Fix magic login: URL generation, admin redirect, Wordfence reCAPTCHA #82
Open
ManniGH wants to merge 1 commit into
…eCAPTCHA compatibility
Three fixes to MagicLoginHandler.php:
1. Fix magic login URL base path (getMagicLoginUrl)
- Changed site_url('index.php') to site_url('/')
- Eliminates unnecessary 301 redirect caused by server-level
rewrite rules stripping index.php, which was preventing
makeLogin() from processing the token correctly.
2. Fix wp-admin redirect for non-admin users (handleMagicLoginAjax)
- Added check to ignore redirect_to=/wp-admin/ destinations
for users without manage_options capability
- Falls back to home_url('/') for non-admin users
- Prevents non-admin users being bounced to wp-login.php?reauth=1
3. Fix Wordfence reCAPTCHA compatibility (register)
- Added wordfence_ls_require_captcha filter to bypass reCAPTCHA
check when processing fls_al magic login requests
- Magic login never loads the login page normally so reCAPTCHA
JS never runs, causing Wordfence to treat it as a bot
- Filter degrades gracefully when Wordfence is not installed
Three fixes to MagicLoginHandler.php:
1. Fix magic login URL base path (getMagicLoginUrl)
2. Fix wp-admin redirect for non-admin users (handleMagicLoginAjax)
3. Fix Wordfence reCAPTCHA compatibility (register)
Infrastructure note:
The site_url('index.php') bug was particularly damaging on hosts running
Cloudflare, where the resulting 301 redirect caused Set-Cookie headers to
be stripped before reaching the browser, silently voiding the auth cookie.
Removing the 301 entirely by using site_url('/') resolves this. Users on
Cloudflare-backed hosts (e.g. Rocket.net) may also need to ensure
Set-Cookie headers are preserved on 302 redirect responses for URLs
matching /?fls_al=* — this is a host-level configuration, not a plugin fix.
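
The redirect rule from fix 2, as an added example that is not code from this pull request or from the plugin: a stand-alone sketch of choosing the post-login destination so that `/wp-admin/` targets fall back to the home URL for users without `manage_options`. The helper name `pick_magic_login_redirect()`, its parameters and the sample URLs are assumptions, and the same-host check goes beyond what the PR describes.

```php
<?php
// Added illustration; pick_magic_login_redirect() is a hypothetical helper,
// not a function from MagicLoginHandler.php.
function pick_magic_login_redirect(string $redirectTo, string $homeUrl, bool $canManageOptions): string
{
    $fallback   = rtrim($homeUrl, '/') . '/';   // plays the role of home_url('/')
    $home       = parse_url($homeUrl);
    $redirectTo = trim($redirectTo);

    // Empty values and "//host" or "/\host" forms always get the fallback.
    if ($redirectTo === '' || preg_match('#^[/\\\\]{2}#', $redirectTo)) {
        return $fallback;
    }
    $target = parse_url($redirectTo);
    if ($target === false) {
        return $fallback;
    }
    // Assumption beyond the PR: absolute URLs must be http(s) on the site's own host.
    if (isset($target['scheme']) || isset($target['host'])) {
        $scheme = strtolower($target['scheme'] ?? '');
        $host   = strtolower($target['host'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)
            || $host !== strtolower($home['host'] ?? '')) {
            return $fallback;
        }
    }
    // Normalise the path so /WP-ADMIN, /wp%2Dadmin/ and /x/../wp-admin/ are not missed.
    $path = strtolower(rawurldecode($target['path'] ?? '/'));
    if ($path[0] !== '/' || preg_match('#/\.\.?(/|$)#', $path)) {
        return $fallback;                       // relative or dot-segment paths
    }
    $base    = rtrim(strtolower($home['path'] ?? ''), '/'); // subdirectory installs
    $isAdmin = $path === "$base/wp-admin" || strpos($path, "$base/wp-admin/") === 0;

    return ($isAdmin && !$canManageOptions) ? $fallback : $redirectTo;
}

// Constructed sample inputs: [redirect_to, user has manage_options]
$cases = [
    ['/wp-admin/', false],
    ['/wp-admin/', true],
    ['https://example.test/WP-Admin/index.php', false],
    ['/my-account/', false],
    ['https://other.example/wp-admin/', true],
];
foreach ($cases as [$to, $admin]) {
    printf("%-42s admin=%d -> %s\n", $to, (int) $admin,
        pick_magic_login_redirect($to, 'https://example.test', $admin));
}
```

Inside WordPress the boolean would come from `user_can($user, 'manage_options')`, and `wp_validate_redirect()` already provides the same-host check.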