added filter to control whether authcode autosubmits

[eric-michel]

What?

Adds a filter to allow a theme or plugin to turn off auto submission of authcodes

Why?

Plugins that enhance two-factor may want to turn off auto-submission to allow the user time to interact with other form elements on the page prior to submission. See #723.

How?

A filter is added and assigned to a variable. That variable is checked prior to the relevant JS being output (and prevents it from printing entirely if the value is false).

Testing Instructions

• Install the branch and activate plugin
• Verify normal auto-submission experience
• In theme's functions.php, add the following:

add_filter( 'two_factor_auto_submit_authcode', '__return_false' );

• Observe that the authcode form no longer auto-submits.

Changelog Entry

Added - Themes and plugins can now disable auto-submission of authcodes via the two_factor_auto_submit_authcode filter

[kasparsd]

This looks good! Had one optional suggestion for moving the PHP state into JS variable to help move these scripts into standalone JS eventually.

Could you please document the filter, add the docblock comment (similar to other filters)?

[kasparsd]

Could we use the variable state to generate a JS variable instead? That would allow us to eventually move this JS into an external file and pass that as data to the script.

Something like const autoSubmitEnabled = <?php echo json_encode( ... ); ?> and then use that here in pure JS if-check?

[eric-michel]

Happy to make this change! How/where would you like the JS variable to be output? I could output it as a data attribute on the form element (something like data-auto-submit) or could output it as a small <script> snippet in the <head> tag so it's a global variable that can be accessed. I kind of lean toward the data attribute to keep it scoped to the form itself.

[jeffpaul]

@kasparsd any thoughts on the question above on approach?

[eric-michel]

@kasparsd @jeffpaul I opted to add a data attribute on the form and check for that in the JS if statement. Seems pretty clean to me. Take a look and let me know what you think!

[georgestephanis]

I appreciate this running through a data attribute -- though as I'm looking at a bit of code from TOTP that adds a data-digits parameter in the provider's authentication_page()

two-factor/providers/class-two-factor-totp.php

Line 768 in 69706ea

<input type="text" inputmode="numeric" autocomplete="one-time-code" name="authcode" id="authcode" class="input authcode" value="" size="20" pattern="[0-9 ]*" placeholder="123 456" autocomplete="one-time-code" data-digits="<?php echo esc_attr( self::DEFAULT_DIGIT_COUNT ); ?>" />

that's what populates the expectedLength variable -- I'm wondering if instead it would be better to filter the data-digits property on the element? Maybe not include the attribute or something if it's filtered to null instead?

Also, kind of out-of-scope for this, but I'd like to see the autosubmit also work for codes that are alphanumeric or the like, so if it could maybe be elevated out of the "only numbers" conditional, but that's minor quibbles.

[masteradhoc]

Hey @eric-michel,

Could you take a moment to review the comments from @georgestephanis?
Your feedback would help us move forward and get this PR merged soon.

Thanks again for your contributions!

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: eric-michel <ytfeldrawkcab@git.wordpress.org>
Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>
Co-authored-by: kasparsd <kasparsd@git.wordpress.org>
Co-authored-by: jeffpaul <jeffpaul@git.wordpress.org>
Co-authored-by: georgestephanis <georgestephanis@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[eric-michel]

@masteradhoc @georgestephanis My apologies for being AWOL for a bit! Work got busy for a while.

@georgestephanis if I'm understanding correctly, you're suggesting instead of having a separate data attribute for whether autosubmit is active or not, instead utilize the preexisting data-digits attribute and assign it to null or similar in order to determine when autosubmit is turned off? If so, I can definitely experiment with that.

[georgestephanis]

Yup! Basically if it doesn't have a length set, it won't autosubmit?

[eric-michel]

@georgestephanis See if you're happy with this implementation.

[georgestephanis]

I'm gonna have to think on this a bit -- I wanna make sure we're passing stuff around and parsing it out of the dataset well. I'll do some tinkering and get back to you ideally this evening?