-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use a webview for WP.com login #21414
Conversation
Generated by 🚫 Danger |
📲 You can test the changes from this Pull Request in WordPress by scanning the QR code below to install the corresponding build.
|
📲 You can test the changes from this Pull Request in Jetpack by scanning the QR code below to install the corresponding build.
|
|
||
runBlocking { | ||
val tokenResult = loginClient.exchangeAuthCodeForToken(code, BuildConfig.OAUTH_REDIRECT_URI) | ||
accountStore.updateAccessToken(tokenResult.getOrThrow()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you'd want to check if the token belongs to the current user before saving it. Users can log in with any account from the login webpage.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be for first-time authentication only – I'm thinking we'll want a reauthenticate
method that does what you say – forces login to a specific account
@jkmassel I'm running into some issues with this. When I try to login with a 2FA account, I see this screen and can't go any further: If I try with a non-2FA account, after I login I'm not redirected to the app - instead I'm still in the browser. Is this intended? I also did not expect to be taken to the browser to login. Is it not possible to do this in a WebView within the app? wplogin.mp4 |
@@ -113,7 +113,18 @@ | |||
<activity | |||
android:name=".ui.accounts.LoginActivity" | |||
android:theme="@style/LoginTheme.TransparentSystemBars" | |||
android:windowSoftInputMode="adjustResize" /> | |||
android:windowSoftInputMode="adjustResize" | |||
android:exported="true"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sonarcloud flags this as a security risk. Does it need to be exported?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My understanding is that this was required in order to handle custom URL schemes, but I might be incorrect!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I suspect you're right about that. This Sonarcloud page mentions ways to fix this warning.
That's really odd – I wonder if maybe the app needs to be fully uninstalled? You're being redirected to
Good question! I had assumed that we'd want to use the default browser for password managers, etc – if we can do it in an in-app browser that would be nicer for sure. |
I tried again, this time using a new emulator instance (so no previous install), and I'm still seeing this behavior. |
Project dependencies changesThe following changes in project dependencies were detected (configuration list
tree+\--- androidx.browser:browser:1.5.0 -> 1.8.0 (*) |
eb5c5a5
to
d93b1f8
Compare
@nbradbury – could you give this a try again? It now uses Chrome Tabs in-app, which should share all of password management goodness we need. I tried it with a Google-synced passkey and it worked, and I tried with a Yubikey and that worked too (on my ancient Galaxy S9) so I'm hopeful it works for you too! |
@jkmassel Chrome Custom tabs is a much better solution, but I'm still seeing issues. With a non-2FA account, I end up being redirected to the Automattic home page. redirect.mp4With a 2FA account, I still get stuck in some sort of passkey loop which I don't understand. passkey.mp4 |
@@ -9,6 +9,7 @@ androidx-activity = '1.9.3' | |||
androidx-annotation = '1.9.1' | |||
androidx-appcompat = '1.7.0' | |||
androidx-arch-core = '2.2.0' | |||
androidx-browser = '1.5.0' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that this is an outdated version of the library. The latest is 1.8.0.
public void showEmailLoginScreen(@NonNull Context context) { | ||
CustomTabsIntent intent = new CustomTabsIntent.Builder() | ||
.setShareState(CustomTabsIntent.SHARE_STATE_OFF) | ||
.setStartAnimations(this, R.anim.activity_slide_up_from_bottom, R.anim.activity_slide_up_from_bottom) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For consistency with the other login screens, WDYT about changing this to slide in from the right, slide out to the left?
e8ffbf9
to
bd142eb
Compare
ebe5b84
to
0fbfecd
Compare
Version |
Quality Gate failedFailed conditions See analysis details on SonarQube Cloud Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## release/25.6 #21414 +/- ##
================================================
- Coverage 39.44% 39.38% -0.07%
================================================
Files 2119 2123 +4
Lines 99556 99707 +151
Branches 15313 15332 +19
================================================
- Hits 39269 39265 -4
- Misses 56806 56961 +155
Partials 3481 3481 ☔ View full report in Codecov by Sentry. |
@jkmassel I continue to see this passkey issue when trying to login using an account with 2FA. I'm not sure what this is about but we'll definitely want to address this before merging. passkey.mp4 |
Version |
@nbradbury What do you use for Passkeys? There's a flag in Chrome that needs to be enabled to make it work with 1Password. There's info about this here. |
android:windowSoftInputMode="adjustResize" | ||
android:exported="true"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you're missing android:launchMode="singleTask"
. Without that, a new Activity is created after the OAuth flow is approved, and you can navigate back to it (that shouldn't be possible).
jetpack-launchmode.mp4
singleTop
does work as well in most browsers except Firefox. So singleTask
is the safe option here.
Once you add that you should handle the onNewIntent
properly.
CustomTabsIntent intent = new CustomTabsIntent.Builder() | ||
.setShareState(CustomTabsIntent.SHARE_STATE_OFF) | ||
.setStartAnimations(this, R.anim.activity_slide_in_from_right, R.anim.activity_slide_out_to_left) | ||
.setExitAnimations(this, R.anim.activity_slide_in_from_left, R.anim.activity_slide_out_to_right) | ||
.setUrlBarHidingEnabled(true) | ||
.setInstantAppsEnabled(false) | ||
.setShowTitle(false) | ||
.build(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for jumping in, but since I took a look I wanted to share.
Using Custom Tabs with the magic link leads to a weird experience. Assuming you are not logged into WP in the web browser, you will have to open the email client to get the magic link. Tapping this magic link opens the web browser, not the Custom Tab which was confusing slightly. In the end, it worked, however, 3 apps were required to finish the process.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for sharing!
This is an interesting one – we might need to update the login email URLs
mAppId = appId; | ||
mAppSecret = appSecret; | ||
mRedirectUri = redirectUri; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nbradbury Have you run the bundle exec fastlane run configure_apply
command? New secrets were added - redirectUri
so you might be missing it. The OAuth flow won't work without those, the redirect URL that's expected is likely null in your case, so a web browser takes care of it, because it's not the one that's set in the AndroidManifest.xml
.
@AdamGrzybkowski Thanks for the info, I wasn't aware of this. Is this issue something users are likely to experience?
I hadn't when I first tested this PR but @jkmassel made me aware I needed to do this. |
I believe so. Passkeys are still fairly new so it's not seamless everywhere. |
355774f
to
e1368ed
Compare
e1368ed
to
fdcc438
Compare
It’s not a secret
d2c17a6
to
591ec79
Compare
Quality Gate passedIssues Measures |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is has been a long time coming, but it's now approved!
Fixes a fairly common login issue reported in https://a8c.slack.com/archives/C02AVAR9B/p1728576885606729.
To Test:
Regression Notes
Potential unintended areas of impact
Could be other issues around login – I tried very narrowly address the issue in this PR – nothing has been removed, so everything should work like it did before (for instance, use re-authentication).
What I did to test those areas of impact (or what existing automated tests I relied on)
n/a
What automated tests I added (or what prevented me from doing so)
There wouldn't be a lot of benefit to automated tests at this point.
PR Submission Checklist:
RELEASE-NOTES.txt
if necessary.Testing Checklist (strike-out the not-applying and unnecessary ones):