Prevent signing in with another WP.com account (#23682)

* Use shared URLSession to reduce risk of HTTP3 issues

* Fix looking up wrong account

* Fix wrong argument being used in auto-signin UI tests

* Prevent signing in with another WP.com account

* Fix blog prompts unit tests set up

* Fix PromptRemindersSchedulerTests set up

* Fix another unit test

Author: crazytonyli

WordPress/Classes/Login/WordPressDotComAuthenticator.swift

@@ -78,7 +78,7 @@ struct WordPressDotComAuthenticator {
         }
 
         do {
-            let urlSession = URLSession(configuration: .default)
+            let urlSession = URLSession.shared
             let (data, _) = try await urlSession.data(for: tokenRequest)
 
             struct Response: Decodable {

WordPress/Classes/Services/BloggingPrompts/BloggingPromptsService.swift

@@ -207,7 +207,7 @@ class BloggingPromptsService {
             }
 
             // fetch the default account and fall back to default values as needed.
-            guard let account = try? WPAccount.lookupDefaultWordPressComAccount(in: mainContext) else {
+            guard let account = blogInContext?.account else {
                 return (
                     blogInContext?.dotComID,
                     remote,

WordPress/Classes/System/WordPressAppDelegate.swift

@@ -857,7 +857,7 @@ extension WordPressAppDelegate {
         }
 
         let service = WordPressComSyncService()
-        service.syncWPCom(authToken: "valid_token", isJetpackLogin: true, onSuccess: { account in
+        service.syncWPCom(authToken: "valid_token", isJetpackLogin: false, onSuccess: { account in
             if let blog = try? BlogQuery().hostname(containing: wpComSiteAddress).blog(in: ContextManager.shared.mainContext) {
                 self.windowManager.showUI(for: blog)
             } else {

WordPress/Classes/ViewRelated/Jetpack/Login/JetpackLoginViewController.swift

@@ -11,6 +11,14 @@ class JetpackLoginViewController: UIViewController {
 
     var blog: Blog
 
+    // This variable is used to prevent signing into another WP.com account, if the site is not connected to the already signed-in default account.
+    private var shouldDisableLogin: Bool {
+        guard let defaultAccount = try? WPAccount.lookupDefaultWordPressComAccount(in: ContextManager.shared.mainContext) else {
+            return false
+        }
+        return defaultAccount.email != blog.jetpack?.connectedEmail
+    }
+
     // MARK: - Properties
 
     // Defaulting to stats because since that one is written in ObcC we don't have access to the enum there.
@@ -118,7 +126,11 @@ class JetpackLoginViewController: UIViewController {
         if jetpack.isSiteConnection {
             message = promptType.connectMessage
         } else if jetpack.isConnected {
-            message = jetpack.isUpdatedToRequiredVersion ? Constants.Jetpack.isUpdated : Constants.Jetpack.updateRequired
+            if let connectedEmail = jetpack.connectedEmail, shouldDisableLogin {
+                message = Constants.Jetpack.connectToDefaultAccount(connectedEmail: connectedEmail)
+            } else {
+                message = jetpack.isUpdatedToRequiredVersion ? Constants.Jetpack.isUpdated : Constants.Jetpack.updateRequired
+            }
         } else {
             message = promptType.installMessage
         }
@@ -136,7 +148,7 @@ class JetpackLoginViewController: UIViewController {
         connectUserButton.contentEdgeInsets = UIEdgeInsets(top: 12, left: 20, bottom: 12, right: 20)
 
         signinButton.setTitle(Constants.Buttons.loginTitle, for: .normal)
-        signinButton.isHidden = !(blog.hasJetpack && !jetpack.isSiteConnection)
+        signinButton.isHidden = shouldDisableLogin || !(blog.hasJetpack && !jetpack.isSiteConnection)
 
         let paragraph = NSMutableParagraphStyle(minLineHeight: WPStyleGuide.fontSizeForTextStyle(.footnote),
                                                 lineBreakMode: .byWordWrapping,
@@ -338,5 +350,11 @@ private enum Constants {
                                                                                               comment: "Message stating the minimum required " +
                                                                                                 "version for Jetpack and asks the user " +
             "if they want to upgrade"), JetpackState.minimumVersionRequired)
+        static func connectToDefaultAccount(connectedEmail: String) -> String {
+            String.localizedStringWithFormat(
+                NSLocalizedString("jetpackSite.connectToDefaultAccount", value: "You need to sign in with %@ to use Stats and Notifications.", comment: "Message stating that the user is unable to use Stats and Notifications because their site is connected to a different WordPress.com account"),
+                connectedEmail
+            )
+        }
     }
 }

WordPress/WordPressTest/BloggingPromptsServiceTests.swift

@@ -39,6 +39,7 @@ final class BloggingPromptsServiceTests: CoreDataTestCase {
         remote = BloggingPromptsServiceRemoteMock()
         blog = makeBlog()
         accountService = makeAccountService()
+        blog.account = try? WPAccount.lookupDefaultWordPressComAccount(in: mainContext)
         service = BloggingPromptsService(contextManager: contextManager, api: api, remote: remote, blog: blog)
         testPrompts = loadTestPrompts(from: fetchPromptsResponseFileName)
     }

WordPress/WordPressTest/PromptRemindersSchedulerTests.swift

@@ -42,6 +42,7 @@ class PromptRemindersSchedulerTests: XCTestCase {
         dateProvider = MockCurrentDateProvider(currentDate)
         blog = makeBlog()
         accountService = makeAccountService()
+        blog.account = try? WPAccount.lookupDefaultWordPressComAccount(in: mainContext)
         localStore = MockLocalFileStore()
         scheduler = PromptRemindersScheduler(bloggingPromptsServiceFactory: serviceFactory,
                                              notificationScheduler: notificationScheduler,
@@ -333,6 +334,7 @@ class PromptRemindersSchedulerTests: XCTestCase {
         // Arrange
         let schedule = scheduleForToday
         let controlBlog = makeBlog()
+        controlBlog.account = try? WPAccount.lookupDefaultWordPressComAccount(in: mainContext)
         let controlSiteID = controlBlog.dotComID!.intValue
 
         // first, schedule reminders in the control blog.