From 3388d45423156b777bfadf2efbf0ac8a9dfa097c Mon Sep 17 00:00:00 2001
From: Dion Hulse
Date: Thu, 25 May 2023 18:03:36 +1000
Subject: [PATCH 1/5] Disable U2F / FIDO interface unless the user has keys enabled.

---
class-two-factor-core.php | 9 ++++++++-
providers/class-two-factor-fido-u2f-admin.php | 10 ++++++++++
2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 420cb4e1..083de2b5 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1716,6 +1716,13 @@ public static function user_two_factor_options( $user ) {
$show_2fa_options ? '' : 'disabled="disabled"',
);
+ $providers = self::get_providers();
+
+ // Disable U2F unless already configured.
+ if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && ! $providers['Two_Factor_FIDO_U2F']->is_available_for_user( $user ) ) {
+ unset( $providers['Two_Factor_FIDO_U2F'] );
+ }
+
wp_nonce_field( 'user_two_factor_options', '_nonce_user_two_factor_options', false );
?>
@@ -1734,7 +1741,7 @@ public static function user_two_factor_options( $user ) { - $object ) : ?> + $object ) : ?> /> />
diff --git a/providers/class-two-factor-fido-u2f-admin.php b/providers/class-two-factor-fido-u2f-admin.php
index 65ffddc1..24034b8c 100644
--- a/providers/class-two-factor-fido-u2f-admin.php
+++ b/providers/class-two-factor-fido-u2f-admin.php
@@ -61,6 +61,11 @@ public static function enqueue_assets( $hook ) {
$security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
+ // Disabled interface if there's no keys.
+ if ( ! $security_keys ) {
+ return;
+ }
+
// @todo Ensure that scripts don't fail because of missing u2fL10n.
try {
$data = Two_Factor_FIDO_U2F::$u2f->getRegisterData( $security_keys );
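Review bot: Removing `Two_Factor_FIDO_U2F` from the local `$providers` array in `user_two_factor_options` changes only what is rendered; the code that saves the submitted provider selections lies outside this hunk, and if it still accepts that provider key from the posted form, the restriction is not enforced on save and the provider can still be enabled for a user the UI no longer offers it to. Applying the same `is_available_for_user( $user )` gate (or reusing the filtered `$providers` list) in the save path keeps display and persistence consistent. `user_two_factor_options` continues beyond the hunk, so I cannot confirm from here whether the save path already does this.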
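Review bot: The early return in `enqueue_assets` is keyed on `get_security_keys( $user_id )`, while the `show_user_profile` hunk in this same patch is keyed on `is_available_for_user( $user )`; if those two predicates ever differ, the profile section renders without its scripts or the scripts load for a section that is never shown. Using one predicate at both call sites avoids that drift, and I would note in a comment why this function and `show_user_profile` must agree. The added comment would also read better as `// Disable the interface if there are no keys.`. `enqueue_assets` continues past the hunk.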
@@ -164,6 +169,11 @@ protected static function asset_version() {
* @param WP_User $user WP_User object of the logged-in user.
*/
public static function show_user_profile( $user ) {
+ // Don't display if the user cannot configure it.
+ if ( ! Two_Factor_FIDO_U2F::get_instance()->is_available_for_user( $user ) ) {
+ return;
+ }
+
wp_nonce_field( "user_security_keys-{$user->ID}", '_nonce_user_security_keys' );
$new_key = false;

From dbb400dcc8bd1a8689b76e5715b05bfe4723a17e Mon Sep 17 00:00:00 2001
From: Dion Hulse
Date: Thu, 25 May 2023 18:04:59 +1000
Subject: [PATCH 2/5] Add a filter to allow turning it back on.

---
class-two-factor-core.php | 2 +-
providers/class-two-factor-fido-u2f-admin.php | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 083de2b5..e69fafb1 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1719,7 +1719,7 @@ public static function user_two_factor_options( $user ) {
$providers = self::get_providers();
// Disable U2F unless already configured.
- if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && ! $providers['Two_Factor_FIDO_U2F']->is_available_for_user( $user ) ) {
+ if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && ! $providers['Two_Factor_FIDO_U2F']->is_available_for_user( $user ) && apply_filters( 'two_factor_u2f_disabled', true ) ) {
unset( $providers['Two_Factor_FIDO_U2F'] );
}
diff --git a/providers/class-two-factor-fido-u2f-admin.php b/providers/class-two-factor-fido-u2f-admin.php
index 24034b8c..8446c2e0 100644
--- a/providers/class-two-factor-fido-u2f-admin.php
+++ b/providers/class-two-factor-fido-u2f-admin.php
@@ -62,7 +62,7 @@ public static function enqueue_assets( $hook ) {
$security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
// Disabled interface if there's no keys.
- if ( ! $security_keys ) {
+ if ( ! $security_keys && apply_filters( 'two_factor_u2f_disabled', true ) ) {
return;
}
@@ -170,7 +170,7 @@ protected static function asset_version() {
*/
public static function show_user_profile( $user ) {
// Don't display if the user cannot configure it.
- if ( ! Two_Factor_FIDO_U2F::get_instance()->is_available_for_user( $user ) ) {
+ if ( ! Two_Factor_FIDO_U2F::get_instance()->is_available_for_user( $user ) && apply_filters( 'two_factor_u2f_disabled', true ) ) {
return;
}

From 6fc25a7461c8c4335bc81a990f7ea02cca8c8bb7 Mon Sep 17 00:00:00 2001
From: Dion Hulse
Date: Thu, 25 May 2023 18:17:11 +1000
Subject: [PATCH 3/5] Remove U2F references from readme

---
readme.txt | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/readme.txt b/readme.txt
index 272a7d12..7826ad1d 100644
--- a/readme.txt
+++ b/readme.txt
@@ -1,12 +1,12 @@
=== Two-Factor ===
Contributors: georgestephanis, valendesigns, stevenkword, extendwings, sgrant, aaroncampbell, johnbillion, stevegrunwell, netweb, kasparsd, alihusnainarshad, passoniate
-Tags: two factor, two step, authentication, login, totp, fido u2f, u2f, email, backup codes, 2fa, yubikey
+Tags: two factor, two step, authentication, login, totp email, backup codes, 2fa, yubikey
Requires at least: 4.3
Tested up to: 6.2
Requires PHP: 5.6
Stable tag: 0.8.1
-Enable Two-Factor Authentication using time-based one-time passwords (OTP, Google Authenticator), Universal 2nd Factor (FIDO U2F, YubiKey), email and backup verification codes.
+Enable Two-Factor Authentication using time-based one-time passwords (OTP, Google Authenticator), email and backup verification codes.
== Description ==
@@ -14,7 +14,6 @@ Use the "Two-Factor Options" section under "Users" → "Your Profile" to enable
- Email codes
- Time Based One-Time Passwords (TOTP)
-- FIDO Universal 2nd Factor (U2F)
- Backup Codes
- Dummy Method (only for testing purposes)

From 36171c0c4b3689131b0ebd19fa9e4e36bd1920e4 Mon Sep 17 00:00:00 2001
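Review bot: The rewritten `Tags:` line in readme.txt drops the comma between `totp` and `email` along with the removed U2F entries, so the two remaining tags are merged into a single `totp email` tag. The plugin directory parses this header as a comma-separated list, so the merged entry would show up as one tag instead of two. It should read `Tags: two factor, two step, authentication, login, totp, email, backup codes, 2fa, yubikey`.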
From: Dion Hulse
Date: Thu, 1 Jun 2023 15:02:19 +1000
Subject: [PATCH 4/5] Document the filter.

---
class-two-factor-core.php | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index e69fafb1..771e71b8 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1719,8 +1719,22 @@ public static function user_two_factor_options( $user ) {
$providers = self::get_providers();
// Disable U2F unless already configured.
- if ( isset( $providers['Two_Factor_FIDO_U2F'] ) && ! $providers['Two_Factor_FIDO_U2F']->is_available_for_user( $user ) && apply_filters( 'two_factor_u2f_disabled', true ) ) {
- unset( $providers['Two_Factor_FIDO_U2F'] );
+ if ( isset( $providers['Two_Factor_FIDO_U2F'] ) ) {
+ $disabled = ! $providers['Two_Factor_FIDO_U2F']->is_available_for_user( $user );
+
+ /**
+ * Filter whether the deprecated U2F provider is available.
+ *
+ * The U2F provider does not support modern browsers, and it being enabled causes confusion.
+ *
+ * @param bool $disabled Whether the provider is disabled for this user.
+ * @param WP_User $user The user being displayed.
+ */
+ $disabled = apply_filters( 'two_factor_u2f_disabled', $disabled, $user );
+
+ if ( $disabled ) {
+ unset( $providers['Two_Factor_FIDO_U2F'] );
+ }
}
wp_nonce_field( 'user_two_factor_options', '_nonce_user_two_factor_options', false );

From 415d3056a3d874f2793113aa0f808fe7d01b6ff1 Mon Sep 17 00:00:00 2001
From: Dion Hulse
Date: Thu, 1 Jun 2023 15:04:08 +1000
Subject: [PATCH 5/5] Document where the filter is documented.

---
providers/class-two-factor-fido-u2f-admin.php | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/providers/class-two-factor-fido-u2f-admin.php b/providers/class-two-factor-fido-u2f-admin.php
index 8446c2e0..d5aaa014 100644
--- a/providers/class-two-factor-fido-u2f-admin.php
+++ b/providers/class-two-factor-fido-u2f-admin.php
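Review bot: The new docblock's summary line, `Filter whether the deprecated U2F provider is available.`, states the opposite of the value being filtered: the callback receives and returns `$disabled`, and `true` is what removes the provider, so a callback written from the summary alone is likely to invert the flag. Suggest `* Filter whether the deprecated U2F provider is disabled for a user.`, and `* The U2F provider does not work in modern browsers, and leaving it enabled causes confusion.` for the awkward `it being enabled` sentence. It would also help to state in the docblock that the same filter is consulted in providers/class-two-factor-fido-u2f-admin.php, since that is where callers will look for the other call sites. `user_two_factor_options` continues beyond the hunk.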
@@ -62,7 +62,11 @@ public static function enqueue_assets( $hook ) {
$security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
// Disabled interface if there's no keys.
- if ( ! $security_keys && apply_filters( 'two_factor_u2f_disabled', true ) ) {
+ if (
+ ! $security_keys &&
+ /** This filter is documented in class-two-factor-core.php */
+ apply_filters( 'two_factor_u2f_disabled', true )
+ ) {
return;
}
@@ -170,7 +174,11 @@ protected static function asset_version() {
*/
public static function show_user_profile( $user ) {
// Don't display if the user cannot configure it.
- if ( ! Two_Factor_FIDO_U2F::get_instance()->is_available_for_user( $user ) && apply_filters( 'two_factor_u2f_disabled', true ) ) {
+ if (
+ ! Two_Factor_FIDO_U2F::get_instance()->is_available_for_user( $user ) &&
+ /** This filter is documented in class-two-factor-core.php */
+ apply_filters( 'two_factor_u2f_disabled', true )
+ ) {
return;
}
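Review bot: Both hunks (`enqueue_assets` and `show_user_profile`) still call `apply_filters( 'two_factor_u2f_disabled', true )` with a single constant argument, while the docblock they now reference in class-two-factor-core.php declares `( bool $disabled, WP_User $user )` and runs the filter unconditionally; a callback registered with two accepted arguments would be invoked from here with only one, and a callback that returns `true` to force-disable the provider for a user who does have keys is never consulted, because the `&&` short-circuits before the filter runs. Suggest computing the flag first and passing the user, e.g. in `enqueue_assets` `$disabled = apply_filters( 'two_factor_u2f_disabled', ! $security_keys, get_userdata( $user_id ) );` followed by `if ( $disabled ) { return; }` (assuming `$user_id` is the profile user's ID), and in `show_user_profile` the same with `! Two_Factor_FIDO_U2F::get_instance()->is_available_for_user( $user )` and `$user` as the arguments. Both enclosing methods continue beyond their hunks.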