Tidy up and run it further downstream.

georgestephanis · kasparsd · georgestephanis · commit 66b43aee57ae · 2025-09-18T11:31:59.000-04:00
Props Kaspars for the suggestion to relocate to keep the function signatures.

Co-Authored-By: Kaspars Dambis &lt;hi@kaspars.net&gt;
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
@@ -547,7 +547,7 @@ public static function get_enabled_providers_for_user( $user = null ) {
 	 * @see Two_Factor_Core::get_enabled_providers_for_user()
 	 *
 	 * @param int|WP_User $user Optional. User ID, or WP_User object of the the user. Defaults to current user.
-	 * @return array|WP_Error List of provider instances, or a WP_Error if all configured providers are unavailable.
+	 * @return array List of provider instances.
 	 */
 	public static function get_available_providers_for_user( $user = null ) {
 		$user = self::fetch_user( $user );
@@ -557,30 +557,26 @@ public static function get_available_providers_for_user( $user = null ) {
 
 		$providers            = self::get_supported_providers_for_user( $user ); // Returns full objects.
 		$enabled_providers    = self::get_enabled_providers_for_user( $user ); // Returns just the keys.
-		$configured_providers = array();
 		$user_providers_raw   = get_user_meta( $user->ID, self::ENABLED_PROVIDERS_USER_META_KEY, true );
+		$configured_providers = array();
 
 		/**
 		 * If the user had enabled providers, but none of them exist currently,
 		 * if emailed codes is available force it to be on, so that deprecated
 		 * or removed providers don't result in the two-factor requirement being
 		 * removed and 'failing open'.
-		 * 
+		 *
 		 * Possible enhancement: add a filter to change the fallback method?
 		 */
 		if ( empty( $enabled_providers ) && $user_providers_raw ) {
 			if ( isset( $providers['Two_Factor_Email'] ) ) {
 				// Force Emailed codes to 'on'.
 				$enabled_providers[] = 'Two_Factor_Email';
 			} else {
-				return new WP_Error(
-					'no_available_2fa_methods',
-					__( 'Error: You have Two Factor method(s) enabled, but the provider(s) no longer exist. Please contact a site administrator for assistance.', 'two-factor' ),
-					array(
-						'user_providers_raw'  => $user_providers_raw,
-						'available_providers' => array_keys( $providers ),
-					)
-				);
+				// Email isn't available?  Okay, then you get nothing.  Downstream should verify
+				// there aren't any that have gone away before allowing authentication when trying
+				// to login.
+				return $configured_providers;
 			}
 		}
 
@@ -621,7 +617,7 @@ public static function get_provider_for_user( $user = null, $preferred_provider
 
 		if ( is_string( $preferred_provider ) ) {
 			$providers = self::get_available_providers_for_user( $user );
-			if ( ! is_wp_error( $providers ) && isset( $providers[ $preferred_provider ] ) ) {
+			if ( is_array( $providers ) && isset( $providers[ $preferred_provider ] ) ) {
 				return $providers[ $preferred_provider ];
 			}
 		}
@@ -668,9 +664,6 @@ public static function get_primary_provider_for_user( $user = null ) {
 		// If there's only one available provider, force that to be the primary.
 		if ( empty( $available_providers ) ) {
 			return null;
-		} elseif ( is_wp_error( $available_providers ) ) {
-			// If it returned an error, the configured methods don't exist, and it couldn't swap in a replacement.
-			wp_die( $available_providers );
 		} elseif ( 1 === count( $available_providers ) ) {
 			$provider = key( $available_providers );
 		} else {
@@ -963,9 +956,30 @@ public static function login_html( $user, $login_nonce, $redirect_to, $error_msg
 
 		$rememberme = intval( self::rememberme() );
 
-		if ( is_wp_error( $available_providers ) ) {
-			// If it returned an error, the configured methods don't exist, and it couldn't swap in a replacement.
-			wp_die( $available_providers );
+		if ( empty( $available_providers ) ) {
+			$user_providers_raw = get_user_meta( $user->ID, self::ENABLED_PROVIDERS_USER_META_KEY, true );
+			if ( $user_providers_raw ) {
+				// The user has a provider configured according to usermeta, but none are currently available.
+				$error = new WP_Error(
+					'no_available_2fa_methods',
+					__( 'Error: You have Two Factor method(s) enabled, but the provider(s) no longer exist. Please contact a site administrator for assistance.', 'two-factor' ),
+					array(
+						'user_providers_raw'  => $user_providers_raw,
+						'available_providers' => array_keys( $available_providers ),
+					)
+				);
+
+				/**
+				 * Provide an opportunity for other code to change this fail-closed behavior, or listen for its events.
+				 *
+				 * @param WP_Error|mixed $error The WP_Error indicating there are no available 2FA Methods. To allow anyways, just return anything else.
+				 */
+				$error = apply_filters( 'two_factor_error_no_available_methods', $error );
+
+				if ( is_wp_error( $error ) ) {
+					wp_die( $error );
+				}
+			}
 		}
 
 		if ( ! function_exists( 'login_header' ) ) {
@@ -2164,15 +2178,15 @@ public static function user_two_factor_options_update( $user_id ) {
 						array(
 							'two-factor-provider' => '',
 							'two-factor-login'    => time(),
-						) 
+						)
 					);
 				} elseif ( $existing_providers && ! $enabled_providers ) {
 					// We've disabled two-factor, remove session metadata.
 					self::update_current_user_session(
 						array(
 							'two-factor-provider' => null,
 							'two-factor-login'    => null,
-						) 
+						)
 					);
 				}
 			}
