alleyinteractive / wp-alleyvate

Defaults for WordPress sites by Alley.
GNU General Public License v2.0

Issue-49: Add nonce to wp-login #56

Closed anubisthejackle closed 6 months ago

anubisthejackle commented 7 months ago

Summary

This PR adds a nonce to wp-login.php as described in issue #49.

Notes for reviewers

Please consider the potential overhead to the login process and the requirement for the page to be uncached when reviewing the changes.

Changelog entries

Added

Changed

Deprecated

Removed

Fixed

Security

Summary by CodeRabbit

coderabbitai[bot] commented 7 months ago

Walkthrough

The AlleyVate WordPress plugin has introduced a new Login_Nonce class to enhance security on the login form by adding a nonce field. This nonce implementation includes various methods for nonce initialization, validation, and error handling. The changes also include a new feature addition to the plugin's load process and corresponding tests to ensure the functionality works as expected. The nonce feature aims to mitigate CSRF and brute-force attacks, aligning with WordPress security best practices.

Changes

| File Path | Change Summary |
| --- | --- |
| .../features/class-login-nonce.php | Added Login_Nonce class with methods for nonce handling in login forms. |
| .../load.php | Included new 'login_nonce' feature in the available_features function. |
| .../features/test-login-nonce.php | Created Test_Login_Nonce class for testing the nonce functionality in login forms. |

Related issues

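As an added example (not the wp-alleyvate plugin's own Login_Nonce code), this is the minimal shape of the wp-login.php nonce the PR summary and the walkthrough describe: a hidden field rendered into the form, verification during authentication with an error returned to the form, and no-cache headers because the nonce value is session- and time-bound. The class name, action and field names, hook priority and the choice to gate only POSTed form submissions are assumptions; the fixed (non-random) field name follows the suggestion discussed in the review.

```php
<?php
/**
 * Added example, not the wp-alleyvate implementation. Class, action and
 * field names are constructed assumptions.
 */
class Example_Login_Nonce {
	// Fixed names: the field name is stable; the nonce VALUE is still
	// tied to the visitor's session token and a time window.
	const ACTION = 'example_login_nonce_action';
	const FIELD  = 'example_login_nonce';

	public static function boot(): void {
		// Emit the hidden nonce field inside the wp-login.php form.
		add_action( 'login_form', [ __CLASS__, 'render_field' ] );
		// Validate after core's own checks (priorities 20 and 30) have run.
		add_filter( 'authenticate', [ __CLASS__, 'validate' ], 99, 3 );
		// A nonce bound to session and time must never be served from a page cache.
		add_action( 'login_init', 'nocache_headers' );
	}

	public static function render_field(): void {
		wp_nonce_field( self::ACTION, self::FIELD, false );
	}

	public static function validate( $user, string $username, string $password ) {
		// Only gate POSTed login-form submissions; leave programmatic
		// wp_signon() calls, XML-RPC and REST authentication untouched.
		$is_form_post = 'POST' === ( $_SERVER['REQUEST_METHOD'] ?? '' )
			&& isset( $_POST['log'], $_POST['pwd'] );
		if ( ! $is_form_post ) {
			return $user;
		}

		$nonce = isset( $_POST[ self::FIELD ] )
			? sanitize_text_field( wp_unslash( $_POST[ self::FIELD ] ) )
			: '';

		// wp_verify_nonce() returns 1 or 2 for a valid nonce, false otherwise.
		if ( false === wp_verify_nonce( $nonce, self::ACTION ) ) {
			// Returning WP_Error overrides any WP_User resolved earlier and
			// surfaces the message on the login form.
			return new WP_Error(
				'example_invalid_login_nonce',
				__( 'Your login session expired or the form was not submitted from this site. Please reload and try again.' )
			);
		}
		return $user;
	}
}

Example_Login_Nonce::boot();
```

A missing or expired nonce fails authentication even when the credentials are correct, which is the overhead the PR description asks reviewers to weigh against the cached-page requirement.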
kevinfodness commented 7 months ago

@anubisthejackle this is pretty close - see my comment about the log in button name, and I like your suggestion about not making the nonce name random. Let me know when that's done and I'll re-review.

anubisthejackle commented 7 months ago

@kevinfodness I've added those changes now.