WordPress · iandunn · Feb 10, 2023 · Feb 9, 2023
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
@@ -512,7 +512,7 @@ public static function filter_authenticate_block_cookies( $user ) {
 
 		return $user;
 	}
-	
+
 	/**
 	 * If the current user can login via API requests such as XML-RPC and REST.
 	 *

diff --git a/providers/class-two-factor-backup-codes.php b/providers/class-two-factor-backup-codes.php
@@ -77,14 +77,6 @@ public function register_rest_routes() {
 						'required' => true,
 						'type'     => 'number',
 					),
-					'number' => array(
-						'type'    => 'number',
-						'default' => self::NUMBER_OF_CODES,
-					),
-					'append' => array(
-						'type'    => 'boolean',
-						'default' => false,
-					),
 					'enable_provider' => array(
 						'required' => false,
 						'type'     => 'boolean',
@@ -269,9 +261,10 @@ public function rest_generate_codes( $request ) {
 		$user_id = $request['user_id'];
 		$user    = get_user_by( 'id', $user_id );
 
+		// Hardcode these, the user shouldn't be able to choose them.
 		$args =  array(
-			'number' => $request['number'],
-			'method' => wp_validate_boolean( $request['append'] ) ? 'append' : 'replace',
+			'number' => self::NUMBER_OF_CODES,
+			'method' => 'replace',
 		);
 
 		// Setup the return data.

diff --git a/tests/providers/class-two-factor-backup-codes-rest-api.php b/tests/providers/class-two-factor-backup-codes-rest-api.php
@@ -56,7 +56,7 @@ public static function wpTearDownAfterClass() {
 	}
 
 	/**
-	 * Verify that the downloaded file contains the requested number of codes.
+	 * Verify that the downloaded file contains the default number of codes.
 	 *
 	 * @covers Two_Factor_Backup_Codes::rest_generate_codes
 	 */
@@ -67,7 +67,6 @@ public function test_generate_code_and_validate_in_download_file() {
 		$request->set_body_params(
 			array(
 				'user_id' => self::$admin_id,
-				'number'  => 5,
 			)
 		);
 
@@ -77,71 +76,11 @@ public function test_generate_code_and_validate_in_download_file() {
 		$this->assertEquals( 200, $response->get_status() );
 		$this->assertNotEmpty( $data['download_link'] );
 		$this->assertNotEmpty( $data['codes'] );
-		$this->assertCount( 5, $data['codes'] );
+		$this->assertCount( 10, $data['codes'] );
 		$this->assertTrue( self::$provider->validate_code( wp_get_current_user(), $data['codes'][0] ) );
 		$this->assertStringContainsString( $data['codes'][0], $data['download_link'] );
 	}
 
-	/**
-	 * Verify that overwriting, and appending works.
-	 *
-	 * @covers Two_Factor_Backup_Codes::rest_generate_codes
-	 */
-	public function test_generate_code_append() {
-		wp_set_current_user( self::$admin_id );
-
-		$request  = new WP_REST_Request( 'POST', '/' . Two_Factor_Core::REST_NAMESPACE . '/generate-backup-codes' );
-		$request->set_body_params(
-			array(
-				'user_id' => self::$admin_id,
-				'number'  => 5,
-			)
-		);
-
-		$response  = rest_do_request( $request );
-		$discarded = $response->get_data();
-
-		$this->assertEquals( 200, $response->get_status() );
-		$this->assertEquals( 5, $discarded['remaining'] );
-
-		$request = new WP_REST_Request( 'POST', '/' . Two_Factor_Core::REST_NAMESPACE . '/generate-backup-codes' );
-		$request->set_body_params(
-			array(
-				'user_id' => self::$admin_id,
-				'number'  => 5,
-			)
-		);
-
-		$response = rest_do_request( $request );
-		$first    = $response->get_data();
-
-		$this->assertEquals( 200, $response->get_status() );
-		$this->assertNotEmpty( $first['codes'] );
-		$this->assertEquals( 5, $first['remaining'] );
-
-		$request = new WP_REST_Request( 'POST', '/' . Two_Factor_Core::REST_NAMESPACE . '/generate-backup-codes' );
-		$request->set_body_params(
-			array(
-				'user_id' => self::$admin_id,
-				'number'  => 1,
-				'append'  => true,
-			)
-		);
-
-		$response = rest_do_request( $request );
-		$second   = $response->get_data();
-
-		$this->assertEquals( 200, $response->get_status() );
-		$this->assertNotEmpty( $second['codes'] );
-		$this->assertEquals( 6, $second['remaining'] );
-
-		$this->assertEquals( $second['remaining'], self::$provider->codes_remaining_for_user( wp_get_current_user() ) );
-
-		$this->assertFalse( self::$provider->validate_code( wp_get_current_user(), $discarded['codes'][0] ) );
-		$this->assertTrue( self::$provider->validate_code( wp_get_current_user(), $first['codes'][0] ) );
-		$this->assertTrue( self::$provider->validate_code( wp_get_current_user(), $second['codes'][0] ) );
-	}
-
 	/**
 	 * Verify that a user without edit_user capabilities cannot generate codes for another.
 	 *