WordPress · iandunn · Sep 4, 2023 · Jun 7, 2023 · Jul 14, 2023 · Jul 14, 2023
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
@@ -1873,6 +1873,22 @@ public static function user_two_factor_options_update( $user_id ) {
 					) );
 				}
 			}
+
+			// Destroy other sessions if setup 2FA for the first time, or deactivated a provider
+			if (
+				// No providers, enabling one (or more)
+				( ! $existing_providers && $enabled_providers ) ||
+				// Has providers, and is disabling one (or more), but remaining with 2FA.
+				( $existing_providers && $enabled_providers && array_diff( $existing_providers, $enabled_providers ) )
+			) {
+				if ( $user_id === get_current_user_id() ) {
+					// Keep the current session, destroy others sessions for this user.
+					wp_destroy_other_sessions();
+				} else {
+					// Destroy all sessions for the user.
+					WP_Session_Tokens::get_instance( $user_id )->destroy_all();
+				}
+			}
 		}
 	}
 

diff --git a/tests/class-two-factor-core.php b/tests/class-two-factor-core.php
@@ -1342,4 +1342,162 @@ public function test_filter_session_information() {
 		$this->assertArrayNotHasKey( 'tests-key', $session );
 	}
 
+
+	/**
+	 * Validate that other sessions are destroyed once Two-Factor is enabled.
+	 *
+	 * @covers Two_Factor_Core::user_two_factor_options_update
+	 */
+	public function test_other_sessions_destroyed_when_enabling_2fa() {
+		$user_id = self::factory()->user->create(
+			array(
+				'user_login' => 'username',
+				'user_pass'  => 'password',
+			)
+		);
+
+		$user = new WP_User( $user_id );
+
+		$session_manager = WP_Session_Tokens::get_instance( $user->ID );
+
+		$this->assertCount( 0, $session_manager->get_all(), 'No user sessions are present first' );
+
+		// Generate multiple existing sessions.
+		$session_manager->create( time() + HOUR_IN_SECONDS );
+		$session_manager->create( time() + DAY_IN_SECONDS  );
+		$this->assertCount( 2, $session_manager->get_all(), 'Can fetch active sessions' );
+
+		// Shim the cookie... this allows for functions that use sessions to know the current session.
+		add_action( 'set_logged_in_cookie', function( $logged_in_cookie ) {
+			$_COOKIE[ LOGGED_IN_COOKIE ] = $logged_in_cookie;
+		} );
+
+		$user_authenticated = wp_signon(
+			array(
+				'user_login'    => 'username',
+				'user_password' => 'password',
+			)
+		);
+		$this->assertEquals( $user_authenticated, $user, 'User can authenticate' );
+
+		// Enable Two-Factor for the user.
+		wp_set_current_user( $user->ID );
+
+		$key              = '_nonce_user_two_factor_options';
+		$nonce            = wp_create_nonce( 'user_two_factor_options' );
+		$_POST[ $key ]    = $nonce;
+		$_REQUEST[ $key ] = $nonce;
+
+		$_POST[ Two_Factor_Core::ENABLED_PROVIDERS_USER_META_KEY ] = array(
+			'Two_Factor_Dummy' => 'Two_Factor_Dummy'
+		);
+
+		Two_Factor_Core::user_two_factor_options_update( $user->ID );
+
+		// Validate that Two-Factor is now enabled.
+		$this->assertCount( 1, Two_Factor_Core::get_available_providers_for_user( $user->ID ) );
+		$this->assertCount( 1, Two_Factor_Core::get_enabled_providers_for_user( $user->ID ) );
+
+		// Validate that only the current session still exists.
+		$this->assertCount( 1, $session_manager->get_all(), 'All known authentication sessions have been destroyed' );
+
+		// Create another session, activate another provider, verify sessions are still valid.
+		$session_manager->create( time() + DAY_IN_SECONDS  );
+		$this->assertCount( 2, $session_manager->get_all(), 'Failed to create another session' );
+
+		$_POST[ Two_Factor_Core::ENABLED_PROVIDERS_USER_META_KEY ] = array(
+			'Two_Factor_Dummy' => 'Two_Factor_Dummy',
+			'Two_Factor_Email' => 'Two_Factor_Email',
+		);
+
+		Two_Factor_Core::user_two_factor_options_update( $user->ID );
+
+		// Validate that Two-Factor is now enabled with two providers.
+		$this->assertCount( 2, Two_Factor_Core::get_available_providers_for_user( $user->ID ) );
+		$this->assertCount( 2, Two_Factor_Core::get_enabled_providers_for_user( $user->ID ) );
+
+		$this->assertCount( 2, $session_manager->get_all(), 'Adding an additional provider should not destroy other sessions.' );
+
+		// Disable a provider, verify other sessions are destroyed.
+		$_POST[ Two_Factor_Core::ENABLED_PROVIDERS_USER_META_KEY ] = array(
+			'Two_Factor_Dummy' => 'Two_Factor_Dummy',
+		);
+
+		Two_Factor_Core::user_two_factor_options_update( $user->ID );
+
+		// Validate that Two-Factor is now enabled with two providers.
+		$this->assertCount( 1, Two_Factor_Core::get_available_providers_for_user( $user->ID ) );
+		$this->assertCount( 1, Two_Factor_Core::get_enabled_providers_for_user( $user->ID ) );
+
+		$this->assertCount( 1, $session_manager->get_all(), 'All known authentication sessions have been destroyed' );
+
+		// Create another session, deactivate two-factor, verify sessions are still valid.
+		$session_manager->create( time() + DAY_IN_SECONDS  );
+		$this->assertCount( 2, $session_manager->get_all(), 'Failed to create another session' );
+
+		$_POST[ Two_Factor_Core::ENABLED_PROVIDERS_USER_META_KEY ] = array();
+
+		Two_Factor_Core::user_two_factor_options_update( $user->ID );
+
+		// Validate that Two-Factor is now disabled.
+		$this->assertCount( 0, Two_Factor_Core::get_available_providers_for_user( $user->ID ) );
+		$this->assertCount( 0, Two_Factor_Core::get_enabled_providers_for_user( $user->ID ) );
+
+		$this->assertCount( 2, $session_manager->get_all(), 'All known authentication sessions have been destroyed' );
+	}
+
+	/**
+	 * Validate the current users sessions are not modified when modifying another user.
+	 *
+	 * @covers Two_Factor_Core::user_two_factor_options_update
+	 */
+	public function test_all_sessions_destroyed_when_enabling_2fa_by_admin() {
+		$admin_id = self::factory()->user->create(
+			array(
+				'role' => 'administrator'
+			)
+		);
+		wp_set_current_user( $admin_id );
+
+		// Create an admin session,.
+		$admin_session_manager = WP_Session_Tokens::get_instance( $admin_id );
+
+		$admin_session_manager->create( time() + DAY_IN_SECONDS  );
+		$this->assertCount( 1, $admin_session_manager->get_all(), 'No admin sessions are present first' );
+
+		// Create the target user.
+		$user_id = self::factory()->user->create(
+			array(
+				'user_login' => 'username',
+				'user_pass'  => 'password',
+			)
+		);
+
+		$session_manager = WP_Session_Tokens::get_instance( $user_id );
+
+		$this->assertCount( 0, $session_manager->get_all(), 'No user sessions are present first' );
+
+		// Generate multiple existing sessions.
+		$session_manager->create( time() + DAY_IN_SECONDS  );
+		$this->assertCount( 1, $session_manager->get_all(), 'Can fetch active sessions' );
+
+		$key              = '_nonce_user_two_factor_options';
+		$nonce            = wp_create_nonce( 'user_two_factor_options' );
+		$_POST[ $key ]    = $nonce;
+		$_REQUEST[ $key ] = $nonce;
+
+		$_POST[ Two_Factor_Core::ENABLED_PROVIDERS_USER_META_KEY ] = array( 'Two_Factor_Dummy' => 'Two_Factor_Dummy' );
+
+		Two_Factor_Core::user_two_factor_options_update( $user_id );
+
+		// Validate that Two-Factor is now enabled.
+		$this->assertCount( 1, Two_Factor_Core::get_available_providers_for_user( $user_id ) );
+		$this->assertCount( 1, Two_Factor_Core::get_enabled_providers_for_user( $user_id ) );
+
+		// Validate the User has no sessions.
+		$this->assertCount( 0, $session_manager->get_all(), 'All known authentication sessions have been destroyed' );
+
+		// Validate that the Admin still has a session.
+		$this->assertCount( 1, $admin_session_manager->get_all(), 'No admin sessions are present first' );
+	}
 }