=== Riverbox Passwordless Login ===
Contributors: riverbox
Tags: passwordless, login, otp, passkeys, authentication
Requires at least: 6.4
Tested up to: 7.0
Requires PHP: 8.1
Stable tag: 1.1.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Passwordless login for WordPress — one-time codes, magic links, passkeys, and phone login.

== Description ==

Riverbox replaces passwords with modern, frictionless login. Users sign in with a one-time code, a magic link, a passkey, or their phone number — and new visitors can get an account automatically.

**Login methods**

* **Email one-time codes** — type your address, get a short code, you're in.
* **Magic links** — one-click login links by email; single-use and expiring.
* **Passkeys (WebAuthn)** — sign in with a fingerprint, face, or security key. Includes an account page (`[riverbox-account]`) where users manage their devices. No external services; the WebAuthn ceremony is verified on your own server.
* **Phone one-time codes** — SMS login through your own HTTP SMS gateway ({{to}}/{{message}} placeholder templates).
* **Password** — classic login can stay available alongside the passwordless methods.

**Security**

* Codes stored only as hashes, with expiry, attempt caps, and resend cooldowns.
* Per-IP and per-identifier rate limiting; responses never reveal whether an account exists.
* Magic links are single-use and blocked for accounts that require multi-factor login.
* A delivery log records every code dispatch with the raw gateway response.

**Developer friendly**

* REST API under `riverbox/v1` (`/begin`, `/verify`, passkey endpoints) built on an extensible authentication-factor architecture — every method is a "factor", and login flows are factor chains.
* Documented hooks: `riverbox_register_factors`, `riverbox_login_chain`, `riverbox_otp_sent`, `riverbox_logged_in`, `riverbox_login_redirect`, `riverbox_user_created`, plus settings extension points.

**Riverbox Pro** (sold separately at [dontworry2much.com](https://dontworry2much.com/riverbox)) adds Twilio and WhatsApp Cloud API gateways, social login (Google, Microsoft, Facebook, GitHub, LinkedIn, Discord), and role-based 2FA/3FA login flows.

**Privacy**

The free plugin does not connect to any external service. Emails go through your site's own mail system, SMS goes through the gateway you configure, and all data stays in your WordPress database.

== Installation ==

1. Install and activate the plugin.
2. Add `[riverbox-login]` to any page; optionally add `[riverbox-account]` to a members page for passkey management.
3. Configure methods, codes, signup behavior, and gateways under **Settings → Riverbox**.

== Frequently Asked Questions ==

= Does this replace my normal WordPress login? =

No. Riverbox adds passwordless login wherever you place the shortcode. The standard wp-login.php form keeps working, so you can never lock yourself out.

= Can new visitors register through the form? =

Yes — enable automatic account creation in settings and choose the role new users receive. Signup works with email and phone codes.

= Do passkeys need a third-party service? =

No. Registration and verification happen entirely on your server using the WebAuthn standard. Passkeys require HTTPS in production (browsers allow localhost for testing).

= How does phone login send SMS? =

The free plugin includes a generic HTTP gateway you can point at any SMS provider's API. Riverbox Pro adds ready-made Twilio and WhatsApp Cloud API integrations.

= The code email doesn't arrive — what do I check? =

Email delivery depends on your site's mail configuration. Check the Riverbox delivery log and consider an SMTP plugin if your host's default mail is unreliable.

== Screenshots ==

1. The login form with every method enabled: one-time codes (email or phone), magic links, password, passkeys, and social login (Pro).
2. The one-time code verification step after a code has been sent.

== Changelog ==

= 1.1.1 =
* Security: rate limiting is now atomic (single-statement counter on a dedicated table), so concurrent requests can no longer race past the limit.
* Security: a code's expiry is fixed at issue time — failed verification attempts can no longer extend its lifetime.

= 1.1.0 =
* New: magic link login (single-use, expiring, blocked for MFA accounts).
* New: passkey (WebAuthn) login and registration with an account security page.
* New: phone one-time-code login via a configurable HTTP SMS gateway.
* New: password as an optional method alongside passwordless login.
* New: multi-step login chains (foundation for role-based 2FA/3FA in Pro).
* New: extension hooks for gateways, factors, and settings.

= 1.0.0 =
* Initial release: email one-time-code login and signup, `[riverbox-login]` shortcode, REST API, delivery log, rate limiting.

== Upgrade Notice ==

= 1.1.0 =
Adds magic links, passkeys, phone login, and multi-step login flows.
