From 7a9054bb3f033c98067b3196378311dae54c5fbf Mon Sep 17 00:00:00 2001
From: Jake Vanderwerf <get@jakevanderwerf.ca>
Date: Tue, 20 Jan 2026 01:31:53 +0000
Subject: [PATCH] =OperationQueue refactor to the JVBase/managers/queue namespace
---
inc/rest/routes/LoginRoutes.php | 44 ++++++++++++++++----------------------------
1 files changed, 16 insertions(+), 28 deletions(-)
diff --git a/inc/rest/routes/LoginRoutes.php b/inc/rest/routes/LoginRoutes.php
index 8c663c9..9762e9f 100644
--- a/inc/rest/routes/LoginRoutes.php
+++ b/inc/rest/routes/LoginRoutes.php
@@ -31,23 +31,7 @@
register_rest_route($this->namespace, '/auth/login', [
'methods' => 'POST',
'callback' => [$this, 'handleLogin'],
- 'permission_callback' => [$this, 'checkRateLimit'],
- 'args' => [
- 'user_email' => [
- 'required' => true,
- 'type' => 'string',
- 'sanitize_callback' => 'sanitize_email'
- ],
- 'user_password' => [
- 'required' => true,
- 'type' => 'string'
- ],
- 'remember_me' => [
- 'required' => false,
- 'type' => 'boolean',
- 'default' => false
- ]
- ]
+ 'permission_callback' => [$this, 'checkRateLimit']
]);
// Logout endpoint
@@ -125,7 +109,8 @@
public function handleLogin(WP_REST_Request $request): WP_REST_Response
{
- $data = $request->get_json_params();
+ $data = $request->get_params();
+ error_log('Data: '.print_r($data, true));
// Verify Turnstile
if (!$this->verifyTurnstile($data['cf-turnstile-response'] ?? '')) {
return $this->error('Security verification failed', 'turnstile_failed', 403);
@@ -152,10 +137,10 @@
// Attempt login
$user = wp_signon([
'user_login' => $username,
- 'user_email' => $username,
'user_password' => $password,
'remember' => $remember
- ], false);
+ ], is_ssl());
+
if (is_wp_error($user)) {
// Track failed attempt
@@ -167,13 +152,14 @@
401
) : false;
}
-
// Clear failed attempts on success
$this->clearFailedAttempts($username);
// Set auth cookie with remember me flag
wp_set_current_user($user->ID);
- wp_set_auth_cookie($user->ID, $remember);
+ wp_set_auth_cookie($user->ID, $remember, is_ssl());
+
+
// Store session fingerprint for hijacking protection
if ($request) {
@@ -267,13 +253,12 @@
*/
protected function getSessionId(int $user_id): string
{
- // Use WordPress session tokens
- $sessions = WP_Session_Tokens::get_instance($user_id);
$token = wp_get_session_token(); // Current session token
if (!$token) {
- // Fallback to user-specific hash that changes on password reset
- return md5($user_id . get_user_meta($user_id, 'session_tokens', true));
+ // Fallback to a hash based on user ID and current timestamp
+ // This will be replaced once the session token is available
+ return md5($user_id . time());
}
return md5($token);
@@ -370,6 +355,9 @@
wp_set_current_user($user->ID);
wp_set_auth_cookie($user->ID, true);
+ if (session_status() === PHP_SESSION_ACTIVE) {
+ session_regenerate_id(true);
+ }
// Store session fingerprint
$this->storeSessionFingerprint($user->ID, $request);
@@ -532,7 +520,7 @@
update_user_meta($user_id, BASE . $key, sanitize_text_field($value));
}
- $redirect = $this->getRedirect($user, $request->get_param('redirect_to'), 'register');
+ $redirect = $this->getRedirect($user, $request->get_param('redirect_to')??get_home_url(null,'/dash'), 'register');
// Handle token handlers
do_action('jvbUserRegistered', $user_id, $email, $data);
@@ -581,7 +569,7 @@
];
}
- protected function getRedirect(WP_User $user, string $url, string $context = 'login'):string
+ protected function getRedirect(WP_User $user, ?string $url=null, string $context = 'login'):string
{
if (!empty($url)) {
$url = sanitize_url($url);
--
Gitblit v1.10.0