Is it possible to check if password is correct in wp_authenticate_user?

I'm really trying to implement Google's Captcha V3 on the wp-login page. I've seen this snippet referenced a few times in different places. The thing is, nobody seems to reference how to check the section that says "// FIXME: This one fires if your password is incorrect... Check if password was incorrect before returning this error..."

Is it possible to have an ajax check if the user's password is correct?

This would be a huge asset to WP development.

    /**
     * These functions add and verify the invisible Google reCAPTCHA on login.
     */

    add_action( 'login_enqueue_scripts', 'login_recaptcha_script' );

    // Load the reCAPTCHA client library on wp-login.php.
    function login_recaptcha_script() {
        wp_register_script( 'recaptcha_login', 'https://www.google.com/recaptcha/api.js' );
        wp_enqueue_script( 'recaptcha_login' );
    }

    add_action( 'login_form', 'display_recaptcha_on_login' );

    // Print the invisible widget and the callback that submits the login form.
    function display_recaptcha_on_login() {
        echo "<script>
        function onSubmit(token) {
            document.getElementById('loginform').submit();
        }
        </script>
        <button class='g-recaptcha' data-sitekey='YOUR_PUBLIC_KEY' data-callback='onSubmit' data-size='invisible' style='display:none;'>Submit</button>";
    }

    add_filter( 'wp_authenticate_user', 'verify_recaptcha_on_login', 10, 2 );

    function verify_recaptcha_on_login( $user, $password ) {
        if ( isset( $_POST['g-recaptcha-response'] ) ) {
            // URL-encode the submitted token before placing it in the query string.
            $response = wp_remote_get( 'https://www.google.com/recaptcha/api/siteverify?secret=YOUR_SECRET_KEY&response=' . urlencode( $_POST['g-recaptcha-response'] ) );
            $response = json_decode( $response['body'], true );

            if ( true == $response['success'] ) {
                return $user;
            } else {
                // FIXME: This one fires if your password is incorrect... Check if password was incorrect before returning this error...
                // return new WP_Error( 'Captcha Invalid', __('<strong>ERROR</strong>: You are a bot') );
            }
        } else {
            return new WP_Error( 'Captcha Invalid', __( '<strong>ERROR</strong>: You are a bot. If not then enable JavaScript.' ) );
        }
    }



I don't think it's necessary to do the password checking inside the wp_authenticate_user filter, as that check is done as the next step inside wp_authenticate_email_password(), where the filter is defined. You can see this in wp-includes/user.php#L168.

The filter parameter $user is either WP_User or WP_Error depending on whether the user can be found with the username used when logging in. After the filter there is an if ( is_wp_error( $user ) ) check, which, if passed, is followed by an if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) check. If this check fails, the password is wrong for that username; otherwise the given username and password are good.
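The flow described in the answer, as an added example (not code from the original post or from WordPress core): the filter decides only the captcha and leaves the password check to core, which runs right after it. The error code strings, the 5-second timeout and the 0.5 score threshold are assumptions; YOUR_SECRET_KEY is the placeholder from the question.

```php
<?php
// Added example. Runs inside WordPress (for instance in a small plugin file).
add_filter( 'wp_authenticate_user', 'verify_recaptcha_on_login', 10, 2 );

function verify_recaptcha_on_login( $user, $password ) {
    // An earlier callback on this hook may already have returned a WP_Error:
    // pass it through untouched so its message is not replaced.
    if ( is_wp_error( $user ) ) {
        return $user;
    }

    // No token at all: the form was posted without the reCAPTCHA script running.
    if ( empty( $_POST['g-recaptcha-response'] ) ) {
        return new WP_Error( 'captcha_missing', __( '<strong>ERROR</strong>: You are a bot. If not then enable JavaScript.' ) );
    }
    $token = sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) );

    // POST keeps the secret key out of the request URL and lets WordPress
    // encode the body fields.
    $response = wp_remote_post(
        'https://www.google.com/recaptcha/api/siteverify',
        array(
            'timeout' => 5, // assumed value
            'body'    => array(
                'secret'   => 'YOUR_SECRET_KEY',
                'response' => $token,
            ),
        )
    );

    // Fail closed if the verification service cannot be reached.
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'captcha_unavailable', __( '<strong>ERROR</strong>: Captcha could not be verified. Please try again.' ) );
    }
    $result = json_decode( wp_remote_retrieve_body( $response ), true );

    if ( ! is_array( $result ) || empty( $result['success'] ) ) {
        return new WP_Error( 'captcha_invalid', __( '<strong>ERROR</strong>: You are a bot' ) );
    }
    // reCAPTCHA v3 responses also carry a score; 0.5 is an assumed threshold.
    if ( isset( $result['score'] ) && (float) $result['score'] < 0.5 ) {
        return new WP_Error( 'captcha_low_score', __( '<strong>ERROR</strong>: You are a bot' ) );
    }

    // Captcha passed. Core calls wp_check_password() right after this filter,
    // so a wrong password is still rejected there with its own error.
    return $user;
}
```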
