test(e2e): regression guards for #1185 (SSO bootstrap race) and #1169 (subsite password reset) #1198

Merged
superdav42 merged 1 commit into Ultimate-Multisite:main from kenedytorcatt:tests/e2e-regression-sso-bootstrap-and-password-reset
May 12, 2026

@kenedytorcatt

Contributor

Why this PR exists

A senior contributor on our side recently shipped two fixes that affected ~300+ subsites in our production network (kursopro.com), and we'd like to make sure they can't silently regress in a future refactor:

This PR adds two Cypress specs + matching WP-CLI fixtures that lock in the behaviour of those fixes. They sit alongside your existing 060-sso-cross-domain.spec.js, 065-sso-redirect-loop.spec.js, and 050-password-strength-enforcement.spec.js and follow the same patterns (cy.wpCliFile, JSON output from fixture, cy.loginByApi, baseUrl localhost:8889).

What each spec verifies

066-sso-bootstrap-race.spec.js — guards #1185

  • calculate_secret_from_date('') does not throw and returns a real hash.
  • Two consecutive calls with empty input return the same hash (deterministic fallback — important so SSO state stays consistent across requests during the empty-`registered` window).
  • convert_bearer_into_auth_cookies() does not throw when `$current_blog` exists with an empty `registered` property.

Driven entirely from PHP via setup-sso-bootstrap-race.php. The race is at the PHP layer (between sunrise.php and ms-settings.php), so no browser interaction is required.

011-password-reset-subsite-domain.spec.js — guards #1169

  • The URL produced by the retrieve_password_message filter on a subsite uses the subsite host — not the main-site `/wp-login.php` host (the symptom of the original bug that confused zuletadia on yariglam.cl).
  • The reset query args `action=rp / key / login / wp_lang` are preserved so WooCommerce my-account, BuddyPress, custom themes, and the default wp-login fallback can still complete the reset.
  • The new wu_subsite_password_reset_url filter is reachable for integration overrides.

Driven via setup-password-reset-subsite.php which creates a test subsite, switches into it, and applies the filter chain directly with a synthetic raw message — no SMTP / Mailpit / cron dependency.

How they fit your existing suite

| File | Type | Notes |
| --- | --- | --- |
| tests/e2e/cypress/integration/066-sso-bootstrap-race.spec.js | new | Numbered after your 060/065 SSO specs |
| tests/e2e/cypress/integration/011-password-reset-subsite-domain.spec.js | new | Numbered next to the 010-manual-checkout-flow.spec.js group |
| tests/e2e/cypress/fixtures/setup-sso-bootstrap-race.php | new | Same pattern as your setup-sso-test.php |
| tests/e2e/cypress/fixtures/setup-password-reset-subsite.php | new | Same pattern as your setup-sso-test.php |

Both specs are deterministic, single-process, and avoid any heavy setup (no Stripe, no PayPal, no Mailpit).

Honest note — please validate in your CI before merging

I authored these on Windows without Docker locally, so I was not able to run npm run cy:run:test against your wp-env setup. I verified:

  • PHP -l syntax check on both fixtures.
  • node --check syntax check on both specs.
  • That the SSO class is a singleton (\WP_Ultimo\SSO\SSO::get_instance()) by reading inc/sso/class-sso.php.
  • That replace_reset_password_link() and the wu_subsite_password_reset_url filter live where the PR diffs say they do.
  • That fixture conventions match your setup-sso-test.php (JSON output, wp_json_encode, container path via cy.wpCliFile).

If anything fails in your CI I'm happy to iterate — feel free to push directly to the branch or comment with the failure output.

Production context

Bug context behind each spec, in case it helps reviewing the assertions:

Thanks David — and thank you for shipping both fixes so quickly. These specs are our way of helping keep them locked in.

…strap race) and PR Ultimate-Multisite#1169 (subsite password reset)

Two Cypress specs + matching WP-CLI fixtures that lock in the behaviour of two
recently merged fixes so future refactors of the SSO bootstrap chain or the
password reset rewrite can't silently regress them.

## 066-sso-bootstrap-race.spec.js (guards PR Ultimate-Multisite#1185)

Verifies:
- `calculate_secret_from_date('')` does NOT throw and returns a hash.
- Two consecutive calls with empty input return the SAME hash (deterministic
  fallback — important so SSO state stays consistent across requests during
  a bootstrap window).
- `convert_bearer_into_auth_cookies()` does NOT throw when `$current_blog`
  exists with an empty `registered` property.

Driven via fixture `setup-sso-bootstrap-race.php` which calls both methods
through the live `SSO::get_instance()` singleton and emits JSON.

## 011-password-reset-subsite-domain.spec.js (guards PR Ultimate-Multisite#1169)

Verifies:
- The URL produced by `retrieve_password_message` on a subsite uses the
  subsite host (or at least no longer points at `/wp-login.php` on a
  different host).
- The reset query args `action / key / login / wp_lang` are preserved so
  WooCommerce my-account, BuddyPress, custom themes, and the default
  wp-login fallback can still pick the request up.
- The new `wu_subsite_password_reset_url` filter (added by Ultimate-Multisite#1169) is
  reachable for integration overrides.

Driven via fixture `setup-password-reset-subsite.php` which creates a test
subsite, switches into it, and applies the filter chain directly with a
synthetic raw message — no SMTP / Mailpit / cron dependency.
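
The host and query-arg guard described for the 011 spec, shown as an added example that is not code from this PR or from the plugin. The function names, hosts and message bodies are constructed for illustration; the check compares a rewritten reset message against the raw one it was derived from.

```javascript
// Added example. Hosts, keys and message text are constructed sample data.
const RAW_MESSAGE = [
  'Someone has requested a password reset for the following account:',
  'https://network.example.test/wp-login.php?action=rp&key=abc123&login=alice&wp_lang=en_US',
].join('\n');

// Rewritten correctly: subsite host, every reset arg carried over.
const GOOD_MESSAGE =
  'Reset here: <https://shop.example.test/my-account/lost-password/?action=rp&key=abc123&login=alice&wp_lang=en_US>';

// Regressed: still on the main-site host and wp_lang was dropped.
const BAD_MESSAGE =
  'Reset here: https://network.example.test/wp-login.php?action=rp&key=abc123&login=alice';

// Find the first URL in a plain-text mail body that carries a reset key.
// The link may be bare or wrapped in <...>, so angle brackets end the match.
function extractResetUrl(message) {
  const urls = message.match(/https?:\/\/[^\s<>"']+/g) || [];
  const candidate = urls.find((u) => /[?&]key=/.test(u));
  return candidate ? new URL(candidate) : null;
}

// Return a list of problems; an empty list means the rewritten link passes.
function checkRewrittenLink(rawMessage, rewrittenMessage, subsiteHost) {
  const rawUrl = extractResetUrl(rawMessage);
  const newUrl = extractResetUrl(rewrittenMessage);
  if (!rawUrl) return ['no reset URL found in raw message'];
  if (!newUrl) return ['no reset URL found in rewritten message'];

  const problems = [];
  // URL.host is already lower-cased and includes any non-default port.
  if (newUrl.host !== subsiteHost.toLowerCase()) {
    problems.push(`host is ${newUrl.host}, expected ${subsiteHost}`);
  }
  // Every arg on the original link (action, key, login, wp_lang) must survive unchanged.
  for (const [name, value] of rawUrl.searchParams) {
    if (newUrl.searchParams.get(name) !== value) {
      problems.push(`query arg not preserved: ${name}`);
    }
  }
  return problems;
}
```
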
@coderabbitai

coderabbitai Bot commented May 12, 2026

Contributor

Warning

Rate limit exceeded

@superdav42 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 27 minutes and 28 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between ddd628c and 93875eb.

📒 Files selected for processing (4)
  • tests/e2e/cypress/fixtures/setup-password-reset-subsite.php
  • tests/e2e/cypress/fixtures/setup-sso-bootstrap-race.php
  • tests/e2e/cypress/integration/011-password-reset-subsite-domain.spec.js
  • tests/e2e/cypress/integration/066-sso-bootstrap-race.spec.js

@superdav42 superdav42 left a comment

Collaborator

Auto-approved by pulse runner @superdav42 — author @kenedytorcatt confirmed collaborator, pre-merge gates passed.

@superdav42 superdav42 marked this pull request as ready for review May 12, 2026 22:59
@superdav42 superdav42 merged commit b17f5b0 into Ultimate-Multisite:main May 12, 2026
10 of 11 checks passed
@superdav42 superdav42 added the review-feedback-scanned Merged PR already scanned for quality feedback label May 13, 2026