Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix jetpack comments via chrome when logged in #38554

Merged
merged 5 commits into from
Jul 29, 2024
Merged

Fix jetpack comments via chrome when logged in #38554

merged 5 commits into from
Jul 29, 2024

Conversation

enejb
Copy link
Member

@enejb enejb commented Jul 25, 2024
edited
Loading

Fixes #38520

Before:

Screen.Recording.2024-07-25.at.4.28.24.PM.-.before.mov

After:

Screen.Recording.2024-07-25.at.4.29.30.PM.-.after.mov

Proposed changes:

  • This PR implements a retry process for users that try to submit comment but for some reason the browser that is submitting the comment from jetpack.wordpress.com iframe doesn't send the cookies. This will make it so that the nonce verification fails there is a retry process that happens on the jetpack site that submits make the same request as the remote one. This PR doesn't change the verification steps. That the comment goes though but since the request is now being done on from the jetpack site it the cookies are being forwarded as expected and the request succeeds.

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

Does this pull request change what data or activity we track or use?

Testing instructions:

Enable jetpack comments.
In latest Chrome login to wordpress.com as well the jetpack site. leave a comment.
Notice that you are able to leave a comment successfully. There might be a slight glitch with the spinner that you might notice but I think this is a better solution that currently exists.

@enejb enejb added [Feature] Comments [Status] Needs Review To request a review from fellow Jetpack developers. Label will be renamed soon. labels Jul 25, 2024
@enejb enejb added this to the jetpack/13.7 milestone Jul 25, 2024
@enejb enejb requested a review from coder-karen July 25, 2024 23:38
@enejb enejb self-assigned this Jul 25, 2024
@github-actions github-actions bot added the [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ label Jul 25, 2024
@github-actions GitHub Actions
Copy link
Contributor

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

Once your PR is ready for review, check one last time that all required checks appearing at the bottom of this PR are passing or skipped.
Then, add the "[Status] Needs Team Review" label and ask someone from your team review the code. Once reviewed, it can then be merged.
If you need an extra review from someone familiar with the codebase, you can update the labels from "[Status] Needs Team Review" to "[Status] Needs Review", and in that case Jetpack Approvers will do a final review of your PR.

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

  • WordPress.com Simple releases happen daily.
  • WoA releases happen weekly.
  • Releases to self-hosted sites happen monthly. The next release is scheduled for August 6, 2024 (scheduled code freeze on August 5, 2024).

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 25, 2024
edited
Loading

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the fix/jetpack-comments-chrome branch.

  • To test on Simple, run the following command on your sandbox:

    bin/jetpack-downloader test jetpack fix/jetpack-comments-chrome

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@coder-karen
Copy link
Contributor

Just dropping a comment here as well to say I left a comment in Slack about this - p1721979363629269/1721951133.674309-slack-CDLH4C1UZ - but there appears to be related work happening in #38485 as well.

heavyweight
heavyweight previously approved these changes Jul 26, 2024
View reviewed changes
Copy link
Contributor

@heavyweight heavyweight left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested and works great!
I'm fine with merging this once the static analysis is fixed.

@heavyweight heavyweight mentioned this pull request Jul 26, 2024
Closed
3 tasks
coder-karen
coder-karen previously approved these changes Jul 29, 2024
View reviewed changes
Copy link
Contributor

@coder-karen coder-karen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me too 👍 Thanks for working on this fix!

I left two comments, but I wouldn't call them blockers, as they're just related to comments.

projects/plugins/jetpack/modules/comments/comments.php Outdated Show resolved Hide resolved
projects/plugins/jetpack/modules/comments/comments.php Outdated Show resolved Hide resolved
@enejb enejb merged commit 08de409 into trunk Jul 29, 2024
56 checks passed
@enejb enejb deleted the fix/jetpack-comments-chrome branch July 29, 2024 18:44
@github-actions github-actions bot removed the [Status] Needs Review To request a review from fellow Jetpack developers. Label will be renamed soon. label Jul 29, 2024
@heavyweight heavyweight mentioned this pull request Jul 30, 2024
Closed
@jsnajdr
Copy link
Member

jsnajdr commented Jul 30, 2024

Looking at this PR after @simison pinged me about it... If I understand it correctly, the pre_comment_on_post function runs only on jetpack.wordpress.com, integrated into the Simple site in wpcom code, is that right? And when the nonce verification fails, it will return a response with a form that auto-submits to the Jetpack site itself.

It's certainly a workaround -- the ideal solution will be that the Verbum iframe asks for storage access (document.requestStorageAccess) after you click on the "Comment" button and before it submits the POST request to jetpack.wordpress.com. Then the POST request will be properly authenticated and there will be no nonce mismatch.

But we are still a long way from that: first we need to migrate the WP.com REST proxy away from auth cookies and only then we can start calling Storage Access API on individual widgets.

@enejb
Copy link
Member Author

enejb commented Jul 30, 2024

I don't expect any changes for simple sites here since simple sites don't use the iframe.

This PR is just for jetpack sites that are not atomic. Since I wasn't able to replicate this issue on atomic at all.

No, pre_comment_on_post runs on the jetpack site. (it might run on simple sites as well but that is not what I was looking at)

the reason why this is needed is because when the you submit the comment. The iframe make a JS POST form submission request to the site. See fbhepr%2Skers%2Sjcpbz%2Sjc%2Qpbagrag%2Szh%2Qcyhtvaf%2Swrgcnpx%2Spynff.wrgcnpx%2Qeraqrere.cuc%3Se%3Q0rrqp613%231288-og

but in chrome that request doesn't contain any cookie info. So on the Jetpack side the nonce verification fails because the request doesn't have a logged in user.

I think in the ideal case we would be making a different authenticated request request to the Jetpack site from the iframe.
but that solution could have its own problems such as REST requests being blocked.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coder-karen coder-karen coder-karen approved these changes

@heavyweight heavyweight heavyweight left review comments

Assignees

@enejb enejb

Labels
[Feature] Comments [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/
Projects
None yet
Milestone
jetpack/13.7
Development

Successfully merging this pull request may close these issues.

Jetpack Comments: Chrome prevent a logged in used from posting comments.
4 participants
@enejb @coder-karen @jsnajdr @heavyweight