REST API: Custom cookie nonce authenticator #8659

itsmeichigo · 2023-01-17T04:51:47Z

Part of #8453

Description

There has been an ongoing issue with handling cookie-nonce authentication for Pressable sites (also mentioned by @joshheald in #8587). This blocks testing for these sites and can be an issue on production as well (though not reproducible or reported yet).

Previously we were using WordPressKit's CookieNonceAuthenticator to handle the authentication, but there's a potential issue with using the cookie nonce retrieval URL as the redirect URL for the login request.

This PR creates an updated authenticator that handles nonce retrieval as a separate request. This seems to fix the failures on Pressable sites. I'm not creating a PR to WordPressKit to avoid affecting other apps that are using this library.

Also: in order to avoid confusion, this PR also renames the existing RequestAuthenticator, RequestProcessor with the ApplicationPassword prefix.

Due to time constraints, unit tests for the authenticator will be added in a future PR.

Testing instructions

Pre-requisite: Make sure that you have a test site hosted on Pressable.

Enable the feature flag applicationPasswordAuthenticationForSiteCredentialLogin and build the app.
Log out of the app or skip onboarding if needed.
On the prologue screen, select Enter your site address and proceed with the address of your test site.
Log in with your site credentials. Notice that the login succeeds.
Please feel free to try a few times again to make sure that the authentication succeeds in case the failure is not consistent.

Screenshots

N/A

I have considered if this change warrants user-facing release notes and have added them to RELEASE-NOTES.txt if necessary.

…stAuthenticator

…icatorError

wpmobilebot · 2023-01-17T05:12:14Z

You can test the changes from this Pull Request by:

Clicking here or scanning the QR code below to access App Center
Then installing the build number pr8659-d820410 on your iPhone

If you need access to App Center, please ask a maintainer to add you.

jaclync

Login works with multiple Pressable sites! had some clarifying questions, feel free to merge to unblock testing other PRs

jaclync · 2023-01-18T01:24:05Z

Networking/Networking/ApplicationPassword/ApplicationPasswordRequestProcessor.swift

 /// Authenticates and retries requests
 ///
-final class RequestProcessor {
+final class ApplicationPasswordRequestProcessor {


Maybe @selanthiraiyan can confirm the renaming of these classes since you created them? I didn't know they're only used in the application password context when I reviewed the previous PR on these classes.

The processor triggers generating application passwords when retrying requests, so it is specific to application password authentication only. I renamed this to avoid confusion with any other authentication method.

I am afraid that using ApplicationPassword as a prefix wouldn't make sense here.

The RequestProcessor handles authentication for both WPCOM token and application password cases. RequestProcessor uses DefaultRequestAuthenticator to perform the authentication here

Extra info: Only REST requests are retried, and errors from other requests are just passed through. Due to this method in AlamofireNetwork

jaclync · 2023-01-18T01:26:56Z

Networking/NetworkingTests/ApplicationPassword/RequestProcessorTests.swift


 /// RequestProcessor Unit Tests
 ///
 final class RequestProcessorTests: XCTestCase {


nit: do we want to rename the test case name & file name as well?

Good catch, updated in d820410.

jaclync · 2023-01-18T01:34:25Z