Add new error type for failure to handle auth challenge

itsmeichigo · itsmeichigo · commit 34ef34d79f9a · 2025-11-21T11:34:02.000+07:00
diff --git a/WooCommerce/Classes/Authentication/Application Password/ApplicationPasswordTutorialViewModel.swift b/WooCommerce/Classes/Authentication/Application Password/ApplicationPasswordTutorialViewModel.swift
@@ -23,6 +23,8 @@ struct ApplicationPasswordTutorialViewModel {
                                      comment: "Reason for why the user could not login tin the application password tutorial screen")
         case .invalidCredentials:
             return error.localizedDescription
+        case .failedAuthenticationChallenge:
+            fatalError("Failure to handle authentication challenge is not eligible for application password flow.")
         }
     }
 }
diff --git a/WooCommerce/Classes/Authentication/AuthenticationManager.swift b/WooCommerce/Classes/Authentication/AuthenticationManager.swift
@@ -363,7 +363,9 @@ extension AuthenticationManager: WordPressAuthenticatorDelegate {
 
         let isAppPasswordAuthError = {
             switch error {
-            case SiteCredentialLoginError.genericFailure, SiteCredentialLoginError.invalidCredentials:
+            case SiteCredentialLoginError.genericFailure,
+                SiteCredentialLoginError.invalidCredentials,
+                SiteCredentialLoginError.failedAuthenticationChallenge:
                 return false
             case is SiteCredentialLoginError:
                 return true
diff --git a/WooCommerce/Classes/Authentication/SiteCredentialLoginUseCase.swift b/WooCommerce/Classes/Authentication/SiteCredentialLoginUseCase.swift
@@ -15,6 +15,7 @@ enum SiteCredentialLoginError: LocalizedError {
     case inaccessibleLoginPage
     case inaccessibleAdminPage
     case unacceptableStatusCode(code: Int)
+    case failedAuthenticationChallenge
     case genericFailure(underlyingError: Error)
 
     /// Used for tracking error code
@@ -26,7 +27,8 @@ enum SiteCredentialLoginError: LocalizedError {
              .invalidLoginResponse,
              .invalidCredentials,
              .loginFailed,
-             .unacceptableStatusCode:
+             .unacceptableStatusCode,
+             .failedAuthenticationChallenge:
             return NSError(domain: Self.errorDomain, code: errorCode, userInfo: [NSLocalizedDescriptionKey: errorMessage])
         case .genericFailure(let underlyingError):
             return underlyingError as NSError
@@ -45,6 +47,8 @@ enum SiteCredentialLoginError: LocalizedError {
             return 401
         case .unacceptableStatusCode(let code):
             return code
+        case .failedAuthenticationChallenge:
+            return -2
         case .genericFailure(let underlyingError):
             return (underlyingError as NSError).code
         }
@@ -64,6 +68,8 @@ enum SiteCredentialLoginError: LocalizedError {
             return message
         case .unacceptableStatusCode(let code):
             return String(format: Localization.unacceptableStatusCode, code)
+        case .failedAuthenticationChallenge:
+            return Localization.failedAuthenticationChallenge
         case .genericFailure:
             return ""
         }
@@ -83,7 +89,8 @@ enum SiteCredentialLoginError: LocalizedError {
             comment: "Error message explaining login failure due to blocked WP Admin page"
         )
         static let invalidLoginResponse = NSLocalizedString(
-            "Unable to login due to an unexpected response from your site. We are working on fixing this issue.",
+            "siteCredentialLoginError.invalidLoginResponse.message",
+            value: "Unable to login due to an unexpected response from your site.",
             comment: "Error message explaining login failure due to unexpected response."
         )
         static let unacceptableStatusCode = NSLocalizedString(
@@ -94,6 +101,11 @@ enum SiteCredentialLoginError: LocalizedError {
             "It seems the username or password you entered doesn't quite match. Double-check your credentials and try again.",
             comment: "Error message explaining login failure due to invalid credentials."
         )
+        static let failedAuthenticationChallenge = NSLocalizedString(
+            "siteCredentialLoginError.failedAuthenticationChallenge.message",
+            value: "Unable to log in due to an unexpected security measure on your store. Please contact support for troubleshooting.",
+            comment: "Error message explaining login failure due to an unexpected authentication challenge."
+        )
     }
 }
 
@@ -104,12 +116,24 @@ enum SiteCredentialLoginError: LocalizedError {
 /// - If the request does not redirect or the redirect fails, login fails.
 /// Ref: pe5sF9-1iQ-p2
 ///
-final class SiteCredentialLoginUseCase: NSObject, SiteCredentialLoginProtocol {
+final class SiteCredentialLoginUseCase: NSObject, SiteCredentialLoginProtocol, URLSessionTaskDelegate {
     private let siteURL: String
     private let cookieJar: HTTPCookieStorage
     private var successHandler: (() -> Void)?
     private var errorHandler: ((SiteCredentialLoginError) -> Void)?
-    private lazy var session = URLSession(configuration: .default)
+
+    private var receivedAuthChallengeMethod: String?
+
+    private lazy var session = {
+        var configuration = URLSessionConfiguration.default
+        configuration.timeoutIntervalForResource = 60
+        return URLSession(configuration: configuration, delegate: self, delegateQueue: nil)
+    }()
+
+    static let supportedAuthChallengeMethods = [
+        NSURLAuthenticationMethodServerTrust,
+        NSURLAuthenticationMethodHTTPBasic
+    ]
 
     init(siteURL: String,
          cookieJar: HTTPCookieStorage = HTTPCookieStorage.shared) {
@@ -128,18 +152,26 @@ final class SiteCredentialLoginUseCase: NSObject, SiteCredentialLoginProtocol {
         // Old cookies can make the login succeeds even with incorrect credentials
         // So we need to clear all cookies before login.
         clearAllCookies()
+
+        receivedAuthChallengeMethod = nil
+
         guard let loginRequest = buildLoginRequest(username: username, password: password) else {
             DDLogError("⛔️ Error constructing login requests")
             return
         }
+
         Task { @MainActor in
             do {
                 try await startLogin(with: loginRequest)
                 successHandler?()
             } catch let error as SiteCredentialLoginError {
                 errorHandler?(error)
             } catch {
-                errorHandler?(.genericFailure(underlyingError: error as NSError))
+                if receivedAuthChallengeMethod != nil {
+                    errorHandler?(.failedAuthenticationChallenge)
+                } else {
+                    errorHandler?(.genericFailure(underlyingError: error as NSError))
+                }
             }
         }
     }
@@ -293,3 +325,14 @@ private extension String {
         return wholeMatch(of: regex) != nil
     }
 }
+
+// MARK: - URLSessionTaskDelegate
+extension SiteCredentialLoginUseCase {
+    func urlSession(_ session: URLSession,
+                    didReceive challenge: URLAuthenticationChallenge,
+                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
+        let authMethod = challenge.protectionSpace.authenticationMethod
+        receivedAuthChallengeMethod = authMethod
+        completionHandler(.performDefaultHandling, nil)
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ struct ApplicationPasswordTutorialViewModel {`
`23`	`23`	`comment: "Reason for why the user could not login tin the application password tutorial screen")`
`24`	`24`	`case .invalidCredentials:`
`25`	`25`	`return error.localizedDescription`
	`26`	`+ case .failedAuthenticationChallenge:`
	`27`	`+ fatalError("Failure to handle authentication challenge is not eligible for application password flow.")`
`26`	`28`	`}`
`27`	`29`	`}`
`28`	`30`	`}`