<?php
/**
 * WordPress User Page
 *
 * Handles authentication, registering, resetting passwords, forgot password,
 * and other user handling.
 *
 * @package WordPress
 */

/** Make sure that the WordPress bootstrap has run before continuing. */
require __DIR__ . '/wp-load.php';

/*
 * Redirect to HTTPS login if forced to use SSL.
 *
 * Both REQUEST_URI and HTTP_HOST are supplied by the client, so the computed
 * target goes through wp_safe_redirect() (which is meant to validate the host
 * before redirecting) rather than wp_redirect(). Keep it that way: a forged Host
 * header must not be able to send the browser off-site.
 *
 * Absolute-form request targets (starting with "http") already carry a scheme
 * and only need it flipped; origin-form targets are rebuilt from the Host header.
 */
if ( force_ssl_admin() && ! is_ssl() ) {
	wp_safe_redirect(
		( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) )
			? set_url_scheme( $_SERVER['REQUEST_URI'], 'https' )
			: 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']
	);
	exit;
}

/**
 * Output the login page header.
 *
 * Emits everything from the doctype through the opening of the `#login`
 * container, including any error/instruction messages above the form;
 * login_footer() closes what this opens.
 *
 * Escaping note: the `$title` argument, `$message` argument and the output of
 * the 'login_title', 'login_headertext', 'login_message', 'login_errors' and
 * 'login_messages' filters are all emitted as HTML without further escaping,
 * so callers and filters are trusted to supply safe markup. Only the logo URL
 * and the body class list are escaped here.
 *
 * @since 2.1.0
 *
 * @global string      $error         Login error message set by deprecated pluggable wp_login() function
 *                                    or plugins replacing it.
 * @global bool|string $interim_login Whether interim login modal is being displayed. String 'success'
 *                                    upon successful login.
 * @global string      $action        The action that brought the visitor to the login page.
 *
 * @param string   $title    Optional. WordPress login Page title to display in the `<title>` element.
 *                           Default 'Log In'.
 * @param string   $message  Optional. Message to display in header. Default empty.
 * @param WP_Error $wp_error Optional. The error to pass. Default is a WP_Error instance.
 */
function login_header( $title = 'Log In', $message = '', $wp_error = null ) {
	global $error, $interim_login, $action;

	// Don't index any of these forms.
	add_action( 'login_head', 'wp_sensitive_page_meta' );

	add_action( 'login_head', 'wp_login_viewport_meta' );

	// Normalise to a WP_Error so the code below can call has_errors()/get_error_code() safely.
	if ( ! is_wp_error( $wp_error ) ) {
		$wp_error = new WP_Error();
	}

	// Shake it!
	$shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password', 'retrieve_password_email_failure' );
	/**
	 * Filters the error codes array for shaking the login form.
	 *
	 * @since 3.0.0
	 *
	 * @param array $shake_error_codes Error codes that shake the login form.
	 */
	$shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );

	// A filter returning an empty array disables the shake entirely (first operand guard).
	if ( $shake_error_codes && $wp_error->has_errors() && in_array( $wp_error->get_error_code(), $shake_error_codes, true ) ) {
		add_action( 'login_footer', 'wp_shake_js', 12 );
	}

	$login_title = get_bloginfo( 'name', 'display' );

	/* translators: Login screen title. 1: Login screen name, 2: Network or site name. */
	$login_title = sprintf( __( '%1$s &lsaquo; %2$s &#8212; WordPress' ), $title, $login_title );

	if ( wp_is_recovery_mode() ) {
		/* translators: %s: Login screen title. */
		$login_title = sprintf( __( 'Recovery Mode &#8212; %s' ), $login_title );
	}

	/**
	 * Filters the title tag content for login page.
	 *
	 * @since 4.9.0
	 *
	 * @param string $login_title The page title, with extra context added.
	 * @param string $title       The original page title.
	 */
	$login_title = apply_filters( 'login_title', $login_title, $title );

	/*
	 * Output starts here. $login_title goes into <title> unescaped: the site name came
	 * from get_bloginfo( 'name', 'display' ) and the rest is translated text, but whatever
	 * the $title argument or a 'login_title' filter contributes is emitted verbatim.
	 */
	?><!DOCTYPE html>
	<html <?php language_attributes(); ?>>
	<head>
	<meta http-equiv="Content-Type" content="<?php bloginfo( 'html_type' ); ?>; charset=<?php bloginfo( 'charset' ); ?>" />
	<title><?php echo $login_title; ?></title>
	<?php

	wp_enqueue_style( 'login' );

	/*
	 * Remove all stored post data on logging out.
	 * This could be added by add_action('login_head'...) like wp_shake_js(),
	 * but maybe better if it's not removable by plugins.
	 */
	if ( 'loggedout' === $wp_error->get_error_code() ) {
		?>
		<script>if("sessionStorage" in window){try{for(var key in sessionStorage){if(key.indexOf("wp-autosave-")!=-1){sessionStorage.removeItem(key)}}}catch(e){}};</script>
		<?php
	}

	/**
	 * Enqueue scripts and styles for the login page.
	 *
	 * @since 3.1.0
	 */
	do_action( 'login_enqueue_scripts' );

	/**
	 * Fires in the login page header after scripts are enqueued.
	 *
	 * @since 2.1.0
	 */
	do_action( 'login_head' );

	$login_header_url = __( 'https://wordpress.org/' );

	/**
	 * Filters link URL of the header logo above login form.
	 *
	 * @since 2.1.0
	 *
	 * @param string $login_header_url Login header logo URL.
	 */
	$login_header_url = apply_filters( 'login_headerurl', $login_header_url );

	$login_header_title = '';

	/**
	 * Filters the title attribute of the header logo above login form.
	 *
	 * @since 2.1.0
	 * @deprecated 5.2.0 Use {@see 'login_headertext'} instead.
	 *
	 * @param string $login_header_title Login header logo title attribute.
	 */
	$login_header_title = apply_filters_deprecated(
		'login_headertitle',
		array( $login_header_title ),
		'5.2.0',
		'login_headertext',
		__( 'Usage of the title attribute on the login logo is not recommended for accessibility reasons. Use the link text instead.' )
	);

	// A value from the deprecated filter still wins over the default link text.
	$login_header_text = empty( $login_header_title ) ? __( 'Powered by WordPress' ) : $login_header_title;

	/**
	 * Filters the link text of the header logo above the login form.
	 *
	 * @since 5.2.0
	 *
	 * @param string $login_header_text The login header logo link text.
	 */
	$login_header_text = apply_filters( 'login_headertext', $login_header_text );

	// $action is the file-level global; the main section below is expected to have reduced
	// it to a known action before rendering, so it is safe to use in a class name here.
	$classes = array( 'login-action-' . $action, 'wp-core-ui' );

	if ( is_rtl() ) {
		$classes[] = 'rtl';
	}

	if ( $interim_login ) {
		$classes[] = 'interim-login';

		?>
		<style type="text/css">html{background-color: transparent;}</style>
		<?php

		if ( 'success' === $interim_login ) {
			$classes[] = 'interim-login-success';
		}
	}

	// Locale is sanitised as a class token; note the leading space in the literal.
	$classes[] = ' locale-' . sanitize_html_class( strtolower( str_replace( '_', '-', get_locale() ) ) );

	/**
	 * Filters the login page body classes.
	 *
	 * @since 3.5.0
	 *
	 * @param array  $classes An array of body classes.
	 * @param string $action  The action that brought the visitor to the login page.
	 */
	$classes = apply_filters( 'login_body_class', $classes, $action );

	// esc_attr() covers the whole joined class list, so filter-added classes cannot break out of the attribute.
	?>
	</head>
	<body class="login no-js <?php echo esc_attr( implode( ' ', $classes ) ); ?>">
	<script type="text/javascript">
		document.body.className = document.body.className.replace('no-js','js');
	</script>
	<?php
	/**
	 * Fires in the login page header after the body tag is opened.
	 *
	 * @since 4.6.0
	 */
	do_action( 'login_header' );

	/*
	 * $login_header_url is run through esc_url() at output; $login_header_text is not
	 * escaped, so 'login_headertext' filters are expected to return safe HTML.
	 */
	?>
	<div id="login">
		<h1><a href="<?php echo esc_url( $login_header_url ); ?>"><?php echo $login_header_text; ?></a></h1>
	<?php
	/**
	 * Filters the message to display above the login form.
	 *
	 * @since 2.1.0
	 *
	 * @param string $message Login message text.
	 */
	$message = apply_filters( 'login_message', $message );

	// Intentionally unescaped: the $message argument and the 'login_message' filter supply HTML.
	if ( ! empty( $message ) ) {
		echo $message . "\n";
	}

	// In case a plugin uses $error rather than the $wp_errors object.
	// The legacy global is folded into $wp_error under the generic 'error' code and then cleared.
	if ( ! empty( $error ) ) {
		$wp_error->add( 'error', $error );
		unset( $error );
	}

	if ( $wp_error->has_errors() ) {
		$errors   = '';
		$messages = '';

		// Error data equal to the string 'message' marks an informational notice; everything
		// else is rendered as an error. Both are concatenated into HTML as-is (core messages
		// contain <strong>), so anything plugins add to $wp_error must already be safe markup.
		foreach ( $wp_error->get_error_codes() as $code ) {
			$severity = $wp_error->get_error_data( $code );
			foreach ( $wp_error->get_error_messages( $code ) as $error_message ) {
				if ( 'message' === $severity ) {
					$messages .= '	' . $error_message . "<br />\n";
				} else {
					$errors .= '	' . $error_message . "<br />\n";
				}
			}
		}

		if ( ! empty( $errors ) ) {
			/**
			 * Filters the error messages displayed above the login form.
			 *
			 * This is also the hook hardening plugins use to replace the detailed
			 * messages with a generic one, so the response does not hint at which
			 * of username or password was wrong.
			 *
			 * @since 2.1.0
			 *
			 * @param string $errors Login error message.
			 */
			echo '<div id="login_error">' . apply_filters( 'login_errors', $errors ) . "</div>\n";
		}

		if ( ! empty( $messages ) ) {
			/**
			 * Filters instructional messages displayed above the login form.
			 *
			 * @since 2.5.0
			 *
			 * @param string $messages Login messages.
			 */
			echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n";
		}
	}
} // End of login_header().

/**
 * Outputs the footer for the login page.
 *
 * Closes the `#login` container opened by login_header(), optionally emits the
 * auto-focus script, fires 'login_footer' and closes the document.
 *
 * @since 3.1.0
 *
 * @global bool|string $interim_login Whether interim login modal is being displayed. String 'success'
 *                                    upon successful login.
 *
 * @param string $input_id Which input to auto-focus. Written into a JavaScript
 *                         string literal without escaping, so it must be a fixed,
 *                         caller-chosen element id — never request data.
 */
function login_footer( $input_id = '' ) {
	global $interim_login;

	// Don't allow interim logins to navigate away from the page.
	if ( ! $interim_login ) {
		?>
		<p id="backtoblog"><a href="<?php echo esc_url( home_url( '/' ) ); ?>">
		<?php

		/* translators: %s: Site title. */
		printf( _x( '&larr; Back to %s', 'site' ), get_bloginfo( 'title', 'display' ) );

		?>
		</a></p>
		<?php

		the_privacy_policy_link( '<div class="privacy-policy-page-link">', '</div>' );
	}

	?>
	</div><?php // End of <div id="login">. ?>

	<?php

	/*
	 * NOTE(review): $input_id is interpolated raw into a single-quoted JS string. All
	 * call sites are expected to pass literal field ids; esc_js() here would be a cheap
	 * belt-and-braces against a future caller forwarding user input.
	 */
	if ( ! empty( $input_id ) ) {
		?>
		<script type="text/javascript">
		try{document.getElementById('<?php echo $input_id; ?>').focus();}catch(e){}
		if(typeof wpOnload=='function')wpOnload();
		</script>
		<?php
	}

	/**
	 * Fires in the login page footer.
	 *
	 * wp_shake_js() is attached here (priority 12) by login_header() when the
	 * current error code is one of the shake codes.
	 *
	 * @since 3.1.0
	 */
	do_action( 'login_footer' );

	?>
	<div class="clear"></div>
	</body>
	</html>
	<?php
}

/**
 * Outputs the JavaScript that makes the login form shake.
 *
 * Attached to 'login_footer' by login_header() when the current error code is
 * one of the shake codes. The form is located with a bare
 * `document.querySelector('form')`, i.e. the first form on the page.
 *
 * @since 3.0.0
 */
function wp_shake_js() {
	echo "\t<script type=\"text/javascript\">\n"
		. "\tdocument.querySelector('form').classList.add('shake');\n"
		. "\t</script>\n\t";
}

/**
 * Outputs the viewport meta tag for the login page.
 *
 * Hooked onto 'login_head' by login_header().
 *
 * @since 3.7.0
 */
function wp_login_viewport_meta() {
	echo "\t" . '<meta name="viewport" content="width=device-width" />' . "\n\t";
}

/**
 * Handles sending password retrieval email to user.
 *
 * Reads a username or email address from `$_POST['user_login']`, looks the
 * account up, generates a password reset key and mails the reset link to the
 * email address stored on the account (never to the submitted value).
 *
 * Enumeration note: the two "not found" messages use identical wording, but the
 * overall outcome still differs between existing and non-existing accounts (an
 * email is only sent for the former), so this endpoint should be rate limited —
 * the 'lostpassword_errors' filter below is the hook for that.
 *
 * @since 2.5.0
 *
 * @return bool|WP_Error True when the reset email was sent, or when a
 *                       'retrieve_password_message' filter emptied the message so
 *                       that nothing was sent. WP_Error on any failure.
 */
function retrieve_password() {
	$errors    = new WP_Error();
	$user_data = false;

	// Reject missing or non-string input up front (empty() also treats '0' as missing).
	if ( empty( $_POST['user_login'] ) || ! is_string( $_POST['user_login'] ) ) {
		$errors->add( 'empty_username', __( '<strong>Error</strong>: Please enter a username or email address.' ) );
	} elseif ( strpos( $_POST['user_login'], '@' ) ) {
		// An '@' past position 0 means "look up by email". A leading '@' yields strpos() === 0,
		// which is falsy, so such input falls through to the username lookup instead.
		$user_data = get_user_by( 'email', trim( wp_unslash( $_POST['user_login'] ) ) );
		if ( empty( $user_data ) ) {
			// Same wording as 'invalidcombo' below so the message text alone does not reveal
			// whether this address belongs to an account.
			$errors->add( 'invalid_email', __( '<strong>Error</strong>: There is no account with that username or email address.' ) );
		}
	} else {
		$login     = trim( wp_unslash( $_POST['user_login'] ) );
		$user_data = get_user_by( 'login', $login );
	}

	/**
	 * Fires before errors are returned from a password reset request.
	 *
	 * @since 2.1.0
	 * @since 4.4.0 Added the `$errors` parameter.
	 * @since 5.4.0 Added the `$user_data` parameter.
	 *
	 * @param WP_Error      $errors    A WP_Error object containing any errors generated
	 *                                 by using invalid credentials.
	 * @param WP_User|false $user_data WP_User object if found, false if the user does not exist.
	 */
	do_action( 'lostpassword_post', $errors, $user_data );

	/**
	 * Filters the errors encountered on a password reset request.
	 *
	 * The filtered WP_Error object may, for example, contain errors for an invalid
	 * username or email address. A WP_Error object should always be returned,
	 * but may or may not contain errors.
	 *
	 * If any errors are present in $errors, this will abort the password reset request.
	 * This is the natural place for rate limiting or CAPTCHA checks, since it runs
	 * before any reset key is generated.
	 *
	 * @since 5.5.0
	 *
	 * @param WP_Error      $errors    A WP_Error object containing any errors generated
	 *                                 by using invalid credentials.
	 * @param WP_User|false $user_data WP_User object if found, false if the user does not exist.
	 */
	$errors = apply_filters( 'lostpassword_errors', $errors, $user_data );

	if ( $errors->has_errors() ) {
		return $errors;
	}

	// Username path with no match (the email path already added 'invalid_email' above).
	if ( ! $user_data ) {
		$errors->add( 'invalidcombo', __( '<strong>Error</strong>: There is no account with that username or email address.' ) );
		return $errors;
	}

	// Redefining user_login ensures we return the right case in the email.
	$user_login = $user_data->user_login;
	// Always the address on record — the submitted value is never used as a recipient.
	$user_email = $user_data->user_email;
	$key        = get_password_reset_key( $user_data );

	if ( is_wp_error( $key ) ) {
		return $key;
	}

	if ( is_multisite() ) {
		$site_name = get_network()->site_name;
	} else {
		/*
		 * The blogname option is escaped with esc_html on the way into the database
		 * in sanitize_option we want to reverse this for the plain text arena of emails.
		 */
		$site_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
	}

	$message = __( 'Someone has requested a password reset for the following account:' ) . "\r\n\r\n";
	/* translators: %s: Site name. */
	$message .= sprintf( __( 'Site Name: %s' ), $site_name ) . "\r\n\r\n";
	/* translators: %s: User login. */
	$message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n";
	$message .= __( 'If this was a mistake, just ignore this email and nothing will happen.' ) . "\r\n\r\n";
	$message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
	// $user_login is URL-encoded; $key is interpolated raw, so get_password_reset_key() is
	// relied on to return a URL-safe token (TODO(review): confirm, or rawurlencode() it too).
	// The key travels in the query string, so it will appear in browser history and logs.
	$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . "\r\n";

	/* translators: Password reset notification email subject. %s: Site title. */
	$title = sprintf( __( '[%s] Password Reset' ), $site_name );

	/**
	 * Filters the subject of the password reset email.
	 *
	 * @since 2.8.0
	 * @since 4.4.0 Added the `$user_login` and `$user_data` parameters.
	 *
	 * @param string  $title      Default email title.
	 * @param string  $user_login The username for the user.
	 * @param WP_User $user_data  WP_User object.
	 */
	$title = apply_filters( 'retrieve_password_title', $title, $user_login, $user_data );

	/**
	 * Filters the message body of the password reset mail.
	 *
	 * If the filtered message is empty, the password reset email will not be sent.
	 *
	 * @since 2.8.0
	 * @since 4.1.0 Added `$user_login` and `$user_data` parameters.
	 *
	 * @param string  $message    Default mail message.
	 * @param string  $key        The activation key.
	 * @param string  $user_login The username for the user.
	 * @param WP_User $user_data  WP_User object.
	 */
	$message = apply_filters( 'retrieve_password_message', $message, $key, $user_login, $user_data );

	// An empty filtered $message skips sending but still falls through to `return true`.
	if ( $message && ! wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) ) {
		$errors->add(
			'retrieve_password_email_failure',
			sprintf(
				/* translators: %s: Documentation URL. */
				__( '<strong>Error</strong>: The email could not be sent. Your site may not be correctly configured to send emails. <a href="%s">Get support for resetting your password</a>.' ),
				esc_url( __( 'https://wordpress.org/support/article/resetting-your-password/' ) )
			)
		);
		return $errors;
	}

	return true;
}

//
// Main.
//

// The requested action comes straight from the query string or POST body and is
// reduced to a known value below before it is used in a hook name or CSS class.
// NOTE(review): there is no type check here; a non-string (array) value would
// stringify to "Array" with a PHP warning and then fall through to 'login'.
$action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

// A reset key or the check-email flag in the URL overrides any ?action= value.
if ( isset( $_GET['key'] ) ) {
	$action = 'resetpass';
}

if ( isset( $_GET['checkemail'] ) ) {
	$action = 'checkemail';
}

// Actions this file handles itself. Anything else is only accepted when a plugin
// has registered a 'login_form_<action>' hook for it (see the check below).
$default_actions = array(
	'confirm_admin_email',
	'postpass',
	'logout',
	'lostpassword',
	'retrievepassword',
	'resetpass',
	'rp',
	'register',
	'checkemail',
	'confirmaction',
	'login',
	WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED,
);

// Validate action so as to default to the login screen.
// This must stay ahead of everything that consumes $action (the login_form_{$action}
// hook below, body classes in login_header()): an arbitrary string survives only if
// some plugin explicitly hooked 'login_form_' . $action.
if ( ! in_array( $action, $default_actions, true ) && false === has_filter( 'login_form_' . $action ) ) {
	$action = 'login';
}

// Login responses must never be cached; headers are sent before any output.
nocache_headers();

header( 'Content-Type: ' . get_bloginfo( 'html_type' ) . '; charset=' . get_bloginfo( 'charset' ) );

/*
 * RELOCATE is a site-move aid. While it is defined true, every request to this page
 * rewrites the 'siteurl' option from the client-controlled Host header, with no
 * authentication involved. Enable it only for the duration of a move and remove it
 * from wp-config.php immediately afterwards.
 */
if ( defined( 'RELOCATE' ) && RELOCATE ) { // Move flag is set.
	if ( isset( $_SERVER['PATH_INFO'] ) && ( $_SERVER['PATH_INFO'] !== $_SERVER['PHP_SELF'] ) ) {
		$_SERVER['PHP_SELF'] = str_replace( $_SERVER['PATH_INFO'], '', $_SERVER['PHP_SELF'] );
	}

	$url = dirname( set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] ) );

	if ( get_option( 'siteurl' ) !== $url ) {
		update_option( 'siteurl', $url );
	}
}

// Set a cookie now to see if they are supported by the browser.
// The Secure flag follows the scheme of the login URL; expiry 0 makes it a session
// cookie. The value is a fixed marker, so no HttpOnly flag is requested.
$secure = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) );
setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure );

// Repeat for the site path when it differs from the cookie path.
if ( SITECOOKIEPATH !== COOKIEPATH ) {
	setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
}

/**
 * Fires when the login form is initialized.
 *
 * @since 3.2.0
 */
do_action( 'login_init' );

/**
 * Fires before a specified login form action.
 *
 * The dynamic portion of the hook name, `$action`, refers to the action
 * that brought the visitor to the login form. Actions include 'postpass',
 * 'logout', 'lostpassword', etc. By this point $action has been validated
 * above, so only listed or plugin-registered names reach this hook.
 *
 * @since 2.8.0
 */
do_action( "login_form_{$action}" );

// Request-method and interim-login flags consumed by the action handlers that follow.
$http_post     = ( 'POST' === $_SERVER['REQUEST_METHOD'] );
$interim_login = isset( $_REQUEST['interim-login'] );

/**
 * Filters the separator used between login form navigation links.
 *
 * @since 4.9.0
 *
 * @param string $login_link_separator The separator used between login form navigation links.
 */
$login_link_separator = apply_filters( 'login_link_separator', ' | ' );

switch ( $action ) {

	case 'confirm_admin_email':
		/*
		 * Note that `is_user_logged_in()` will return false immediately after logging in
		 * as the current user is not set, see wp-includes/pluggable.php.
		 * However this action runs on a redirect after logging in.
		 */
		if ( ! is_user_logged_in() ) {
			wp_safe_redirect( wp_login_url() );
			exit;
		}

		if ( ! empty( $_REQUEST['redirect_to'] ) ) {
			$redirect_to = $_REQUEST['redirect_to'];
		} else {
			$redirect_to = admin_url();
		}

		if ( current_user_can( 'manage_options' ) ) {
			$admin_email = get_option( 'admin_email' );
		} else {
			wp_safe_redirect( $redirect_to );
			exit;
		}

		/**
		 * Filters the interval for dismissing the admin email confirmation screen.
		 *
		 * If `0` (zero) is returned, the "Remind me later" link will not be displayed.
		 *
		 * @since 5.3.1
		 *
		 * @param int $interval Interval time (in seconds). Default is 3 days.
		 */
		$remind_interval = (int) apply_filters( 'admin_email_remind_interval', 3 * DAY_IN_SECONDS );

		if ( ! empty( $_GET['remind_me_later'] ) ) {
			if ( ! wp_verify_nonce( $_GET['remind_me_later'], 'remind_me_later_nonce' ) ) {
				wp_safe_redirect( wp_login_url() );
				exit;
			}

			if ( $remind_interval > 0 ) {
				update_option( 'admin_email_lifespan', time() + $remind_interval );
			}

			$redirect_to = add_query_arg( 'admin_email_remind_later', 1, $redirect_to );
			wp_safe_redirect( $redirect_to );
			exit;
		}

		if ( ! empty( $_POST['correct-admin-email'] ) ) {
			if ( ! check_admin_referer( 'confirm_admin_email', 'confirm_admin_email_nonce' ) ) {
				wp_safe_redirect( wp_login_url() );
				exit;
			}

			/**
			 * Filters the interval for redirecting the user to the admin email confirmation screen.
			 *
			 * If `0` (zero) is returned, the user will not be redirected.
			 *
			 * @since 5.3.0
			 *
			 * @param int $interval Interval time (in seconds). Default is 6 months.
			 */
			$admin_email_check_interval = (int) apply_filters( 'admin_email_check_interval', 6 * MONTH_IN_SECONDS );

			if ( $admin_email_check_interval > 0 ) {
				update_option( 'admin_email_lifespan', time() + $admin_email_check_interval );
			}

			wp_safe_redirect( $redirect_to );
			exit;
		}

		login_header( __( 'Confirm your administration email' ), '', $errors );

		/**
		 * Fires before the admin email confirm form.
		 *
		 * @since 5.3.0
		 *
		 * @param WP_Error $errors A `WP_Error` object containing any errors generated by using invalid
		 *                         credentials. Note that the error object may not contain any errors.
		 */
		do_action( 'admin_email_confirm', $errors );

		?>

		<form class="admin-email-confirm-form" name="admin-email-confirm-form" action="<?php echo esc_url( site_url( 'wp-login.php?action=confirm_admin_email', 'login_post' ) ); ?>" method="post">
			<?php
			/**
			 * Fires inside the admin-email-confirm-form form tags, before the hidden fields.
			 *
			 * @since 5.3.0
			 */
			do_action( 'admin_email_confirm_form' );

			wp_nonce_field( 'confirm_admin_email', 'confirm_admin_email_nonce' );

			?>
			<input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />

			<h1 class="admin-email__heading">
				<?php _e( 'Administration email verification' ); ?>
			</h1>
			<p class="admin-email__details">
				<?php _e( 'Please verify that the <strong>administration email</strong> for this website is still correct.' ); ?>
				<?php

				/* translators: URL to the WordPress help section about admin email. */
				$admin_email_help_url = __( 'https://wordpress.org/support/article/settings-general-screen/#email-address' );

				/* translators: accessibility text */
				$accessibility_text = sprintf( '<span class="screen-reader-text"> %s</span>', __( '(opens in a new tab)' ) );

				printf(
					'<a href="%s" rel="noopener noreferrer" target="_blank">%s%s</a>',
					esc_url( $admin_email_help_url ),
					__( 'Why is this important?' ),
					$accessibility_text
				);

				?>
			</p>
			<p class="admin-email__details">
				<?php

				printf(
					/* translators: %s: Admin email address. */
					__( 'Current administration email: %s' ),
					'<strong>' . esc_html( $admin_email ) . '</strong>'
				);

				?>
			</p>
			<p class="admin-email__details">
				<?php _e( 'This email may be different from your personal email address.' ); ?>
			</p>

			<div class="admin-email__actions">
				<div class="admin-email__actions-primary">
					<?php

					$change_link = admin_url( 'options-general.php' );
					$change_link = add_query_arg( 'highlight', 'confirm_admin_email', $change_link );

					?>
					<a class="button button-large" href="<?php echo esc_url( $change_link ); ?>"><?php _e( 'Update' ); ?></a>
					<input type="submit" name="correct-admin-email" id="correct-admin-email" class="button button-primary button-large" value="<?php esc_attr_e( 'The email is correct' ); ?>" />
				</div>
				<?php if ( $remind_interval > 0 ) : ?>
					<div class="admin-email__actions-secondary">
						<?php

						$remind_me_link = wp_login_url( $redirect_to );
						$remind_me_link = add_query_arg(
							array(
								'action'          => 'confirm_admin_email',
								'remind_me_later' => wp_create_nonce( 'remind_me_later_nonce' ),
							),
							$remind_me_link
						);

						?>
						<a href="<?php echo esc_url( $remind_me_link ); ?>"><?php _e( 'Remind me later' ); ?></a>
					</div>
				<?php endif; ?>
			</div>
		</form>

		<?php

		login_footer();
		break;

	case 'postpass':
		if ( ! array_key_exists( 'post_password', $_POST ) ) {
			wp_safe_redirect( wp_get_referer() );
			exit;
		}

		require_once ABSPATH . WPINC . '/class-phpass.php';
		$hasher = new PasswordHash( 8, true );

		/**
		 * Filters the life span of the post password cookie.
		 *
		 * By default, the cookie expires 10 days from creation. To turn this
		 * into a session cookie, return 0.
		 *
		 * @since 3.7.0
		 *
		 * @param int $expires The expiry time, as passed to setcookie().
		 */
		$expire  = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
		$referer = wp_get_referer();

		if ( $referer ) {
			$secure = ( 'https' === parse_url( $referer, PHP_URL_SCHEME ) );
		} else {
			$secure = false;
		}

		setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );

		wp_safe_redirect( wp_get_referer() );
		exit;

	case 'logout':
		check_admin_referer( 'log-out' );

		$user = wp_get_current_user();

		wp_logout();

		if ( ! empty( $_REQUEST['redirect_to'] ) ) {
			$redirect_to           = $_REQUEST['redirect_to'];
			$requested_redirect_to = $redirect_to;
		} else {
			$redirect_to = add_query_arg(
				array(
					'loggedout' => 'true',
					'wp_lang'   => get_user_locale( $user ),
				),
				wp_login_url()
			);

			$requested_redirect_to = '';
		}

		/**
		 * Filters the log out redirect URL.
		 *
		 * @since 4.2.0
		 *
		 * @param string  $redirect_to           The redirect destination URL.
		 * @param string  $requested_redirect_to The requested redirect destination URL passed as a parameter.
		 * @param WP_User $user                  The WP_User object for the user that's logging out.
		 */
		$redirect_to = apply_filters( 'logout_redirect', $redirect_to, $requested_redirect_to, $user );

		wp_safe_redirect( $redirect_to );
		exit;

	case 'lostpassword':
	case 'retrievepassword':
		if ( $http_post ) {
			$errors = retrieve_password();

			if ( ! is_wp_error( $errors ) ) {
				$redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?checkemail=confirm';
				wp_safe_redirect( $redirect_to );
				exit;
			}
		}

		if ( isset( $_GET['error'] ) ) {
			if ( 'invalidkey' === $_GET['error'] ) {
				$errors->add( 'invalidkey', __( 'Your password reset link appears to be invalid. Please request a new link below.' ) );
			} elseif ( 'expiredkey' === $_GET['error'] ) {
				$errors->add( 'expiredkey', __( 'Your password reset link has expired. Please request a new link below.' ) );
			}
		}

		$lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
		/**
		 * Filters the URL redirected to after submitting the lostpassword/retrievepassword form.
		 *
		 * @since 3.0.0
		 *
		 * @param string $lostpassword_redirect The redirect destination URL.
		 */
		$redirect_to = apply_filters( 'lostpassword_redirect', $lostpassword_redirect );

		/**
		 * Fires before the lost password form.
		 *
		 * @since 1.5.1
		 * @since 5.1.0 Added the `$errors` parameter.
		 *
		 * @param WP_Error $errors A `WP_Error` object containing any errors generated by using invalid
		 *                         credentials. Note that the error object may not contain any errors.
		 */
		do_action( 'lost_password', $errors );

		login_header( __( 'Lost Password' ), '<p class="message">' . __( 'Please enter your username or email address. You will receive an email message with instructions on how to reset your password.' ) . '</p>', $errors );

		$user_login = '';

		if ( isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
			$user_login = wp_unslash( $_POST['user_login'] );
		}

		?>

		<form name="lostpasswordform" id="lostpasswordform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=lostpassword', 'login_post' ) ); ?>" method="post">
			<p>
				<label for="user_login"><?php _e( 'Username or Email Address' ); ?></label>
				<input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" />
			</p>
			<?php

			/**
			 * Fires inside the lostpassword form tags, before the hidden fields.
			 *
			 * @since 2.1.0
			 */
			do_action( 'lostpassword_form' );

			?>
			<input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
			<p class="submit">
				<input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e( 'Get New Password' ); ?>" />
			</p>
		</form>

		<p id="nav">
			<a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a>
			<?php

			if ( get_option( 'users_can_register' ) ) {
				$registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );

				echo esc_html( $login_link_separator );

				/** This filter is documented in wp-includes/general-template.php */
				echo apply_filters( 'register', $registration_url );
			}

			?>
		</p>
		<?php

		login_footer( 'user_login' );
		break;

	case 'resetpass':
	case 'rp':
		list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
		$rp_cookie       = 'wp-resetpass-' . COOKIEHASH;

		if ( isset( $_GET['key'] ) ) {
			$value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
			setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true );

			wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) );
			exit;
		}

		if ( isset( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) {
			list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );

			$user = check_password_reset_key( $rp_key, $rp_login );

			if ( isset( $_POST['pass1'] ) && ! hash_equals( $rp_key, $_POST['rp_key'] ) ) {
				$user = false;
			}
		} else {
			$user = false;
		}

		if ( ! $user || is_wp_error( $user ) ) {
			setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );

			if ( $user && $user->get_error_code() === 'expired_key' ) {
				wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) );
			} else {
				wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) );
			}

			exit;
		}

		$errors = new WP_Error();

		if ( isset( $_POST['pass1'] ) && $_POST['pass1'] !== $_POST['pass2'] ) {
			$errors->add( 'password_reset_mismatch', __( 'The passwords do not match.' ) );
		}

		/**
		 * Fires before the password reset procedure is validated.
		 *
		 * @since 3.5.0
		 *
		 * @param WP_Error         $errors WP Error object.
		 * @param WP_User|WP_Error $user   WP_User object if the login and reset key match. WP_Error object otherwise.
		 */
		do_action( 'validate_password_reset', $errors, $user );

		if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) {
			reset_password( $user, $_POST['pass1'] );
			setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
			login_header( __( 'Password Reset' ), '<p class="message reset-pass">' . __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a></p>' );
			login_footer();
			exit;
		}

		wp_enqueue_script( 'utils' );
		wp_enqueue_script( 'user-profile' );

		login_header( __( 'Reset Password' ), '<p class="message reset-pass">' . __( 'Enter your new password below.' ) . '</p>', $errors );

		?>
		<form name="resetpassform" id="resetpassform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=resetpass', 'login_post' ) ); ?>" method="post" autocomplete="off">
			<input type="hidden" id="user_login" value="<?php echo esc_attr( $rp_login ); ?>" autocomplete="off" />

			<div class="user-pass1-wrap">
				<p>
					<label for="pass1"><?php _e( 'New password' ); ?></label>
				</p>

				<div class="wp-pwd">
					<input type="password" data-reveal="1" data-pw="<?php echo esc_attr( wp_generate_password( 16 ) ); ?>" name="pass1" id="pass1" class="input password-input" size="24" value="" autocomplete="off" aria-describedby="pass-strength-result" />