Use site_url() for the FIDO U2F AppId

[onliniak]

Priority: Low, I use very rarely use option.

I propably find a error. I use TF 0.3, WP 5.0.3, Firefox 65, Yubikey 4 and Nginx.

When I select this same urls like example.com and example.com all works but if my site url is example.com and my blog url (WP admin and WP login) is abc.123.xyz I am not able to login. abc.123.xyz/wp-login show destroy session error and Firefox don't show fingerprint icon.

[kasparsd]

Is that with the U2F key? The U2F protocol relies on the AppId which we set to the home_url() here:

https://github.com/georgestephanis/two-factor/blob/f33778a5f72a08550cc7f25ab93f67bfd44c7c1d/providers/class.two-factor-fido-u2f.php#L90-L98

And per home_url() docs:

Retrieves the URL for the current site where the front end is accessible.

So site_url() would actually be more appropriate.

However, it has been like that for the past four years b5df9ba and it could introduce a regression if we change it right now.

Maybe add a filter to allow changing that?

[onliniak]

Yes, U2F key. By the way I find similar problem with OpenID plugin (I am stuck after login with message "put key" but without fingerprint icon).

I understand, anyway it's extremal situations. Closed.

[joshbetz]

However, it has been like that for the past four years b5df9ba and it could introduce a regression if we change it right now.

In most cases the home_url() and site_url() are probably the same. In cases where they're not, this is almost certainly broken right now. It seems unlikely that fixing this will cause more problems.

[kasparsd]

@joshbetz I agree! I know WP VIP has home_url() return the top-level domain and site_url() return the *.wordpress.com domain.

Let's get this fixed.

[onliniak]

So, by coincidence, I pointed to a possible problem with wordpress.com? Good to know ...

[iandunn]

U2F is deprecated and no longer works in Chrome, so the provider is being removed in #439 . Given that, there's probably no reason to keep this open anymore.