fix: route sso grant attach urls#1301
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThe PR fixes the routing of ChangesSSO /sso-grant Action Normalization
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Suggested labels
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
MERGE_SUMMARY Implemented #1298 by normalizing Files changed:
Verification:
|
🔨 Build Complete - Ready for Testing!📦 Download Build Artifact (Recommended)Download the zip build, upload to WordPress and test:
🌐 Test in WordPress Playground (Very Experimental)Click the link below to instantly test this PR in your browser - no installation needed! Login credentials: |
Admin Merge Fallback (t2247)Branch protection blocked the plain Merge method: Original branch-protection errorRemediation: If this bypass was unintended, revert with aidevops.sh v3.20.1 plugin for OpenCode v1.15.11 with unknown spent 10m and 94,856 tokens on this as a headless worker. |
…1309) The unattached-broker JSONP branch in handle_broker() returned '{code: 0, message: "Broker not attached"}', which sso.js treats as a denial (assets/js/sso.js lines 101-117). That set the wu_sso_denied cookie for 5 minutes on the very first subsite front-end page-load, silently disabling auto-SSO before it could complete a single round-trip — even when the user was in fact logged in on the main site. The denial payload is the wrong signal here: the broker not being attached on the JSONP probe is the expected state on the first hit, not a failure. Return 'verify: must-redirect' instead so the already-existing sso.js branch (assets/js/sso.js lines 93-95) performs a top-level navigation to '<broker>/sso?return_url=...'. That request re-enters handle_broker() as a regular page load and falls through to the non-JSONP redirect, which after #1301 reaches the cookie-less server handler via getAttachUrl() and completes the SSO round-trip. This is the minimal subset of #1297 that the post-#1301/#1302 codebase still needs. The /sso-grant routing fix (#1301) and the scoped redirect-loop counter (#1302) already shipped, so the rest of #1297's PHP changes are no longer required. Regression tests in tests/WP_Ultimo/SSO/SSO_Test.php: - test_handle_broker_source_jsonp_unattached_returns_must_redirect: locks in the new payload and forbids the legacy 'Broker not attached' denial. - test_sso_js_handles_must_redirect_verify: confirms sso.js still recognises the must-redirect verify value.
Summary
/sso-grantSSO actions before dispatch soSSO_Broker::getAttachUrl()reaches the existing main-sitewu_sso_handle_sso_grantserver handler.handle_requests().Testing
vendor/bin/phpcs inc/sso/class-sso.phpvendor/bin/phpstan analyse --no-progress --error-format=table inc/sso/class-sso.phpWP_TESTS_DIR=/tmp/wordpress-tests-lib vendor/bin/phpunit --filter SSO_TestWP_TESTS_DIR=/tmp/wordpress-tests-lib vendor/bin/phpunit --filter test_handle_requests_source_normalizes_sso_grant_to_server_actionResolves #1298
Summary by CodeRabbit
Bug Fixes
Tests