Auto-mint application password before showing the My Site card

Before the "Authenticate using Application Password" card is shown on
My Site, attempt headless creation via the new
`SiteStore.createApplicationPassword(site)` (which routes through the
existing Jetpack tunnel and persists credentials onto the SiteModel so
`siteHasBadCredentials` flips). On Created/Existing we hide the card;
on NotSupported/Failure we fall back to today's discovery + Custom Tab
prompt.

This makes the Atomic guard relaxation actually user-visible — Atomic
users no longer see the card or have to authorize through a browser.

Author: jkmassel

WordPress/src/main/java/org/wordpress/android/ui/mysite/cards/applicationpassword/ApplicationPasswordViewModelSlice.kt

@@ -184,6 +184,21 @@ class ApplicationPasswordViewModelSlice @Inject constructor(
                 return@launch
             }
 
+            // Headless mint short-circuits the Custom Tab flow for sites the WP.com tunnel can
+            // mint against (Atomic, Jetpack-WPCom-REST). Other sites return NotSupported and fall
+            // through to discovery + card below.
+            val siteForMint = storedSite ?: site
+            val createResult = siteStore.createApplicationPassword(siteForMint)
+            if (!createResult.isError && createResult.credentials != null) {
+                uiModelMutable.postValue(null)
+                appLogWrapper.d(AppLog.T.MAIN, "A_P: Hiding card for ${site.url} - headless mint succeeded")
+                return@launch
+            }
+            appLogWrapper.d(
+                AppLog.T.MAIN,
+                "A_P: Headless mint failed for ${site.url} (notSupported=${createResult.error?.notSupported})"
+            )
+
             val authorizationUrlComplete = applicationPasswordLoginHelper.getAuthorizationUrlComplete(site.url)
             if (authorizationUrlComplete.isEmpty()) {
                 uiModelMutable.postValue(null)

WordPress/src/test/java/org/wordpress/android/ui/mysite/cards/applicationpassword/ApplicationPasswordViewModelSliceTest.kt

@@ -20,10 +20,14 @@ import org.mockito.kotlin.mock
 import org.wordpress.android.fluxc.Dispatcher
 import org.wordpress.android.fluxc.model.SiteModel
 import org.wordpress.android.fluxc.model.SitesModel
+import org.wordpress.android.fluxc.network.BaseRequest.BaseNetworkError
+import org.wordpress.android.fluxc.network.BaseRequest.GenericErrorType
 import org.wordpress.android.fluxc.network.discovery.SelfHostedEndpointFinder
 import org.wordpress.android.fluxc.network.xmlrpc.site.SiteXMLRPCClient
+import org.wordpress.android.fluxc.network.rest.wpapi.applicationpasswords.ApplicationPasswordCredentials
 import org.wordpress.android.fluxc.network.rest.wpapi.rs.WpApiClientProvider
 import org.wordpress.android.fluxc.store.SiteStore
+import org.wordpress.android.fluxc.store.SiteStore.OnApplicationPasswordCreated
 import org.wordpress.android.fluxc.utils.AppLogWrapper
 import org.wordpress.android.ui.accounts.login.ApplicationPasswordLoginHelper
 import org.wordpress.android.ui.mysite.MySiteCardAndItem
@@ -98,8 +102,28 @@ class ApplicationPasswordViewModelSliceTest : BaseUnitTest() {
         }
     }
 
+    private suspend fun stubMintFailure(notSupported: Boolean = false) {
+        whenever(siteStore.createApplicationPassword(any())).thenReturn(
+            OnApplicationPasswordCreated(
+                siteTest,
+                BaseNetworkError(GenericErrorType.UNKNOWN, "fail"),
+                notSupported = notSupported,
+            )
+        )
+    }
+
+    private suspend fun stubMintSuccess() {
+        whenever(siteStore.createApplicationPassword(any())).thenReturn(
+            OnApplicationPasswordCreated(
+                siteTest,
+                ApplicationPasswordCredentials("user", "pass", uuid = "u")
+            )
+        )
+    }
+
     @Test
     fun `given proper site, when api discovery is success, then add the application password card`() = runTest {
+        stubMintFailure()
         whenever(applicationPasswordLoginHelper.getAuthorizationUrlComplete(eq(TEST_URL)))
             .thenReturn("$TEST_URL_AUTH$TEST_URL_AUTH_SUFFIX")
 
@@ -111,6 +135,7 @@ class ApplicationPasswordViewModelSliceTest : BaseUnitTest() {
 
     @Test
     fun `given login scenario, when api discovery is empty, then show no card`() = runTest {
+        stubMintFailure()
         whenever(applicationPasswordLoginHelper.getAuthorizationUrlComplete(eq(TEST_URL)))
             .thenReturn("")
 
@@ -120,6 +145,30 @@ class ApplicationPasswordViewModelSliceTest : BaseUnitTest() {
         verify(applicationPasswordLoginHelper).getAuthorizationUrlComplete(eq(TEST_URL))
     }
 
+    @Test
+    fun `given headless mint succeeds, then hide card and skip discovery`() = runTest {
+        stubMintSuccess()
+
+        applicationPasswordViewModelSlice.buildCard(siteTest)
+
+        assertNull(applicationPasswordCard)
+        verify(siteStore).createApplicationPassword(any())
+        verify(applicationPasswordLoginHelper, never()).getAuthorizationUrlComplete(any())
+    }
+
+    @Test
+    fun `given headless mint returns NotSupported, then fall back to discovery`() = runTest {
+        stubMintFailure(notSupported = true)
+        whenever(applicationPasswordLoginHelper.getAuthorizationUrlComplete(eq(TEST_URL)))
+            .thenReturn("$TEST_URL_AUTH$TEST_URL_AUTH_SUFFIX")
+
+        applicationPasswordViewModelSlice.buildCard(siteTest)
+
+        assertNotNull(applicationPasswordCard)
+        verify(siteStore).createApplicationPassword(any())
+        verify(applicationPasswordLoginHelper).getAuthorizationUrlComplete(eq(TEST_URL))
+    }
+
     @Test
     fun `given site already authenticated, when calling api discovery, then show no card`() = runTest {
         whenever(siteStore.sites)

libs/fluxc/src/main/java/org/wordpress/android/fluxc/store/SiteStore.kt

@@ -85,6 +85,8 @@ import org.wordpress.android.fluxc.model.jetpacksocial.JetpackSocialMapper
 import org.wordpress.android.fluxc.network.BaseRequest.BaseNetworkError
 import org.wordpress.android.fluxc.network.rest.wpapi.WPAPINetworkError
 import org.wordpress.android.fluxc.network.rest.wpapi.WPAPIResponse
+import org.wordpress.android.fluxc.network.rest.wpapi.applicationpasswords.ApplicationPasswordCreationResult
+import org.wordpress.android.fluxc.network.rest.wpapi.applicationpasswords.ApplicationPasswordCredentials
 import org.wordpress.android.fluxc.network.rest.wpapi.applicationpasswords.ApplicationPasswordDeletionResult
 import org.wordpress.android.fluxc.network.rest.wpapi.applicationpasswords.ApplicationPasswordsManager
 import org.wordpress.android.fluxc.network.rest.wpapi.site.SiteWPAPIRestClient
@@ -798,6 +800,15 @@ open class SiteStore @Inject constructor(
         }
     }
 
+    data class OnApplicationPasswordCreated(
+        val site: SiteModel,
+        val credentials: ApplicationPasswordCredentials? = null,
+    ) : OnChanged<OnApplicationPasswordCreateError>() {
+        constructor(site: SiteModel, error: BaseNetworkError, notSupported: Boolean): this(site) {
+            this.error = OnApplicationPasswordCreateError(error, notSupported)
+        }
+    }
+
     class OnSiteLaunched() : OnChanged<LaunchSiteError>() {
         constructor(error: LaunchSiteError) : this() {
             this.error = error
@@ -829,6 +840,23 @@ open class SiteStore @Inject constructor(
         }
     }
 
+    class OnApplicationPasswordCreateError(
+        error: BaseNetworkError,
+        val notSupported: Boolean,
+    ) : OnChangedError {
+        var errorCode: String? = null
+        var message: String
+
+        init {
+            if (error is WPAPINetworkError) {
+                errorCode = error.errorCode
+            } else if (error is WPComGsonNetworkError) {
+                errorCode = error.apiError
+            }
+            message = error.message
+        }
+    }
+
     class PlansError
     @JvmOverloads constructor(
         @JvmField val type: PlansErrorType,
@@ -2372,6 +2400,41 @@ open class SiteStore @Inject constructor(
             }
         }
 
+    suspend fun createApplicationPassword(site: SiteModel): OnApplicationPasswordCreated =
+        coroutineEngine.withDefaultContext(T.API, this, "Create Application Password") {
+            when (val result = applicationPasswordsManagerProvider.get().getApplicationCredentials(site)) {
+                is ApplicationPasswordCreationResult.Created -> {
+                    persistApplicationPasswordCredentials(site, result.credentials)
+                    OnApplicationPasswordCreated(site, result.credentials)
+                }
+                is ApplicationPasswordCreationResult.Existing -> {
+                    if (site.apiRestUsernamePlain.isNullOrEmpty() || site.apiRestPasswordPlain.isNullOrEmpty()) {
+                        persistApplicationPasswordCredentials(site, result.credentials)
+                    }
+                    OnApplicationPasswordCreated(site, result.credentials)
+                }
+                is ApplicationPasswordCreationResult.NotSupported ->
+                    OnApplicationPasswordCreated(site, result.originalError, notSupported = true)
+                is ApplicationPasswordCreationResult.Failure ->
+                    OnApplicationPasswordCreated(site, result.error, notSupported = false)
+            }
+        }
+
+    private fun persistApplicationPasswordCredentials(
+        site: SiteModel,
+        credentials: ApplicationPasswordCredentials,
+    ) {
+        site.apply {
+            apiRestUsernamePlain = credentials.userName
+            apiRestPasswordPlain = credentials.password
+            apiRestUsernameEncrypted = ""
+            apiRestPasswordEncrypted = ""
+            apiRestUsernameIV = ""
+            apiRestPasswordIV = ""
+        }
+        emitChange(updateApplicationPassword(site))
+    }
+
     suspend fun fetchSitePlans(siteModel: SiteModel): FetchedPlansPayload {
         return if (siteModel.isUsingWpComRestApi) {
             coroutineEngine.withDefaultContext(T.API, this, "Fetch site plans") {