Use a webview for WP.com login #21414

Draft: wants to merge 2 commits into base: trunk

@jkmassel
Contributor

jkmassel commented Nov 4, 2024

Fixes a fairly common login issue reported in https://a8c.slack.com/archives/C02AVAR9B/p1728576885606729.


To Test:

  • Install both Jetpack and WordPress.
  • Try logging into WP.com
  • Note that it works

Regression Notes

  1. Potential unintended areas of impact
    Could be other issues around login – I tried to very narrowly address the issue in this PR – nothing has been removed, so everything should work like it did before (for instance, use re-authentication).

  2. What I did to test those areas of impact (or what existing automated tests I relied on)
    n/a

  3. What automated tests I added (or what prevented me from doing so)
    There wouldn't be a lot of benefit to automated tests at this point.


PR Submission Checklist:

  • I have completed the Regression Notes.
  • I have considered adding accessibility improvements for my changes.
  • I have considered if this change warrants user-facing release notes and have added them to RELEASE-NOTES.txt if necessary.

Testing Checklist (strike-out the not-applying and unnecessary ones):

  • WordPress.com sites and self-hosted Jetpack sites.
  • Portrait and landscape orientations.
  • Light and dark modes.
  • Fonts: Larger, smaller and bold text.
  • High contrast.
  • Talkback.
  • Languages with large words or with letters/accents not frequently used in English.
  • Right-to-left languages. (Even if translation isn’t complete, formatting should still respect the right-to-left layout)
  • Large and small screen sizes. (Tablet and smaller phones)
  • Multi-tasking: Split screen and Pop-up view. (Android 10 or higher)

@dangermattic
Collaborator

3 Errors
🚫 Please add tests for class WPcomLoginHelper (or add unit-tests-exemption label to ignore this).
🚫 Please add tests for class WPcomLoginClient (or add unit-tests-exemption label to ignore this).
🚫 Please add tests for class WPcomLoginError (or add unit-tests-exemption label to ignore this).
1 Message
📖 This PR is still a Draft: some checks will be skipped.

Generated by 🚫 Danger

@wpmobilebot
Contributor

WordPress📲 You can test the changes from this Pull Request in WordPress by scanning the QR code below to install the corresponding build.
App Name: WordPress
Flavor: Jalapeno
Build Type: Debug
Version: pr21414-20df6dc
Commit: 20df6dc
Direct Download: wordpress-prototype-build-pr21414-20df6dc.apk
Note: Google Login is not supported on these builds.

@wpmobilebot
Contributor

Jetpack📲 You can test the changes from this Pull Request in Jetpack by scanning the QR code below to install the corresponding build.
App Name: Jetpack
Flavor: Jalapeno
Build Type: Debug
Version: pr21414-20df6dc
Commit: 20df6dc
Direct Download: jetpack-prototype-build-pr21414-20df6dc.apk
Note: Google Login is not supported on these builds.


runBlocking {
val tokenResult = loginClient.exchangeAuthCodeForToken(code, BuildConfig.OAUTH_REDIRECT_URI)
accountStore.updateAccessToken(tokenResult.getOrThrow())
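
Review bot: `tokenResult.getOrThrow()` on the last visible line rethrows any failure from `exchangeAuthCodeForToken`, and nothing in these lines catches it, so a rejected or expired code surfaces as an uncaught exception inside `runBlocking` instead of a login error. Handle the failure branch explicitly (for example with `fold` or `onFailure`) and call `updateAccessToken` only on success. `runBlocking` also blocks the calling thread for the whole network exchange; if this runs on the main thread, a lifecycle-scoped coroutine would be the safer choice.
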
Contributor

I think you'd want to check if the token belongs to the current user before saving it. Users can log in with any account from the login webpage.

Contributor Author

This should be for first-time authentication only – I'm thinking we'll want a reauthenticate method that does what you say – forces login to a specific account
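
The check discussed in this review thread, as an added example that is not part of the PR or the project's code: it separates first-time login (any account is acceptable) from re-authentication (the token must belong to the signed-in account). `TokenOwner`, `TokenDecision`, `decideTokenSave` and the `lookupOwner` callback are hypothetical names, and the owner lookup is assumed to be a server-side "who am I" call made with the new token.

```kotlin
// Added example, not code from this PR. All names here are hypothetical.

/** Identity the server reports for a token (assumed to come from a "who am I" call). */
data class TokenOwner(val userId: Long)

sealed interface TokenDecision {
    data class Save(val token: String, val owner: TokenOwner) : TokenDecision
    data class Reject(val reason: String) : TokenDecision
}

/**
 * Decides whether a freshly exchanged token may be persisted.
 * expectedUserId == null means first-time login: any account is acceptable.
 * Otherwise (re-authentication) the token must belong to the signed-in account.
 */
fun decideTokenSave(
    tokenResult: Result<String>,
    expectedUserId: Long?,
    lookupOwner: (String) -> Result<TokenOwner>
): TokenDecision {
    // A failed exchange becomes a rejection instead of an exception thrown into the UI.
    val token = tokenResult.getOrElse {
        return TokenDecision.Reject("exchange failed: ${it.message}")
    }
    // Ask the server who the token belongs to; do not rely on client-side hints.
    val owner = lookupOwner(token).getOrElse {
        return TokenDecision.Reject("owner lookup failed: ${it.message}")
    }
    if (expectedUserId != null && owner.userId != expectedUserId) {
        return TokenDecision.Reject("token belongs to user ${owner.userId}, expected $expectedUserId")
    }
    return TokenDecision.Save(token, owner)
}

fun main() {
    // Constructed sample data: two fake tokens mapped to fake user ids.
    val owners = mapOf("token-a" to 1001L, "token-b" to 2002L)
    val lookup: (String) -> Result<TokenOwner> = { t ->
        owners[t]?.let { Result.success(TokenOwner(it)) }
            ?: Result.failure(IllegalStateException("unknown token"))
    }
    println(decideTokenSave(Result.success("token-a"), null, lookup))   // first-time login
    println(decideTokenSave(Result.success("token-a"), 1001L, lookup))  // re-auth, same account
    println(decideTokenSave(Result.success("token-b"), 1001L, lookup))  // re-auth, different account
    println(decideTokenSave(Result.failure(RuntimeException("bad code")), 1001L, lookup)) // failed exchange
}
```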

@nbradbury
Contributor

nbradbury commented Nov 5, 2024

@jkmassel I'm running into some issues with this. When I try to login with a 2FA account, I see this screen and can't go any further:

passkey

If I try with a non-2FA account, after I login I'm not redirected to the app - instead I'm still in the browser. Is this intended? I also did not expect to be taken to the browser to login. Is it not possible to do this in a WebView within the app?

wplogin.mp4

@@ -113,7 +113,18 @@
<activity
android:name=".ui.accounts.LoginActivity"
android:theme="@style/LoginTheme.TransparentSystemBars"
android:windowSoftInputMode="adjustResize" />
android:windowSoftInputMode="adjustResize"
android:exported="true">
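
Review bot: `android:exported="true"` on `.ui.accounts.LoginActivity` lets any app on the device start this activity with an intent of its choosing, and the lines visible here stop at the opening tag, so the intent filter that justifies the export cannot be checked. Keep that filter as narrow as the login callback needs (a single scheme and host, `VIEW` action with the `BROWSABLE` category) and treat the incoming intent data as untrusted inside the activity. An alternative is a small dedicated exported activity that receives only the callback and forwards to a non-exported `LoginActivity`.
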
Contributor

Sonarcloud flags this as a security risk. Does it need to be exported?

Contributor Author

My understanding is that this was required in order to handle custom URL schemes, but I might be incorrect!

Contributor

Ah, I suspect you're right about that. This Sonarcloud page mentions ways to fix this warning.

@jkmassel
Contributor Author

jkmassel commented Nov 5, 2024

> If I try with a non-2FA account, after I login I'm not redirected to the app - instead I'm still in the browser. Is this intended?

That's really odd – I wonder if maybe the app needs to be fully uninstalled? You're being redirected to http://android.a8c.com, which is the old behaviour 🤔

> Is it not possible to do this in a WebView within the app

Good question! I had assumed that we'd want to use the default browser for password managers, etc – if we can do it in an in-app browser that would be nicer for sure.

@nbradbury
Contributor

> That's really odd – I wonder if maybe the app needs to be fully uninstalled? You're being redirected to http://android.a8c.com, which is the old behaviour

I tried again, this time using a new emulator instance (so no previous install), and I'm still seeing this behavior.

@wpmobilebot
Contributor

Project dependencies changes

The following changes in project dependencies were detected (configuration wordpressVanillaReleaseRuntimeClasspath):

tree
+\--- androidx.browser:browser:1.5.0 -> 1.8.0 (*)

@jkmassel
Contributor Author

@nbradbury – could you give this a try again? It now uses Chrome Tabs in-app, which should share all of the password management goodness we need.

I tried it with a Google-synced passkey and it worked, and I tried with a Yubikey and that worked too (on my ancient Galaxy S9) so I'm hopeful it works for you too!

sonarcloud bot commented Nov 18, 2024

Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)


@nbradbury
Contributor

> could you give this a try again? It now uses Chrome Tabs in-app, which should share all of the password management goodness we need.

@jkmassel Chrome Custom tabs is a much better solution, but I'm still seeing issues. With a non-2FA account, I end up being redirected to the Automattic home page.

redirect.mp4

With a 2FA account, I still get stuck in some sort of passkey loop which I don't understand.

passkey.mp4
