WordPress · iandunn · Oct 24, 2022 · Oct 12, 2022 · Oct 13, 2022 · Oct 13, 2022
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
@@ -731,12 +731,20 @@ public static function login_url( $params = array(), $scheme = 'login' ) {
 	/**
 	 * Get the hash of a nonce for storage and comparison.
 	 *
-	 * @param string $nonce Nonce value to be hashed.
+	 * @param array $nonce Nonce array to be hashed. ⚠️ This must contain user ID and expiration,
+	 *                     to guarantee the nonce only works for the intended user during the
+	 *                     intended time window.
 	 *
-	 * @return string
+	 * @return string|false
 	 */
 	protected static function hash_login_nonce( $nonce ) {
-		return wp_hash( $nonce, 'nonce' );
+		$message = wp_json_encode( $nonce );
+
+		if ( ! $message ) {
+			return false;
+		}
+
+		return wp_hash( $message, 'nonce' );
 	}
 
 	/**
@@ -745,11 +753,12 @@ protected static function hash_login_nonce( $nonce ) {
 	 * @since 0.1-dev
 	 *
 	 * @param int $user_id User ID.
-	 * @return array
+	 * @return array|false
 	 */
 	public static function create_login_nonce( $user_id ) {
 		$login_nonce = array(
-			'expiration' => time() + HOUR_IN_SECONDS,
+			'user_id'    => $user_id,
+			'expiration' => time() + ( 10 * MINUTE_IN_SECONDS ),
 		);
 
 		try {
@@ -759,14 +768,20 @@ public static function create_login_nonce( $user_id ) {
 		}
 
 		// Store the nonce hashed to avoid leaking it via database access.
-		$login_nonce_stored        = $login_nonce;
-		$login_nonce_stored['key'] = self::hash_login_nonce( $login_nonce['key'] );
+		$hashed_key = self::hash_login_nonce( $login_nonce );
 
-		if ( ! update_user_meta( $user_id, self::USER_META_NONCE_KEY, $login_nonce_stored ) ) {
-			return false;
+		if ( $hashed_key ) {
+			$login_nonce_stored = array(
+				'expiration' => $login_nonce['expiration'],
+				'key'        => $hashed_key,
+			);
+
+			if ( update_user_meta( $user_id, self::USER_META_NONCE_KEY, $login_nonce_stored ) ) {
+				return $login_nonce;
+			}
 		}
 
-		return $login_nonce;
+		return false;
 	}
 
 	/**
@@ -797,7 +812,16 @@ public static function verify_login_nonce( $user_id, $nonce ) {
 			return false;
 		}
 
-		if ( hash_equals( $login_nonce['key'], self::hash_login_nonce( $nonce ) ) && time() < $login_nonce['expiration'] ) {
+		$unverified_nonce = array(
+			'user_id'    => $user_id,
+			'expiration' => $login_nonce['expiration'],
+			'key'        => $nonce,
+		);
+
+		$unverified_hash = self::hash_login_nonce( $unverified_nonce );
+		$hashes_match    = $unverified_hash && hash_equals( $login_nonce['key'], $unverified_hash );
+
+		if ( $hashes_match && time() < $login_nonce['expiration'] ) {
 			return true;
 		}
 

diff --git a/tests/class-two-factor-core.php b/tests/class-two-factor-core.php
@@ -379,8 +379,44 @@ public function test_can_distroy_auth_sessions() {
 		$session_manager->destroy_all();
 	}
 
+	/**
+	 * @covers Two_Factor_Core::create_login_nonce()
+	 * @covers Two_Factor_Core::hash_login_nonce()
+	 */
+	public function test_invalid_hash_input_fails() {
+		$nonce = Two_Factor_Core::create_login_nonce( NAN );
+
+		$this->assertFalse( $nonce );
+		$this->assertNotEmpty( json_last_error() );
+	}
+
+	/**
+	 * @covers Two_Factor_Core::create_login_nonce()
+	 * @covers Two_Factor_Core::hash_login_nonce()
+	 */
+	public function test_create_login_nonce() {
+		$user              = self::factory()->user->create_and_get();
+		$plain_nonce       = Two_Factor_Core::create_login_nonce( $user->ID );
+		$hashed_nonce      = get_user_meta( $user->ID, Two_Factor_Core::USER_META_NONCE_KEY, true );
+		$plain_key_length  = strlen( $plain_nonce['key'] );
+		$hashed_key_length = strlen( $hashed_nonce['key'] );
+
+		$this->assertSame( $user->ID, $plain_nonce['user_id'] );
+		$this->assertGreaterThan( time() + ( 9 * MINUTE_IN_SECONDS ), $plain_nonce['expiration'] );
+		$this->assertIsString( $plain_nonce['key'] );
+		$this->assertTrue( 64 === $plain_key_length || 32 === $plain_key_length );
+
+		$this->assertSame( $plain_nonce['expiration'], $hashed_nonce['expiration'] );
+		$this->assertIsString( $hashed_nonce['key'] );
+		$this->assertTrue( 32 === $hashed_key_length );
+		$this->assertNotEquals( $plain_nonce['key'], $hashed_nonce['key'] );
+	}
+
 	/**
 	 * Check if nonce can be verified.
+	 *
+	 * @covers Two_Factor_Core::create_login_nonce()
+	 * @covers Two_Factor_Core::verify_login_nonce()
 	 */
 	public function test_can_verify_login_nonce() {
 		$user_id = 123456;
@@ -390,7 +426,7 @@ public function test_can_verify_login_nonce() {
 		$this->assertNotEmpty( $nonce['expiration'], 'Nonce expiration is set' );
 
 		$this->assertGreaterThan( time(), $nonce['expiration'], 'Nonce expiration is in the future' );
-		$this->assertLessThan( time() + HOUR_IN_SECONDS + 1, $nonce['expiration'], 'Nonce expiration is not more than an hour' );
+		$this->assertLessThan( time() + ( 10 * MINUTE_IN_SECONDS ) + 1, $nonce['expiration'], 'Nonce expiration is not more than 10 minutes' );
 
 		$this->assertTrue(
 			Two_Factor_Core::verify_login_nonce( $user_id, $nonce['key'] ),
@@ -418,8 +454,10 @@ public function test_can_verify_login_nonce() {
 
 	/**
 	 * Invalid nonce deletes the valid nonce.
+	 *
+	 * @covers Two_Factor_Core::verify_login_nonce()
 	 */
-	public function test_login_nonce_can_be_used_only_once() {
+	public function test_invalid_nonce_deletes_valid_nonce() {
 		$user_id = 123456;
 		$nonce   = Two_Factor_Core::create_login_nonce( $user_id );