Jetpack: Protect: issues with bbPress' login widget

Similar issue with the Login With Ajax plugin:
https://wordpress.org/plugins/login-with-ajax/

Reported here:
https://wordpress.org/support/topic/conflict-with-ajax-login/

It would not be so bad if that page with "Please solve this math problem to prove that you are not a bot..." does not redirect back to a login page but actually logs the user in. If the puzzle is solved of course.

We just ran into this on a site we're building out. Is there some sort of temporary fix or work around?

At least I've now learned that removing jetpack kills the issue, however now I've lost all my jetpack functionality.

Removing/switching from bbpress is not an option, really. Not at this point.

I hope someone finds a workaround... really stinks to launch a paid site and get over 2000 signups and then have my support desk get hit with this round robin captcha bs.

Please, someone fix this!? :(

Looking closer at the issue, trying to figure out what is going (wr)on(g), I conclude there are several issues at play here:

1. a custom login widget (using wp_login_form) will not does not trigger the action hooks like login_init and login_form (and others?) that Protect currently depends on. Instead, it uses the filters login_form_top, login_form_middle and login_form_bottom.
2. the generated math fallback page (after first login attempt) only submits a math puzzle answer and does (no the user id and password again) which inevitably leads to being redirected to the login.php page after submission.
3. the class method Jetpack_Protect_Math_Authenticate::process_generate_math_page() is not run after submission of the math fallback form which leads to no jpp_math_pass being set, which leads to another math puzzle being added to the login.php form...

To fix issue 1, a revisit of an older patch request #2474 might be considered. Or maybe a request to add the action hook login_form to https://core.trac.wordpress.org/browser/tags/4.5.3/src/wp-includes/general-template.php#L401 ?

Issue 2 is a question of flow logic. Is it not saner to remove this math form page completely and just redirect straight to wp-login.php (with optional added text to explain why that happened) if the user is going to end up there anyway, whatever he/she does (pass or fail the math test).

Issue 3 will no longer be relevant if the other two are addressed properly. On the other hand, it does seem to be a bug so I'll create a separate report for it...

Oh hang on... while testing a fix for #5646 (related to issue 3 above) by changing the add_action 'login_init' to 'init' on line 53 of protect.php I've seen the math field appear in the bbPress widget a few times now... Only when the transient 'brute_use_math' is set though but that seems logical.

Could anyone test this?

Simply modify jetpack/modules/protect.php line 53 to
add_action( 'init', array ( $this, 'check_use_math' ) );

Question for the devs: why was the switch from init (merged in #3686) to login_init made?

Turns out an additional change is needed. Change line 61 in protect.php from
add_action( 'login_head', array ( $this, 'check_login_ability' ) );
to
add_action( 'login_form', array ( $this, 'check_login_ability' ), 1 );

(note login_form but also the additional , 1 there at the end too!)

This will run Jetpack_Protect_Module::check_login_ability() whenever a bbPress Login Widget is initiated, which is needed to make 'check_use_math' function fully. It may be a bit expensive (when the widget is visible on every page) but it seems to work...

Fixed by #5647