2 changes: 1 addition & 1 deletion class-two-factor-core.php
@@ -1142,7 +1142,7 @@ function() {

this.value = value;

// Auto-submit if it's the expected length.
// Auto-submit if auto-submit is enabled and entered value is the expected length.
if ( expectedLength && value.replace( / /g, '' ).length == expectedLength ) {
if ( undefined !== form.requestSubmit ) {
form.requestSubmit();
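Review bot: The reworded comment says submission is gated on auto-submit being enabled, but the condition below it still tests only `expectedLength`, so the gate exists solely through the `data-digits="false"` value the providers now emit. How `expectedLength` is read lies outside this hunk; if it is the raw attribute string, `'false'` is truthy and the field stays quiet only because a length never loosely equals that string, which neither the comment nor the condition states. I would parse the attribute once with `parseInt( …, 10 )` and fall back to `0`, and extend the comment to `// Auto-submit only when data-digits holds a positive digit count; any other value disables it.` The enclosing function starts and ends outside the hunk.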
3 changes: 2 additions & 1 deletion providers/class-two-factor-backup-codes.php
@@ -384,6 +384,7 @@ public static function codes_remaining_for_user( $user ) {
public function authentication_page( $user ) {
require_once ABSPATH . '/wp-admin/includes/template.php';

$auto_submit_authcode = $this->is_authcode_auto_submit_enabled();
$code_length = $this->get_backup_code_length( $user );
$code_placeholder = str_repeat( 'X', $code_length );

@@ -411,7 +412,7 @@ public function authentication_page( $user ) {
?>
<p>
<label for="authcode"><?php esc_html_e( 'Recovery Code:', 'two-factor' ); ?></label>
<input type="text" inputmode="numeric" name="two-factor-backup-code" id="authcode" class="input authcode" value="" size="20" pattern="[0-9 ]*" placeholder="<?php echo esc_attr( $code_placeholder ); ?>" data-digits="<?php echo esc_attr( $code_length ); ?>" />
<input type="text" inputmode="numeric" name="two-factor-backup-code" id="authcode" class="input authcode" value="" size="20" pattern="[0-9 ]*" placeholder="<?php echo esc_attr( $code_placeholder ); ?>" data-digits="<?php echo $auto_submit_authcode ? esc_attr( $code_length ) : 'false'; ?>" />
</p>
<?php
/**
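Review bot: The `data-digits` attribute on the new input line now carries either a digit count or the literal string `'false'`, and the same ternary is repeated on the input lines in providers/class-two-factor-email.php and providers/class-two-factor-totp.php. The script in class-two-factor-core.php then has to infer "disabled" from a non-numeric length, and the `'false'` branch is echoed outside `esc_attr()`, which is harmless for a constant but breaks the escape-at-output habit the rest of the line follows. Leaving the attribute out when the filter turns auto-submit off is less ambiguous: `<?php if ( $auto_submit_authcode ) : ?> data-digits="<?php echo esc_attr( $code_length ); ?>"<?php endif; ?>`. The toggle only affects the browser; server-side verification of the submitted code is not part of this diff. authentication_page() begins in the first hunk and continues past the end of the second.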
3 changes: 2 additions & 1 deletion providers/class-two-factor-email.php
@@ -346,6 +346,7 @@ public function authentication_page( $user ) {
$this->generate_and_email_token( $user );
}

$auto_submit_authcode = $this->is_authcode_auto_submit_enabled();
$token_length = $this->get_token_length();
$token_placeholder = str_repeat( 'X', $token_length );

@@ -362,7 +363,7 @@ public function authentication_page( $user ) {
?>
<p>
<label for="authcode"><?php esc_html_e( 'Verification Code:', 'two-factor' ); ?></label>
<input type="text" inputmode="numeric" name="two-factor-email-code" id="authcode" class="input authcode" value="" size="20" pattern="[0-9 ]*" autocomplete="one-time-code" placeholder="<?php echo esc_attr( $token_placeholder ); ?>" data-digits="<?php echo esc_attr( $token_length ); ?>" />
<input type="text" inputmode="numeric" name="two-factor-email-code" id="authcode" class="input authcode" value="" size="20" pattern="[0-9 ]*" autocomplete="one-time-code" placeholder="<?php echo esc_attr( $token_placeholder ); ?>" data-digits="<?php echo $auto_submit_authcode ? esc_attr( $token_length ) : 'false'; ?>" />
</p>
<?php
/** This action is documented in providers/class-two-factor-backup-codes.php */
24 changes: 24 additions & 0 deletions providers/class-two-factor-provider.php
@@ -209,4 +209,28 @@ public static function uninstall_user_meta_keys() {
public static function uninstall_options() {
return array();
}

/**
* Returns whether the authentication code field should auto-submit when the last digit is entered.
*
* @since 0.16.0
*
* @return bool
*/
protected function is_authcode_auto_submit_enabled() {
/**
* Filters whether the authentication code field should auto‑submit when the last digit is entered.
*
* This allows providers or site owners to disable (or enable) auto‑submission behavior
* of the TOTP/verification code input, e.g., for accessibility, UX, or device‑specific reasons.
*
* @since 0.16.0
*
* @param bool $auto_submit Whether to auto‑submit the auth code. Default true.
* @param string $provider_key The current two‑factor provider key.
* @return bool Filtered value of $auto_submit.
*/

return (bool) apply_filters( 'two_factor_auto_submit_authcode', true, $this->get_key() );
}
}
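Review bot: The `(bool)` cast on the filter result treats any non-empty string as true, so a callback that returns `'false'` (the same literal this change writes into `data-digits` for the off state) leaves auto-submit on. `return wp_validate_boolean( apply_filters( 'two_factor_auto_submit_authcode', true, $this->get_key() ) );` reads that string as false and keeps the default unchanged. The hook docblock is also separated from the `apply_filters()` call by a blank line and carries an `@return` tag, whereas WordPress inline hook documentation normally sits directly above the call with only `@since` and `@param`. Its description names the TOTP/verification code input, while the diff applies the filter to the backup-code field as well, so the wording could cover all three providers.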
3 changes: 2 additions & 1 deletion providers/class-two-factor-totp.php
@@ -833,6 +833,7 @@ public function is_available_for_user( $user ) {
*/
public function authentication_page( $user ) {
require_once ABSPATH . '/wp-admin/includes/template.php';
$auto_submit_authcode = $this->is_authcode_auto_submit_enabled();
?>
<?php
/** This action is documented in providers/class-two-factor-backup-codes.php */
@@ -847,7 +848,7 @@ public function authentication_page( $user ) {
?>
<p>
<label for="authcode"><?php esc_html_e( 'Authentication Code:', 'two-factor' ); ?></label>
<input type="text" inputmode="numeric" name="authcode" id="authcode" class="input authcode" value="" size="20" pattern="[0-9 ]*" placeholder="123 456" autocomplete="one-time-code" data-digits="<?php echo esc_attr( self::DEFAULT_DIGIT_COUNT ); ?>" />
<input type="text" inputmode="numeric" name="authcode" id="authcode" class="input authcode" value="" size="20" pattern="[0-9 ]*" placeholder="123 456" autocomplete="one-time-code" data-digits="<?php echo $auto_submit_authcode ? esc_attr( self::DEFAULT_DIGIT_COUNT ) : 'false'; ?>" />
</p>
<?php
/** This action is documented in providers/class-two-factor-backup-codes.php */
1 change: 1 addition & 0 deletions readme.txt
@@ -98,6 +98,7 @@ Here is a list of action and filter hooks provided by the plugin:
- `two_factor_email_token_length` filter overrides the default 8 character count for email tokens.
- `two_factor_backup_code_length` filter overrides the default 8 character count for backup codes. Provides the `WP_User` of the associated user as the second argument.
- `two_factor_rest_api_can_edit_user` filter overrides whether a user’s Two-Factor settings can be edited via the REST API. First argument is the current `$can_edit` boolean, the second argument is the user ID.
- `two_factor_auto_submit_authcode` filter overrides whether the authentication form auto-submits when a code is entered.
- `two_factor_before_authentication_prompt` action which receives the provider object and fires prior to the prompt shown on the authentication input form.
- `two_factor_after_authentication_prompt` action which receives the provider object and fires after the prompt shown on the authentication input form.
- `two_factor_after_authentication_input`action which receives the provider object and fires after the input shown on the authentication input form (if form contains no input, action fires immediately after `two_factor_after_authentication_prompt`).