WordPress · sam-ash-cy · Sep 4, 2024 · Sep 4, 2024 · Sep 9, 2024 · Feb 19, 2025
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
@@ -94,7 +94,10 @@ class Two_Factor_Core {
 	 */
 	public static function add_hooks( $compat ) {
 		add_action( 'init', array( __CLASS__, 'get_providers' ) ); // @phpstan-ignore return.void
+
+		// Check to see if its a headless login
 		add_action( 'wp_login', array( __CLASS__, 'wp_login' ), 10, 2 );
+
 		add_filter( 'wp_login_errors', array( __CLASS__, 'maybe_show_reset_password_notice' ) );
 		add_action( 'after_password_reset', array( __CLASS__, 'clear_password_reset_notice' ) );
 		add_action( 'login_form_validate_2fa', array( __CLASS__, 'login_form_validate_2fa' ) );
@@ -658,16 +661,34 @@ public static function is_user_using_two_factor( $user = null ) {
 	 * @param WP_User $user WP_User object of the logged-in user.
 	 */
 	public static function wp_login( $user_login, $user ) {
-		if ( ! self::is_user_using_two_factor( $user->ID ) ) {
-			return;
+		// get request 
+
+		$current_origin = get_http_origin();
+
+		if ( empty( $current_origin ) ) {
+			$current_origin = ! empty( $_SERVER['HTTP_REFERER'] ) ? sanitize_text_field( $_SERVER['HTTP_REFERER'] ) : null;
 		}
 
+		// get frontend url
+		$faustwp_settings = get_option('faustwp_settings');
+
+		$frontend_uri = ($faustwp_settings['frontend_uri']);
+
+		// this is returning "https:\/\/localhost:3000"
+		// we need it in the format https://localhost:3000
+		$frontend_uri = str_replace('\\', '', $frontend_uri);
+		$frontend_uri = str_replace('"', '', $frontend_uri);
+
+		if ( ! self::is_user_using_two_factor( $user->ID ) || $current_origin === $frontend_uri ) {
+			return;
+		}
+
 		// Invalidate the current login session to prevent from being re-used.
 		self::destroy_current_session_for_user( $user );
-
+	
 		// Also clear the cookies which are no longer valid.
 		wp_clear_auth_cookie();
-
+	
 		self::show_two_factor_login( $user );
 		exit;
 	}

diff --git a/providers/class-two-factor-email.php b/providers/class-two-factor-email.php
@@ -40,7 +40,7 @@ class Two_Factor_Email extends Two_Factor_Provider {
 	 *
 	 * @since 0.1-dev
 	 */
-	protected function __construct() {
+	public function __construct() {
 		add_action( 'two_factor_user_options_' . __CLASS__, array( $this, 'user_options' ) );
 		parent::__construct();
 	}

diff --git a/providers/class-two-factor-totp.php b/providers/class-two-factor-totp.php
@@ -42,7 +42,7 @@ class Two_Factor_Totp extends Two_Factor_Provider {
 	 *
 	 * @codeCoverageIgnore
 	 */
-	protected function __construct() {
+	public function __construct() {
 		add_action( 'rest_api_init', array( $this, 'register_rest_routes' ) );
 		add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_assets' ) );
 		add_action( 'wp_enqueue_scripts', array( $this, 'enqueue_assets' ) );