
SSO: Show wp-admin login form if site has local users #39139

Merged
merged 2 commits into from
Sep 4, 2024

Conversation


@mmtr mmtr commented Aug 29, 2024

Fixes #39037

Proposed changes:

Stops enforcing the WP.com login for Atomic sites with local users.

[Screenshots: Before / After (images not preserved)]

Previously, we were disabling the enforced WP.com login on sites with the classic interface (except for users coming from Calypso), and kept it on sites with the default interface.

However, sites with the default interface can have local users as well (users not connected to WP.com) who are unable to use their wp-admin credentials to log in to wp-admin.

This PR fixes that by changing who is enforced to log in with a WP.com account:

  • Sites without local users:
    • WP.com login, always.
  • Sites with local users:
    • If user comes from Calypso: WP.com login
    • Otherwise: Jetpack SSO login, so they can decide whether to use a WP.com account or a local account.

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

pc4f5j-4Ky-p2

Does this pull request change what data or activity we track or use?

No

Testing instructions:

  • Install Jetpack Beta on a WoA dev site
  • Open Jetpack Beta and activate the branch of this PR in the WordPress.com Site Helper plugin (wpcomsh).
  • Go to https://wordpress.com/settings/general and select your WoA dev site
  • Activate the default admin interface
  • Go to /wp-admin/users.php
  • Create a new local user (do not invite the user to WP.com)
  • Open an incognito/private window
  • Go to /wp-admin
  • Make sure the Jetpack SSO login form shows up which allows you to use either a WP.com account or a local account
  • Go to wordpress.com
  • Log in
  • While in Calypso, switch to your WoA dev site
  • Click on any menu that links to wp-admin (e.g. Settings > Media)
  • Make sure you're automatically logged in
  • Close the incognito/private window
  • Remove all the local users from your site
  • Open an incognito/private window
  • Go to /wp-admin
  • Make sure you're redirected to the WP.com login
  • Close the incognito/private window
  • Activate the classic admin interface now
  • Repeat the steps above and confirm that you get the same results
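The login-enforcement decision described above, written as an added illustration (not wpcomsh's own code) so it can be exercised outside WordPress. The `site_has_local_users` helper mirrors the walk-the-users-and-stop-early shape discussed in the review; `$is_connected` is an assumed injected callback standing in for the Jetpack connection manager's `is_user_connected()`.

```php
<?php
// Added example; not the plugin's code. Two decisions from the PR:
// 1) which login to enforce, 2) whether the site has any local user.

const LOGIN_WPCOM       = 'wpcom';       // redirect to the WP.com login
const LOGIN_JETPACK_SSO = 'jetpack_sso'; // show the Jetpack SSO form (WP.com or local account)

function choose_wp_admin_login( bool $site_has_local_users, bool $is_from_calypso ): string {
    // Sites without local users: WP.com login, always.
    if ( ! $site_has_local_users ) {
        return LOGIN_WPCOM;
    }
    // Sites with local users: visitors coming from Calypso still get the
    // WP.com login; everyone else gets the SSO form so a local account works.
    return $is_from_calypso ? LOGIN_WPCOM : LOGIN_JETPACK_SSO;
}

/**
 * Walk the user IDs and stop at the first one not connected to WP.com.
 * $is_connected is an assumed callback (in the plugin this would be
 * Manager::is_user_connected()). Cost is O(n) in the worst case, i.e. when
 * all or almost all users are connected, which is the reviewer's concern.
 */
function site_has_local_users( array $user_ids, callable $is_connected ): bool {
    foreach ( $user_ids as $user_id ) {
        if ( ! $is_connected( $user_id ) ) {
            return true; // first local user found; no need to keep scanning
        }
    }
    return false;
}

// Constructed sample data: users 1 and 2 are connected, user 3 is local.
$connected    = array( 1 => true, 2 => true, 3 => false );
$is_connected = fn( int $id ): bool => $connected[ $id ] ?? false;

$has_local = site_has_local_users( array_keys( $connected ), $is_connected );
assert( $has_local === true );
assert( choose_wp_admin_login( $has_local, false ) === LOGIN_JETPACK_SSO );
assert( choose_wp_admin_login( $has_local, true )  === LOGIN_WPCOM );
assert( choose_wp_admin_login( false, false )      === LOGIN_WPCOM );
assert( site_has_local_users( array( 1, 2 ), $is_connected ) === false );
```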

Contributor

github-actions bot commented Aug 29, 2024

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖


The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.


Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Choose a review path based on your changes:
    • A. Team Review: add the "[Status] Needs Team Review" label
      • For most changes, including minor cross-team impacts.
      • Example: Updating a team-specific component or a small change to a shared library.
    • B. Crew Review: add the "[Status] Needs Review" label
      • For significant changes to core functionality.
      • Example: Major updates to a shared library or complex features.
    • C. Both: Start with Team, then request Crew
      • For complex changes or when you need extra confidence.
      • Example: Refactor affecting multiple systems.
  3. Get at least one approval before merging.

Still unsure? Reach out in #jetpack-developers for guidance!


Wpcomsh plugin:

  • Next scheduled release: on demand (usually Mondays if not sooner).

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

@github-actions github-actions bot added the [Status] Needs Author Reply We would need you to make some changes or provide some more details about your PR. Thank you! label Aug 29, 2024
@mmtr mmtr added [Status] Needs Team Review and removed [Status] Needs Author Reply We would need you to make some changes or provide some more details about your PR. Thank you! labels Aug 29, 2024
@mmtr mmtr self-assigned this Aug 29, 2024
@mmtr mmtr requested a review from a team August 29, 2024 14:43
Contributor

@dsas dsas left a comment


Works nicely

```php
// Excerpt quoted in the review from the PR diff. The loop body, which returns
// as soon as a non-connected (local) user is found, is reconstructed here from
// the thread's description of the behaviour.
$connection_manager = new \Automattic\Jetpack\Connection\Manager( 'jetpack' );
$users = get_users( array( 'fields' => array( 'ID' ) ) );
foreach ( $users as $user ) {
	if ( ! $connection_manager->is_user_connected( $user->ID ) ) {
		// A local user exists; stop scanning.
		return true;
	}
}
return false;
```
Member


How does this perform for large sites? > 10k users?

Member Author


Good question! I have no idea 😅 I'll see if there is an easy way to populate a test site with 10k fake users and check

Member Author


I'd say though that if a site has 10k users, it's very likely that most of them will be non-connected, and we'll stop the loop when the first one is found.

Member Author


Used FakerPress to create 5k users (not connected to WP.com) on a site:

[Screenshot of the users list (image not preserved)]

It seems that the performance is not largely affected in this scenario.

Before, it took 1.34s to show the Jetpack SSO login. Now, it takes 1.53s.

[Screenshots: Before / After timings (images not preserved)]

Contributor


Imo, that's just one scenario. If 4.9k users are connected there would be a higher performance penalty. This has an O(n) complexity.

@mmtr mmtr merged commit 5aa9e86 into trunk Sep 4, 2024
57 checks passed
@mmtr mmtr deleted the update/wpcom-sso-local-users branch September 4, 2024 09:28
gogdzl pushed a commit that referenced this pull request Oct 25, 2024
Stops enforcing the WP.com login for Atomic sites with local users.

Previously, we were disabling the enforced WP.com login on sites with the classic interface (except for users coming from Calypso), and kept it on sites with the default interface.

However, sites with the default interface can have local users as well (users not connected to WP.com) who are unable to use their wp-admin credentials to log in to wp-admin.

This commit fixes that by changing who is enforced to log in with a WP.com account:

- Sites without local users:
  - WP.com login, always.
- Sites with local users:
  - If user comes from Calypso: WP.com login
  - Otherwise: Jetpack SSO login, so they can decide whether to use a WP.com account or a local account.
Successfully merging this pull request may close these issues.

SSO on dotcom: Allow Local Users to Access AT Sites Without Being Logged into wp.com