Move inline JS to external script files

[aslamdoctor]

Summary

• Extract 6 inline <script> blocks from 4 PHP files into 5 new external JS files under providers/js/, improving CSP compatibility and enabling proper WordPress script dependency management (fixes issues like Missing script dependency: Uncaught TypeError: wp.apiRequest is not a function #558 where wp.apiRequest was unavailable)
• New files: totp-admin-qrcode.js, totp-admin.js, backup-codes-admin.js, two-factor-login.js, two-factor-login-authcode.js
• Convert customizer messenger one-liner to wp_add_inline_script() instead of raw <script> tag
• All new JS files pass npm run lint:js (WordPress ES5 rules)

Test plan

• Admin profile — TOTP setup: QR code renders, setup form submits, checkbox focuses input, invalid code shows error
• Admin profile — TOTP reset: "Reset authenticator app" button works, re-renders setup form with QR code
• Admin profile — Backup codes: Generate, copy, download all work; code count updates
• Login page — TOTP: Authcode field focused, numeric-only enforcement, auto-submit at expected length
• Login page — Email: Authcode field cleared + focused, numeric enforcement, auto-submit
• Login page — Backup codes: Focus + numeric enforcement
• Network tab: External JS files load with correct dependencies (jquery, wp-api-request, qrcode.js)
• Browser console: No JS errors on any page
• Customizer interim login: Messenger script fires correctly

Fixes #812

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: aslamdoctor <aslamdoctor@git.wordpress.org>
Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>
Co-authored-by: georgestephanis <georgestephanis@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[masteradhoc]

Thanks for the fast fix regarding my comment about the QR-Code not rendering after resetting the TOTP. Checked it now and looks good from my side.

[georgestephanis]

For big migrations like this, I've found that copilot is really good at catching stuff my eyes gloss over. Just wanna make sure it doesn't surface anything significant.

[Copilot]

Pull request overview

This PR extracts previously inline JavaScript from provider PHP templates into external script files under providers/js/, enabling better CSP compatibility and allowing WordPress dependency management (notably ensuring wp-api-request is properly enqueued when needed).

Changes:

• Added 5 new external JS files for login behaviors and provider admin UIs (TOTP + backup codes).
• Updated provider PHP to register/enqueue these scripts and pass dynamic values via wp_localize_script().
• Replaced a raw customizer <script> snippet with wp_add_inline_script().

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
providers/js/two-factor-login.js	New login helper script (focus/clear authcode).
providers/js/two-factor-login-authcode.js	New login authcode input enforcement + autosubmit logic.
providers/js/totp-admin.js	New admin/profile TOTP setup/reset interactions via REST calls.
providers/js/totp-admin-qrcode.js	New TOTP QR-code rendering script using qrcode generator.
providers/js/backup-codes-admin.js	New backup codes UI (generate/copy/download) via REST calls.
providers/class-two-factor-totp.php	Registers/enqueues new TOTP scripts and localizes REST params.
providers/class-two-factor-email.php	Enqueues shared login script instead of inline <script>.
providers/class-two-factor-backup-codes.php	Registers/enqueues new backup codes script and localizes REST params.
class-two-factor-core.php	Registers login scripts and switches customizer snippet to wp_add_inline_script().

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

admin_enqueue_scripts passes the $hook_suffix argument, but enqueue_assets() is declared with no parameters. On PHP 8+, WordPress will call this with 1 arg and trigger an ArgumentCountError, breaking admin pages. Make enqueue_assets( $hook_suffix = '' ) accept the parameter (or register the action with accepted_args = 0) so the callback signature matches the hook.

Suggested change

	*/
	public function enqueue_assets() {
	*
	* @param string $hook_suffix Optional. The current admin page hook suffix.
	*/
	public function enqueue_assets( $hook_suffix = '' ) {

[Copilot]

form.submit.disabled = 'disabled' won't reliably disable the submit button (most login forms don't have a control named submit, and form.submit is typically the form method). This means auto-submit can still be triggered multiple times. Disable the actual submit control (e.g., #wp-submit or form.querySelector('[type="submit"]')) and guard form being null before calling requestSubmit().

Suggested change

	if ( undefined !== form.requestSubmit ) {
	form.requestSubmit();
	form.submit.disabled = 'disabled';
	if ( form && typeof form.requestSubmit === 'function' ) {
	form.requestSubmit();
	var submitControl = form.querySelector( '[type="submit"]' );
	if ( submitControl ) {
	submitControl.disabled = true;
	}

[Copilot]

trimStart() is not available in ES5 and can break in environments without that newer String API. Since these scripts are intended to follow WordPress' ES5 rules, avoid trimStart() here (e.g., strip leading whitespace via a regex) to keep compatibility consistent.

Suggested change

	var value = this.value.replace( /[^0-9 ]/g, '' ).trimStart();
	var value = this.value.replace( /[^0-9 ]/g, '' ).replace( /^\s+/, '' );

[Copilot]

In the fail handler, response.responseJSON can be undefined (e.g., non-JSON error responses), which would throw when accessing .message and prevent the error UI from rendering. Guard the lookup (check response.responseJSON && response.responseJSON.message) and fall back to a safer string (like response.statusText or status).

Suggested change

	var errorMessage = response.responseJSON.message || status,
	var errorMessage = ( response && response.responseJSON && response.responseJSON.message ) || ( response && response.statusText ) || status || '',

[Copilot]

The SVG accessibility attributes are set using svg.role = 'image' and svg.ariaLabel = .... image is not a valid ARIA role value (use img), and setting ARIA via DOM properties is not consistently supported for SVG; prefer setAttribute('role', 'img') and setAttribute('aria-label', ...). Also, the label is hard-coded in English here; pass a localized label via twoFactorTotpAdmin (as done in twoFactorTotpQrcode) so it can be translated.

Suggested change

	svg.role = 'image';
	svg.ariaLabel = 'Authenticator App QR Code';
	title.innerText = svg.ariaLabel;
	var ariaLabel = ( typeof twoFactorTotpAdmin !== 'undefined' && twoFactorTotpAdmin && twoFactorTotpAdmin.qrCodeAriaLabel ) ? twoFactorTotpAdmin.qrCodeAriaLabel : 'Authenticator App QR Code';
	svg.setAttribute( 'role', 'img' );
	svg.setAttribute( 'aria-label', ariaLabel );
	title.innerText = ariaLabel;

[Copilot]

The SVG is annotated via svg.role = 'image' and svg.ariaLabel = .... image is not a valid ARIA role value (use img), and ARIA should be applied via attributes for SVG (setAttribute('role', 'img'), setAttribute('aria-label', ...)) for consistent accessibility support.

Suggested change

	svg.role = 'image';
	svg.ariaLabel = twoFactorTotpQrcode.qrCodeLabel;
	title.innerText = svg.ariaLabel;
	svg.setAttribute( 'role', 'img' );
	svg.setAttribute( 'aria-label', twoFactorTotpQrcode.qrCodeLabel );
	title.innerText = twoFactorTotpQrcode.qrCodeLabel;

[Copilot]

wp_add_inline_script() is called after do_action( 'login_footer' ). On this flow, login_footer is where core prints footer scripts (including customize-base), so adding the inline script afterwards means it likely never gets output and the messenger won't fire. Move the wp_add_inline_script( 'customize-base', ... ) call to before do_action( 'login_footer' ) (after wp_enqueue_script( 'customize-base' )) so it prints with the customize-base script tag.

[georgestephanis]

Also previously:

#562