fix: make passwordless login opt-in #1399

Merged: superdav42 merged 1 commit into main from followup/passwordless-login-setting on Jun 10, 2026

superdav42 (Collaborator) commented Jun 10, 2026

Summary

  • Add a disabled-by-default Use Passwordless Login setting under Login & Registration.
  • Gate passwordless assets, markup, wp-login injection, checkout dependencies, and AJAX handlers behind the setting.
  • Restore username/password login as the default WP login, custom login form, and checkout inline-login experience.

Follow-up to #1358.

Verification

  • php -l inc/class-settings.php inc/auth/class-passwordless-auth-manager.php inc/ui/class-login-form-element.php inc/checkout/class-checkout.php views/checkout/partials/inline-login-prompt.php tests/WP_Ultimo/Settings_Test.php tests/WP_Ultimo/Auth/Passwordless_Auth_Test.php
  • bash bin/check-env.sh
  • vendor/bin/phpcs inc/class-settings.php inc/auth/class-passwordless-auth-manager.php inc/ui/class-login-form-element.php inc/checkout/class-checkout.php views/checkout/partials/inline-login-prompt.php tests/WP_Ultimo/Settings_Test.php tests/WP_Ultimo/Auth/Passwordless_Auth_Test.php
  • ./node_modules/.bin/eslint tests/e2e/cypress/integration/login.spec.js --max-warnings=0
  • vendor/bin/phpunit --filter Settings_Test
  • vendor/bin/phpunit --filter Passwordless_Auth_Test
  • vendor/bin/phpunit --filter Login_Form_Element_Test
  • git diff --check

Notes

  • PHPUnit still emits an existing PHP 8.4 deprecation notice in inc/sso/jasny/Broker/Session.php.
  • ESLint still emits the existing Browserslist data-age advisory.

aidevops.sh v3.20.49 plugin for OpenCode v1.17.1 with gpt-5.5 spent 16h 54m and 2,784,885 tokens on this with the user in an interactive session.

Summary by CodeRabbit

  • New Features
    • Added a passwordless login toggle in Login & Registration settings. When disabled (default), users see the standard username/password login form. When enabled, passwordless authentication becomes available.

coderabbitai Bot (Contributor) commented Jun 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 680e488e-8f15-4ea6-855f-c6ca8bea062d

📥 Commits

Reviewing files that changed from the base of the PR and between df8c7af and 75de135.

📒 Files selected for processing (8)
  • inc/auth/class-passwordless-auth-manager.php
  • inc/checkout/class-checkout.php
  • inc/class-settings.php
  • inc/ui/class-login-form-element.php
  • tests/WP_Ultimo/Auth/Passwordless_Auth_Test.php
  • tests/WP_Ultimo/Settings_Test.php
  • tests/e2e/cypress/integration/login.spec.js
  • views/checkout/partials/inline-login-prompt.php

📝 Walkthrough

Add a use_passwordless_login settings toggle (disabled by default) and gate all passwordless functionality behind is_enabled(). When disabled, the manager skips hook registration, early-returns from asset enqueuing and markup rendering, AJAX endpoints short-circuit with a passwordless_login_disabled error, and UI surfaces fall back to standard username/password forms.

Changes

Passwordless Login Enablement Setting

| Layer | File(s) | Summary |
|---|---|---|
| Settings registration and defaults | inc/class-settings.php, tests/WP_Ultimo/Settings_Test.php | New use_passwordless_login toggle field added to login-and-registration section with default 0 (disabled); Settings::get_setting_defaults() includes the key in the fallback map; two new tests verify the field and default exist. |
| Passwordless manager enablement check | inc/auth/class-passwordless-auth-manager.php | is_enabled() method reads the use_passwordless_login setting; init() returns early when disabled, preventing hook and AJAX action registration. |
| UI rendering and asset enqueuing guards | inc/auth/class-passwordless-auth-manager.php | enqueue_assets(), enqueue_login_assets(), render_wp_login_form(), and get_login_form_markup() early-return when disabled, preventing script/style/markup emission. |
| AJAX endpoint enablement validation | inc/auth/class-passwordless-auth-manager.php, tests/WP_Ultimo/Auth/Passwordless_Auth_Test.php | New ensure_enabled_for_ajax() sends passwordless_login_disabled error when disabled; all five AJAX handlers call this check before nonce verification; new test verifies AJAX endpoints return the error when disabled; test setup/teardown enables/disables the setting. |
| Conditional passwordless asset enqueuing | inc/ui/class-login-form-element.php, inc/checkout/class-checkout.php | Login_Form_Element and Checkout conditionally call enqueue_assets() and register wu-passwordless-auth dependency only when is_enabled() returns true; login form output branches on enablement to render passwordless or standard fields. |
| Inline login prompt conditional UI | views/checkout/partials/inline-login-prompt.php | Template now branches on is_enabled(): when enabled, shows passwordless helper and markup; when disabled, shows password field and forgot-password/sign-in controls. |
| E2E test expectations | tests/e2e/cypress/integration/login.spec.js | Updated Cypress spec to expect standard username/password form visible by default and passwordless auth element absent, aligning with disabled-by-default setting. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

status:available, review-feedback-scanned

Poem

🐰 A feature flag hops into place,
Passwordless tucked away with grace,
When toggle's off, the form falls back—
No fancy auth, just username track!
Settings dance, tests leap and bound,
Disabled by default, safe and sound! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'fix: make passwordless login opt-in' directly and clearly summarizes the main change: converting passwordless login from default to disabled by default, requiring explicit opt-in via a new setting. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 83.33% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@github-actions

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limited; hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password

@superdav42 superdav42 merged commit be2a59c into main Jun 10, 2026
11 checks passed
superdav42 (Collaborator, Author) commented

Summary

  • Add a disabled-by-default Use Passwordless Login setting under Login & Registration.
  • Gate passwordless assets, markup, wp-login injection, checkout dependencies, and AJAX handlers behind the setting.
  • Restore username/password login as the default WP login, custom login form, and checkout inline-login experience.

Follow-up to GH#1357: feat(auth): add passwordless login with passkeys #1358.

Verification

  • php -l inc/class-settings.php inc/auth/class-passwordless-auth-manager.php inc/ui/class-login-form-element.php inc/checkout/class-checkout.php views/checkout/partials/inline-login-prompt.php tests/WP_Ultimo/Settings_Test.php tests/WP_Ultimo/Auth/Passwordless_Auth_Test.php
  • bash bin/check-env.sh
  • vendor/bin/phpcs inc/class-settings.php inc/auth/class-passwordless-auth-manager.php inc/ui/class-login-form-element.php inc/checkout/class-checkout.php views/checkout/partials/inline-login-prompt.php tests/WP_Ultimo/Settings_Test.php tests/WP_Ultimo/Auth/Passwordless_Auth_Test.php
  • ./node_modules/.bin/eslint tests/e2e/cypress/integration/login.spec.js --max-warnings=0
  • vendor/bin/phpunit --filter Settings_Test
  • vendor/bin/phpunit --filter Passwordless_Auth_Test
  • vendor/bin/phpunit --filter Login_Form_Element_Test
  • git diff --check

Notes

  • PHPUnit still emits an existing PHP 8.4 deprecation notice in inc/sso/jasny/Broker/Session.php.
  • ESLint still emits the existing Browserslist data-age advisory.

aidevops.sh v3.20.49 plugin for OpenCode v1.17.1 with gpt-5.5 spent 16h 54m and 2,784,885 tokens on this with the user in an interactive session.


Merged via PR #1399 to main.
Merged by deterministic merge pass (pulse-wrapper.sh).
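
The gating described in this PR's summary and walkthrough (no hook registration while the setting is off, and each AJAX handler refusing before nonce verification), sketched as an added example for WordPress that is not the plugin's own code. The class name, the AJAX and nonce action names, the 403 status, the response shape and the get_option() storage are assumptions; only use_passwordless_login, is_enabled(), ensure_enabled_for_ajax(), passwordless_login_disabled and wu-passwordless-auth come from the thread.

```php
<?php
// Added illustration for WordPress; not the plugin's code. "Example"/"example_" names are hypothetical.
final class Example_Passwordless_Gate {
	/** @var callable Returns the stored use_passwordless_login value. */
	private $read_setting;

	public function __construct( callable $read_setting ) {
		$this->read_setting = $read_setting;
	}

	/** Fail closed: only an explicit "on" value enables the feature. */
	public function is_enabled(): bool {
		return in_array( ( $this->read_setting )(), [ 1, '1', true ], true );
	}

	/** Gate 1: when disabled, nothing is hooked, so no assets or AJAX routes exist. */
	public function init(): void {
		if ( ! $this->is_enabled() ) {
			return;
		}
		add_action( 'login_enqueue_scripts', [ $this, 'enqueue_login_assets' ] );
		add_action( 'wp_ajax_nopriv_example_passwordless_begin', [ $this, 'ajax_begin' ] );
	}

	public function enqueue_login_assets(): void {
		if ( ! $this->is_enabled() ) {
			return;
		}
		wp_enqueue_script( 'wu-passwordless-auth' ); // Handle named in the walkthrough; assumed registered.
	}

	/** Gate 2: covers callers that reach the handler without going through init(). */
	public function ajax_begin(): void {
		$this->ensure_enabled_for_ajax();                       // First, as in the PR.
		check_ajax_referer( 'example_passwordless', 'nonce' ); // Then CSRF protection.
		wp_send_json_success( [ 'step' => 'challenge' ] );     // Placeholder for the real flow.
	}

	private function ensure_enabled_for_ajax(): void {
		if ( ! $this->is_enabled() ) {
			// wp_send_json_error() ends the request, so nothing below the call site runs.
			wp_send_json_error( [ 'code' => 'passwordless_login_disabled' ], 403 );
		}
	}
}

// Assumption: the toggle is readable via get_option(); the plugin has its own settings API.
$gate = new Example_Passwordless_Gate( static fn() => get_option( 'use_passwordless_login', 0 ) );
add_action( 'init', [ $gate, 'init' ] );
```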
