Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter ryan.boder

    (@ryanboder)

    So it is integrated with login on the server side but only with standard WP cookie-based authentication. Correct?

    It sounds like this new endpoint would only work with a normal WP site, not with a headless WP site (where the frontend is hosted on a different server/origin). A headless WP site would typically use some kind of token-based authentication (OAuth or JWT) for cross-origin requests instead of cookie-based authentication.

    I was hoping it would be applicable to headless WP sites.

    Thread Starter ryan.boder

    (@ryanboder)

    I’m not asking for stack-specific, step-by-step guidance. I’m asking how to use the endpoint securely, in general, from the browser.

    2FA typically works like 1) verify username & password, then 2) verify 2FA code. Let’s say we’re using a JWT authentication plugin that has a REST endpoint for verifying username & password and responds with a JWT access token. We request that endpoint from the browser and successfully verify username & password. Should the user be logged in at that point? No, because they haven’t verified the 2FA code yet. So they shouldn’t get an access token yet. They need to pass 2FA first.

    But we can’t enforce the extra 2FA step in the browser. That would allow the user to just run some JS code to work around it. 2FA needs to be combined with the username/password verification and enforced in the server.

    It seems to me like your 2FA plugin would need to be integrated with the JWT authentication in the server. Is that correct? If so, can you share a generic example (not code just a high level flow) how this new endpoint can be used to implement 2FA securely in a headless WP?

    If we have to integrate WP 2FA with the JWT plugin ourselves in the server, are there functions and hooks available in WP 2FA for this? Can you share which ones?

    • This reply was modified 9 months, 2 weeks ago by ryan.boder.
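The two-step, server-enforced flow the post above asks about, written out as an added example. This is not code from the WP 2FA plugin, from either JWT plugin, or from the poster, and it is generic Python rather than a WordPress/PHP implementation: `login_step1`, `login_step2`, `is_access_token`, the demo user `alice`, the salt, and the minimal HS256 JWT helpers are all assumptions made for the example. The password step returns only a short-lived challenge token typed `mfa_challenge`; the access token is minted only after the server itself checks the TOTP code, so nothing the browser does can skip the second factor. In a real headless WP setup the TOTP check in step 2 is where a server-side call to the plugin's verification would sit.

```python
import base64
import hashlib
import hmac
import json
import os
import struct
import time

# Constructed demo data: a real server loads its signing key and user records from
# configuration/database. The TOTP seed below is the RFC 6238 test-vector key.
JWT_SECRET = os.urandom(32)
PBKDF2_SALT = b"demo-salt"
USERS = {
    "alice": {
        "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", PBKDF2_SALT, 100_000),
        "totp_secret": b"12345678901234567890",
    }
}
CHALLENGE_TTL = 120       # seconds a password-only challenge stays valid
MAX_CODE_ATTEMPTS = 5     # code guesses allowed per challenge before it is burned
_challenge_attempts = {}  # jti -> attempts used; entry removed once consumed or burned

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_encode(claims):
    """Minimal HS256 JWT; stands in for whatever token the JWT plugin would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def jwt_decode(token, now):
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if claims.get("exp", 0) > now else None

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def login_step1(username, password, now=None):
    """Check the password. On success return a challenge token that is NOT an access token."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), PBKDF2_SALT, 100_000)
    # Compare even for unknown users so response timing does not reveal valid usernames.
    stored = user["password_hash"] if user else bytes(len(candidate))
    if user is None or not hmac.compare_digest(stored, candidate):
        return None
    jti = _b64url(os.urandom(16))
    _challenge_attempts[jti] = 0
    return jwt_encode({"sub": username, "typ": "mfa_challenge", "jti": jti,
                       "exp": now + CHALLENGE_TTL})

def login_step2(challenge_token, code, now=None):
    """Verify the 2FA code against the challenge; only then mint the real access token."""
    now = time.time() if now is None else now
    claims = jwt_decode(challenge_token, now)
    if claims is None or claims.get("typ") != "mfa_challenge":
        return None
    jti = claims.get("jti")
    if jti not in _challenge_attempts:
        return None                   # already consumed, burned, or never issued
    _challenge_attempts[jti] += 1
    if _challenge_attempts[jti] > MAX_CODE_ATTEMPTS:
        del _challenge_attempts[jti]  # burn the challenge; the user must redo step 1
        return None
    secret = USERS[claims["sub"]]["totp_secret"]
    # Accept the current and the previous 30 s window to tolerate small clock drift.
    ok = any(hmac.compare_digest(totp(secret, now - drift), code) for drift in (0, 30))
    if not ok:
        return None
    del _challenge_attempts[jti]      # one successful use per challenge, no replay
    return jwt_encode({"sub": claims["sub"], "typ": "access", "exp": now + 3600})

def is_access_token(token, now=None):
    """What every protected endpoint checks: signature, expiry, and the token type."""
    now = time.time() if now is None else now
    claims = jwt_decode(token, now)
    return claims is not None and claims.get("typ") == "access"
```

The property that matters is in `is_access_token`: the challenge token from step 1 is a validly signed JWT, but its `typ` claim is `mfa_challenge`, so a client that stops after the password step holds nothing a protected endpoint will accept. The attempt counter and the single-use consumption of the `jti` are what keep the challenge from being brute-forced or replayed during its 120-second lifetime.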
    Thread Starter ryan.boder

    (@ryanboder)

    Thanks! I’m not sure I understand how to use it though. We’re building a headless WP/WC site and trying to figure out how to do 2FA at login. We’re assuming logging in from the frontend site will use a JWT plugin such as this or this.

    I see that we can use your new endpoint to check whether a 2FA token is valid but if we do the 2FA test in the browser then it could easily be subverted. We would need the 2FA test to happen in the server and the JWT plugin to not provide an access token unless a valid 2FA token has been sent along with the username and password.

    How could we incorporate WP 2FA into the login using this new endpoint?
