Automatically refresh application password (#24742)

* Update wordpress-rs

* Automatically refresh application password

* Make sure the re-authentication flow is only for the current site (#24743)

Author: crazytonyli

Modules/Package.resolved

@@ -54,7 +54,7 @@ let package = Package(
         ),
         .package(url: "https://github.com/zendesk/support_sdk_ios", from: "8.0.3"),
         // We can't use wordpress-rs branches nor commits here. Only tags work.
-        .package(url: "https://github.com/Automattic/wordpress-rs", revision: "alpha-20250715"),
+        .package(url: "https://github.com/Automattic/wordpress-rs", revision: "alpha-20250813"),
         .package(url: "https://github.com/wordpress-mobile/GutenbergKit", from: "0.8.0-alpha.0"),
         .package(
             url: "https://github.com/Automattic/color-studio",

Modules/Package.swift

@@ -226,4 +226,16 @@ public enum WordPressSite {
             return try context.existingObject(with: blogId)
         }
     }
+
+    public func blogId(in coreDataStack: CoreDataStack) -> TaggedManagedObjectID<Blog>? {
+        switch self {
+        case let .dotCom(siteId, _):
+            return coreDataStack.performQuery { context in
+                guard let blog = try? Blog.lookup(withID: siteId, in: context) else { return nil }
+                return TaggedManagedObjectID(blog)
+            }
+        case let .selfHosted(id, _, _, _):
+            return id
+        }
+    }
 }

Sources/WordPressData/Swift/Blog+SelfHosted.swift

@@ -22,7 +22,7 @@ extension WordPressClient {
         // rather than using the shared one on disk).
         let session = URLSession(configuration: .ephemeral)
 
-        let notifier = AppNotifier()
+        let notifier = AppNotifier(site: site, coreDataStack: ContextManager.shared)
         let provider = WpAuthenticationProvider.dynamic(
             dynamicAuthenticationProvider: AutoUpdateAuthenticationProvider(site: site, coreDataStack: ContextManager.shared)
         )
@@ -42,7 +42,6 @@ extension WordPressClient {
             authenticationProvider: provider,
             appNotifier: notifier
         )
-        notifier.api = api
         self.init(api: api, rootUrl: apiRootURL)
     }
 
@@ -84,31 +83,19 @@ private final class AutoUpdateAuthenticationProvider: @unchecked Sendable, WpDyn
         }
     }
 
-    func update() {
+    @discardableResult
+    func update() -> WpAuthentication {
+        // This line does not require `self.lock`. Putting it behind the `self.lock` may lead to dead lock, because
+        // `coreDataStack.performQuery` also aquire locks.
+        let authentication = coreDataStack.performQuery(site.authentication(in:))
+
         self.lock.lock()
         defer {
             self.lock.unlock()
         }
 
-        self.authentication = coreDataStack.performQuery { [site] context in
-            switch site {
-            case let .dotCom(siteId, _):
-                guard let blog = try? Blog.lookup(withID: siteId, in: context),
-                      let token = blog.authToken else {
-                    return WpAuthentication.none
-                }
-                return WpAuthentication.bearer(token: token)
-            case let .selfHosted(blogId, _, _, _):
-                guard let blog = try? context.existingObject(with: blogId),
-                      let username = try? blog.getUsername(),
-                      let password = try? blog.getApplicationToken()
-                else {
-                    return WpAuthentication.none
-                }
-
-                return WpAuthentication(username: username, password: password)
-            }
-        }
+        self.authentication = authentication
+        return authentication
     }
 
     func auth() -> WordPressAPIInternal.WpAuthentication {
@@ -119,12 +106,57 @@ private final class AutoUpdateAuthenticationProvider: @unchecked Sendable, WpDyn
 
         return self.authentication
     }
+
+    func refresh() async -> Bool {
+        guard let blogId = site.blogId(in: coreDataStack) else { return false }
+
+        do {
+            DDLogInfo("Create a new application password")
+            try await ApplicationPasswordRepository.shared.createPasswordIfNeeded(for: blogId)
+        } catch {
+            DDLogInfo("Failed to create a new application password: \(error)")
+            return false
+        }
+
+        let current = auth()
+        let newAuth = update()
+        return newAuth != .none && newAuth != current
+    }
 }
 
 private class AppNotifier: @unchecked Sendable, WpAppNotifier {
-    weak var api: WordPressAPI?
+    let site: WordPressSite
+    let coreDataStack: CoreDataStack
+
+    init(site: WordPressSite, coreDataStack: CoreDataStack) {
+        self.site = site
+        self.coreDataStack = coreDataStack
+    }
 
     func requestedWithInvalidAuthentication() async {
-        NotificationCenter.default.post(name: WordPressClient.requestedWithInvalidAuthenticationNotification, object: api)
+        let blogId = site.blogId(in: coreDataStack)
+        NotificationCenter.default.post(name: WordPressClient.requestedWithInvalidAuthenticationNotification, object: blogId)
+    }
+}
+
+private extension WordPressSite {
+    func authentication(in context: NSManagedObjectContext) -> WpAuthentication {
+        switch self {
+        case let .dotCom(siteId, _):
+            guard let blog = try? Blog.lookup(withID: siteId, in: context),
+                  let token = blog.authToken else {
+                return WpAuthentication.none
+            }
+            return WpAuthentication.bearer(token: token)
+        case let .selfHosted(blogId, _, _, _):
+            guard let blog = try? context.existingObject(with: blogId),
+                  let username = try? blog.getUsername(),
+                  let password = try? blog.getApplicationToken()
+            else {
+                return WpAuthentication.none
+            }
+
+            return WpAuthentication(username: username, password: password)
+        }
     }
 }

WordPress/Classes/Networking/WordPressClient.swift

@@ -57,8 +57,15 @@ actor ApplicationPasswordRepository {
             return
         }
 
+        let alreadyStored = await storage
+            .passwords(belongTo: owners)
+            .contains { $0.password == authToken }
+        guard !alreadyStored else { return }
+
+        // No need to propagate the API request error.
         let api = WordPressAPI(urlSession: URLSession(configuration: .ephemeral), apiRootUrl: apiRootURL, authentication: .init(username: username, password: authToken))
-        let uuid = try await api.applicationPasswords.retrieveCurrentWithViewContext().data.uuid.uuid
+        guard let uuid = try? await api.applicationPasswords.retrieveCurrentWithViewContext().data.uuid.uuid else { return }
+
         try await storage.save(.init(password: .init(uuid: uuid, password: authToken), owners: owners))
     }
 
@@ -139,14 +146,7 @@ private extension ApplicationPasswordRepository {
                 blog.getUrlString(),
             )
         }
-        let passwords = await storage.getAll()
-            .filter {
-                // This nested loop should not have too much negative impact on performance, since `owners` is a short list (2 elements).
-                $0.owners.contains { owners.contains($0) }
-            }
-            .map {
-                $0.password
-            }
+        let passwords = await storage.passwords(belongTo: owners)
 
         let apiRootURL = try await updateRestAPIURLIfNeeded(blogId)
         let siteUsername = try await updateSiteUsernameIfNeeded(blogId)
@@ -407,6 +407,15 @@ private actor ApplicationPasswordStorage {
     }
 }
 
+extension ApplicationPasswordStorage {
+    func passwords(belongTo owners: [ApplicationPasswordOwner]) -> [ApplicationPassword] {
+        getAll()
+            // This nested loop should not have too much negative impact on performance, since `owners` is a short list (2 elements).
+            .filter { $0.owners.contains { owners.contains($0) } }
+            .map { $0.password }
+    }
+}
+
 enum ApplicationPasswordRepositoryError: LocalizedError {
     case usernameNotFound
     case restApiInaccessible

WordPress/Classes/Services/ApplicationPasswordRepository.swift

@@ -92,8 +92,13 @@ extension WordPressAuthenticationManager {
 
         notificationCenter.publisher(for: WordPressClient.requestedWithInvalidAuthenticationNotification)
             .debounce(for: .milliseconds(100), scheduler: DispatchQueue.main)
-            .sink { _ in
-                WordPressAuthenticationManager.showSigninForSelfHostedSiteFixingApplicationPassword()
+            .sink {
+                guard let blogId = $0.object as? TaggedManagedObjectID<Blog> else {
+                    wpAssertionFailure("No blog ID found in the requestedWithInvalidAuthenticationNotification notification")
+                    return
+                }
+
+                WordPressAuthenticationManager.showSigninForSelfHostedSiteFixingApplicationPassword(blogId: blogId)
             }
             .store(in: &cancellables)
     }
@@ -301,14 +306,15 @@ extension WordPressAuthenticationManager {
         }
     }
 
-    static func showSigninForSelfHostedSiteFixingApplicationPassword(showNotice: Bool = true) {
+    static func showSigninForSelfHostedSiteFixingApplicationPassword(blogId: TaggedManagedObjectID<Blog>, showNotice: Bool = true) {
         guard let presenter = UIViewController.topViewController,
               !presenter.isApplicationReauthentication else {
             assertionFailure()
             return
         }
 
-        guard let currentBlog = RootViewCoordinator.sharedPresenter.currentlyVisibleBlog() else {
+        guard let currentBlog = RootViewCoordinator.sharedPresenter.currentlyVisibleBlog(), currentBlog.objectID == blogId.objectID else {
+            DDLogWarn("Requested sign in to a site that is not the currently visible one")
             return
         }