=== OneCode Login ===
Contributors: oaron
Tags: passwordless, login, authentication, email, otp
Requires at least: 5.8
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: trunk
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Simple and secure passwordless login using email verification codes. No passwords to remember, just enter your email and verify with a 6-digit code.

== Description ==

OneCode Login provides a modern, passwordless authentication experience for your WordPress site. Instead of traditional passwords, users receive a secure 6-digit verification code via email.

= Key Features =

* **Passwordless Authentication** - Users log in with just their email address
* **6-Digit Verification Codes** - Secure, time-limited codes sent via email
* **Rate Limiting** - Built-in protection against brute force attacks
* **Request ID Binding** - Each code is bound to a specific login session for enhanced security
* **Neutral Feedback** - Prevents user enumeration attacks by not revealing if an email exists
* **Customizable** - Configure expiry times, cooldowns, and email templates
* **Accessible** - Full keyboard navigation and screen reader support
* **Gutenberg Block** - Easy to add login forms to any page
* **Shortcode Support** - Use `[onecode_login]` anywhere
* **wp-login.php Integration** - Optionally replace the default WordPress login

= Security Features =

* Cryptographically secure code generation
* Configurable code expiry (default: 10 minutes)
* Resend cooldown to prevent spam
* IP-based and email-based rate limiting
* Automatic lockout after failed attempts
* Codes are single-use and invalidated after successful login
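
The properties listed above (secure generation, expiry, request binding, lockout, single use) can be combined as in the following sketch, which is an added example and not OneCode Login's own code. The function names, the in-memory array store, the keyed-hash storage and the five-attempt threshold are all assumptions made for illustration; only the 10-minute expiry comes from this readme.

```php
<?php
// Added illustration, not OneCode Login's source. All names are hypothetical.
const OTP_TTL = 600;        // 10 minutes, the default expiry stated in this readme
const OTP_MAX_ATTEMPTS = 5; // assumed lockout threshold; the readme gives no number

function otp_issue(array &$store, string $email, string $secret, int $now): array {
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT); // CSPRNG
    $request_id = bin2hex(random_bytes(16)); // handed to the browser that asked
    $store[$request_id] = [
        'email'    => strtolower($email),
        // Keep only a keyed hash so a leaked store does not reveal live codes.
        'hash'     => hash_hmac('sha256', $request_id . ':' . $code, $secret),
        'expires'  => $now + OTP_TTL,
        'attempts' => 0,
    ];
    return [$request_id, $code]; // the code goes into the email, never the response
}

function otp_verify(array &$store, string $request_id, string $email,
                    string $code, string $secret, int $now): bool {
    $rec = $store[$request_id] ?? null;
    if ($rec === null) {
        return false; // unknown or already consumed request ID
    }
    if ($now > $rec['expires'] || $rec['attempts'] >= OTP_MAX_ATTEMPTS) {
        unset($store[$request_id]); // expired or locked out: the code is dead
        return false;
    }
    $store[$request_id]['attempts']++; // count the attempt before comparing
    $candidate = hash_hmac('sha256', $request_id . ':' . $code, $secret);
    $ok = hash_equals($rec['hash'], $candidate) // constant-time comparison
        && hash_equals($rec['email'], strtolower($email));
    if ($ok) {
        unset($store[$request_id]); // single use: a replay finds no record
    }
    return $ok;
}

// Constructed sample run against an in-memory store.
$store  = [];
$secret = random_bytes(32);
[$rid, $code] = otp_issue($store, 'user@example.com', $secret, time());
var_dump(otp_verify($store, $rid, 'user@example.com', '000000x', $secret, time())); // wrong code
var_dump(otp_verify($store, $rid, 'user@example.com', $code, $secret, time()));     // correct code
var_dump(otp_verify($store, $rid, 'user@example.com', $code, $secret, time()));     // replay of a used code
```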

= Use Cases =

* Membership sites where password fatigue is an issue
* Customer portals requiring simple authentication
* Internal tools where security without complexity is needed
* Any site wanting to improve user experience

== Installation ==

1. Upload the `onecode-login` folder to `/wp-content/plugins/`
2. Activate the plugin through the Plugins menu in WordPress
3. Go to Settings > OneCode Login to configure options
4. Add the login form using the `[onecode_login]` shortcode or Gutenberg block

= Shortcode Options =

* `redirect_to` - URL to redirect after successful login
* `button_text` - Custom text for the send code button
* `verify_text` - Custom text for the verify button

Example: `[onecode_login redirect_to="/dashboard" button_text="Get Code"]`

== Frequently Asked Questions ==

= Does this replace password login completely? =

By default, no. OneCode Login works alongside traditional password login. However, you can enable the "Replace wp-login.php" option to use OneCode Login as the primary login method.

= What happens if the email does not arrive? =

Users can request a new code after the cooldown period (default: 60 seconds). Check your server email configuration if emails consistently fail to deliver.

= Is this secure? =

Yes. The plugin uses cryptographically secure random number generation, time-limited codes, rate limiting, and request binding to prevent various attack vectors.

= Can I customize the email template? =

Yes. Go to Settings > OneCode Login > Email tab to customize the subject and body of verification emails. You can use placeholders like `{code}`, `{expires}`, `{site_name}`, and `{user_email}`.

= Does it work with multisite? =

The plugin is designed for single-site installations. Multisite compatibility may be added in future versions.

= What if a user does not have an account? =

The plugin only allows existing users to log in. For security reasons, it does not reveal whether an email address has an account - users always see the same "check your email" message.

== Screenshots ==

1. Admin settings page with all configuration options
2. Email input form for passwordless login
3. 6-digit verification code entry screen

== Changelog ==

= 1.0.1 =

* Small bug fixes

= 1.0.0 =

* Initial release
* Passwordless login with 6-digit verification codes
* Rate limiting and brute force protection
* Customizable email templates
* Gutenberg block and shortcode support
* wp-login.php integration option
* Full accessibility support
