
Add "Didn't expect this?" message#728

Merged
kasparsd merged 2 commits into WordPress:master from todeveni:unexpected-email on Dec 11, 2025

Conversation

todeveni (Contributor) commented Dec 9, 2025

What?

Adds a "Didn't expect this?" message, as suggested by @dd32 in #726 (comment).

Why?

If your credentials have been compromised and someone's been able to log in to your account with email 2FA active, you might be wondering why your site is sending you 2FA codes, when you haven't been logging in.

How?

Adds additional information to the sent email.

Changelog Entry

Changed - Added additional information to outgoing 2FA email message.

Not sure if we should use PHP_EOL, since the WordPress codebase doesn't seem to use that either, and whether we should add the message as a whole instead of concatenating it line by line. "Enter %s to log in" has already been translated into many languages, so that should stay separate?

jeffpaul requested a review from kasparsd December 9, 2025 21:18
kasparsd (Collaborator) left a comment

Thanks for your contribution! This is great.

Left a couple of optional suggestions inline the pull request.

public function generate_and_email_token( $user ) {
$token = $this->generate_token( $user->ID );
$token = $this->generate_token( $user->ID );
$remote_ip = preg_replace( '/[^0-9a-fA-F:., ]/', '', $_SERVER['REMOTE_ADDR'] );
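Review bot: the new `$remote_ip` line reads `$_SERVER['REMOTE_ADDR']` without an `isset()` guard, so in contexts where the key is absent (WP-CLI, cron, unit tests) PHP emits a notice and `$remote_ip` becomes an empty string; suggest `isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : ''` before the `preg_replace()`. The character allow-list also only strips, it does not validate: a value such as `203.0.113.7, 10.0.0.1` or `abcd` passes through unchanged, so following the sanitize step with `filter_var( $remote_ip, FILTER_VALIDATE_IP )` and substituting a placeholder on failure keeps non-addresses out of the email. The `$token = $this->generate_token( $user->ID );` assignment appears twice in this excerpt; if that reflects the diff rather than the rendered view, the second assignment is redundant.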
kasparsd (Collaborator) commented:

There is filter_var() with FILTER_VALIDATE_IP that should be able to handle this correctly for all IP types.

Secondly, this might return invalid IP if the site is behind a proxy. Unfortunately WP core doesn't have a helper function to retrieve this data consistently. The closest implementation is this https://developer.wordpress.org/reference/classes/wp_community_events/get_unsafe_client_ip/ but as explained in this article, we should probably stick to $_SERVER['REMOTE_ADDR'] and possibly add a filter to adjust as needed.

todeveni (Contributor, Author) replied:

FILTER_VALIDATE_IP only validates, doesn't sanitize.

That preg_replace() is lifted off from https://github.com/WordPress/wordpress-develop/blob/63b3a8f6c874c8dd7cec0400edf3135ad98f649d/src/wp-includes/class-wp-xmlrpc-server.php#L7022
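The sanitize-then-validate approach discussed in this thread, as an added example that is not part of the PR or of the plugin's own code. It reuses the PR's allow-list regex, adds the `filter_var()` validation kasparsd suggested, and shows what a proxy override through a filter would look like. The `two_factor_email_client_ip` hook name, the `example_*` function names, the trusted-proxy address and the sample `$_SERVER` arrays are all assumptions constructed for this example; the `apply_filters()` shim exists only so the file runs outside WordPress.

```php
<?php
/**
 * Added example (not the Two-Factor plugin's code): derive a display-safe client
 * IP for the "Didn't expect this?" email. Sanitize with the PR's allow-list,
 * validate with filter_var(), then let a proxied site override via a filter.
 */

// Shim so this runs outside WordPress; WP core provides the real apply_filters().
if ( ! function_exists( 'apply_filters' ) ) {
	function apply_filters( $hook_name, $value ) {
		return $value;
	}
}

/**
 * Return a validated client IP for inclusion in an email, or '' if none.
 *
 * @param array $server Normally $_SERVER; injected so the function is testable.
 * @return string
 */
function example_2fa_client_ip( array $server ) {
	// Step 1: sanitize with the same allow-list the PR (and core's XML-RPC
	// server) uses. Guard the key: WP-CLI and cron requests have no REMOTE_ADDR.
	$raw       = isset( $server['REMOTE_ADDR'] ) ? (string) $server['REMOTE_ADDR'] : '';
	$sanitized = preg_replace( '/[^0-9a-fA-F:., ]/', '', $raw );

	// Step 2: validate. The allow-list still passes strings such as
	// "203.0.113.7, 10.0.0.1" or "abcd" that are not addresses; FILTER_VALIDATE_IP
	// accepts only a single well-formed IPv4 or IPv6 literal.
	$ip = filter_var( $sanitized, FILTER_VALIDATE_IP );
	if ( false === $ip ) {
		$ip = '';
	}

	// Step 3: let a site behind a trusted reverse proxy substitute the real
	// client address. Hook name is hypothetical; the plugin does not define it.
	$ip = apply_filters( 'two_factor_email_client_ip', $ip, $server );

	return is_string( $ip ) ? $ip : '';
}

/**
 * Example filter callback for a site whose reverse proxy sets X-Forwarded-For.
 * The header is honoured only when the direct peer is the known proxy; from any
 * other peer it is attacker-controlled and is ignored. The left-most entry is the
 * one the proxy prepended for the original client.
 */
function example_forwarded_ip_override( $ip, array $server, $trusted_proxy = '10.0.0.1' ) {
	if ( ! isset( $server['REMOTE_ADDR'], $server['HTTP_X_FORWARDED_FOR'] ) ) {
		return $ip;
	}
	if ( $server['REMOTE_ADDR'] !== $trusted_proxy ) {
		return $ip;
	}
	$first = trim( explode( ',', $server['HTTP_X_FORWARDED_FOR'] )[0] );
	$first = filter_var( $first, FILTER_VALIDATE_IP );
	return false === $first ? $ip : $first;
}

// Constructed sample $_SERVER arrays covering the cases discussed above.
$cases = array(
	array( 'REMOTE_ADDR' => '203.0.113.7' ),
	array( 'REMOTE_ADDR' => '2001:db8::1' ),
	array( 'REMOTE_ADDR' => '203.0.113.7, 10.0.0.1' ),  // survives the regex, fails validation
	array( 'REMOTE_ADDR' => 'abcd' ),                   // hex letters survive the regex, fails validation
	array(),                                            // WP-CLI / cron: no REMOTE_ADDR at all
);
foreach ( $cases as $server ) {
	printf(
		"%-30s => '%s'\n",
		var_export( isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : null, true ),
		example_2fa_client_ip( $server )
	);
}

// Proxied request: direct peer is the trusted proxy, original client is in XFF.
$proxied = array(
	'REMOTE_ADDR'          => '10.0.0.1',
	'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.1',
);
echo example_forwarded_ip_override( example_2fa_client_ip( $proxied ), $proxied ), "\n";

// Same header from an untrusted peer: the XFF value is ignored.
$spoofed = array(
	'REMOTE_ADDR'          => '192.0.2.44',
	'HTTP_X_FORWARDED_FOR' => '198.51.100.9',
);
echo example_forwarded_ip_override( example_2fa_client_ip( $spoofed ), $spoofed ), "\n";
```

In WordPress the override would be registered with `add_filter( 'two_factor_email_client_ip', 'example_forwarded_ip_override', 10, 2 )` (hypothetical hook, as above); sites not behind a proxy leave the filter unused and the email shows `REMOTE_ADDR`, which is what the thread settles on.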

kasparsd (Collaborator) left a comment

This is great! Let's ship it!

Thanks again!

kasparsd merged commit 331d12e into WordPress:master Dec 11, 2025
3 of 27 checks passed
jeffpaul modified the milestones: 0.16.0, 0.15.0 Dec 11, 2025