Be more tollerant of user input, allowing for authentication apps whi…

…ch show the authcode as '123 456'.

providers/class-two-factor-backup-codes.php

@@ -333,7 +333,7 @@ public function authentication_page( $user ) {
 		<p><?php esc_html_e( 'Enter a backup verification code.', 'two-factor' ); ?></p><br/>
 		<p>
 			<label for="authcode"><?php esc_html_e( 'Verification Code:', 'two-factor' ); ?></label>
-			<input type="tel" name="two-factor-backup-code" id="authcode" class="input" value="" size="20" pattern="[0-9]*" placeholder="<?php echo esc_attr( $placeholder ); ?>" />
+			<input type="tel" name="two-factor-backup-code" id="authcode" class="input" value="" size="20" pattern="[0-9 ]*" placeholder="<?php echo esc_attr( $placeholder ); ?>" />
 		</p>
 		<?php
 		submit_button( __( 'Submit', 'two-factor' ) );
@@ -350,7 +350,12 @@ public function authentication_page( $user ) {
 	 * @return boolean
 	 */
 	public function validate_authentication( $user ) {
-		$backup_code = isset( $_POST['two-factor-backup-code'] ) ? sanitize_text_field( wp_unslash( $_POST['two-factor-backup-code'] ) ) : '';
+		if ( empty( $_REQUEST['two-factor-backup-code'] ) ) {
+			return false;
+		}
+
+		$backup_code = trim( str_replace( ' ', '', sanitize_text_field( wp_unslash( $_REQUEST['two-factor-backup-code'] ) ) ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, handled by the core method already.
+
 		return $this->validate_code( $user, $backup_code );
 	}
 

providers/class-two-factor-email.php

@@ -272,7 +272,7 @@ public function authentication_page( $user ) {
 		<p><?php esc_html_e( 'A verification code has been sent to the email address associated with your account.', 'two-factor' ); ?></p>
 		<p>
 			<label for="authcode"><?php esc_html_e( 'Verification Code:', 'two-factor' ); ?></label>
-			<input type="tel" name="two-factor-email-code" id="authcode" class="input" value="" size="20" pattern="[0-9]*" placeholder="<?php echo esc_attr( $placeholder ); ?>" />
+			<input type="tel" name="two-factor-email-code" id="authcode" class="input" value="" size="20" pattern="[0-9 ]*" placeholder="<?php echo esc_attr( $placeholder ); ?>" />
 			<?php submit_button( __( 'Log In', 'two-factor' ) ); ?>
 		</p>
 		<p class="two-factor-email-resend">
@@ -321,7 +321,7 @@ public function validate_authentication( $user ) {
 		}
 
 		// Ensure there are no spaces or line breaks around the code.
-		$code = trim( sanitize_text_field( $_REQUEST['two-factor-email-code'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, handled by the core method already.
+		$code = trim( str_replace( ' ', '', sanitize_text_field( wp_unslash( $_REQUEST['two-factor-email-code'] ) ) ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, handled by the core method already.
 
 		return $this->validate_token( $user->ID, $code );
 	}

providers/class-two-factor-totp.php

@@ -448,10 +448,9 @@ public function validate_authentication( $user ) {
 			return false;
 		}
 
-		return $this->validate_code_for_user(
-			$user,
-			sanitize_text_field( $_REQUEST['authcode'] )
-		);
+		$code = trim( str_replace( ' ', '', sanitize_text_field( wp_unslash( $_REQUEST['authcode'] ) ) ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, handled by the core method already.
+
+		return $this->validate_code_for_user( $user, $code );
 	}
 
 	/**
@@ -646,7 +645,7 @@ public function authentication_page( $user ) {
 		</p>
 		<p>
 			<label for="authcode"><?php esc_html_e( 'Authentication Code:', 'two-factor' ); ?></label>
-			<input type="tel" autocomplete="one-time-code" name="authcode" id="authcode" class="input" value="" size="20" pattern="[0-9]*" placeholder="<?php echo esc_attr( $placeholder ); ?>"  />
+			<input type="tel" autocomplete="one-time-code" name="authcode" id="authcode" class="input" value="" size="20" pattern="[0-9 ]*" placeholder="<?php echo esc_attr( $placeholder ); ?>"  />
 		</p>
 		<script type="text/javascript">
 			setTimeout( function(){