REST API: Custom cookie nonce authenticator

[itsmeichigo]

Part of #8453

Description

There has been an ongoing issue with handling cookie-nonce authentication for Pressable sites (also mentioned by @joshheald in #8587). This blocks testing for these sites and can be an issue on production as well (though not reproducible or reported yet).

Previously we were using WordPressKit's CookieNonceAuthenticator to handle the authentication, but there's a potential issue with using the cookie nonce retrieval URL as the redirect URL for the login request.

This PR creates an updated authenticator that handles nonce retrieval as a separate request. This seems to fix the failures on Pressable sites. I'm not creating a PR to WordPressKit to avoid affecting other apps that are using this library.

Also: in order to avoid confusion, this PR also renames the existing RequestAuthenticator, RequestProcessor with the ApplicationPassword prefix.

Due to time constraints, unit tests for the authenticator will be added in a future PR.

Testing instructions

Pre-requisite: Make sure that you have a test site hosted on Pressable.

• Enable the feature flag applicationPasswordAuthenticationForSiteCredentialLogin and build the app.
• Log out of the app or skip onboarding if needed.
• On the prologue screen, select Enter your site address and proceed with the address of your test site.
• Log in with your site credentials. Notice that the login succeeds.
• Please feel free to try a few times again to make sure that the authentication succeeds in case the failure is not consistent.

Screenshots

N/A

---

• I have considered if this change warrants user-facing release notes and have added them to RELEASE-NOTES.txt if necessary.

[wpmobilebot]

You can test the changes from this Pull Request by:

• Clicking here or scanning the QR code below to access App Center
• Then installing the build number pr8659-d820410 on your iPhone

If you need access to App Center, please ask a maintainer to add you.

[jaclync]

Login works with multiple Pressable sites! had some clarifying questions, feel free to merge to unblock testing other PRs

[jaclync]

Maybe @selanthiraiyan can confirm the renaming of these classes since you created them? I didn't know they're only used in the application password context when I reviewed the previous PR on these classes.

[itsmeichigo]

The processor triggers generating application passwords when retrying requests, so it is specific to application password authentication only. I renamed this to avoid confusion with any other authentication method.

[selanthiraiyan]

I am afraid that using ApplicationPassword as a prefix wouldn't make sense here.

The RequestProcessor handles authentication for both WPCOM token and application password cases. RequestProcessor uses DefaultRequestAuthenticator to perform the authentication here

Extra info: Only REST requests are retried, and errors from other requests are just passed through. Due to this method in AlamofireNetwork

[jaclync]

nit: do we want to rename the test case name & file name as well?

[itsmeichigo]

Good catch, updated in d820410.

[jaclync]

❓ the comment seems to contradict the code canRetry = true? 🤔 my interpretation of the comment is that we're not retrying.

[itsmeichigo]

This comment is meant to say that we should allow retrying only once, but I've removed the comment since it can be misleading.

[jaclync]

super nit:

Suggested change

	guard let nonce = nonce else {
	guard let nonce else {

[itsmeichigo]

Done in 22c6ef0.

[jaclync]

it'd be helpful to have some notes on the differences from the implementation in WordPressKit, so that it's easier to understand the changes since most of us aren't familiar with the cookie nonce auth 🙂

[itsmeichigo]

Comment added in 3be18f8 and 67ec443.

[jaclync]

❓ how is the priority determined? just thought the login request might be the top priority so that the user can log in.

[itsmeichigo]

I think for networking requests, we want to use priorities lower than .userInitiated to avoid blocking the UI. .medium is my go-to for higher-priority networking requests - I hope that makes sense.

[jaclync]

❓ when I was comparing the implementation with the WordPressKit version, there was a check on version 5.3.0 (I assume it's the WP version) to use the ajax URL. just confirming that we don't need this check anymore?

[itsmeichigo]

That's true, we want to support only sites with WP from 5.6.0 to handle application passwords. This means only ajax nonce retrieval is needed. I updated the comment for the authenticator in 67ec443.

[jaclync]

❓ it looks like the request does not include a redirect_to URL anymore from the WPKit implementation, is it one of the major changes that fix the issue?

[itsmeichigo]

Yes, that's the objective for this PR 😄.

[jaclync]

nit: maybe can simplify?

Suggested change

	guard !html.isEmpty else {
	return nil
	}
	return html
	html.isEmpty ? nil: html

[itsmeichigo]

I'm merging this PR to avoid blocking other PRs. @selanthiraiyan - if there's any issue with the renaming, I'll update it in a future PR.

[selanthiraiyan]

Thanks for the ping @itsmeichigo !

I am afraid that adding ApplicationPassword prefix to the name wouldn't be right. Added my comment to the original thread here https://github.com/woocommerce/woocommerce-ios/pull/8659/files#r1073281562