From a84c2a20d6e3d271a23aa3959160a86607b0eb1b Mon Sep 17 00:00:00 2001
From: Aslam Doctor <aslam.doctor@gmail.com>
Date: Wed, 25 Feb 2026 07:21:06 +0530
Subject: [PATCH 1/4] Move inline JavaScript to external script files

Extract 6 inline script blocks from 4 PHP files into 5 new external JS
files under providers/js/, improving CSP compatibility and enabling
proper WordPress script dependency management.

New files:
- totp-admin-qrcode.js: QR code generation for TOTP setup
- totp-admin.js: TOTP setup form, checkbox focus, reset key
- backup-codes-admin.js: Backup code generation, copy, download
- two-factor-login.js: Shared login page authcode clear/focus
- two-factor-login-authcode.js: Numeric-only enforcement, auto-submit

The customizer messenger one-liner uses wp_add_inline_script() instead
of a raw <script> tag.

Fixes #812
---
 class-two-factor-core.php                   |  71 +++++-----
 providers/class-two-factor-backup-codes.php |  78 ++++-------
 providers/class-two-factor-email.php        |  11 +-
 providers/class-two-factor-totp.php         | 142 ++++++--------------
 providers/js/backup-codes-admin.js          |  49 +++++++
 providers/js/totp-admin-qrcode.js           |  35 +++++
 providers/js/totp-admin.js                  |  61 +++++++++
 providers/js/two-factor-login-authcode.js   |  34 +++++
 providers/js/two-factor-login.js            |  11 ++
 9 files changed, 292 insertions(+), 200 deletions(-)
 create mode 100644 providers/js/backup-codes-admin.js
 create mode 100644 providers/js/totp-admin-qrcode.js
 create mode 100644 providers/js/totp-admin.js
 create mode 100644 providers/js/two-factor-login-authcode.js
 create mode 100644 providers/js/two-factor-login.js

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index a1c47558..f36fa904 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -126,6 +126,7 @@ public static function add_hooks( $compat ) {
 
 		add_filter( 'attach_session_information', array( __CLASS__, 'filter_session_information' ), 10, 2 );
 
+		add_action( 'login_enqueue_scripts', array( __CLASS__, 'login_enqueue_scripts' ), 5 );
 		add_action( 'admin_init', array( __CLASS__, 'trigger_user_settings_action' ) );
 		add_filter( 'two_factor_providers', array( __CLASS__, 'enable_dummy_method_for_debug' ) );
 
@@ -135,6 +136,33 @@ public static function add_hooks( $compat ) {
 		$compat->init();
 	}
 
+	/**
+	 * Register login page scripts.
+	 *
+	 * @since 0.10.0
+	 *
+	 * @codeCoverageIgnore
+	 */
+	public static function login_enqueue_scripts() {
+		$environment_prefix = file_exists( TWO_FACTOR_DIR . '/dist' ) ? '/dist' : '';
+
+		wp_register_script(
+			'two-factor-login',
+			plugins_url( $environment_prefix . '/providers/js/two-factor-login.js', __FILE__ ),
+			array(),
+			TWO_FACTOR_VERSION,
+			true
+		);
+
+		wp_register_script(
+			'two-factor-login-authcode',
+			plugins_url( $environment_prefix . '/providers/js/two-factor-login-authcode.js', __FILE__ ),
+			array(),
+			TWO_FACTOR_VERSION,
+			true
+		);
+	}
+
 	/**
 	 * Delete all plugin data on uninstall.
 	 *
@@ -1127,41 +1155,7 @@ public static function login_html( $user, $login_nonce, $redirect_to, $error_msg
 				opacity: 0.5;
 			}
 		</style>
-		<script>
-			(function() {
-				// Enforce numeric-only input for numeric inputmode elements.
-				const form = document.querySelector( '#loginform' ),
-					inputEl = document.querySelector( 'input.authcode[inputmode="numeric"]' ),
-					expectedLength = inputEl?.dataset.digits || 0;
-
-				if ( inputEl ) {
-					let spaceInserted = false;
-					inputEl.addEventListener(
-						'input',
-						function() {
-							let value = this.value.replace( /[^0-9 ]/g, '' ).trimStart();
-
-							if ( ! spaceInserted && expectedLength && value.length === Math.floor( expectedLength / 2 ) ) {
-								value += ' ';
-								spaceInserted = true;
-							} else if ( spaceInserted && ! this.value ) {
-								spaceInserted = false;
-							}
-
-							this.value = value;
-
-							// Auto-submit if it's the expected length.
-							if ( expectedLength && value.replace( / /g, '' ).length == expectedLength ) {
-								if ( undefined !== form.requestSubmit ) {
-									form.requestSubmit();
-									form.submit.disabled = "disabled";
-								}
-							}
-						}
-					);
-				}
-			})();
-		</script>
+		<?php wp_enqueue_script( 'two-factor-login-authcode' ); ?>
 		<?php
 		if ( ! function_exists( 'login_footer' ) ) {
 			require_once TWO_FACTOR_DIR . 'includes/function.login-footer.php';
@@ -1592,7 +1586,12 @@ public static function _login_form_validate_2fa( $user, $nonce = '', $provider =
 			do_action( 'login_footer' ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound -- Core WordPress action.
 			?>
 			<?php if ( $customize_login ) : ?>
-				<script>setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo esc_url( wp_customize_url() ); ?>', channel: 'login' }).send('login') }, 1000 );</script>
+				<?php
+				wp_add_inline_script(
+					'customize-base',
+					'setTimeout( function(){ new wp.customize.Messenger({ url: ' . wp_json_encode( esc_url( wp_customize_url() ) ) . ', channel: \'login\' }).send(\'login\') }, 1000 );'
+				);
+				?>
 			<?php endif; ?>
 			</body></html>
 			<?php
diff --git a/providers/class-two-factor-backup-codes.php b/providers/class-two-factor-backup-codes.php
index 5a8f2139..61210f8c 100644
--- a/providers/class-two-factor-backup-codes.php
+++ b/providers/class-two-factor-backup-codes.php
@@ -39,10 +39,29 @@ protected function __construct() {
 		add_action( 'rest_api_init', array( $this, 'register_rest_routes' ) );
 		add_action( 'two_factor_user_options_' . __CLASS__, array( $this, 'user_options' ) );
 		add_action( 'admin_notices', array( $this, 'admin_notices' ) );
+		add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_assets' ) );
+		add_action( 'wp_enqueue_scripts', array( $this, 'enqueue_assets' ) );
 
 		parent::__construct();
 	}
 
+	/**
+	 * Enqueue scripts for backup codes.
+	 *
+	 * @since 0.10.0
+	 *
+	 * @codeCoverageIgnore
+	 */
+	public function enqueue_assets() {
+		wp_register_script(
+			'two-factor-backup-codes-admin',
+			plugins_url( 'js/backup-codes-admin.js', __FILE__ ),
+			array( 'jquery', 'wp-api-request' ),
+			TWO_FACTOR_VERSION,
+			true
+		);
+	}
+
 	/**
 	 * Register the rest-api endpoints required for this provider.
 	 *
@@ -156,8 +175,15 @@ public function is_available_for_user( $user ) {
 	 * @param WP_User $user WP_User object of the logged-in user.
 	 */
 	public function user_options( $user ) {
-		wp_enqueue_script( 'wp-api-request' );
-		wp_enqueue_script( 'jquery' );
+		wp_localize_script(
+			'two-factor-backup-codes-admin',
+			'twoFactorBackupCodes',
+			array(
+				'restPath' => Two_Factor_Core::REST_NAMESPACE . '/generate-backup-codes',
+				'userId'   => $user->ID,
+			)
+		);
+		wp_enqueue_script( 'two-factor-backup-codes-admin' );
 
 		$count = self::codes_remaining_for_user( $user );
 		?>
@@ -191,54 +217,6 @@ public function user_options( $user ) {
 				<a class="button button-two-factor-backup-codes-download button-secondary hide-if-no-js" href="javascript:void(0);" id="two-factor-backup-codes-download-link" download="two-factor-backup-codes.txt"><?php esc_html_e( 'Download Codes', 'two-factor' ); ?></a>
 			</p>
 		</div>
-		<script>
-			( function( $ ) {
-				$( '.button-two-factor-backup-codes-copy' ).click( function() {
-					var csvCodes = $( '.two-factor-backup-codes-wrapper' ).data( 'codesCsv' );
-
-					if ( ! csvCodes ) {
-						return;
-					}
-
-					if ( navigator.clipboard && navigator.clipboard.writeText ) {
-						navigator.clipboard.writeText( csvCodes );
-						return;
-					}
-
-					var $temp = $( '<textarea>' ).val( csvCodes ).css( { position: 'absolute', left: '-9999px' } );
-					$( 'body' ).append( $temp );
-					$temp[0].select();
-					document.execCommand( 'copy' );
-					$temp.remove();
-				} );
-
-				$( '.button-two-factor-backup-codes-generate' ).click( function() {
-					wp.apiRequest( {
-						method: 'POST',
-						path: <?php echo wp_json_encode( Two_Factor_Core::REST_NAMESPACE . '/generate-backup-codes' ); ?>,
-						data: {
-							user_id: <?php echo wp_json_encode( $user->ID ); ?>
-						}
-					} ).then( function( response ) {
-						var $codesList = $( '.two-factor-backup-codes-unused-codes' );
-
-						$( '.two-factor-backup-codes-wrapper' ).show();
-						$codesList.html( '' );
-						$codesList.css( { 'column-count': 2, 'column-gap': '80px', 'max-width': '420px' } );
-						$( '.two-factor-backup-codes-wrapper' ).data( 'codesCsv', response.codes.join( ',' ) );
-
-						// Append the codes.
-						for ( var i = 0; i < response.codes.length; i++ ) {
-							$codesList.append( '<li class="two-factor-backup-codes-token">' + response.codes[ i ] + '</li>' );
-						}
-
-						// Update counter.
-						$( '.two-factor-backup-codes-count' ).html( response.i18n.count );
-						$( '#two-factor-backup-codes-download-link' ).attr( 'href', response.download_link );
-					} );
-				} );
-			} )( jQuery );
-		</script>
 		<?php
 	}
 
diff --git a/providers/class-two-factor-email.php b/providers/class-two-factor-email.php
index e94635d1..fb3d6e6a 100644
--- a/providers/class-two-factor-email.php
+++ b/providers/class-two-factor-email.php
@@ -356,16 +356,7 @@ public function authentication_page( $user ) {
 		<p class="two-factor-email-resend">
 			<input type="submit" class="button" name="<?php echo esc_attr( self::INPUT_NAME_RESEND_CODE ); ?>" value="<?php esc_attr_e( 'Resend Code', 'two-factor' ); ?>" />
 		</p>
-		<script>
-			setTimeout( function(){
-				var d;
-				try{
-					d = document.getElementById('authcode');
-					d.value = '';
-					d.focus();
-				} catch(e){}
-			}, 200);
-		</script>
+		<?php wp_enqueue_script( 'two-factor-login' ); ?>
 		<?php
 	}
 
diff --git a/providers/class-two-factor-totp.php b/providers/class-two-factor-totp.php
index 14ac085d..05ce32fb 100644
--- a/providers/class-two-factor-totp.php
+++ b/providers/class-two-factor-totp.php
@@ -177,6 +177,22 @@ public function enqueue_assets( $hook_suffix ) {
 			TWO_FACTOR_VERSION,
 			true
 		);
+
+		wp_register_script(
+			'two-factor-totp-qrcode',
+			plugins_url( 'js/totp-admin-qrcode.js', __FILE__ ),
+			array( 'two-factor-qr-code-generator' ),
+			TWO_FACTOR_VERSION,
+			true
+		);
+
+		wp_register_script(
+			'two-factor-totp-admin',
+			plugins_url( 'js/totp-admin.js', __FILE__ ),
+			array( 'jquery', 'wp-api-request' ),
+			TWO_FACTOR_VERSION,
+			true
+		);
 	}
 
 	/**
@@ -323,9 +339,15 @@ public function user_two_factor_options( $user ) {
 
 		$key = $this->get_user_totp_key( $user->ID );
 
-		wp_enqueue_script( 'two-factor-qr-code-generator' );
-		wp_enqueue_script( 'wp-api-request' );
-		wp_enqueue_script( 'jquery' );
+		wp_localize_script(
+			'two-factor-totp-admin',
+			'twoFactorTotpAdmin',
+			array(
+				'restPath' => Two_Factor_Core::REST_NAMESPACE . '/totp',
+				'userId'   => $user->ID,
+			)
+		);
+		wp_enqueue_script( 'two-factor-totp-admin' );
 
 		?>
 		<div id="two-factor-totp-options">
@@ -391,80 +413,17 @@ public function user_two_factor_options( $user ) {
 					</p>
 				</li>
 			</ol>
-			<script>
-				(function(){
-					var qr_generator = function() {
-						/*
-						* 0 = Automatically select the version, to avoid going over the limit of URL
-						*     length.
-						* L = Least amount of error correction, because it's not needed when scanning
-						*     on a monitor, and it lowers the image size.
-						*/
-						var qr = qrcode( 0, 'L' );
-
-						qr.addData( <?php echo wp_json_encode( $totp_url ); ?> );
-						qr.make();
-
-						document.querySelector( '#two-factor-qr-code a' ).innerHTML = qr.createSvgTag( 5 );
-
-						// For accessibility, markup the SVG with a title and role.
-						var svg = document.querySelector( '#two-factor-qr-code a svg' ),
-							title = document.createElement( 'title' );
-
-						svg.role = 'image';
-						svg.ariaLabel = <?php echo wp_json_encode( __( 'Authenticator App QR Code', 'two-factor' ) ); ?>;
-						title.innerText = svg.ariaLabel;
-						svg.appendChild( title );
-					};
-
-					// Run now if the document is loaded, otherwise on DOMContentLoaded.
-					if ( document.readyState === 'complete' ) {
-						qr_generator();
-					} else {
-						window.addEventListener( 'DOMContentLoaded', qr_generator );
-					}
-				})();
-				(function($){
-					// Focus the auth code input when the checkbox is clicked.
-					document.getElementById('enabled-Two_Factor_Totp').addEventListener('click', function(e) {
-						if ( e.target.checked ) {
-							document.getElementById('two-factor-totp-authcode').focus();
-						}
-					});
-
-					$('.totp-submit').click( function( e ) {
-						e.preventDefault();
-						var key = $('#two-factor-totp-key').val(),
-							code = $('#two-factor-totp-authcode').val();
-
-						wp.apiRequest( {
-							method: 'POST',
-							path: <?php echo wp_json_encode( Two_Factor_Core::REST_NAMESPACE . '/totp' ); ?>,
-							data: {
-								user_id: <?php echo wp_json_encode( $user->ID ); ?>,
-								key: key,
-								code: code,
-								enable_provider: true,
-							}
-						} ).fail( function( response, status ) {
-							var errorMessage = response.responseJSON.message || status,
-								$error = $( '#totp-setup-error' );
-
-							if ( ! $error.length ) {
-								$error = $('<div class="error" id="totp-setup-error"><p></p></div>').insertAfter( $('.totp-submit') );
-							}
-
-							$error.find('p').text( errorMessage );
-
-							$( '#enabled-Two_Factor_Totp' ).prop( 'checked', false ).trigger('change');
-							$('#two-factor-totp-authcode').val('');
-						} ).then( function( response ) {
-							$( '#enabled-Two_Factor_Totp' ).prop( 'checked', true ).trigger('change');
-							$( '#two-factor-totp-options' ).html( response.html );
-						} );
-					} );
-				})(jQuery);
-			</script>
+			<?php
+			wp_localize_script(
+				'two-factor-totp-qrcode',
+				'twoFactorTotpQrcode',
+				array(
+					'totpUrl'    => $totp_url,
+					'qrCodeLabel' => __( 'Authenticator App QR Code', 'two-factor' ),
+				)
+			);
+			wp_enqueue_script( 'two-factor-totp-qrcode' );
+			?>
 		<?php else : ?>
 			<p class="success">
 				<?php esc_html_e( 'An authenticator app is currently configured. You will need to re-scan the QR code on all devices if reset.', 'two-factor' ); ?>
@@ -473,24 +432,6 @@ public function user_two_factor_options( $user ) {
 				<button type="button" class="button button-secondary reset-totp-key hide-if-no-js">
 					<?php esc_html_e( 'Reset authenticator app', 'two-factor' ); ?>
 				</button>
-				<script>
-					( function( $ ) {
-						$( '.button.reset-totp-key' ).click( function( e ) {
-							e.preventDefault();
-
-							wp.apiRequest( {
-								method: 'DELETE',
-								path: <?php echo wp_json_encode( Two_Factor_Core::REST_NAMESPACE . '/totp' ); ?>,
-								data: {
-									user_id: <?php echo wp_json_encode( $user->ID ); ?>,
-								}
-							} ).then( function( response ) {
-								$( '#enabled-Two_Factor_Totp' ).prop( 'checked', false );
-								$( '#two-factor-totp-options' ).html( response.html );
-							} );
-						} );
-					} )( jQuery );
-				</script>
 			</p>
 		<?php endif; ?>
 		</div>
@@ -833,16 +774,9 @@ public function authentication_page( $user ) {
 			<input type="text" inputmode="numeric" autocomplete="one-time-code" name="authcode" id="authcode" class="input authcode" value="" size="20" pattern="[0-9 ]*" placeholder="123 456" autocomplete="one-time-code" data-digits="<?php echo esc_attr( self::DEFAULT_DIGIT_COUNT ); ?>" />
 		</p>
 		<?php do_action( 'two_factor_after_authentication_input', $this ); ?>
-		<script>
-			setTimeout( function(){
-				var d;
-				try{
-					d = document.getElementById('authcode');
-					d.focus();
-				} catch(e){}
-			}, 200);
-		</script>
 		<?php
+		wp_enqueue_script( 'two-factor-login' );
+
 		submit_button( __( 'Verify', 'two-factor' ) );
 	}
 
diff --git a/providers/js/backup-codes-admin.js b/providers/js/backup-codes-admin.js
new file mode 100644
index 00000000..bdad4653
--- /dev/null
+++ b/providers/js/backup-codes-admin.js
@@ -0,0 +1,49 @@
+/* global twoFactorBackupCodes, wp, navigator, document, jQuery */
+( function( $ ) {
+	$( '.button-two-factor-backup-codes-copy' ).click( function() {
+		var csvCodes = $( '.two-factor-backup-codes-wrapper' ).data( 'codesCsv' ),
+			$temp;
+
+		if ( ! csvCodes ) {
+			return;
+		}
+
+		if ( navigator.clipboard && navigator.clipboard.writeText ) {
+			navigator.clipboard.writeText( csvCodes );
+			return;
+		}
+
+		$temp = $( '<textarea>' ).val( csvCodes ).css( { position: 'absolute', left: '-9999px' } );
+		$( 'body' ).append( $temp );
+		$temp[0].select();
+		document.execCommand( 'copy' );
+		$temp.remove();
+	} );
+
+	$( '.button-two-factor-backup-codes-generate' ).click( function() {
+		wp.apiRequest( {
+			method: 'POST',
+			path: twoFactorBackupCodes.restPath,
+			data: {
+				user_id: parseInt( twoFactorBackupCodes.userId, 10 )
+			}
+		} ).then( function( response ) {
+			var $codesList = $( '.two-factor-backup-codes-unused-codes' ),
+				i;
+
+			$( '.two-factor-backup-codes-wrapper' ).show();
+			$codesList.html( '' );
+			$codesList.css( { 'column-count': 2, 'column-gap': '80px', 'max-width': '420px' } );
+			$( '.two-factor-backup-codes-wrapper' ).data( 'codesCsv', response.codes.join( ',' ) );
+
+			// Append the codes.
+			for ( i = 0; i < response.codes.length; i++ ) {
+				$codesList.append( '<li class="two-factor-backup-codes-token">' + response.codes[ i ] + '</li>' );
+			}
+
+			// Update counter.
+			$( '.two-factor-backup-codes-count' ).html( response.i18n.count );
+			$( '#two-factor-backup-codes-download-link' ).attr( 'href', response.download_link );
+		} );
+	} );
+}( jQuery ) );
diff --git a/providers/js/totp-admin-qrcode.js b/providers/js/totp-admin-qrcode.js
new file mode 100644
index 00000000..ca370578
--- /dev/null
+++ b/providers/js/totp-admin-qrcode.js
@@ -0,0 +1,35 @@
+/* global twoFactorTotpQrcode, qrcode, document, window */
+( function() {
+	var qrGenerator = function() {
+		/*
+		 * 0 = Automatically select the version, to avoid going over the limit of URL
+		 *     length.
+		 * L = Least amount of error correction, because it's not needed when scanning
+		 *     on a monitor, and it lowers the image size.
+		 */
+		var qr = qrcode( 0, 'L' ),
+			svg,
+			title;
+
+		qr.addData( twoFactorTotpQrcode.totpUrl );
+		qr.make();
+
+		document.querySelector( '#two-factor-qr-code a' ).innerHTML = qr.createSvgTag( 5 );
+
+		// For accessibility, markup the SVG with a title and role.
+		svg = document.querySelector( '#two-factor-qr-code a svg' );
+		title = document.createElement( 'title' );
+
+		svg.role = 'image';
+		svg.ariaLabel = twoFactorTotpQrcode.qrCodeLabel;
+		title.innerText = svg.ariaLabel;
+		svg.appendChild( title );
+	};
+
+	// Run now if the document is loaded, otherwise on DOMContentLoaded.
+	if ( document.readyState === 'complete' ) {
+		qrGenerator();
+	} else {
+		window.addEventListener( 'DOMContentLoaded', qrGenerator );
+	}
+}() );
diff --git a/providers/js/totp-admin.js b/providers/js/totp-admin.js
new file mode 100644
index 00000000..e8d3b386
--- /dev/null
+++ b/providers/js/totp-admin.js
@@ -0,0 +1,61 @@
+/* global twoFactorTotpAdmin, wp, document, jQuery */
+( function( $ ) {
+	var checkbox = document.getElementById( 'enabled-Two_Factor_Totp' );
+
+	// Focus the auth code input when the checkbox is clicked.
+	if ( checkbox ) {
+		checkbox.addEventListener( 'click', function( e ) {
+			if ( e.target.checked ) {
+				document.getElementById( 'two-factor-totp-authcode' ).focus();
+			}
+		} );
+	}
+
+	$( '.totp-submit' ).click( function( e ) {
+		var key = $( '#two-factor-totp-key' ).val(),
+			code = $( '#two-factor-totp-authcode' ).val();
+
+		e.preventDefault();
+
+		wp.apiRequest( {
+			method: 'POST',
+			path: twoFactorTotpAdmin.restPath,
+			data: {
+				user_id: parseInt( twoFactorTotpAdmin.userId, 10 ),
+				key: key,
+				code: code,
+				enable_provider: true
+			}
+		} ).fail( function( response, status ) {
+			var errorMessage = response.responseJSON.message || status,
+				$error = $( '#totp-setup-error' );
+
+			if ( ! $error.length ) {
+				$error = $( '<div class="error" id="totp-setup-error"><p></p></div>' ).insertAfter( $( '.totp-submit' ) );
+			}
+
+			$error.find( 'p' ).text( errorMessage );
+
+			$( '#enabled-Two_Factor_Totp' ).prop( 'checked', false ).trigger( 'change' );
+			$( '#two-factor-totp-authcode' ).val( '' );
+		} ).then( function( response ) {
+			$( '#enabled-Two_Factor_Totp' ).prop( 'checked', true ).trigger( 'change' );
+			$( '#two-factor-totp-options' ).html( response.html );
+		} );
+	} );
+
+	$( '.button.reset-totp-key' ).click( function( e ) {
+		e.preventDefault();
+
+		wp.apiRequest( {
+			method: 'DELETE',
+			path: twoFactorTotpAdmin.restPath,
+			data: {
+				user_id: parseInt( twoFactorTotpAdmin.userId, 10 )
+			}
+		} ).then( function( response ) {
+			$( '#enabled-Two_Factor_Totp' ).prop( 'checked', false );
+			$( '#two-factor-totp-options' ).html( response.html );
+		} );
+	} );
+}( jQuery ) );
diff --git a/providers/js/two-factor-login-authcode.js b/providers/js/two-factor-login-authcode.js
new file mode 100644
index 00000000..7ea2e23c
--- /dev/null
+++ b/providers/js/two-factor-login-authcode.js
@@ -0,0 +1,34 @@
+/* global document */
+( function() {
+	// Enforce numeric-only input for numeric inputmode elements.
+	var form = document.querySelector( '#loginform' ),
+		inputEl = document.querySelector( 'input.authcode[inputmode="numeric"]' ),
+		expectedLength = ( inputEl && inputEl.dataset ) ? inputEl.dataset.digits : 0,
+		spaceInserted = false;
+
+	if ( inputEl ) {
+		inputEl.addEventListener(
+			'input',
+			function() {
+				var value = this.value.replace( /[^0-9 ]/g, '' ).trimStart();
+
+				if ( ! spaceInserted && expectedLength && value.length === Math.floor( expectedLength / 2 ) ) {
+					value += ' ';
+					spaceInserted = true;
+				} else if ( spaceInserted && ! this.value ) {
+					spaceInserted = false;
+				}
+
+				this.value = value;
+
+				// Auto-submit if it's the expected length.
+				if ( expectedLength && value.replace( / /g, '' ).length === parseInt( expectedLength, 10 ) ) {
+					if ( undefined !== form.requestSubmit ) {
+						form.requestSubmit();
+						form.submit.disabled = 'disabled';
+					}
+				}
+			}
+		);
+	}
+}() );
diff --git a/providers/js/two-factor-login.js b/providers/js/two-factor-login.js
new file mode 100644
index 00000000..6526581f
--- /dev/null
+++ b/providers/js/two-factor-login.js
@@ -0,0 +1,11 @@
+/* global document, setTimeout */
+( function() {
+	setTimeout( function() {
+		var d;
+		try {
+			d = document.getElementById( 'authcode' );
+			d.value = '';
+			d.focus();
+		} catch ( e ) {}
+	}, 200 );
+}() );

From 070d21a5d5d224ec4452a3f98d7d45d6b329433d Mon Sep 17 00:00:00 2001
From: Aslam Doctor <aslam.doctor@gmail.com>
Date: Thu, 26 Feb 2026 06:40:38 +0530
Subject: [PATCH 2/4] Fix QR code not rendering after resetting authenticator
 app

The "Reset authenticator app" button's AJAX response injects HTML with a
QR code placeholder, but the QR code generator script only runs on page
load and never re-triggers. Additionally, the qrcode library wasn't
loaded when TOTP was already configured.

Add qr-code-generator as a dependency of totp-admin script and generate
the QR code in JavaScript after the reset response HTML is inserted.
---
 providers/class-two-factor-totp.php |  2 +-
 providers/js/totp-admin.js          | 31 ++++++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/providers/class-two-factor-totp.php b/providers/class-two-factor-totp.php
index 05ce32fb..8677a765 100644
--- a/providers/class-two-factor-totp.php
+++ b/providers/class-two-factor-totp.php
@@ -189,7 +189,7 @@ public function enqueue_assets( $hook_suffix ) {
 		wp_register_script(
 			'two-factor-totp-admin',
 			plugins_url( 'js/totp-admin.js', __FILE__ ),
-			array( 'jquery', 'wp-api-request' ),
+			array( 'jquery', 'wp-api-request', 'two-factor-qr-code-generator' ),
 			TWO_FACTOR_VERSION,
 			true
 		);
diff --git a/providers/js/totp-admin.js b/providers/js/totp-admin.js
index e8d3b386..7ffe2d7f 100644
--- a/providers/js/totp-admin.js
+++ b/providers/js/totp-admin.js
@@ -1,5 +1,29 @@
-/* global twoFactorTotpAdmin, wp, document, jQuery */
+/* global twoFactorTotpAdmin, qrcode, wp, document, jQuery */
 ( function( $ ) {
+	var generateQrCode = function( totpUrl ) {
+		var $qrLink = $( '#two-factor-qr-code a' );
+		if ( ! $qrLink.length || typeof qrcode === 'undefined' ) {
+			return;
+		}
+
+		var qr = qrcode( 0, 'L' ),
+			svg,
+			title;
+
+		qr.addData( totpUrl );
+		qr.make();
+		$qrLink.html( qr.createSvgTag( 5 ) );
+
+		svg = $qrLink.find( 'svg' )[ 0 ];
+		if ( svg ) {
+			title = document.createElement( 'title' );
+			svg.role = 'image';
+			svg.ariaLabel = 'Authenticator App QR Code';
+			title.innerText = svg.ariaLabel;
+			svg.appendChild( title );
+		}
+	};
+
 	var checkbox = document.getElementById( 'enabled-Two_Factor_Totp' );
 
 	// Focus the auth code input when the checkbox is clicked.
@@ -56,6 +80,11 @@
 		} ).then( function( response ) {
 			$( '#enabled-Two_Factor_Totp' ).prop( 'checked', false );
 			$( '#two-factor-totp-options' ).html( response.html );
+
+			var totpUrl = $( '#two-factor-qr-code a' ).attr( 'href' );
+			if ( totpUrl ) {
+				generateQrCode( totpUrl );
+			}
 		} );
 	} );
 }( jQuery ) );

From 8bca6e7d1a4a231c84189a64a451553439b884ba Mon Sep 17 00:00:00 2001
From: Aslam Doctor <aslam.doctor@gmail.com>
Date: Thu, 26 Feb 2026 06:43:36 +0530
Subject: [PATCH 3/4] Fix vars-on-top lint errors in totp-admin.js

Move all var declarations to the top of their respective function scopes.
---
 providers/js/totp-admin.js | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/providers/js/totp-admin.js b/providers/js/totp-admin.js
index 7ffe2d7f..e56ec816 100644
--- a/providers/js/totp-admin.js
+++ b/providers/js/totp-admin.js
@@ -1,14 +1,16 @@
 /* global twoFactorTotpAdmin, qrcode, wp, document, jQuery */
 ( function( $ ) {
 	var generateQrCode = function( totpUrl ) {
-		var $qrLink = $( '#two-factor-qr-code a' );
+		var $qrLink = $( '#two-factor-qr-code a' ),
+			qr,
+			svg,
+			title;
+
 		if ( ! $qrLink.length || typeof qrcode === 'undefined' ) {
 			return;
 		}
 
-		var qr = qrcode( 0, 'L' ),
-			svg,
-			title;
+		qr = qrcode( 0, 'L' );
 
 		qr.addData( totpUrl );
 		qr.make();
@@ -78,10 +80,12 @@
 				user_id: parseInt( twoFactorTotpAdmin.userId, 10 )
 			}
 		} ).then( function( response ) {
+			var totpUrl;
+
 			$( '#enabled-Two_Factor_Totp' ).prop( 'checked', false );
 			$( '#two-factor-totp-options' ).html( response.html );
 
-			var totpUrl = $( '#two-factor-qr-code a' ).attr( 'href' );
+			totpUrl = $( '#two-factor-qr-code a' ).attr( 'href' );
 			if ( totpUrl ) {
 				generateQrCode( totpUrl );
 			}

From 283df92f8be66c0f6d7ee314e5cc4da0f1d841be Mon Sep 17 00:00:00 2001
From: Aslam Doctor <aslam.doctor@gmail.com>
Date: Tue, 3 Mar 2026 20:25:00 +0530
Subject: [PATCH 4/4] Fix issues from Copilot review on external JS migration

- Add $hook_suffix parameter to backup codes enqueue_assets() for PHP 8+
- Replace trimStart() with ES5-compatible regex in login authcode
- Fix submit button disable using querySelector instead of form.submit
- Guard responseJSON access in TOTP admin fail handler
- Fix SVG ARIA: use setAttribute with role="img" instead of DOM properties
- Localize QR code aria-label string for translation
- Move wp_add_inline_script before login_footer action
---
 class-two-factor-core.php                   | 12 ++++--------
 providers/class-two-factor-backup-codes.php |  4 +++-
 providers/class-two-factor-totp.php         |  5 +++--
 providers/js/totp-admin-qrcode.js           |  6 +++---
 providers/js/totp-admin.js                  |  9 +++++----
 providers/js/two-factor-login-authcode.js   | 10 +++++++---
 6 files changed, 25 insertions(+), 21 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index f36fa904..ec814c1c 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1575,6 +1575,10 @@ public static function _login_form_validate_2fa( $user, $nonce = '', $provider =
 			$customize_login = isset( $_REQUEST['customize-login'] );
 			if ( $customize_login ) {
 				wp_enqueue_script( 'customize-base' );
+				wp_add_inline_script(
+					'customize-base',
+					'setTimeout( function(){ new wp.customize.Messenger({ url: ' . wp_json_encode( esc_url( wp_customize_url() ) ) . ', channel: \'login\' }).send(\'login\') }, 1000 );'
+				);
 			}
 			$message       = '<p class="message">' . __( 'You have logged in successfully.', 'two-factor' ) . '</p>';
 			$interim_login = 'success'; // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited
@@ -1585,14 +1589,6 @@ public static function _login_form_validate_2fa( $user, $nonce = '', $provider =
 			/** This action is documented in wp-login.php */
 			do_action( 'login_footer' ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound -- Core WordPress action.
 			?>
-			<?php if ( $customize_login ) : ?>
-				<?php
-				wp_add_inline_script(
-					'customize-base',
-					'setTimeout( function(){ new wp.customize.Messenger({ url: ' . wp_json_encode( esc_url( wp_customize_url() ) ) . ', channel: \'login\' }).send(\'login\') }, 1000 );'
-				);
-				?>
-			<?php endif; ?>
 			</body></html>
 			<?php
 			return;
diff --git a/providers/class-two-factor-backup-codes.php b/providers/class-two-factor-backup-codes.php
index 61210f8c..c3a8e1af 100644
--- a/providers/class-two-factor-backup-codes.php
+++ b/providers/class-two-factor-backup-codes.php
@@ -51,8 +51,10 @@ protected function __construct() {
 	 * @since 0.10.0
 	 *
 	 * @codeCoverageIgnore
+	 *
+	 * @param string $hook_suffix Optional. The current admin page hook suffix.
 	 */
-	public function enqueue_assets() {
+	public function enqueue_assets( $hook_suffix = '' ) {
 		wp_register_script(
 			'two-factor-backup-codes-admin',
 			plugins_url( 'js/backup-codes-admin.js', __FILE__ ),
diff --git a/providers/class-two-factor-totp.php b/providers/class-two-factor-totp.php
index 8677a765..38cecf11 100644
--- a/providers/class-two-factor-totp.php
+++ b/providers/class-two-factor-totp.php
@@ -343,8 +343,9 @@ public function user_two_factor_options( $user ) {
 			'two-factor-totp-admin',
 			'twoFactorTotpAdmin',
 			array(
-				'restPath' => Two_Factor_Core::REST_NAMESPACE . '/totp',
-				'userId'   => $user->ID,
+				'restPath'        => Two_Factor_Core::REST_NAMESPACE . '/totp',
+				'userId'          => $user->ID,
+				'qrCodeAriaLabel' => __( 'Authenticator App QR Code', 'two-factor' ),
 			)
 		);
 		wp_enqueue_script( 'two-factor-totp-admin' );
diff --git a/providers/js/totp-admin-qrcode.js b/providers/js/totp-admin-qrcode.js
index ca370578..bb2cf4ef 100644
--- a/providers/js/totp-admin-qrcode.js
+++ b/providers/js/totp-admin-qrcode.js
@@ -20,9 +20,9 @@
 		svg = document.querySelector( '#two-factor-qr-code a svg' );
 		title = document.createElement( 'title' );
 
-		svg.role = 'image';
-		svg.ariaLabel = twoFactorTotpQrcode.qrCodeLabel;
-		title.innerText = svg.ariaLabel;
+		svg.setAttribute( 'role', 'img' );
+		svg.setAttribute( 'aria-label', twoFactorTotpQrcode.qrCodeLabel );
+		title.innerText = twoFactorTotpQrcode.qrCodeLabel;
 		svg.appendChild( title );
 	};
 
diff --git a/providers/js/totp-admin.js b/providers/js/totp-admin.js
index e56ec816..4d59e800 100644
--- a/providers/js/totp-admin.js
+++ b/providers/js/totp-admin.js
@@ -18,10 +18,11 @@
 
 		svg = $qrLink.find( 'svg' )[ 0 ];
 		if ( svg ) {
+			var ariaLabel = ( typeof twoFactorTotpAdmin !== 'undefined' && twoFactorTotpAdmin && twoFactorTotpAdmin.qrCodeAriaLabel ) ? twoFactorTotpAdmin.qrCodeAriaLabel : 'Authenticator App QR Code';
 			title = document.createElement( 'title' );
-			svg.role = 'image';
-			svg.ariaLabel = 'Authenticator App QR Code';
-			title.innerText = svg.ariaLabel;
+			svg.setAttribute( 'role', 'img' );
+			svg.setAttribute( 'aria-label', ariaLabel );
+			title.innerText = ariaLabel;
 			svg.appendChild( title );
 		}
 	};
@@ -53,7 +54,7 @@
 				enable_provider: true
 			}
 		} ).fail( function( response, status ) {
-			var errorMessage = response.responseJSON.message || status,
+			var errorMessage = ( response && response.responseJSON && response.responseJSON.message ) || ( response && response.statusText ) || status || '',
 				$error = $( '#totp-setup-error' );
 
 			if ( ! $error.length ) {
diff --git a/providers/js/two-factor-login-authcode.js b/providers/js/two-factor-login-authcode.js
index 7ea2e23c..f7e6e7aa 100644
--- a/providers/js/two-factor-login-authcode.js
+++ b/providers/js/two-factor-login-authcode.js
@@ -10,7 +10,8 @@
 		inputEl.addEventListener(
 			'input',
 			function() {
-				var value = this.value.replace( /[^0-9 ]/g, '' ).trimStart();
+				var value = this.value.replace( /[^0-9 ]/g, '' ).replace( /^\s+/, '' ),
+					submitControl;
 
 				if ( ! spaceInserted && expectedLength && value.length === Math.floor( expectedLength / 2 ) ) {
 					value += ' ';
@@ -23,9 +24,12 @@
 
 				// Auto-submit if it's the expected length.
 				if ( expectedLength && value.replace( / /g, '' ).length === parseInt( expectedLength, 10 ) ) {
-					if ( undefined !== form.requestSubmit ) {
+					if ( form && typeof form.requestSubmit === 'function' ) {
 						form.requestSubmit();
-						form.submit.disabled = 'disabled';
+						submitControl = form.querySelector( '[type="submit"]' );
+						if ( submitControl ) {
+							submitControl.disabled = true;
+						}
 					}
 				}
 			}