Store the two-factor details in the user session at login time

[dd32]

This PR is part of some larger work for #484.

This PR causes the two-factor timestamp and provider to be stored in the user session, which can be later used to validate that the user session is two-factor authenticated.

Before	After

Code Notes:

• The 'attach_session_information' hook is poorly designed for this case, requiring the usage of an anonymous function so as to retrieve the details from the current-scope of the class.
• It's possible not to use the callback (See the commit history where I've gone back and forth) by creating the session token yourself and passing that into wp_set_auth_cookie(), but that requires the caller to duplicate significantly more code than this option.
• Note: The screenshots were taken with 0749b4a which places the extra array fields at the end, with dbee826 the fields are placed at the start of the array. This has no meaningful effect.
• Unit testing this should be possible, but has not been included at time of PR creation.

To test, you can use something like $session = WP_Session_Tokens::get_instance( $user->ID )->get( wp_get_session_token() ); on an admin page to inspect the current sessions session, this is what's used in the above screenshots.

[dd32]

Unit testing this should be possible, but has not been included at time of PR creation.

Unfortunately full unit testing isn't possible unless #527 lands.

I've added a unit test to verify that this new getter returns false for a user session set outside of the two-factor auth flow though.

[dd32]

Unit testing this should be possible, but has not been included at time of PR creation.

Unfortunately full unit testing isn't possible unless #527 lands.

I've rebased this PR after I merged #527, and tests are now included that covers the login flow - validating that a cookie set outside of the login flow doesn't get flagged as 2fa, and that a login via the 2fa flow sets the appropriate session flags.

This unfortunately did require changing how the login_form_validate_2fa handler works, splitting it in two - the part that does the login, and the part that does the exit. Not ideal, but does now allow for validate_2fa to be unit testable,

[iandunn]

I ran out of time today, but wanted to send what I have so far. I'll pick it back up tomorrow.

[iandunn]

Looks good and works in my tests 👍🏻