead of wp-login.php #222
https://github.com/WordPress/two-factor/issues/222
touched on the issue, but not clear how to apply fix here ^^
dd32 commented
The problem in this case is your custom custom_login(), as it prevents access to most wp-login.php functionalities. Login only works by pure chance IMHO.
You probably want to change it to this, which won't cover as much as you want, but is the only way you can realistically do this in a way that isn't going to break other plugins.
-if(
- 'wp-login.php' == $pagenow &&
- $_GET['action']!= "logout" &&
- $_GET['action']!= "lostpassword"
- ) {
+ if ( 'wp-login.php' == $pagenow && ! isset( $_REQUEST['action'] ) ) {