Merge branch 'master' into release/0.9.2

.distignore

@@ -14,5 +14,6 @@
 /package-lock.json
 /phpcs*
 /phpunit*
+/phpstan.*
 /readme.md
-/SECURITY.md
+/SECURITY.md

.github/workflows/test.yml

@@ -59,6 +59,9 @@ jobs:
  - name: Lint PHP Compatibility
  run: composer lint-compat
 
+ - name: PHPStan
+ run: npm run lint:phpstan
+
  test-php:
  name: Test PHP ${{ matrix.php }} ${{ matrix.wp != '' && format( ' (WP {0}) ', matrix.wp ) || '' }}
  runs-on: ubuntu-latest

.gitignore

@@ -5,3 +5,4 @@
 /dist/
 /tests/logs/
 .phpunit.result.cache
+phpstan.neon

class-two-factor-compat.php

@@ -50,6 +50,6 @@ public function jetpack_rememberme( $rememberme ) {
  * @return boolean
  */
  public function jetpack_is_sso_active() {
- return ( method_exists( 'Jetpack', 'is_module_active' ) && Jetpack::is_module_active( 'sso' ) );
+ return ( class_exists( 'Jetpack' ) && method_exists( 'Jetpack', 'is_module_active' ) && Jetpack::is_module_active( 'sso' ) );
  }
 }

class-two-factor-core.php

@@ -93,7 +93,7 @@ class Two_Factor_Core {
  * @since 0.1-dev
  */
  public static function add_hooks( $compat ) {
- add_action( 'init', array( __CLASS__, 'get_providers' ) );
+ add_action( 'init', array( __CLASS__, 'get_providers' ) ); // @phpstan-ignore return.void
  add_action( 'wp_login', array( __CLASS__, 'wp_login' ), 10, 2 );
  add_filter( 'wp_login_errors', array( __CLASS__, 'maybe_show_reset_password_notice' ) );
  add_action( 'after_password_reset', array( __CLASS__, 'clear_password_reset_notice' ) );
@@ -132,13 +132,67 @@ public static function add_hooks( $compat ) {
  }
 
  /**
- * For each provider, include it and then instantiate it.
+ * Delete all plugin data on uninstall.
  *
- * @since 0.1-dev
+ * @return void
+ */
+ public static function uninstall() {
+ // Keep this updated as user meta keys are added or removed.
+ $user_meta_keys = array(
+ self::PROVIDER_USER_META_KEY,
+ self::ENABLED_PROVIDERS_USER_META_KEY,
+ self::USER_META_NONCE_KEY,
+ self::USER_RATE_LIMIT_KEY,
+ self::USER_FAILED_LOGIN_ATTEMPTS_KEY,
+ self::USER_PASSWORD_WAS_RESET_KEY,
+ );
+
+ $option_keys = array();
+
+ foreach ( self::get_providers_classes() as $provider_class ) {
+ // Merge with provider-specific user meta keys.
+ if ( method_exists( $provider_class, 'uninstall_user_meta_keys' ) ) {
+ try {
+ $user_meta_keys = array_merge(
+ $user_meta_keys,
+ call_user_func( array( $provider_class, 'uninstall_user_meta_keys' ) )
+ );
+ } catch ( Exception $e ) {
+ // Do nothing.
+ }
+ }
+
+ // Merge with provider-specific option keys.
+ if ( method_exists( $provider_class, 'uninstall_options' ) ) {
+ try {
+ $option_keys = array_merge(
+ $option_keys,
+ call_user_func( array( $provider_class, 'uninstall_options' ) )
+ );
+ } catch ( Exception $e ) {
+ // Do nothing.
+ }
+ }
+ }
+
+ // Delete options first since that is faster.
+ if ( ! empty( $option_keys ) ) {
+ foreach ( $option_keys as $option_key ) {
+ delete_option( $option_key );
+ }
+ }
+
+ foreach ( $user_meta_keys as $meta_key ) {
+ delete_metadata( 'user', null, $meta_key, null, true );
+ }
+ }
+
+ /**
+ * Get the registered providers of which some might not be enabled.
  *
- * @return array
+ * @return array List of provider keys and paths to class files.
  */
- public static function get_providers() {
+ public static function get_providers_registered() {
  $providers = array(
  'Two_Factor_Email' => TWO_FACTOR_DIR . 'providers/class-two-factor-email.php',
  'Two_Factor_Totp' => TWO_FACTOR_DIR . 'providers/class-two-factor-totp.php',
@@ -150,29 +204,29 @@ public static function get_providers() {
  /**
  * Filter the supplied providers.
  *
- * This lets third-parties either remove providers (such as Email), or
- * add their own providers (such as text message or Clef).
- *
  * @param array $providers A key-value array where the key is the class name, and
  * the value is the path to the file containing the class.
  */
- $providers = apply_filters( 'two_factor_providers', $providers );
+ $additional_providers = apply_filters( 'two_factor_providers', $providers );
 
- // FIDO U2F is PHP 5.3+ only.
- if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && version_compare( PHP_VERSION, '5.3.0', '<' ) ) {
- unset( $providers['Two_Factor_FIDO_U2F'] );
- trigger_error( // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_trigger_error
- sprintf(
- /* translators: %s: version number */
- __( 'FIDO U2F is not available because you are using PHP %s. (Requires 5.3 or greater)', 'two-factor' ), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
- PHP_VERSION
- )
- );
+ // Merge them with the default providers.
+ if ( ! empty( $additional_providers ) ) {
+ return array_merge( $providers, $additional_providers );
  }
 
- /**
- * For each filtered provider,
- */
+ return $providers;
+ }
+
+ /**
+ * Get the classnames for all registered providers.
+ *
+ * Note some of these providers might not be enabled.
+ *
+ * @return array List of provider keys and classnames.
+ */
+ private static function get_providers_classes() {
+ $providers = self::get_providers_registered();
+
  foreach ( $providers as $provider_key => $path ) {
  require_once $path;
 
@@ -189,9 +243,56 @@ public static function get_providers() {
  /**
  * Confirm that it's been successfully included before instantiating.
  */
- if ( class_exists( $class ) ) {
+ if ( method_exists( $class, 'get_instance' ) ) {
+ $providers[ $provider_key ] = $class;
+ } else {
+ unset( $providers[ $provider_key ] );
+ }
+ }
+
+ return $providers;
+ }
+
+ /**
+ * Get all enabled two-factor providers.
+ *
+ * @since 0.1-dev
+ *
+ * @return array
+ */
+ public static function get_providers() {
+ $providers = self::get_providers_registered();
+
+ /**
+ * Filter the supplied providers.
+ *
+ * This lets third-parties either remove providers (such as Email), or
+ * add their own providers (such as text message or Clef).
+ *
+ * @param array $providers A key-value array where the key is the class name, and
+ * the value is the path to the file containing the class.
+ */
+ $providers = apply_filters( 'two_factor_providers', $providers );
+
+ // FIDO U2F is PHP 5.3+ only.
+ if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && version_compare( PHP_VERSION, '5.3.0', '<' ) ) {
+ unset( $providers['Two_Factor_FIDO_U2F'] );
+ trigger_error( // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_trigger_error
+ sprintf(
+ /* translators: %s: version number */
+ __( 'FIDO U2F is not available because you are using PHP %s. (Requires 5.3 or greater)', 'two-factor' ), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+ PHP_VERSION
+ )
+ );
+ }
+
+ // Map provider keys to classes so that we can instantiate them.
+ $providers = array_intersect_key( self::get_providers_classes(), $providers );
+
+ foreach ( $providers as $provider_key => $provider_class ) {
+ if ( method_exists( $provider_class, 'get_instance' ) ) {
  try {
- $providers[ $provider_key ] = call_user_func( array( $class, 'get_instance' ) );
+ $providers[ $provider_key ] = call_user_func( array( $provider_class, 'get_instance' ) );
  } catch ( Exception $e ) {
  unset( $providers[ $provider_key ] );
  }

composer.json

@@ -31,12 +31,14 @@
  "phpcompatibility/phpcompatibility-wp": "^2.1",
  "phpunit/phpunit": "^8.5|^9.6",
  "spatie/phpunit-watcher": "^1.23",
+ "szepeviktor/phpstan-wordpress": "^1.3",
  "wp-coding-standards/wpcs": "^3.1",
  "yoast/phpunit-polyfills": "^2.0"
  },
  "scripts": {
  "lint": "phpcs",
  "lint-compat": "phpcs -p --standard=PHPCompatibilityWP --runtime-set testVersion 7.2- --extensions=php --ignore='tests/,dist/,includes/Yubico/,vendor/,node_modules/' .",
+ "lint-phpstan": "phpstan analyse --verbose --memory-limit=1G",
  "test": "vendor/bin/phpunit",
  "test:watch": [
  "Composer\\Config::disableProcessTimeout",