Merge pull request #8473 from woocommerce/feat/8453-check-role-eligibility

REST API: Check application password availability after logging in

Author: itsmeichigo

Networking/Networking/ApplicationPassword/ApplicationPasswordUseCase.swift

@@ -3,23 +3,23 @@ import WordPressShared
 import WordPressKit
 import enum Alamofire.AFError
 
-enum ApplicationPasswordUseCaseError: Error {
+public enum ApplicationPasswordUseCaseError: Error {
     case duplicateName
     case applicationPasswordsDisabled
     case failedToConstructLoginOrAdminURLUsingSiteAddress
 }
 
-struct ApplicationPassword {
+public struct ApplicationPassword {
     /// WordPress org username that the application password belongs to
     ///
-    let wpOrgUsername: String
+    public let wpOrgUsername: String
 
     /// Application password
     ///
-    let password: Secret<String>
+    public let password: Secret<String>
 }
 
-protocol ApplicationPasswordUseCase {
+public protocol ApplicationPasswordUseCase {
     /// Returns the locally saved ApplicationPassword if available
     ///
     var applicationPassword: ApplicationPassword? { get }
@@ -37,7 +37,7 @@ protocol ApplicationPasswordUseCase {
     func deletePassword() async throws
 }
 
-final class DefaultApplicationPasswordUseCase: ApplicationPasswordUseCase {
+final public class DefaultApplicationPasswordUseCase: ApplicationPasswordUseCase {
     /// Site Address
     ///
     private let siteAddress: String
@@ -64,10 +64,10 @@ final class DefaultApplicationPasswordUseCase: ApplicationPasswordUseCase {
         }
     }
 
-    init(username: String,
-         password: String,
-         siteAddress: String,
-         network: Network? = nil) throws {
+    public init(username: String,
+                password: String,
+                siteAddress: String,
+                network: Network? = nil) throws {
         self.siteAddress = siteAddress
         self.username = username
 
@@ -92,7 +92,7 @@ final class DefaultApplicationPasswordUseCase: ApplicationPasswordUseCase {
 
     /// Returns the locally saved ApplicationPassword if available
     ///
-    var applicationPassword: ApplicationPassword? {
+    public var applicationPassword: ApplicationPassword? {
         storage.applicationPassword
     }
 
@@ -102,7 +102,7 @@ final class DefaultApplicationPasswordUseCase: ApplicationPasswordUseCase {
     ///
     /// - Returns: Generated `ApplicationPassword` instance
     ///
-    func generateNewPassword() async throws -> ApplicationPassword {
+    public func generateNewPassword() async throws -> ApplicationPassword {
         async let password = try {
             do {
                 return try await createApplicationPassword()
@@ -121,7 +121,7 @@ final class DefaultApplicationPasswordUseCase: ApplicationPasswordUseCase {
     ///
     ///  Deletes locally and also sends an API request to delete it from the site
     ///
-    func deletePassword() async throws {
+    public func deletePassword() async throws {
         try await deleteApplicationPassword()
     }
 }

WooCommerce/Classes/Authentication/AuthenticationManager.swift

@@ -3,12 +3,15 @@ import KeychainAccess
 import WordPressAuthenticator
 import WordPressKit
 import Yosemite
+import WordPressUI
 import class Networking.UserAgent
 import enum Experiments.ABTest
 import struct Networking.Settings
 import protocol Experiments.FeatureFlagService
 import protocol Storage.StorageManagerType
-
+import protocol Networking.ApplicationPasswordUseCase
+import class Networking.DefaultApplicationPasswordUseCase
+import enum Networking.ApplicationPasswordUseCaseError
 
 /// Encapsulates all of the interactions with the WordPress Authenticator
 ///
@@ -45,6 +48,9 @@ class AuthenticationManager: Authentication {
 
     private let analytics: Analytics
 
+    /// Keep strong reference of the use case to check for application password availability if necessary.
+    private var applicationPasswordUseCase: ApplicationPasswordUseCase?
+
     init(storageManager: StorageManagerType = ServiceLocator.storageManager,
          featureFlagService: FeatureFlagService = ServiceLocator.featureFlagService,
          analytics: Analytics = ServiceLocator.analytics) {
@@ -796,15 +802,68 @@ private extension AuthenticationManager {
         return accountMismatchUI(for: site.url, siteCredentials: nil, with: matcher, in: navigationController)
     }
 
+    /// The error screen to be displayed when the user tries to log in with site credentials
+    /// with application password disabled.
+    ///
+    func applicationPasswordDisabledUI(for siteURL: String) -> UIViewController {
+        let viewModel = ApplicationPasswordDisabledViewModel(siteURL: siteURL)
+        return ULErrorViewController(viewModel: viewModel)
+    }
+
     /// Checks if the authenticated user is eligible to use the app and navigates to the home screen.
     ///
     func didAuthenticateUser(to siteURL: String,
                              with siteCredentials: WordPressOrgCredentials,
                              in navigationController: UINavigationController,
                              source: SignInSource?) {
-        // TODO: check if application password is enabled & check for role eligibility & check for Woo
-        // then navigate to home screen immediately with a placeholder store ID
-        startStorePicker(with: WooConstants.placeholderStoreID, in: navigationController)
+        // check if application password is enabled
+        guard let applicationPasswordUseCase = try? DefaultApplicationPasswordUseCase(
+            username: siteCredentials.username,
+            password: siteCredentials.password,
+            siteAddress: siteCredentials.siteURL
+        ) else {
+            return assertionFailure("⛔️ Error creating application password use case")
+        }
+        self.applicationPasswordUseCase = applicationPasswordUseCase
+        checkApplicationPassword(for: siteURL,
+                                 with: applicationPasswordUseCase,
+                                 in: navigationController) { [weak self] in
+            guard let self else { return }
+            // TODO: check for role eligibility & check for Woo
+            // navigates to home screen immediately with a placeholder store ID
+            self.startStorePicker(with: WooConstants.placeholderStoreID, in: navigationController)
+        }
+    }
+
+    func checkApplicationPassword(for siteURL: String,
+                                  with useCase: ApplicationPasswordUseCase,
+                                  in navigationController: UINavigationController, onSuccess: @escaping () -> Void) {
+        Task {
+            do {
+                let _ = try await useCase.generateNewPassword()
+                await MainActor.run {
+                    onSuccess()
+                }
+            } catch ApplicationPasswordUseCaseError.applicationPasswordsDisabled {
+                // show application password disabled error
+                await MainActor.run {
+                    let errorUI = applicationPasswordDisabledUI(for: siteURL)
+                    navigationController.show(errorUI, sender: nil)
+                }
+            } catch {
+                // show generic error
+                await MainActor.run {
+                    DDLogError("⛔️ Error generating application password: \(error)")
+                    let alert = FancyAlertViewController.makeApplicationPasswordAlert(retryAction: { [weak self] in
+                        self?.checkApplicationPassword(for: siteURL, with: useCase, in: navigationController, onSuccess: onSuccess)
+                    }, restartLoginAction: {
+                        ServiceLocator.stores.deauthenticate()
+                        navigationController.popToRootViewController(animated: true)
+                    })
+                    navigationController.present(alert, animated: true)
+                }
+            }
+        }
     }
 }
 

WooCommerce/Classes/Authentication/Navigation Exceptions/ApplicationPasswordDisabledViewModel.swift

@@ -0,0 +1,77 @@
+import UIKit
+
+/// Configuration and actions for an ULErrorViewController,
+/// modeling an error when application password is disabled.
+///
+struct ApplicationPasswordDisabledViewModel: ULErrorViewModel {
+    init(siteURL: String) {
+        self.siteURL = siteURL
+    }
+
+    let siteURL: String
+    let image: UIImage = .errorImage // TODO: update this if needed
+
+    var text: NSAttributedString {
+        let font: UIFont = .body
+        let boldFont: UIFont = font.bold
+
+        let boldSiteAddress = NSAttributedString(string: siteURL.trimHTTPScheme(),
+                                                 attributes: [.font: boldFont])
+        let message = NSMutableAttributedString(string: Localization.errorMessage)
+
+        message.replaceFirstOccurrence(of: "%@", with: boldSiteAddress)
+
+        return message
+    }
+
+    let isAuxiliaryButtonHidden = false
+    let auxiliaryButtonTitle = Localization.auxiliaryButtonTitle
+
+    let primaryButtonTitle = ""
+    let isPrimaryButtonHidden = true
+
+    let secondaryButtonTitle = Localization.secondaryButtonTitle
+
+    func viewDidLoad(_ viewController: UIViewController?) {
+        // TODO: add tracks if necessary
+    }
+
+    func didTapPrimaryButton(in viewController: UIViewController?) {
+        // no-op
+    }
+
+    func didTapSecondaryButton(in viewController: UIViewController?) {
+        ServiceLocator.stores.deauthenticate()
+        viewController?.navigationController?.popToRootViewController(animated: true)
+    }
+
+    func didTapAuxiliaryButton(in viewController: UIViewController?) {
+        guard let viewController else {
+            return
+        }
+        WebviewHelper.launch(Constants.applicationPasswordLink, with: viewController)
+    }
+}
+
+private extension ApplicationPasswordDisabledViewModel {
+    enum Localization {
+        static let errorMessage = NSLocalizedString(
+            "It seems that your site %@ has Application Password disabled. Please enable it to use the WooCommerce app.",
+            comment: "An error message displayed when the user tries to log in to the app with site credentials but has application password disabled. " +
+            "Reads like: It seems that your site google.com has Application Password disabled. " +
+            "Please enable it to use the WooCommerce app."
+        )
+        static let secondaryButtonTitle = NSLocalizedString(
+            "Log In With Another Account",
+            comment: "Action button that will restart the login flow."
+            + "Presented when the user tries to log in to the app with site credentials but has application password disabled."
+        )
+        static let auxiliaryButtonTitle = NSLocalizedString(
+            "What is Application Password?",
+            comment: "Button that will navigate to a web page explaining Application Password"
+        )
+    }
+    enum Constants {
+        static let applicationPasswordLink = "https://make.wordpress.org/core/2020/11/05/application-passwords-integration-guide/"
+    }
+}

WooCommerce/Classes/ViewRelated/AppCoordinator.swift

@@ -216,6 +216,11 @@ private extension AppCoordinator {
             return
         }
 
+        /// If authenticating with site credentials only is incomplete,
+        /// show the prologue screen to force the user to log in again.
+        guard stores.isAuthenticatedWithoutWPCom == false else {
+            return displayAuthenticatorWithOnboardingIfNeeded()
+        }
         configureAuthenticator()
 
         let matcher = ULAccountMatcher(storageManager: storageManager)

WooCommerce/Classes/ViewRelated/Fancy Alerts/FancyAlertViewController+UnifiedLogin.swift

@@ -53,6 +53,20 @@ extension FancyAlertViewController {
         let controller = FancyAlertViewController.controllerWithConfiguration(configuration: config)
         return controller
     }
+
+    static func makeApplicationPasswordAlert(retryAction: @escaping () -> Void,
+                                             restartLoginAction: @escaping () -> Void) -> FancyAlertViewController {
+        let retryButton = makeRetryButtonConfig(retryAction: retryAction)
+        let loginButton = makeLoginButtonConfig(loginAction: restartLoginAction)
+        let config = FancyAlertViewController.Config(titleText: Localization.cannotLogin,
+                                                     bodyText: Localization.applicationPasswordError,
+                                                     headerImage: nil,
+                                                     dividerPosition: .top,
+                                                     defaultButton: loginButton,
+                                                     cancelButton: retryButton)
+        let controller = FancyAlertViewController.controllerWithConfiguration(configuration: config)
+        return controller
+    }
 }
 
 
@@ -107,6 +121,16 @@ private extension FancyAlertViewController {
             comment: "Description of alert for suggestion on how to connect to a WP.com site" +
             "Presented when a user logs in with an email that does not have access to a WP.com site"
         )
+        static let applicationPasswordError = NSLocalizedString(
+            "Error fetching application password for your site.",
+            comment: "Error message displayed when application password cannot be fetched after authentication."
+        )
+        static let retryButton = NSLocalizedString("Try Again", comment: "Button to refetch application password for the current site")
+        static let retryLoginButton = NSLocalizedString("Log In With Another Account", comment: "Button to restart the login flow.")
+        static let cannotLogin = NSLocalizedString(
+            "Cannot log in",
+            comment: "Title of the alert displayed when application password cannot be fetched after authentication"
+        )
     }
 
     enum Strings {
@@ -124,6 +148,20 @@ private extension FancyAlertViewController {
         }
     }
 
+    static func makeRetryButtonConfig(retryAction: @escaping () -> Void) -> FancyAlertViewController.Config.ButtonConfig {
+        return FancyAlertViewController.Config.ButtonConfig(Localization.retryButton) { controller, _ in
+            controller.dismiss(animated: true)
+            retryAction()
+        }
+    }
+
+    static func makeLoginButtonConfig(loginAction: @escaping () -> Void) -> FancyAlertViewController.Config.ButtonConfig {
+        return FancyAlertViewController.Config.ButtonConfig(Localization.retryLoginButton) { controller, _ in
+            controller.dismiss(animated: true)
+            loginAction()
+        }
+    }
+
     static func makeLearnMoreAboutJetpackButtonConfig(analytics: Analytics) -> FancyAlertViewController.Config.ButtonConfig {
         return FancyAlertViewController.Config.ButtonConfig(Localization.learnMore) { controller, _ in
             guard let url = URL(string: Strings.whatsJetpackURLString) else {

WooCommerce/Classes/Yosemite/DefaultStoresManager.swift

@@ -61,6 +61,15 @@ class DefaultStoresManager: StoresManager {
         return state is AuthenticatedState
     }
 
+    /// Indicates if the StoresManager is currently authenticated with site credentials only.
+    ///
+    var isAuthenticatedWithoutWPCom: Bool {
+        if case .wporg = sessionManager.defaultCredentials {
+            return true
+        }
+        return false
+    }
+
     @Published private var isLoggedIn: Bool = false
 
     var isLoggedInPublisher: AnyPublisher<Bool, Never> {

WooCommerce/WooCommerce.xcodeproj/project.pbxproj

@@ -1786,6 +1786,7 @@
 		DE279BAF26EA03EA002BA963 /* ShippingLabelSinglePackageViewModelTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = DE279BAE26EA03EA002BA963 /* ShippingLabelSinglePackageViewModelTests.swift */; };
 		DE279BB126EA184A002BA963 /* ShippingLabelPackageListViewModel.swift in Sources */ = {isa = PBXBuildFile; fileRef = DE279BB026EA184A002BA963 /* ShippingLabelPackageListViewModel.swift */; };
 		DE2BF4FD2846192B00FBE68A /* CouponAllowedEmailsViewModelTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = DE2BF4FC2846192B00FBE68A /* CouponAllowedEmailsViewModelTests.swift */; };
+		DE2E8EB729547771002E4B14 /* ApplicationPasswordDisabledViewModel.swift in Sources */ = {isa = PBXBuildFile; fileRef = DE2E8EB629547771002E4B14 /* ApplicationPasswordDisabledViewModel.swift */; };
 		DE2FE5812923729A0018040A /* JetpackSetupRequiredViewModel.swift in Sources */ = {isa = PBXBuildFile; fileRef = DE2FE5802923729A0018040A /* JetpackSetupRequiredViewModel.swift */; };
 		DE2FE5832924DA2F0018040A /* JetpackSetupRequiredViewModelTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = DE2FE5822924DA2F0018040A /* JetpackSetupRequiredViewModelTests.swift */; };
 		DE2FE5862925DA050018040A /* SiteCredentialLoginView.swift in Sources */ = {isa = PBXBuildFile; fileRef = DE2FE5852925DA050018040A /* SiteCredentialLoginView.swift */; };
@@ -3847,6 +3848,7 @@
 		DE279BAE26EA03EA002BA963 /* ShippingLabelSinglePackageViewModelTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ShippingLabelSinglePackageViewModelTests.swift; sourceTree = "<group>"; };
 		DE279BB026EA184A002BA963 /* ShippingLabelPackageListViewModel.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ShippingLabelPackageListViewModel.swift; sourceTree = "<group>"; };
 		DE2BF4FC2846192B00FBE68A /* CouponAllowedEmailsViewModelTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CouponAllowedEmailsViewModelTests.swift; sourceTree = "<group>"; };
+		DE2E8EB629547771002E4B14 /* ApplicationPasswordDisabledViewModel.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ApplicationPasswordDisabledViewModel.swift; sourceTree = "<group>"; };
 		DE2FE5802923729A0018040A /* JetpackSetupRequiredViewModel.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = JetpackSetupRequiredViewModel.swift; sourceTree = "<group>"; };
 		DE2FE5822924DA2F0018040A /* JetpackSetupRequiredViewModelTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = JetpackSetupRequiredViewModelTests.swift; sourceTree = "<group>"; };
 		DE2FE5852925DA050018040A /* SiteCredentialLoginView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SiteCredentialLoginView.swift; sourceTree = "<group>"; };
@@ -8773,6 +8775,7 @@
 				DE3404E728B4B96800CF0D97 /* NonAtomicSiteViewModel.swift */,
 				DE50294C28BEF8F100551736 /* JetpackConnectionWebViewModel.swift */,
 				DE2FE5802923729A0018040A /* JetpackSetupRequiredViewModel.swift */,
+				DE2E8EB629547771002E4B14 /* ApplicationPasswordDisabledViewModel.swift */,
 			);
 			path = "Navigation Exceptions";
 			sourceTree = "<group>";
@@ -10312,6 +10315,7 @@
 				02BAB02724D13A6400F8B06E /* ProductVariationFormActionsFactory.swift in Sources */,
 				45CDAFAE2434CFCA00F83C22 /* ProductCatalogVisibilityViewController.swift in Sources */,
 				D85B8333222FABD1002168F3 /* StatusListTableViewCell.swift in Sources */,
+				DE2E8EB729547771002E4B14 /* ApplicationPasswordDisabledViewModel.swift in Sources */,
 				0259D65D2582248D003B1CD6 /* PrintShippingLabelViewController.swift in Sources */,
 				D881A31B256B5CC500FE5605 /* ULErrorViewController.swift in Sources */,
 				CE22E3F72170E23C005A6BEF /* PrivacySettingsViewController.swift in Sources */,