Account Protection: Add password detection flow

[dkmyta]

Fixes #

Proposed changes:

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

Does this pull request change what data or activity we track or use?

Testing instructions:

• Go to '..'

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the add/packages/account-protection-password-detection-flow branch.

• To test on Simple, run the following command on your sandbox:

  bin/jetpack-downloader test jetpack add/packages/account-protection-password-detection-flow
  

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  
• 🔴 Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• 🔴 Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

---

🔴 Action required: Please add missing changelog entries for the following projects: projects/packages/account-protection, projects/plugins/jetpack, projects/plugins/protect

Use the Jetpack CLI tool to generate changelog entries by running the following command: jetpack changelog add.
Guidelines: /docs/writing-a-good-changelog-entry.md

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Choose a review path based on your changes:
   • A. Team Review: add the "[Status] Needs Team Review" label
     • For most changes, including minor cross-team impacts.
     • Example: Updating a team-specific component or a small change to a shared library.
   • B. Crew Review: add the "[Status] Needs Review" label
     • For significant changes to core functionality.
     • Example: Major updates to a shared library or complex features.
   • C. Both: Start with Team, then request Crew
     • For complex changes or when you need extra confidence.
     • Example: Refactor affecting multiple systems.
3. Get at least one approval before merging.

Still unsure? Reach out in #jetpack-developers for guidance!

---

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

• WordPress.com Simple releases happen semi-continuously (PCYsg-Jjm-p2).
• WoA releases happen weekly.
• Releases to self-hosted sites happen monthly. The next release is scheduled for February 4, 2025 (scheduled code freeze on February 4, 2025).

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

---

Protect plugin:

• Next scheduled release: none scheduled.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

[ArSn]

that was probably supposed to be a .svg file? 😉

[dkmyta]

Good eye!

[ArSn]

I'm not sure if a user will have to wait 15 minutes before re-sending it, if thats what we're using the transient for. I have seen things like 1 minute or maybe 2 before.

[dkmyta]

I added this transient because we want to trigger an email when initially visiting the variant of the page that renders when we detect $_POST['reset'] (which is defined by submitting the Create new password button in the initial state of the page) and not on browser refresh. I made it a lengthier period to avoid easily duplicating the process, but if you think a shorter duration is more appropriate I am happy to reconsider.

Also note that if within that timeframe the user does not receive the email, they can resend the email using the AJAX request facilitated around the Resend email button (which does not respect the transient but does have its own internal resend limitations).

[ArSn]

does this have to be an AJAX request? and if so, why?

[dkmyta]

This is an AJAX action for the Resend button only, perhaps it can be done in a different way but this approach allowed for a more dynamic handling of the outcome:

Note that the flow is modified in the above screen capture to demo the functionality.

Open to alternative suggestions if you have any that could attain a similar outcome.

[ArSn]

Seems to make sense. I'm just always wary with adding the whole complexity that an AJAX request brings when it could just be a normal request refreshing the site. And it sure could, but I can see how this can feel better from the user perspective.

[ArSn]

This is just a gut feeling, but this method echos so much HTML, that I think it might be wise to end PHP and start it again, only for the dynamic parts? Not sure if you tried that before and it actually looked worse, though

[dkmyta]

I was specifically interested in your opinion on this approach. I took the template approach initially with /templates/password-detection-template.php (opening and closing PHP accordingly) and then used an include in the main render_password_detection_page method, however, because the variables are defined in the method, and used in the template, the linter kept erroring out - no matter how attempted to approach it another issue surfaced (despite it actually working).

I opted for using the method here which resolved those errors but attempting to supply the HTML in the same fashion caused nothing to render. If this is your recommendation I'll attempt it again, but I am mostly curious about your take on the template approach as it seemed a lot cleaner/better organized - if you agree, and I can't figure out a solution to resolve the lint errors do you think it's safe to disable the lines?

UPDATE: Don't know what I doing wrong before but updated the method to open and close PHP instead of echoing all the HTML out, works fine - regardless, still interested in you opinion on the template use.

[ArSn]

The one advantage of ending/starting PHP is that (most) IDEs will properly display HTML syntax and stuff, but (most) not when it is in PHP strings as here.