Alternative to #741 - Autosubmit Tweak

[georgestephanis]

Alternative take on #741 // cc: @eric-michel -- this is a first draft, and the code should be reasonably intelligible, but I let Copilot generate the following summary:

This pull request introduces a more flexible and extensible approach to configuring authentication code lengths and auto-submit behavior across all two-factor authentication providers. It centralizes code length logic, adds new filters for customization, and ensures that UI elements reflect these dynamic settings.

Key changes include:

Core logic improvements

• Added a new static method get_code_length to Two_Factor_Provider, with a corresponding two_factor_code_length filter, allowing the default code length to be set for all providers in a consistent way.
• Updated the get_code method in Two_Factor_Provider to use the new get_code_length method when no length is specified, making code generation more flexible and consistent.

Provider-specific enhancements

• Modified backup codes and email providers to use get_code_length for determining code/token length, and updated their filters to use the new centralized logic. [1] [2]
• Introduced the two_factor_autosubmit_length filter to allow customization of the input length at which authentication forms auto-submit, and applied this filter in backup code, email, and TOTP provider authentication screens. [1] [2] [3]
• Ensured that the data-digits attribute in TOTP provider input fields accurately reflects the filtered code length, improving UI consistency.

User interface and documentation

• Improved the JavaScript handling of expected input length by parsing the data-digits attribute as an integer, ensuring correct behavior with dynamic code lengths.
• Updated readme.txt to document the new two_factor_code_length and two_factor_autosubmit_length filters for developers.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Unlinked Accounts

The following contributors have not linked their GitHub and WordPress.org accounts: @Copilot.

Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Unlinked contributors: Copilot.

Co-authored-by: georgestephanis <georgestephanis@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[georgestephanis]

To be clear, I may be overcomplicating something that provides a simpler API in the prior PR. This take just makes more sense to my brain, for what little that's worth.

[Copilot]

Pull request overview

This PR introduces a more flexible and extensible approach to configuring authentication code lengths and auto-submit behavior. It adds a centralized get_code_length() method in Two_Factor_Provider that applies a new two_factor_code_length filter as the base default for all providers, and a new two_factor_autosubmit_length filter that controls the data-digits attribute used by the JavaScript to determine when to auto-submit the authentication form.

Changes:

• Added get_code_length() static method to Two_Factor_Provider with a two_factor_code_length filter, and updated get_code() to use it when no length is specified
• Added two_factor_autosubmit_length filter applied in backup codes, email, and TOTP authentication_page methods to independently control the auto-submit threshold; updated data-digits output accordingly
• Improved JS robustness by parsing data-digits as an integer with parseInt() in class-two-factor-core.php

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
providers/class-two-factor-provider.php	Adds get_code_length() method with two_factor_code_length filter; changes get_code() default length from 8 to null (resolves via get_code_length())
providers/class-two-factor-backup-codes.php	Uses get_code_length() as default for two_factor_backup_code_length; adds two_factor_autosubmit_length filter in authentication_page
providers/class-two-factor-email.php	Uses get_code_length() as default for two_factor_email_token_length; adds two_factor_autosubmit_length filter in authentication_page
providers/class-two-factor-totp.php	Adds two_factor_autosubmit_length filter in authentication_page; updates data-digits from hardcoded constant to filtered value; minor whitespace cleanup
class-two-factor-core.php	Parses data-digits dataset attribute with parseInt() for more reliable JS numeric comparison
readme.txt	Documents new two_factor_code_length and two_factor_autosubmit_length filter hooks

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

@georgestephanis I've opened a new pull request, #821, to work on those changes. Once the pull request is ready, I'll request review from you.

[eric-michel]

I definitely support bringing some consistency to how the code lengths are retrieved for different providers. I noticed the same issue when I was working on my PR, but decided not to try and address that issue to keep the scope small (and because I don't have enough experience with this repo to know if there was a reason for the differences). So if there's support for bigger change I'm definitely all for it.

Having said that, I don't see the value in setting the number of digits for auto submission rather than a simple true/false value (and the corresponding hook names). Any value other than the code length or 0 will result in auto submission at the wrong time. Do you see other applications for altering the number other than simply turning auto submission off?

[masteradhoc]

@georgestephanis we have to update the version number of filters here

[masteradhoc]

Suggested change

	* @since 0.?.0
	* @since 0.16.0

[masteradhoc]

Suggested change

	* @since 0.?.0
	* @since 0.16.0

[masteradhoc]

Suggested change

	* @since 0.?.0
	* @since 0.16.0

[masteradhoc]

Suggested change

	<input type="text" inputmode="numeric" name="authcode" id="authcode" class="input authcode" value="" size="20" pattern="[0-9 ]*" placeholder="123 456" autocomplete="one-time-code" data-digits="<?php echo esc_attr( $code_length ); ?>" />
	<input type="text" inputmode="numeric" name="authcode" id="authcode" class="input authcode" value="" size="20" pattern="[0-9 ]*" placeholder="<?php echo esc_attr( substr( '1234567890', 0, $code_length ) ); ?>" autocomplete="one-time-code" data-digits="<?php echo esc_attr( $code_length ); ?>" />

I think we probably should work a bit on the placeholder as well. the space in between 3 and 4 doesnt make sense. additionally based on the code_length we could also generate this also dynamically.

BTW the spacing after entering the numbers manually i dont feel its a great UX - what do you think?:

two-factor/providers/js/two-factor-login-authcode.js

Lines 16 to 21 in cbc73d5

	if ( ! spaceInserted && expectedLength && value.length === Math.floor( expectedLength / 2 ) ) {
	value += ' ';
	spaceInserted = true;
	} else if ( spaceInserted && ! this.value ) {
	spaceInserted = false;
	}