Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use a webview for WP.com login #21414

Merged
merged 11 commits into from
Jan 24, 2025
Merged

Conversation

jkmassel
Copy link
Contributor

@jkmassel jkmassel commented Nov 4, 2024

Fixes a fairly common login issue reported in https://a8c.slack.com/archives/C02AVAR9B/p1728576885606729.


To Test:

  • Install both Jetpack and WordPress.
  • Try logging into WP.com
  • Note that it works

Regression Notes

  1. Potential unintended areas of impact
    Could be other issues around login – I tried very narrowly address the issue in this PR – nothing has been removed, so everything should work like it did before (for instance, use re-authentication).

  2. What I did to test those areas of impact (or what existing automated tests I relied on)
    n/a

  3. What automated tests I added (or what prevented me from doing so)
    There wouldn't be a lot of benefit to automated tests at this point.


PR Submission Checklist:

  • I have completed the Regression Notes.
  • I have considered adding accessibility improvements for my changes.
  • I have considered if this change warrants user-facing release notes and have added them to RELEASE-NOTES.txt if necessary.

Testing Checklist (strike-out the not-applying and unnecessary ones):

  • WordPress.com sites and self-hosted Jetpack sites.
  • Portrait and landscape orientations.
  • Light and dark modes.
  • Fonts: Larger, smaller and bold text.
  • High contrast.
  • Talkback.
  • Languages with large words or with letters/accents not frequently used in English.
  • Right-to-left languages. (Even if translation isn’t complete, formatting should still respect the right-to-left layout)
  • Large and small screen sizes. (Tablet and smaller phones)
  • Multi-tasking: Split screen and Pop-up view. (Android 10 or higher)

@dangermattic
Copy link
Collaborator

dangermattic commented Nov 4, 2024

5 Warnings
⚠️ Class WPcomLoginHelper is missing tests, but unit-tests-exemption label was set to ignore this.
⚠️ Class ServiceConnection is missing tests, but unit-tests-exemption label was set to ignore this.
⚠️ Class WPcomLoginClient is missing tests, but unit-tests-exemption label was set to ignore this.
⚠️ Class WPcomLoginError is missing tests, but unit-tests-exemption label was set to ignore this.
⚠️ This PR is assigned to the milestone 25.7. The due date for this milestone has already passed.
Please assign it to a milestone with a later deadline or check whether the release for this milestone has already been finished.

Generated by 🚫 Danger

@wpmobilebot
Copy link
Contributor

wpmobilebot commented Nov 4, 2024

WordPress📲 You can test the changes from this Pull Request in WordPress by scanning the QR code below to install the corresponding build.
App NameWordPress WordPress
FlavorJalapeno
Build TypeDebug
Versionpr21414-591ec79
Commit591ec79
Direct Downloadwordpress-prototype-build-pr21414-591ec79.apk
Note: Google Login is not supported on these builds.

@wpmobilebot
Copy link
Contributor

wpmobilebot commented Nov 4, 2024

Jetpack📲 You can test the changes from this Pull Request in Jetpack by scanning the QR code below to install the corresponding build.
App NameJetpack Jetpack
FlavorJalapeno
Build TypeDebug
Versionpr21414-591ec79
Commit591ec79
Direct Downloadjetpack-prototype-build-pr21414-591ec79.apk
Note: Google Login is not supported on these builds.


runBlocking {
val tokenResult = loginClient.exchangeAuthCodeForToken(code, BuildConfig.OAUTH_REDIRECT_URI)
accountStore.updateAccessToken(tokenResult.getOrThrow())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you'd want to check if the token belongs to the current user before saving it. Users can log in with any account from the login webpage.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be for first-time authentication only – I'm thinking we'll want a reauthenticate method that does what you say – forces login to a specific account

@nbradbury
Copy link
Contributor

nbradbury commented Nov 5, 2024

@jkmassel I'm running into some issues with this. When I try to login with a 2FA account, I see this screen and can't go any further:

passkey

If I try with a non-2FA account, after I login I'm not redirected to the app - instead I'm still in the browser. Is this intended? I also did not expect to be taken to the browser to login. Is it not possible to do this in a WebView within the app?

wplogin.mp4

@@ -113,7 +113,18 @@
<activity
android:name=".ui.accounts.LoginActivity"
android:theme="@style/LoginTheme.TransparentSystemBars"
android:windowSoftInputMode="adjustResize" />
android:windowSoftInputMode="adjustResize"
android:exported="true">
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sonarcloud flags this as a security risk. Does it need to be exported?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding is that this was required in order to handle custom URL schemes, but I might be incorrect!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I suspect you're right about that. This Sonarcloud page mentions ways to fix this warning.

@jkmassel
Copy link
Contributor Author

jkmassel commented Nov 5, 2024

If I try with a non-2FA account, after I login I'm not redirected to the app - instead I'm still in the browser. Is this intended?

That's really odd – I wonder if maybe the app needs to be fully uninstalled? You're being redirected to http://android.a8c.com, which is the old behaviour 🤔

Is it not possible to do this in a WebView within the app

Good question! I had assumed that we'd want to use the default browser for password managers, etc – if we can do it in an in-app browser that would be nicer for sure.

@nbradbury
Copy link
Contributor

That's really odd – I wonder if maybe the app needs to be fully uninstalled? You're being redirected to http://android.a8c.com, which is the old behaviour

I tried again, this time using a new emulator instance (so no previous install), and I'm still seeing this behavior.

@wpmobilebot
Copy link
Contributor

Project dependencies changes

The following changes in project dependencies were detected (configuration wordpressVanillaReleaseRuntimeClasspath):

list

tree
+\--- androidx.browser:browser:1.5.0 -> 1.8.0 (*)

@jkmassel jkmassel force-pushed the use/webview-for-dotcom-login branch from eb5c5a5 to d93b1f8 Compare November 18, 2024 22:07
@jkmassel
Copy link
Contributor Author

@nbradbury – could you give this a try again? It now uses Chrome Tabs in-app, which should share all of password management goodness we need.

I tried it with a Google-synced passkey and it worked, and I tried with a Yubikey and that worked too (on my ancient Galaxy S9) so I'm hopeful it works for you too!

@jkmassel jkmassel requested a review from nbradbury November 18, 2024 22:08
@nbradbury
Copy link
Contributor

could you give this a try again? It now uses Chrome Tabs in-app, which should share all of password management goodness we need.

@jkmassel Chrome Custom tabs is a much better solution, but I'm still seeing issues. With a non-2FA account, I end up being redirected to the Automattic home page.

redirect.mp4

With a 2FA account, I still get stuck in some sort of passkey loop which I don't understand.

passkey.mp4

@@ -9,6 +9,7 @@ androidx-activity = '1.9.3'
androidx-annotation = '1.9.1'
androidx-appcompat = '1.7.0'
androidx-arch-core = '2.2.0'
androidx-browser = '1.5.0'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that this is an outdated version of the library. The latest is 1.8.0.

public void showEmailLoginScreen(@NonNull Context context) {
CustomTabsIntent intent = new CustomTabsIntent.Builder()
.setShareState(CustomTabsIntent.SHARE_STATE_OFF)
.setStartAnimations(this, R.anim.activity_slide_up_from_bottom, R.anim.activity_slide_up_from_bottom)
Copy link
Contributor

@nbradbury nbradbury Nov 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For consistency with the other login screens, WDYT about changing this to slide in from the right, slide out to the left?

@jkmassel jkmassel force-pushed the use/webview-for-dotcom-login branch from e8ffbf9 to bd142eb Compare November 27, 2024 23:35
@jkmassel jkmassel requested a review from nbradbury November 27, 2024 23:38
@jkmassel jkmassel marked this pull request as ready for review November 27, 2024 23:38
@jkmassel jkmassel added this to the 25.5 milestone Nov 27, 2024
@jkmassel jkmassel force-pushed the use/webview-for-dotcom-login branch 2 times, most recently from ebe5b84 to 0fbfecd Compare November 28, 2024 00:19
@wpmobilebot wpmobilebot modified the milestones: 25.5, 25.6 Dec 5, 2024
@wpmobilebot
Copy link
Contributor

Version 25.5 has now entered code-freeze, so the milestone of this PR has been updated to 25.6.

Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

Copy link

codecov bot commented Dec 16, 2024

Codecov Report

Attention: Patch coverage is 2.35294% with 83 lines in your changes missing coverage. Please review.

Project coverage is 39.38%. Comparing base (8d43dbe) to head (591ec79).
Report is 1 commits behind head on release/25.6.

Files with missing lines Patch % Lines
...droid/fluxc/network/rest/wpapi/WPcomLoginClient.kt 0.00% 41 Missing ⚠️
...ress/android/ui/accounts/login/WPcomLoginHelper.kt 0.00% 29 Missing ⚠️
...icationpasswords/WPcomAuthorizationCodeResponse.kt 0.00% 6 Missing ⚠️
...roid/fluxc/network/rest/wpcom/auth/AppSecrets.java 0.00% 3 Missing ⚠️
...rg/wordpress/android/fluxc/store/AccountStore.java 0.00% 2 Missing ⚠️
...press/android/ui/accounts/LoginNavigationEvents.kt 0.00% 1 Missing ⚠️
...rdpress/android/ui/accounts/UnifiedLoginTracker.kt 66.66% 1 Missing ⚠️
Additional details and impacted files
@@               Coverage Diff                @@
##           release/25.6   #21414      +/-   ##
================================================
- Coverage         39.44%   39.38%   -0.07%     
================================================
  Files              2119     2123       +4     
  Lines             99556    99707     +151     
  Branches          15313    15332      +19     
================================================
- Hits              39269    39265       -4     
- Misses            56806    56961     +155     
  Partials           3481     3481              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@nbradbury
Copy link
Contributor

@jkmassel I continue to see this passkey issue when trying to login using an account with 2FA. I'm not sure what this is about but we'll definitely want to address this before merging.

passkey.mp4

@wpmobilebot
Copy link
Contributor

Version 25.6 has now entered code-freeze, so the milestone of this PR has been updated to 25.7.

@AdamGrzybkowski
Copy link
Contributor

AdamGrzybkowski commented Dec 23, 2024

I continue to see this passkey issue when trying to login using an account with 2FA. I'm not sure what this is about but we'll definitely want to address this before merging.

@nbradbury What do you use for Passkeys? There's a flag in Chrome that needs to be enabled to make it work with 1Password. There's info about this here.

Comment on lines +116 to +117
android:windowSoftInputMode="adjustResize"
android:exported="true">
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you're missing android:launchMode="singleTask". Without that, a new Activity is created after the OAuth flow is approved, and you can navigate back to it (that shouldn't be possible).

jetpack-launchmode.mp4

singleTop does work as well in most browsers except Firefox. So singleTask is the safe option here.

Once you add that you should handle the onNewIntent properly.

Comment on lines +475 to +482
CustomTabsIntent intent = new CustomTabsIntent.Builder()
.setShareState(CustomTabsIntent.SHARE_STATE_OFF)
.setStartAnimations(this, R.anim.activity_slide_in_from_right, R.anim.activity_slide_out_to_left)
.setExitAnimations(this, R.anim.activity_slide_in_from_left, R.anim.activity_slide_out_to_right)
.setUrlBarHidingEnabled(true)
.setInstantAppsEnabled(false)
.setShowTitle(false)
.build();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for jumping in, but since I took a look I wanted to share.

Using Custom Tabs with the magic link leads to a weird experience. Assuming you are not logged into WP in the web browser, you will have to open the email client to get the magic link. Tapping this magic link opens the web browser, not the Custom Tab which was confusing slightly. In the end, it worked, however, 3 apps were required to finish the process.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for sharing!

This is an interesting one – we might need to update the login email URLs

mAppId = appId;
mAppSecret = appSecret;
mRedirectUri = redirectUri;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nbradbury Have you run the bundle exec fastlane run configure_apply command? New secrets were added - redirectUri so you might be missing it. The OAuth flow won't work without those, the redirect URL that's expected is likely null in your case, so a web browser takes care of it, because it's not the one that's set in the AndroidManifest.xml.

@nbradbury
Copy link
Contributor

@nbradbury What do you use for Passkeys? There's a flag in Chrome that needs to be enabled to make it work with 1Password. There's info about this here.

@AdamGrzybkowski Thanks for the info, I wasn't aware of this. Is this issue something users are likely to experience?

Have you run the bundle exec fastlane run configure_apply command

I hadn't when I first tested this PR but @jkmassel made me aware I needed to do this.

@AdamGrzybkowski
Copy link
Contributor

Is this issue something users are likely to experience?

I believe so. Passkeys are still fairly new so it's not seamless everywhere.

@kean
Copy link

kean commented Jan 16, 2025

Hey, I've tested the following five scenarios. I didn't read the thread, so I apologize if it duplicates previous reports.

  1. Login with a simple login/password pair ✅
  2. Login with a password and a OTP ✅
  3. Logout/login ✅
  4. Login with a different account ⚠️
  5. Login with a passkey ❗️

In the scenario 4, after a tapped "login with a different account" (not exact copy), the browser got stuck on the following screen and I had to use pull-to-refresh to get to the login form:

In the scenario 5, I was blocked because I don't have passkeys on this device and I usually use a "use a different device option" to approve the login using my iPhone. This option on iOS shows a QR code that you scan on the device that has a passkey to approve the login. I don't know if the same option is available on Android, but it wasn't available when I tried it:

@kean
Copy link

kean commented Jan 16, 2025

Update on the scenario with a passkey. There is a workaround. If you tap "NFC security key", which obviously isn't what you need, then tap "More options", it goes back to the initial dialog, but it now shows a "Use a different phone or tablet" option, which is what I was looking for. I tried using it, and it worked.

@nbradbury nbradbury self-assigned this Jan 16, 2025
@jkmassel jkmassel changed the base branch from trunk to release/25.6 January 16, 2025 20:17
@jkmassel jkmassel force-pushed the use/webview-for-dotcom-login branch from e1368ed to fdcc438 Compare January 16, 2025 20:19
@jkmassel jkmassel requested a review from crazytonyli January 22, 2025 23:13
@jkmassel jkmassel force-pushed the use/webview-for-dotcom-login branch from d2c17a6 to 591ec79 Compare January 24, 2025 19:03
Copy link
Contributor

@nbradbury nbradbury left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is has been a long time coming, but it's now approved! :shipit:

@jkmassel jkmassel enabled auto-merge (squash) January 24, 2025 19:27
@jkmassel jkmassel merged commit 8b98532 into release/25.6 Jan 24, 2025
21 of 22 checks passed
@jkmassel jkmassel deleted the use/webview-for-dotcom-login branch January 24, 2025 19:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants