test(e2e): regression guards for #1185 (SSO bootstrap race) and #1169 (subsite password reset)#1198
Two Cypress specs + matching WP-CLI fixtures that lock in the behaviour of two recently merged fixes so future refactors of the SSO bootstrap chain or the password reset rewrite can't silently regress them.

## 066-sso-bootstrap-race.spec.js (guards PR Ultimate-Multisite#1185)

Verifies:

- `calculate_secret_from_date('')` does NOT throw and returns a hash.
- Two consecutive calls with empty input return the SAME hash (deterministic fallback — important so SSO state stays consistent across requests during a bootstrap window).
- `convert_bearer_into_auth_cookies()` does NOT throw when `$current_blog` exists with an empty `registered` property.

Driven via fixture `setup-sso-bootstrap-race.php` which calls both methods through the live `SSO::get_instance()` singleton and emits JSON.

## 011-password-reset-subsite-domain.spec.js (guards PR Ultimate-Multisite#1169)

Verifies:

- The URL produced by `retrieve_password_message` on a subsite uses the subsite host (or at least no longer points at `/wp-login.php` on a different host).
- The reset query args `action / key / login / wp_lang` are preserved so WooCommerce my-account, BuddyPress, custom themes, and the default wp-login fallback can still pick the request up.
- The new `wu_subsite_password_reset_url` filter (added by Ultimate-Multisite#1169) is reachable for integration overrides.

Driven via fixture `setup-password-reset-subsite.php` which creates a test subsite, switches into it, and applies the filter chain directly with a synthetic raw message — no SMTP / Mailpit / cron dependency.
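As an added example (not code from this PR or from the Ultimate-Multisite project), the plain-Node script below models, offline, the assertions both specs make on the JSON their WP-CLI fixtures emit: for the password-reset spec, that the reset link inside a raw `retrieve_password_message` body sits on the subsite host and still carries `action`, `key`, `login` and `wp_lang`; for the SSO bootstrap spec, that the two empty-input calls produced identical hex digests without throwing. The fixture field names (`threw`, `hash1`, `hash2`), the hosts `network.example.com` / `shop.example.cl`, the username and the raw message bodies are constructed assumptions for this example; a real spec would obtain the message from `cy.wpCliFile` instead of the inline constants.

```javascript
// Added example, not code from PR #1198 or the Ultimate-Multisite project.
// Models, in plain Node, the checks the two specs make on fixture JSON.
// Fixture field names, hosts, usernames and message bodies are constructed.

// Query args a rewritten reset URL must keep so wp-login.php, WooCommerce
// my-account, BuddyPress and custom themes can still pick the request up.
const REQUIRED_ARGS = ['action', 'key', 'login', 'wp_lang'];

// Every http(s) URL in a raw retrieve_password_message body. WordPress wraps
// the link in <...>, so '>' ends a match; trailing punctuation is stripped.
function extractUrls(message) {
  return (message.match(/https?:\/\/[^\s<>"']+/g) || [])
    .map((u) => u.replace(/[.,)]+$/, ''));
}

// Problems with one reset URL relative to the subsite host; [] means it passes.
function checkResetUrl(rawUrl, expectedHost) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return [`unparseable URL: ${rawUrl}`];
  }
  const problems = [];
  if (url.hostname !== expectedHost) {
    problems.push(`host ${url.hostname} is not the subsite host ${expectedHost}`);
  }
  for (const arg of REQUIRED_ARGS) {
    if (!url.searchParams.get(arg)) problems.push(`missing or empty query arg ${arg}`);
  }
  return problems;
}

// Locate the reset link in a message (the URL carrying key=) and check it.
// The site's own home URL may also appear in the body, so key= is the selector.
function evaluateResetMessage(message, expectedHost) {
  const resetUrl = extractUrls(message).find((u) => /[?&]key=/.test(u));
  if (!resetUrl) return { resetUrl: null, problems: ['no reset link found in message'] };
  return { resetUrl, problems: checkResetUrl(resetUrl, expectedHost) };
}

// SSO bootstrap fixture (assumed shape {threw, hash1, hash2}): neither call
// may have thrown, the digest must be hex, and both calls must agree.
function checkSsoBootstrapOutput(jsonText) {
  const out = JSON.parse(jsonText);
  const problems = [];
  if (out.threw) problems.push('calculate_secret_from_date("") threw');
  if (!/^[0-9a-f]{32,}$/i.test(out.hash1 || '')) problems.push('hash1 is not a hex digest');
  if (out.hash1 !== out.hash2) problems.push('empty-input hashes differ between calls');
  return problems;
}

// Constructed sample messages: the pre-fix shape points at the main network
// host, the post-fix shape at the subsite that owns the account.
const SUBSITE_HOST = 'shop.example.cl';
const RESET_QUERY = 'action=rp&key=abc123DEF456&login=maria&wp_lang=es_CL';
const BUGGY_MESSAGE =
  'Someone has requested a password reset for the following account:\n\n' +
  'Site Name: Shop\n\nUsername: maria\n\n' +
  `<https://network.example.com/wp-login.php?${RESET_QUERY}>\n`;
const FIXED_MESSAGE = BUGGY_MESSAGE.replace(
  'https://network.example.com/wp-login.php',
  `https://${SUBSITE_HOST}/wp-login.php`,
);
// Constructed stand-in for what setup-sso-bootstrap-race.php might emit.
const SSO_FIXTURE_JSON = JSON.stringify({
  threw: false,
  hash1: '9f86d081884c7d659a2feaa0c55ad015',
  hash2: '9f86d081884c7d659a2feaa0c55ad015',
});

if (typeof require !== 'undefined' && require.main === module) {
  console.log(evaluateResetMessage(BUGGY_MESSAGE, SUBSITE_HOST));
  console.log(evaluateResetMessage(FIXED_MESSAGE, SUBSITE_HOST));
  console.log(checkSsoBootstrapOutput(SSO_FIXTURE_JSON));
}
```

Run with `node` to see the pre-fix message fail on the host check only and the post-fix message pass; in a Cypress spec the same `problems` array would feed a single `expect(problems).to.be.empty` so a failure names exactly which invariant regressed.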
superdav42
left a comment
Auto-approved by pulse runner @superdav42 — author @kenedytorcatt confirmed collaborator, pre-merge gates passed.
Why this PR exists
A senior contributor on our side recently shipped two fixes that affected ~300+ subsites in our production network (kursopro.com), and we'd like to make sure they can't silently regress in a future refactor:

- `inc/sso/class-sso.php`: early-return + deterministic-secret fallback (merged 2.11.1).
- `inc/checkout/class-checkout-pages.php`: subsite password reset URL rewrite (merged 2.10.2).

This PR adds two Cypress specs + matching WP-CLI fixtures that lock in the behaviour of those fixes. They sit alongside your existing `060-sso-cross-domain.spec.js`, `065-sso-redirect-loop.spec.js`, and `050-password-strength-enforcement.spec.js` and follow the same patterns (`cy.wpCliFile`, JSON output from fixture, `cy.loginByApi`, `baseUrl` `localhost:8889`).

What each spec verifies

`066-sso-bootstrap-race.spec.js` — guards #1185

- `calculate_secret_from_date('')` does not throw and returns a real hash.
- `convert_bearer_into_auth_cookies()` does not throw when `$current_blog` exists with an empty `registered` property.

Driven entirely from PHP via `setup-sso-bootstrap-race.php`. The race is at the PHP layer (between `sunrise.php` and `ms-settings.php`), so no browser interaction is required.

`011-password-reset-subsite-domain.spec.js` — guards #1169

- `retrieve_password_message` filter on a subsite uses the subsite host — not the main-site `/wp-login.php` host (the symptom of the original bug that confused zuletadiaonyariglam.cl).
- `wu_subsite_password_reset_url` filter is reachable for integration overrides.

Driven via `setup-password-reset-subsite.php` which creates a test subsite, switches into it, and applies the filter chain directly with a synthetic raw message — no SMTP / Mailpit / cron dependency.

How they fit your existing suite

| File | Sits alongside |
|---|---|
| `tests/e2e/cypress/integration/066-sso-bootstrap-race.spec.js` | `060`/`065` SSO specs |
| `tests/e2e/cypress/integration/011-password-reset-subsite-domain.spec.js` | `010-manual-checkout-flow.spec.js` group |
| `tests/e2e/cypress/fixtures/setup-sso-bootstrap-race.php` | `setup-sso-test.php` |
| `tests/e2e/cypress/fixtures/setup-password-reset-subsite.php` | `setup-sso-test.php` |

Both specs are deterministic, single-process, and avoid any heavy setup (no Stripe, no PayPal, no Mailpit).
Honest note — please validate in your CI before merging
I authored these on Windows without Docker locally, so I was not able to run `npm run cy:run:test` against your `wp-env` setup. I verified:

- `-l` syntax check on both fixtures.
- `node --check` syntax check on both specs.
- `\WP_Ultimo\SSO\SSO::get_instance()`) by reading `inc/sso/class-sso.php`.
- `replace_reset_password_link()` and the `wu_subsite_password_reset_url` filter live where the PR diffs say they do.
- `setup-sso-test.php` (JSON output, `wp_json_encode`, container path via `cy.wpCliFile`).

If anything fails in your CI I'm happy to iterate — feel free to push directly to the branch or comment with the failure output.
Production context

Bug context behind each spec, in case it helps reviewing the assertions:

- .cl TLD) requested a password reset and received an email pointing at the main network's `wp-login.php`. She didn't recognise the domain, treated the email as phishing, and complained to the subsite owner that the site had been hacked. Reproduced on 8/8 subsites in our staging network before patch.

Thanks David — and thank you for shipping both fixes so quickly. These specs are our way of helping keep them locked in.