Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use a webview for WP.com login #21414

Open
wants to merge 11 commits into
base: trunk
Choose a base branch
from
Open

Conversation

jkmassel
Copy link
Contributor

@jkmassel jkmassel commented Nov 4, 2024

Fixes a fairly common login issue reported in https://a8c.slack.com/archives/C02AVAR9B/p1728576885606729.


To Test:

  • Install both Jetpack and WordPress.
  • Try logging into WP.com
  • Note that it works

Regression Notes

  1. Potential unintended areas of impact
    Could be other issues around login – I tried very narrowly address the issue in this PR – nothing has been removed, so everything should work like it did before (for instance, use re-authentication).

  2. What I did to test those areas of impact (or what existing automated tests I relied on)
    n/a

  3. What automated tests I added (or what prevented me from doing so)
    There wouldn't be a lot of benefit to automated tests at this point.


PR Submission Checklist:

  • I have completed the Regression Notes.
  • I have considered adding accessibility improvements for my changes.
  • I have considered if this change warrants user-facing release notes and have added them to RELEASE-NOTES.txt if necessary.

Testing Checklist (strike-out the not-applying and unnecessary ones):

  • WordPress.com sites and self-hosted Jetpack sites.
  • Portrait and landscape orientations.
  • Light and dark modes.
  • Fonts: Larger, smaller and bold text.
  • High contrast.
  • Talkback.
  • Languages with large words or with letters/accents not frequently used in English.
  • Right-to-left languages. (Even if translation isn’t complete, formatting should still respect the right-to-left layout)
  • Large and small screen sizes. (Tablet and smaller phones)
  • Multi-tasking: Split screen and Pop-up view. (Android 10 or higher)

@dangermattic
Copy link
Collaborator

dangermattic commented Nov 4, 2024

5 Warnings
⚠️ Class WPcomLoginHelper is missing tests, but unit-tests-exemption label was set to ignore this.
⚠️ Class ServiceConnection is missing tests, but unit-tests-exemption label was set to ignore this.
⚠️ Class WPcomLoginClient is missing tests, but unit-tests-exemption label was set to ignore this.
⚠️ Class WPcomLoginError is missing tests, but unit-tests-exemption label was set to ignore this.
⚠️ This PR is assigned to the milestone 25.7. The due date for this milestone has already passed.
Please assign it to a milestone with a later deadline or check whether the release for this milestone has already been finished.

Generated by 🚫 Danger

@wpmobilebot
Copy link
Contributor

wpmobilebot commented Nov 4, 2024

WordPress📲 You can test the changes from this Pull Request in WordPress by scanning the QR code below to install the corresponding build.
App NameWordPress WordPress
FlavorJalapeno
Build TypeDebug
Versionpr21414-355774f
Commit355774f
Direct Downloadwordpress-prototype-build-pr21414-355774f.apk
Note: Google Login is not supported on these builds.

@wpmobilebot
Copy link
Contributor

wpmobilebot commented Nov 4, 2024

Jetpack📲 You can test the changes from this Pull Request in Jetpack by scanning the QR code below to install the corresponding build.
App NameJetpack Jetpack
FlavorJalapeno
Build TypeDebug
Versionpr21414-355774f
Commit355774f
Direct Downloadjetpack-prototype-build-pr21414-355774f.apk
Note: Google Login is not supported on these builds.


runBlocking {
val tokenResult = loginClient.exchangeAuthCodeForToken(code, BuildConfig.OAUTH_REDIRECT_URI)
accountStore.updateAccessToken(tokenResult.getOrThrow())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you'd want to check if the token belongs to the current user before saving it. Users can log in with any account from the login webpage.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be for first-time authentication only – I'm thinking we'll want a reauthenticate method that does what you say – forces login to a specific account

@nbradbury
Copy link
Contributor

nbradbury commented Nov 5, 2024

@jkmassel I'm running into some issues with this. When I try to login with a 2FA account, I see this screen and can't go any further:

passkey

If I try with a non-2FA account, after I login I'm not redirected to the app - instead I'm still in the browser. Is this intended? I also did not expect to be taken to the browser to login. Is it not possible to do this in a WebView within the app?

wplogin.mp4

@@ -113,7 +113,18 @@
<activity
android:name=".ui.accounts.LoginActivity"
android:theme="@style/LoginTheme.TransparentSystemBars"
android:windowSoftInputMode="adjustResize" />
android:windowSoftInputMode="adjustResize"
android:exported="true">
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sonarcloud flags this as a security risk. Does it need to be exported?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding is that this was required in order to handle custom URL schemes, but I might be incorrect!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I suspect you're right about that. This Sonarcloud page mentions ways to fix this warning.

@jkmassel
Copy link
Contributor Author

jkmassel commented Nov 5, 2024

If I try with a non-2FA account, after I login I'm not redirected to the app - instead I'm still in the browser. Is this intended?

That's really odd – I wonder if maybe the app needs to be fully uninstalled? You're being redirected to http://android.a8c.com, which is the old behaviour 🤔

Is it not possible to do this in a WebView within the app

Good question! I had assumed that we'd want to use the default browser for password managers, etc – if we can do it in an in-app browser that would be nicer for sure.

@nbradbury
Copy link
Contributor

That's really odd – I wonder if maybe the app needs to be fully uninstalled? You're being redirected to http://android.a8c.com, which is the old behaviour

I tried again, this time using a new emulator instance (so no previous install), and I'm still seeing this behavior.

@wpmobilebot
Copy link
Contributor

Project dependencies changes

The following changes in project dependencies were detected (configuration wordpressVanillaReleaseRuntimeClasspath):

list

tree
+\--- androidx.browser:browser:1.5.0 -> 1.8.0 (*)

@jkmassel jkmassel force-pushed the use/webview-for-dotcom-login branch from eb5c5a5 to d93b1f8 Compare November 18, 2024 22:07
@jkmassel
Copy link
Contributor Author

@nbradbury – could you give this a try again? It now uses Chrome Tabs in-app, which should share all of password management goodness we need.

I tried it with a Google-synced passkey and it worked, and I tried with a Yubikey and that worked too (on my ancient Galaxy S9) so I'm hopeful it works for you too!

@jkmassel jkmassel requested a review from nbradbury November 18, 2024 22:08
@nbradbury
Copy link
Contributor

could you give this a try again? It now uses Chrome Tabs in-app, which should share all of password management goodness we need.

@jkmassel Chrome Custom tabs is a much better solution, but I'm still seeing issues. With a non-2FA account, I end up being redirected to the Automattic home page.

redirect.mp4

With a 2FA account, I still get stuck in some sort of passkey loop which I don't understand.

passkey.mp4

@@ -9,6 +9,7 @@ androidx-activity = '1.9.3'
androidx-annotation = '1.9.1'
androidx-appcompat = '1.7.0'
androidx-arch-core = '2.2.0'
androidx-browser = '1.5.0'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that this is an outdated version of the library. The latest is 1.8.0.

public void showEmailLoginScreen(@NonNull Context context) {
CustomTabsIntent intent = new CustomTabsIntent.Builder()
.setShareState(CustomTabsIntent.SHARE_STATE_OFF)
.setStartAnimations(this, R.anim.activity_slide_up_from_bottom, R.anim.activity_slide_up_from_bottom)
Copy link
Contributor

@nbradbury nbradbury Nov 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For consistency with the other login screens, WDYT about changing this to slide in from the right, slide out to the left?

@jkmassel jkmassel force-pushed the use/webview-for-dotcom-login branch from e8ffbf9 to bd142eb Compare November 27, 2024 23:35
@jkmassel jkmassel requested a review from nbradbury November 27, 2024 23:38
@jkmassel jkmassel marked this pull request as ready for review November 27, 2024 23:38
@jkmassel jkmassel added this to the 25.5 milestone Nov 27, 2024
@jkmassel jkmassel force-pushed the use/webview-for-dotcom-login branch from bd142eb to 917cb9b Compare November 27, 2024 23:44
@jkmassel jkmassel force-pushed the use/webview-for-dotcom-login branch from ebe5b84 to 0fbfecd Compare November 28, 2024 00:19
@wpmobilebot wpmobilebot modified the milestones: 25.5, 25.6 Dec 5, 2024
@wpmobilebot
Copy link
Contributor

Version 25.5 has now entered code-freeze, so the milestone of this PR has been updated to 25.6.

Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

Copy link

codecov bot commented Dec 16, 2024

Codecov Report

Attention: Patch coverage is 2.35294% with 83 lines in your changes missing coverage. Please review.

Project coverage is 39.38%. Comparing base (34c994a) to head (355774f).

Files with missing lines Patch % Lines
...droid/fluxc/network/rest/wpapi/WPcomLoginClient.kt 0.00% 41 Missing ⚠️
...ress/android/ui/accounts/login/WPcomLoginHelper.kt 0.00% 29 Missing ⚠️
...icationpasswords/WPcomAuthorizationCodeResponse.kt 0.00% 6 Missing ⚠️
...roid/fluxc/network/rest/wpcom/auth/AppSecrets.java 0.00% 3 Missing ⚠️
...rg/wordpress/android/fluxc/store/AccountStore.java 0.00% 2 Missing ⚠️
...press/android/ui/accounts/LoginNavigationEvents.kt 0.00% 1 Missing ⚠️
...rdpress/android/ui/accounts/UnifiedLoginTracker.kt 66.66% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##            trunk   #21414      +/-   ##
==========================================
- Coverage   39.44%   39.38%   -0.06%     
==========================================
  Files        2119     2125       +6     
  Lines       99556    99711     +155     
  Branches    15313    15333      +20     
==========================================
+ Hits        39269    39273       +4     
- Misses      56806    56957     +151     
  Partials     3481     3481              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@nbradbury
Copy link
Contributor

@jkmassel I continue to see this passkey issue when trying to login using an account with 2FA. I'm not sure what this is about but we'll definitely want to address this before merging.

passkey.mp4

@wpmobilebot wpmobilebot modified the milestones: 25.6, 25.7 Dec 16, 2024
@wpmobilebot
Copy link
Contributor

Version 25.6 has now entered code-freeze, so the milestone of this PR has been updated to 25.7.

@AdamGrzybkowski
Copy link
Contributor

AdamGrzybkowski commented Dec 23, 2024

I continue to see this passkey issue when trying to login using an account with 2FA. I'm not sure what this is about but we'll definitely want to address this before merging.

@nbradbury What do you use for Passkeys? There's a flag in Chrome that needs to be enabled to make it work with 1Password. There's info about this here.

Comment on lines +116 to +117
android:windowSoftInputMode="adjustResize"
android:exported="true">
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you're missing android:launchMode="singleTask". Without that, a new Activity is created after the OAuth flow is approved, and you can navigate back to it (that shouldn't be possible).

jetpack-launchmode.mp4

singleTop does work as well in most browsers except Firefox. So singleTask is the safe option here.

Once you add that you should handle the onNewIntent properly.

Comment on lines +475 to +482
CustomTabsIntent intent = new CustomTabsIntent.Builder()
.setShareState(CustomTabsIntent.SHARE_STATE_OFF)
.setStartAnimations(this, R.anim.activity_slide_in_from_right, R.anim.activity_slide_out_to_left)
.setExitAnimations(this, R.anim.activity_slide_in_from_left, R.anim.activity_slide_out_to_right)
.setUrlBarHidingEnabled(true)
.setInstantAppsEnabled(false)
.setShowTitle(false)
.build();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for jumping in, but since I took a look I wanted to share.

Using Custom Tabs with the magic link leads to a weird experience. Assuming you are not logged into WP in the web browser, you will have to open the email client to get the magic link. Tapping this magic link opens the web browser, not the Custom Tab which was confusing slightly. In the end, it worked, however, 3 apps were required to finish the process.

mAppId = appId;
mAppSecret = appSecret;
mRedirectUri = redirectUri;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nbradbury Have you run the bundle exec fastlane run configure_apply command? New secrets were added - redirectUri so you might be missing it. The OAuth flow won't work without those, the redirect URL that's expected is likely null in your case, so a web browser takes care of it, because it's not the one that's set in the AndroidManifest.xml.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants