From 23c1e08f6e5733c4429cbdab2303d7bee71e49b1 Mon Sep 17 00:00:00 2001
From: Dan Knauss <dan@newlocalmedia.com>
Date: Sat, 28 Mar 2026 16:43:30 -0600
Subject: [PATCH] Move rate-limit check before provider pre-processing and
 invalidate tokens
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Moves the rate-limit gate in process_provider() ahead of
pre_process_authentication() so all providers — not just email —
are blocked from resending or rotating state while rate-limited.

Also invalidates provider tokens (e.g. email OTP) when the rate
limit fires, preventing a captured token from remaining valid for
its full TTL after brute-force detection.

Closes #847

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 class-two-factor-core.php       | 27 ++++++++++--------
 tests/class-two-factor-core.php | 50 +++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 11 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index bcd89301..ec128aef 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1688,18 +1688,13 @@ public static function process_provider( $provider, $user, $is_post_request ) {
 			);
 		}
 
-		// Allow the provider to re-send codes, etc.
-		if ( true === $provider->pre_process_authentication( $user ) ) {
-			return false;
-		}
-
-		// If it's not a POST request, there's no processing to perform.
-		if ( ! $is_post_request ) {
-			return false;
-		}
-
-		// Rate limit two factor authentication attempts.
+		// Rate limit two factor authentication attempts, including pre-processing (e.g. resend).
 		if ( true === self::is_user_rate_limited( $user ) ) {
+			// Invalidate any provider token to prevent reuse after rate limiting.
+			if ( method_exists( $provider, 'delete_token' ) ) {
+				$provider->delete_token( $user->ID );
+			}
+
 			$time_delay = self::get_user_time_delay( $user );
 			$last_login = get_user_meta( $user->ID, self::USER_RATE_LIMIT_KEY, true );
 
@@ -1713,6 +1708,16 @@ public static function process_provider( $provider, $user, $is_post_request ) {
 			);
 		}
 
+		// Allow the provider to re-send codes, etc.
+		if ( true === $provider->pre_process_authentication( $user ) ) {
+			return false;
+		}
+
+		// If it's not a POST request, there's no processing to perform.
+		if ( ! $is_post_request ) {
+			return false;
+		}
+
 		// Ask the provider to verify the second factor.
 		if ( true !== $provider->validate_authentication( $user ) ) {
 			// Store the last time a failed login occurred.
diff --git a/tests/class-two-factor-core.php b/tests/class-two-factor-core.php
index a540628b..63713c02 100644
--- a/tests/class-two-factor-core.php
+++ b/tests/class-two-factor-core.php
@@ -644,6 +644,56 @@ public function test_is_user_rate_limited() {
 		$this->assertFalse( Two_Factor_Core::is_user_rate_limited( $user ) );
 	}
 
+	/**
+	 * Test that email resend requests are blocked while rate limited.
+	 *
+	 * @covers Two_Factor_Core::process_provider()
+	 */
+	public function test_process_provider_blocks_email_resend_while_rate_limited() {
+		$user     = $this->get_dummy_user( array( 'Two_Factor_Email' => 'Two_Factor_Email' ) );
+		$provider = Two_Factor_Email::get_instance();
+
+		$provider->generate_token( $user->ID );
+		$original_token = $provider->get_user_token( $user->ID );
+
+		update_user_meta( $user->ID, Two_Factor_Core::USER_FAILED_LOGIN_ATTEMPTS_KEY, 1 );
+		update_user_meta( $user->ID, Two_Factor_Core::USER_RATE_LIMIT_KEY, time() );
+
+		$_REQUEST[ Two_Factor_Email::INPUT_NAME_RESEND_CODE ] = 1;
+
+		$result = Two_Factor_Core::process_provider( $provider, $user, true );
+
+		unset( $_REQUEST[ Two_Factor_Email::INPUT_NAME_RESEND_CODE ] );
+
+		$this->assertWPError( $result );
+		$this->assertSame( 'two_factor_too_fast', $result->get_error_code() );
+		$this->assertFalse( $provider->get_user_token( $user->ID ), 'Token is invalidated when rate limited' );
+	}
+
+	/**
+	 * Test that rate limiting invalidates the email token on validation attempts.
+	 *
+	 * @covers Two_Factor_Core::process_provider()
+	 */
+	public function test_process_provider_invalidates_email_token_when_rate_limited() {
+		$user     = $this->get_dummy_user( array( 'Two_Factor_Email' => 'Two_Factor_Email' ) );
+		$provider = Two_Factor_Email::get_instance();
+
+		$provider->generate_token( $user->ID );
+
+		$this->assertTrue( $provider->user_has_token( $user->ID ), 'Token exists before rate limiting' );
+
+		// Simulate a rate-limited state.
+		update_user_meta( $user->ID, Two_Factor_Core::USER_FAILED_LOGIN_ATTEMPTS_KEY, 3 );
+		update_user_meta( $user->ID, Two_Factor_Core::USER_RATE_LIMIT_KEY, time() );
+
+		$result = Two_Factor_Core::process_provider( $provider, $user, true );
+
+		$this->assertWPError( $result );
+		$this->assertSame( 'two_factor_too_fast', $result->get_error_code() );
+		$this->assertFalse( $provider->user_has_token( $user->ID ), 'Token is invalidated when rate limited' );
+	}
+
 	/**
 	 * Test that the "invalid login attempts have occurred" login notice works as expected.
 	 *