=== oOMF! Access ===
Contributors: oomf
Tags: login, authentication, branding, redirects, security
Requires at least: 6.2
Tested up to: 6.9
Requires PHP: 8.1
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Craft a secure, branded login experience with magic links, social sign-in, smart redirects, and layered anti-abuse tools.

== Description ==

oOMF! Access delivers a polished WordPress login experience with guided flows for login, registration, lost password, and password reset. Offer passwordless magic links, social sign-in, and smart redirect control while layering in hide-admin, CAPTCHA, honeypot, and soft throttling safeguards — all without writing custom code.

Key features
- Branded login page rendered via the `[oomf_access_form]` shortcode. Activation creates a dedicated page and stores its ID in `oomf_access_page_id`; the `/oomf-access/` route continues to load the bundled template even if that page is later removed.
- Smart and safe post-login redirects with `Redirects::validate_safe_redirect()` and pluggable filters.
- Passwordless magic link login plus social providers (Google, Apple, GitHub, Microsoft, Facebook) with admin previews.
- Multiple CAPTCHA providers (reCAPTCHA v2 checkbox, v2 invisible, v3, and hCaptcha) and honeypot/throttle helpers to slow abuse.
- Hide Admin / secret login path support to obscure `/wp-login.php` and `/wp-admin` from anonymous users while keeping emergency bypasses available.
- Minimal asset footprint: frontend/admin JS & CSS load only where needed and are versioned with `filemtime()`.
- Developer hooks and filters to customize redirects, captcha behavior, allowed hosts, provider scopes, and more.

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/` or install via Plugins → Add New by uploading the zip.
2. Activate the plugin. Activation creates the public "Login" page and stores its ID in `oomf_access_page_id`.
3. Configure via Settings → oOMF! Access (branding, redirects, magic links, social providers, CAPTCHA, hide-admin slug, etc.).

== Frequently Asked Questions ==

= Where is the login page? =
On activation the plugin creates a page (option `oomf_access_page_id`) that contains `[oomf_access_form]`. You can edit or move that page, and even if it is deleted the `/oomf-access/` route will still render the branded experience.

= Does it replace my theme template? =
The shortcode inherits your active theme when embedded elsewhere. The dedicated login page generated by the plugin automatically uses the bundled minimal template at `templates/oomf-access-page-template.php` to keep the experience consistent.

= How do redirects work? =
If `redirect_to` is supplied and validates as safe, it is used. Otherwise we fall back to the configured post-login destination, then to the default WP admin. Use the `oomf-access/allowed_redirect_hosts` filter to permit specific off-site domains and `oomf_access_redirect_destination` to override the final destination.
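To make the redirect rules concrete, here is an added example (not the plugin's own code) of a must-use plugin that extends the allowed hosts, routes subscribers away from wp-admin, and includes an illustrative stand-alone safe-redirect check showing the cases such validation has to catch. The filter argument shapes, `shop.example.com` and the `/account/` path are assumptions; the checker is not the plugin's `Redirects::validate_safe_redirect()`.

```php
<?php
/**
 * Plugin Name: oOMF! Access redirect rules (added example, not part of the plugin)
 * Place in wp-content/mu-plugins/. The filter argument shapes below are assumptions.
 */

// Assumption: the filter receives the array of hostnames treated as safe and returns it.
add_filter( 'oomf-access/allowed_redirect_hosts', function ( array $hosts ): array {
	$hosts[] = 'shop.example.com'; // placeholder: a sister site you control
	return $hosts;
} );

// Assumption: the filter receives the destination URL and (optionally) the WP_User who logged in.
add_filter( 'oomf_access_redirect_destination', function ( $url, $user = null ) {
	if ( $user instanceof WP_User && ! user_can( $user, 'edit_posts' ) ) {
		return home_url( '/account/' ); // subscribers have no business in wp-admin
	}
	return $url;
}, 10, 2 );

/**
 * Illustrative version of a "safe redirect" check, so the rules in the FAQ are concrete.
 * This is NOT the plugin's Redirects::validate_safe_redirect(); it shows the cases such a
 * check must handle: relative paths pass, only http(s) to this site or an allowed host passes.
 */
function oomf_example_is_safe_redirect( string $url, array $allowed_hosts, string $site_host ): bool {
	$url = trim( $url );
	// "//evil.example" and "/\evil.example" are scheme-relative to browsers: refuse outright.
	if ( '' === $url || preg_match( '#^[/\\\\]{2}#', $url ) ) {
		return false;
	}
	$parts = parse_url( $url );
	if ( false === $parts ) {
		return false;
	}
	if ( isset( $parts['scheme'] ) ) {
		// Absolute URL: scheme must be http(s) AND the host must be ours or allow-listed.
		// "http:/evil.example" parses with no host; rejecting empty hosts closes that gap.
		if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) || empty( $parts['host'] ) ) {
			return false;
		}
		$host    = strtolower( $parts['host'] );
		$allowed = array_map( 'strtolower', $allowed_hosts );
		return $host === strtolower( $site_host ) || in_array( $host, $allowed, true );
	}
	// No scheme: accept only a same-origin path such as "/my-account/", never a bare host.
	return empty( $parts['host'] ) && isset( $parts['path'] ) && str_starts_with( $parts['path'], '/' );
}
```

With `example.com` as the site host and `shop.example.com` allow-listed, the checker accepts `/dashboard/` and `https://shop.example.com/cart` but rejects `//evil.example`, `javascript:alert(1)` and `http:/evil.example`.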

= What captcha providers are supported? =
reCAPTCHA v2 (checkbox & invisible), reCAPTCHA v3, and hCaptcha. Provider scripts are enqueued only on login pages; validation happens server-side via `includes/Security/Captcha/` providers. Use `oomf_access_captcha_is_required` or `oomf_access_captcha_validate_result` to customize behavior.

= How does Hide Admin work? =
When enabled, the plugin rewrites or blocks direct access to `/wp-login.php` and `/wp-admin` for unauthenticated users and exposes a secret login slug (configurable). Emergency bypasses are available for specific flows and query flags.

= How do I set up Social login? =
Open Settings → oOMF! Access → Social. Each provider has setup instructions and a callback/redirect URL hint; create the corresponding OAuth app with that callback. Apple requires additional keys (Service ID, Team ID, Key ID, Private Key .p8) and server-side OpenSSL support.

== Privacy ==
oOMF! Access does not send data to oOMF! services. If you enable CAPTCHA or Social Login, your site sends authentication and verification requests to those third-party providers as described in the External services section below. Removing the plugin deletes its settings (and the generated login page if you opt in via the `oomf_access/delete_page_on_uninstall` filter).

== External services ==

oOMF! Access only connects to outside services when you enable the related feature and provide your own credentials. Each integration below explains what is sent and links to the provider policies:

= Google reCAPTCHA (v2/v3) =
- Purpose: spam/abuse protection for the login forms.
- Endpoints: loads scripts from https://www.google.com/recaptcha/api.js and validates tokens via https://www.google.com/recaptcha/api/siteverify.
- Data sent: your site key/secret, the visitor’s reCAPTCHA token, the page action name, and optionally the visitor IP if you enable the strict remote IP check.
- Terms: https://policies.google.com/terms — Privacy: https://policies.google.com/privacy

= hCaptcha =
- Purpose: CAPTCHA validation when you switch to the hCaptcha provider.
- Endpoints: loads scripts from https://js.hcaptcha.com and validates tokens via https://hcaptcha.com/siteverify.
- Data sent: your site key/secret, the response token, the page action, and optionally the visitor IP per hCaptcha requirements.
- Terms: https://www.hcaptcha.com/terms — Privacy: https://www.hcaptcha.com/privacy

= Google OAuth (Social Login) =
- Purpose: allow users to sign in with their Google account.
- Endpoints: Google Accounts OAuth screen at https://accounts.google.com/o/oauth2/v2/auth, token exchange at https://oauth2.googleapis.com/token, and profile data from https://openidconnect.googleapis.com/v1/userinfo.
- Data sent: OAuth authorization code, code verifier (for PKCE), redirect URI, and the scopes you configure. After exchanging the code we request the profile name, verified email, avatar, and locale.
- Terms: https://policies.google.com/terms — Privacy: https://policies.google.com/privacy

= Apple Sign In =
- Purpose: Sign in with Apple for Social Login.
- Endpoints: OAuth screen at https://appleid.apple.com/auth/authorize and token exchange at https://appleid.apple.com/auth/token.
- Data sent: OAuth authorization code, client ID, redirect URI, and signed JWT assertions generated from the private key you upload. Apple returns the user’s name and email (when available).
- Terms: https://www.apple.com/legal/internet-services/terms/site.html — Privacy: https://www.apple.com/legal/privacy/

= GitHub OAuth =
- Purpose: Social login via GitHub accounts.
- Endpoints: OAuth screen at https://github.com/login/oauth/authorize, token exchange at https://github.com/login/oauth/access_token, and profile APIs at https://api.github.com/user and https://api.github.com/user/emails.
- Data sent: OAuth authorization code, client ID/secret, redirect URI, and scope list. After exchanging the code GitHub returns the user’s numeric ID, primary email(s), display name, and avatar URL.
- Terms: https://docs.github.com/en/site-policy/github-terms/github-terms-of-service — Privacy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement

= Microsoft (Azure AD / Entra ID) =
- Purpose: allow sign-in with Microsoft accounts.
- Endpoints: OAuth screen at https://login.microsoftonline.com/common/oauth2/v2.0/authorize and token exchange at https://login.microsoftonline.com/common/oauth2/v2.0/token. Profile data is requested from https://graph.microsoft.com/v1.0/me.
- Data sent: client ID, redirect URI, and selected scopes when the visitor starts Microsoft sign-in; then (on callback) the returned OAuth authorization code plus the configured client secret for token exchange. Microsoft returns the profile ID, email, name, and locale when available.
- Terms: https://www.microsoft.com/licensing/terms/productoffering/MicrosoftOnlineServices/MOSPT — Privacy: https://privacy.microsoft.com/privacystatement

= Facebook Login =
- Purpose: Social login via Facebook accounts.
- Endpoints: OAuth screen at https://www.facebook.com/v18.0/dialog/oauth and token/profile APIs at https://graph.facebook.com/v18.0/oauth/access_token and https://graph.facebook.com/v18.0/me.
- Data sent: OAuth authorization code, app ID/secret, redirect URI, and scopes. Facebook returns the user ID, email (if available), and profile name/avatar.
- Terms: https://www.facebook.com/legal/terms — Privacy: https://www.facebook.com/policy.php

== Hooks & Extension Points ==

Notable filters/actions you can rely on when extending oOMF! Access:
- `oomf_access_redirect_destination` — override the final destination after login.
- `oomf-access/allowed_redirect_hosts` — allow specific external redirect hosts.
- `oomf-access/captcha/allow_external` — control whether provider network calls are allowed on privacy-restricted sites.
- `oomf_access_captcha_is_required` — decide if captcha is required for a particular request.
- `oomf_access_captcha_validate_result` — customize captcha validation results.
- `oomf-access/inline_css` — inject extra CSS into admin preview and frontend styles.

For developer notes on autoloading, templates, and class layout, see the repo `README.md`.

== Screenshots ==
1. Login card with accent color, form labels, remember-me toggle, and links.
2. Admin settings screen with live preview and content, behavior, and security controls.

== Changelog ==

= 1.0.0 - 2026-03-24 =
- Fixed: Magic link nonce verification now derives the nonce action from validated token data to prevent user-controlled input from influencing verification.
- Fixed: Documented emergency bypass parameters as intentionally nonce-free for break-glass use.
- Fixed: Settings AJAX handler now reads serialized form data with a sanitizing filter up front.
- Added: Captcha provider integrations (reCAPTCHA v2/v3 and hCaptcha) with admin preview and server-side validation.
- Added: Hide Admin feature with configurable secret login slug and graceful bypass flows.
- Improved: Social login — full Sign in with Apple implementation; admin preview for Microsoft/Facebook; ordering and provider preview improvements.
- Improved: Asset loading and versioning via `filemtime()`, reduced unnecessary DOM injection for sticky nav fallbacks.
- Developer: New filters and clearer extension points for redirects and captcha.

== Upgrade Notice ==

= 1.0.0 =
Major feature release with captcha providers, Hide Admin, and social login improvements. Review new security settings after updating to tailor them to your site.
