2FA Compatibility Issue with Nextend Social Login

💪 Added

Issue Summary:
When using Security Ninja's 2FA feature in conjunction with the Nextend Social Login plugin, users are unable to complete the login process due to a nonce validation error. The issue arises during the "Skip for now" functionality in the 2FA form, where the nonce is generated for a logged-in user but fails verification after session invalidation.


Steps to Reproduce:

  1. Install and activate Security Ninja Premium (v5.222 or later).
  2. Enable 2FA in Security Ninja.
  3. Install and activate Nextend Social Login.
  4. Attempt to log in using a social login provider via Nextend Social Login.
  5. Observe that:
    • Users are redirected to the 2FA verification form.
    • Clicking "Skip for now" fails with the following REST API error:
           {
             "code": "rest_invalid_param",
             "message": "Invalid parameter(s): nonce",
             "data": {
               "status": 400,
               "params": { "nonce": "Invalid parameter." },
               "details": []
             }
           }

Technical Details Provided by Nextend Social Login:

  • The issue occurs because Security Ninja invalidates the session partially during 2FA setup using:

      self::destroy_current_session_for_user( $user );
      wp_clear_auth_cookie();

  • However, this does not fully clear the session or reset login-specific properties, which leads to the invalid nonce generation.

  • Suggested Fix: Modify the session invalidation logic by incorporating or replicating the wp_logout() function to ensure session-specific properties are properly reset.
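The sketch below is an added illustration of the suggested fix and is not code from Security Ninja or Nextend Social Login. It replicates the steps WordPress core's wp_logout() performs, mints the "Skip for now" nonce only after that reset, and registers the skip route with the validate_callback whose failure produces the rest_invalid_param response quoted above. The class, route and action names (Example_2fa_Session, example-2fa/v1, example_2fa_skip) are hypothetical; every wp_* and register_rest_route() call is a real WordPress core API.

```php
<?php
// Added example, not code from Security Ninja or Nextend Social Login.
// Class, route and action names are hypothetical; wp_* calls are WordPress core APIs.

class Example_2fa_Session {

    /**
     * Full reset, replicating the steps wp_logout() performs in WordPress core:
     * destroy the current session token, expire the auth cookies, detach the
     * current-user global, and fire the wp_logout hook so other plugins can
     * drop their own per-login state. Calling wp_logout() directly does the
     * same; the steps are spelled out here so the order is visible.
     */
    public static function full_invalidation( WP_User $user ) {
        wp_destroy_current_session();
        wp_clear_auth_cookie();
        wp_set_current_user( 0 );
        do_action( 'wp_logout', $user->ID );

        // Assumption beyond wp_logout(): wp_clear_auth_cookie() only sends
        // expiring Set-Cookie headers and does not touch $_COOKIE, so code that
        // runs later in this same request would still read the old session
        // token through wp_get_session_token(). Drop the entries so a nonce
        // minted below sees the logged-out state the next request will have.
        foreach ( array( AUTH_COOKIE, SECURE_AUTH_COOKIE, LOGGED_IN_COOKIE ) as $name ) {
            unset( $_COOKIE[ $name ] );
        }
    }

    /**
     * WordPress nonces are bound to the current user ID and session token.
     * Minting the "Skip for now" nonce only AFTER the reset binds it to user 0
     * and an empty token, which is what wp_verify_nonce() will compute when
     * the skip request comes back without auth cookies.
     */
    public static function skip_nonce_after_reset( WP_User $user ) {
        self::full_invalidation( $user );
        return wp_create_nonce( 'example_2fa_skip' );
    }

    /**
     * REST route for the skip action. A validate_callback that returns false
     * is what yields the rest_invalid_param / "Invalid parameter(s): nonce"
     * response, so the nonce check is done here explicitly.
     */
    public static function register_routes() {
        register_rest_route( 'example-2fa/v1', '/skip', array(
            'methods'             => 'POST',
            'callback'            => array( __CLASS__, 'handle_skip' ),
            'permission_callback' => '__return_true', // caller is logged out by design
            'args'                => array(
                'nonce' => array(
                    'required'          => true,
                    'validate_callback' => function ( $value ) {
                        return (bool) wp_verify_nonce( $value, 'example_2fa_skip' );
                    },
                ),
            ),
        ) );
    }

    public static function handle_skip( WP_REST_Request $request ) {
        // Hypothetical: record that the user postponed 2FA enrolment; the
        // actual bookkeeping is plugin-specific.
        return rest_ensure_response( array( 'skipped' => true ) );
    }
}

add_action( 'rest_api_init', array( 'Example_2fa_Session', 'register_routes' ) );
```

The point to check when reviewing the real fix is the ordering: any nonce embedded in the 2FA form must be created after the session and current-user state are reset, otherwise the nonce is computed for a user/session pair that no longer exists when the skip request arrives.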


Temporary Workaround:
Nextend Social Login has provided the following workaround to skip 2FA enforcement during their authentication process:

// Runs before Nextend Social Login logs the user in; detaches the
// Security Ninja 2FA hook so wp_login completes without the 2FA redirect.
// Note that this disables 2FA for social logins entirely, hence "temporary".
// The priority (10) must match the one used in the plugin's add_action(),
// otherwise remove_action() will not find the callback.
add_action('nsl_before_wp_login', function () {
    remove_action('wp_login', 'WPSecurityNinja\Plugin\Wf_Sn_2fa::wp_login', 10);
});


Expected Behavior:
Users should be able to log in seamlessly via Nextend Social Login without encountering nonce validation errors, and the "Skip for now" functionality should work as intended.


Additional Context:

  • Affected user site: https://welldoit.solutions
  • Security Ninja version: 5.222
  • Nextend Social Login version: Latest at the time of writing.
  • PHP version: 8.1

Action Items for Technician:

  1. Review the current session invalidation logic in class-wf-sn-2fa.php, specifically in the wp_login() method.
  2. Update the logic to fully reset the user session to avoid nonce mismatch errors.
  3. Test compatibility with Nextend Social Login to ensure the issue is resolved.
  4. Consider adding test cases for similar third-party login flows to proactively address future conflicts.

Priority: High – Affects core functionality for users relying on third-party social login systems.

WP Security Ninja

4 months ago

Activity
WP Security Ninja

Released in 5.224

4 months ago

WP Security Ninja changed status to 💪 Added

4 months ago

WP Security Ninja changed status to Todo

4 months ago