Skip to content

test(checkout-pages): regression tests for subsite password reset (#1168)#1172

Merged
superdav42 merged 1 commit into
mainfrom
regression-tests-1168
May 11, 2026
Merged

test(checkout-pages): regression tests for subsite password reset (#1168)#1172
superdav42 merged 1 commit into
mainfrom
regression-tests-1168

Conversation

@superdav42

@superdav42 superdav42 commented May 11, 2026

Copy link
Copy Markdown
Collaborator

Summary

Adds regression tests for the subsite password-reset bug fixed in #1169 (issue #1168).

The original GH#1168 bug was masked for years because an existing test, test_replace_reset_password_link_returns_early_on_subsite, was actively asserting the buggy behaviour as a contract — it expected the function to return the message unchanged on a subsite, which is precisely what was breaking customer password resets. This PR replaces that test and adds nine new tests covering all four hooks introduced in #1169.

What's covered

  • replace_reset_password_link — on a subsite the URL is rewritten away from wp-login.php, the subsite host is preserved, and standard query args (action, key, login, wp_lang) are kept so existing handlers (WooCommerce my-account, BuddyPress, default wp-login fallback) can complete the reset.
  • wu_subsite_password_reset_url filter — verified to fire on subsites so integrations can override the destination URL.
  • retrieve_password_message hook registration — confirmed registered on subsites when enable_custom_login_page is on. Before [URGENT] fix(checkout-pages): rewrite password reset URL on subsites (#1168) #1169 it was wrapped in if (is_main_site()) so it never ran on subsites at all.
  • rewrite_new_user_notification_email — welcome email "set your password" links stay on the subsite for users created there. Plus an empty-message safety test.
  • rewrite_password_notification_email — admin notification email stays on the subsite host.
  • rewrite_email_change_content — profile email-change confirmation links stay on the subsite. Plus an empty-input safety test.

Verification that the tests catch the bug

I reverted inc/checkout/class-checkout-pages.php to its pre-#1169 state on the same branch and re-ran the new tests:

  • 9 of 13 tests fail — 4 errors from the new methods being absent, 5 failures from the subsite host assertions.

Restoring the #1169 fix returns 13/13 green, 37 assertions. The test net is doing its job.

Bisect note for #1168

While reviewing #1169 I traced the bug history. The customer reported "a recent change introduced this bug", and the closest match is:

  • e8f7955c (initial commit) — replace_reset_password_link() already had the if (!is_main_site()) return $message; early-return. The bug has been present from day one but was latent.
  • 706d9637 "fix: keep password reset on subsite domain (Password Reset redirect error #291)", shipped in v2.5.0 — made lostpassword_url subsite-aware. From v2.5.0 onward, subsite users actually started submitting reset requests on their own subsite, which fired retrieve_password() on that subsite, which hit the long-dormant guard. This is the change that turned a latent bug into a customer-visible regression.

That second-order effect is exactly why this kind of regression test belongs in the suite — pinning the contract on subsites means a future "fix" to a related path can't silently re-disable it.

Test plan

vendor/bin/phpunit --filter 'replace_reset_password_link|retrieve_password_message_filter|rewrite_new_user_notification_email|rewrite_password_notification_email|rewrite_email_change_content' --no-coverage
# 13 / 13 (100%)  OK (13 tests, 37 assertions)

PHPCS clean for the new additions. The pre-existing test_maybe_enqueue_payment_status_poll_* failures observed locally are baseline test-isolation issues unrelated to this PR or to #1169.

Ref #1168


aidevops.sh v3.15.29 plugin for OpenCode v1.14.41 with claude-sonnet-4-6 spent 1d 20h and 40 tokens on this as a headless worker.

Summary by CodeRabbit

  • Tests
    • Enhanced test coverage for password reset link generation and email notification rewrites on subsites.
    • Added comprehensive tests for custom login page integration with password reset functionality.
    • Expanded regression test scenarios covering new user notifications, password resets, and email change confirmations on subsites, including filter behavior validation.

Review Change Stack

)

Locks in the subsite-aware behaviour added in #1169 so the bug cannot
silently regress again.

The original GH#1168 bug was masked for years because an existing test
test_replace_reset_password_link_returns_early_on_subsite was actively
asserting the buggy behaviour as a contract. Replacing that test and
adding nine new tests covers all four hooks introduced in #1169:

  - replace_reset_password_link: subsite host is preserved, wp-login.php
    is removed from the URL, all standard query args (action, key,
    login, wp_lang) are kept, and the wu_subsite_password_reset_url
    integration filter actually fires.
  - retrieve_password_message hook is registered on subsites (not just
    main site).
  - rewrite_new_user_notification_email: welcome email links stay on
    the subsite for users created on a subsite.
  - rewrite_password_notification_email: admin notification email
    stays on the subsite.
  - rewrite_email_change_content: profile email-change confirmation
    links stay on the subsite.

Each test includes an empty-input safety case where applicable.

Verification: reverted inc/checkout/class-checkout-pages.php to its
pre-#1169 state and re-ran the new tests; 9/13 fail (4 errors from the
new methods being absent, 5 failures from the subsite host assertions),
proving the tests catch the regression.

Ref #1168
@coderabbitai

coderabbitai Bot commented May 11, 2026

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 249cc7e3-f7cb-41a0-900e-08e00584edaa

📥 Commits

Reviewing files that changed from the base of the PR and between 5ac6ee9 and 6903136.

📒 Files selected for processing (1)
  • tests/WP_Ultimo/Checkout/Checkout_Pages_Test.php

📝 Walkthrough

Walkthrough

The PR expands test coverage for subsite password reset URL rewriting and email notification handling. It adds nine new test methods, renames one existing test to reflect actual behavior, and updates fixture data in existing tests to use full userdata objects instead of minimal ID arrays, validating GH#1168 integration work.

Changes

Password Reset and Email Rewriting Tests

Layer / File(s) Summary
Core replace_reset_password_link Behavior
tests/WP_Ultimo/Checkout/Checkout_Pages_Test.php
Adds main-site test verifying replace_reset_password_link produces URLs with action=rp and key= query args when custom login is enabled. Updates two existing tests to pass full get_userdata(...) objects instead of minimal ['ID' => 1] arrays. Renames subsite test from "returns_early_on_subsite" to "rewrites_on_subsite" with assertions verifying reset URL is rewritten onto subsite host while preserving query args.
Subsite Filter Registration and Hooks
tests/WP_Ultimo/Checkout/Checkout_Pages_Test.php
Adds tests confirming the wu_subsite_password_reset_url filter is executed and influences rewritten URLs on subsites, and that the retrieve_password_message filter is registered when custom login is enabled in subsite context.
Email Notification URL Rewriting
tests/WP_Ultimo/Checkout/Checkout_Pages_Test.php
Adds tests verifying rewrite_new_user_notification_email, rewrite_password_notification_email, and rewrite_email_change_content remove wp-login.php references and rewrite notification links to subsite hosts instead.
Edge Cases and Empty Input
tests/WP_Ultimo/Checkout/Checkout_Pages_Test.php
Adds tests confirming rewrite_new_user_notification_email and rewrite_email_change_content safely handle and return empty or unchanged input.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Poem

🐰 A rabbit hops through password resets bright,
With URLs rewritten, subsite links alight!
No more wp-login in the mail they send,
Each test a hop toward the perfect end. ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title clearly and concisely describes the main change: regression tests for subsite password reset functionality, directly aligned with the PR objectives and changeset.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch regression-tests-1168

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

Copy link
Copy Markdown

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limitied, hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password

@superdav42 superdav42 merged commit b9cd87d into main May 11, 2026
11 checks passed
@superdav42

Copy link
Copy Markdown
Collaborator Author

Summary

Adds regression tests for the subsite password-reset bug fixed in #1169 (issue #1168).
The original GH#1168 bug was masked for years because an existing test, test_replace_reset_password_link_returns_early_on_subsite, was actively asserting the buggy behaviour as a contract — it expected the function to return the message unchanged on a subsite, which is precisely what was breaking customer password resets. This PR replaces that test and adds nine new tests covering all four hooks introduced in #1169.

What's covered

  • replace_reset_password_link — on a subsite the URL is rewritten away from wp-login.php, the subsite host is preserved, and standard query args (action, key, login, wp_lang) are kept so existing handlers (WooCommerce my-account, BuddyPress, default wp-login fallback) can complete the reset.
  • wu_subsite_password_reset_url filter — verified to fire on subsites so integrations can override the destination URL.
  • retrieve_password_message hook registration — confirmed registered on subsites when enable_custom_login_page is on. Before [URGENT] fix(checkout-pages): rewrite password reset URL on subsites (#1168) #1169 it was wrapped in if (is_main_site()) so it never ran on subsites at all.
  • rewrite_new_user_notification_email — welcome email "set your password" links stay on the subsite for users created there. Plus an empty-message safety test.
  • rewrite_password_notification_email — admin notification email stays on the subsite host.
  • rewrite_email_change_content — profile email-change confirmation links stay on the subsite. Plus an empty-input safety test.

Verification that the tests catch the bug

I reverted inc/checkout/class-checkout-pages.php to its pre-#1169 state on the same branch and re-ran the new tests:

Bisect note for #1168

While reviewing #1169 I traced the bug history. The customer reported "a recent change introduced this bug", and the closest match is:

  • e8f7955c (initial commit) — replace_reset_password_link() already had the if (!is_main_site()) return $message; early-return. The bug has been present from day one but was latent.
  • 706d9637 "fix: keep password reset on subsite domain (Password Reset redirect error #291)", shipped in v2.5.0 — made lostpassword_url subsite-aware. From v2.5.0 onward, subsite users actually started submitting reset requests on their own subsite, which fired retrieve_password() on that subsite, which hit the long-dormant guard. This is the change that turned a latent bug into a customer-visible regression.
    That second-order effect is exactly why this kind of regression test belongs in the suite — pinning the contract on subsites means a future "fix" to a related path can't silently re-disable it.

Test plan

vendor/bin/phpunit --filter 'replace_reset_password_link|retrieve_password_message_filter|rewrite_new_user_notification_email|rewrite_password_notification_email|rewrite_email_change_content' --no-coverage
# 13 / 13 (100%)  OK (13 tests, 37 assertions)

PHPCS clean for the new additions. The pre-existing test_maybe_enqueue_payment_status_poll_* failures observed locally are baseline test-isolation issues unrelated to this PR or to #1169.
Ref #1168


aidevops.sh v3.15.29 plugin for OpenCode v1.14.41 with claude-sonnet-4-6 spent 1d 20h and 40 tokens on this as a headless worker.


Merged via PR #1172 to main.
Merged by deterministic merge pass (pulse-wrapper.sh).

@github-actions

Copy link
Copy Markdown

Performance Test Results

Performance test results for d846c04 are in 🛎️!

Note: the numbers in parentheses show the difference to the previous (baseline) test run. Differences below 2% or 0.5 in absolute values are not shown.

URL: /

Run DB Queries Memory Before Template Template WP Total LCP TTFB LCP - TTFB
0 40 37.73 MB 850.50 ms (-71.50 ms / -8% ) 163.50 ms 1048.50 ms (-85.00 ms / -8% ) 2014.00 ms (-128.00 ms / -6% ) 1907.40 ms (-149.65 ms / -8% ) 96.75 ms
1 56 49.12 MB 916.50 ms (-70.50 ms / -8% ) 148.00 ms (-11.50 ms / -8% ) 1066.00 ms (-78.50 ms / -7% ) 2046.00 ms (-120.00 ms / -6% ) 1959.45 ms (-113.75 ms / -6% ) 85.05 ms (-2.80 ms / -3% )

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant