Add email verification before activation #788

Open
faisalahammad wants to merge 1 commit into WordPress:master from faisalahammad:fix/778-email-verification-before-activation

Conversation

@faisalahammad faisalahammad commented Feb 13, 2026

Description

This PR implements a verification step for the Email provider in the Two-Factor plugin.

Previously, users could enable Email 2FA without confirming ownership of the email address, which posed a risk of account lockout if the email was incorrect or inaccessible. This change aligns the Email provider's activation flow with the TOTP provider by requiring successful code verification before the provider can be enabled.

Changes

  • User Options UI:
    • The "Email" provider section now displays a "Verify your e-mail address" button for unverified users.
    • Clicking this button initiates an AJAX request to send a verification code.
    • A new input field allows the user to enter the received code.
    • Upon successful verification, the provider is enabled, and the UI updates to show the standard "Enabled" checkbox state.
  • REST API:
    • Added POST /two-factor/1.0/email: Handles sending verification codes and validating them.
    • Added DELETE /two-factor/1.0/email: Handles resetting the verification status (if needed).
  • Verification Logic:
    • Two_Factor_Email::is_available_for_user() now returns true only if the user has verified their email (checked via _two_factor_email_verified user meta).
  • Backwards Compatibility:
    • Users who already have the Email provider enabled are considered "legacy verified" and can continue using it without re-verification.
  • Data Integrity:
    • Added a pre_user_options_update hook to prevent the Email provider from being enabled via the standard profile form save unless the user is verified.

How to Test

New User (Fresh Setup)

  1. Navigate to Users > Profile.
  2. Scroll to the Two-Factor Options section.
  3. Ensure the "Email" option is not enabled.
  4. Click the "Verify your e-mail address" button.
  5. Check your email for a verification code.
  6. Enter the code in the input field and click "Verify".
  7. Observe that the page updates, and the "Email" checkbox is now checked and enabled.

Legacy User (Existing Setup)

  1. Log in as a user who already has Email 2FA enabled.
  2. Navigate to Users > Profile.
  3. Confirm that the "Email" checkbox remains checked and functional.
  4. Verify that no re-verification prompt is shown.

Screenshot

[Screenshot: Email TOTP]

Technical Details

  • Class: Two_Factor_Email
  • New Methods:
    • register_rest_routes()
    • rest_setup_email()
    • rest_delete_email()
    • pre_user_options_update()
  • Modified Methods:
    • user_options(): updated to render the verification UI.
    • is_available_for_user(): added verification check (with legacy fallback).
    • generate_and_email_token(): updated to accept an $action argument ('login' vs 'verification_setup') to send context-appropriate emails.
  • New Constants:
    • VERIFIED_META_KEY: _two_factor_email_verified

Checklist

  • Code follows the WordPress Coding Standards.
  • Unit tests have been added/updated.
  • Verified manual testing of the new flow.
  • Verified backwards compatibility for existing users.

Fixes #778
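The activation gate described above (verify a mailed code first, keep legacy users enabled, reject an unverified Email provider on profile save), as an added illustration that is not the plugin's or this PR's code. WordPress user meta is stood in for by an in-memory array; `_two_factor_email_verified` comes from the PR, while the enabled-providers key name, the setup-token storage and the 15-minute lifetime are assumptions.

```php
<?php
// Added illustration of the PR's activation gate; not the Two-Factor plugin's code.
// $meta stands in for WordPress user meta; names marked "assumed" are not from the PR.
const VERIFIED_META_KEY = '_two_factor_email_verified';
const ENABLED_META_KEY  = '_two_factor_enabled_providers'; // assumed key name
const EMAIL_PROVIDER    = 'Two_Factor_Email';
const TOKEN_TTL         = 900; // assumed: setup code valid for 15 minutes

function start_verification( array &$meta, int $user_id ): string {
    // Issue a one-time setup code; persist only its hash plus an expiry.
    $code = sprintf( '%08d', random_int( 0, 99999999 ) );
    $meta[ $user_id ]['_setup_token'] = [
        'hash'    => hash( 'sha256', $code ),
        'expires' => time() + TOKEN_TTL,
    ];
    return $code; // this is what would be e-mailed to the user
}

function verify_setup_code( array &$meta, int $user_id, string $input ): bool {
    $rec = $meta[ $user_id ]['_setup_token'] ?? null;
    unset( $meta[ $user_id ]['_setup_token'] ); // single use, pass or fail
    if ( ! $rec || time() > $rec['expires'] ) {
        return false;
    }
    // Constant-time comparison so a wrong guess leaks nothing through timing.
    if ( ! hash_equals( $rec['hash'], hash( 'sha256', trim( $input ) ) ) ) {
        return false;
    }
    $meta[ $user_id ][ VERIFIED_META_KEY ] = true;
    return true;
}

function is_email_available( array $meta, int $user_id ): bool {
    // Legacy fallback: a user who already had Email enabled stays enabled.
    $enabled = $meta[ $user_id ][ ENABLED_META_KEY ] ?? [];
    return in_array( EMAIL_PROVIDER, $enabled, true )
        || ! empty( $meta[ $user_id ][ VERIFIED_META_KEY ] );
}

function filter_providers_on_save( array $meta, int $user_id, array $requested ): array {
    // Data-integrity gate: strip Email from a profile-form save unless verified.
    return array_values( array_filter( $requested, fn( $p ) =>
        EMAIL_PROVIDER !== $p || is_email_available( $meta, $user_id )
    ) );
}
$meta = [];
$code = start_verification( $meta, 1 );                       // new user
var_dump( filter_providers_on_save( $meta, 1, [ EMAIL_PROVIDER ] ) );
var_dump( verify_setup_code( $meta, 1, $code ) );
var_dump( filter_providers_on_save( $meta, 1, [ EMAIL_PROVIDER ] ) );
$meta[2][ ENABLED_META_KEY ] = [ EMAIL_PROVIDER ];            // legacy user
var_dump( is_email_available( $meta, 2 ) );
```

The first `filter_providers_on_save` call drops the Email provider because the user has not verified yet; after a successful `verify_setup_code` it is kept, and the legacy user passes without ever verifying.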

@github-actions

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: faisalahammad <faisalahammad@git.wordpress.org>
Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@jeffpaul jeffpaul added this to the 0.16.0 milestone Feb 13, 2026
@jeffpaul jeffpaul requested a review from kasparsd February 13, 2026 16:21

Development

Successfully merging this pull request may close these issues.

Require verification before activating Email TOTP