Handle and store application password

[adalpari]

Description

On this PR we are showing the Application password

Testing instructions

1. Log into a self-hosted site
2. Open the site fragment
3. Close the app and open it again

• Verify you don't get any dialog to authenticate with Application Password

4. In the code, uncomment line 169 of MySiteFragment.kt to allow running the autodiscovery
5. Run the app

• Verify you see a dialog asking to authenticate with Application Password

6. Follow the flow and authenticate

• Verify you see a success toast
• Verify you see a log like Saved application password credentials for: https://vanilla.wpmt.co
• Verify you don't see the dialog anymore

Screen.Recording.2025-05-09.at.16.39.27.mov

NOTE: As we talked yesterday, dialog is gonna be moved into a card. So no need to check the dialog dimiss actions or dialog translations.

[dangermattic]

	3 Warnings
⚠️	strings.xml files should only be updated on release branches, when the translations are downloaded by our automation.
⚠️	This PR is larger than 300 lines of changes. Please consider splitting it into smaller PRs for easier and faster reviews.
⚠️	PR is not assigned to a milestone.

Generated by 🚫 Danger

[wpmobilebot]

Project manifest changes for WordPress

The following changes in the WordPress's merged AndroidManifest.xml file were detected (build variant: wordpressVanillaRelease):

--- ./build/reports/diff_manifest/WordPress/wordpressVanillaRelease/base_manifest.txt	2025-05-12 16:31:38.880267784 +0000
+++ ./build/reports/diff_manifest/WordPress/wordpressVanillaRelease/head_manifest.txt	2025-05-12 16:31:41.210282006 +0000
@@ -200,6 +200,22 @@
             </intent-filter>
         </activity>
         <activity
+            android:name="org.wordpress.android.ui.accounts.ApplicationPasswordLoginActivity"
+            android:exported="true"
+            android:theme="@style/LoginTheme.TransparentSystemBars"
+            android:windowSoftInputMode="adjustResize" >
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+
+                <category android:name="android.intent.category.DEFAULT" />
+                <category android:name="android.intent.category.BROWSABLE" />
+
+                <data
+                    android:host="app-pass-authorize"
+                    android:scheme="wordpress" />
+            </intent-filter>
+        </activity>
+        <activity
             android:name="org.wordpress.android.ui.accounts.LoginMagicLinkInterceptActivity"
             android:exported="true"
             android:theme="@style/NoDisplay" >
@@ -1426,10 +1442,6 @@
             android:directBootAware="true"
             android:exported="false" />
 
-        <activity
-            android:name="androidx.compose.ui.tooling.PreviewActivity"
-            android:exported="true" />
-
         <provider
             android:name="zendesk.core.MediaFileProvider"
             android:authorities="org.wordpress.android.zendesk.sdk.user.attachments"
@@ -1438,7 +1450,11 @@
             <meta-data
                 android:name="android.support.FILE_PROVIDER_PATHS"
                 android:resource="@xml/zendesk_user_attachments" />
-        </provider> <!-- 'android:authorities' must be unique in the device, across all apps -->
+        </provider>
+
+        <activity
+            android:name="androidx.compose.ui.tooling.PreviewActivity"
+            android:exported="true" /> <!-- 'android:authorities' must be unique in the device, across all apps -->
         <provider
             android:name="io.sentry.android.core.SentryInitProvider"
             android:authorities="org.wordpress.android.SentryInitProvider"

Go to https://buildkite.com/automattic/wordpress-android/builds/21864/canvas?sid=0196c552-469b-4afe-bd75-9c7dd6a660ea, click on the Artifacts tab and audit the files.

[wpmobilebot]

Project manifest changes for WordPress

The following changes in the WordPress's merged AndroidManifest.xml file were detected (build variant: jetpackVanillaRelease):

--- ./build/reports/diff_manifest/WordPress/jetpackVanillaRelease/base_manifest.txt	2025-05-12 16:31:35.900783787 +0000
+++ ./build/reports/diff_manifest/WordPress/jetpackVanillaRelease/head_manifest.txt	2025-05-12 16:31:38.090795136 +0000
@@ -334,6 +334,22 @@
             </intent-filter>
         </activity>
         <activity
+            android:name="org.wordpress.android.ui.accounts.ApplicationPasswordLoginActivity"
+            android:exported="true"
+            android:theme="@style/LoginTheme.TransparentSystemBars"
+            android:windowSoftInputMode="adjustResize" >
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+
+                <category android:name="android.intent.category.DEFAULT" />
+                <category android:name="android.intent.category.BROWSABLE" />
+
+                <data
+                    android:host="app-pass-authorize"
+                    android:scheme="jetpack" />
+            </intent-filter>
+        </activity>
+        <activity
             android:name="org.wordpress.android.ui.accounts.LoginMagicLinkInterceptActivity"
             android:exported="true"
             android:theme="@style/NoDisplay" >
@@ -1453,10 +1469,6 @@
             android:directBootAware="true"
             android:exported="false" />
 
-        <activity
-            android:name="androidx.compose.ui.tooling.PreviewActivity"
-            android:exported="true" />
-
         <provider
             android:name="zendesk.core.MediaFileProvider"
             android:authorities="com.jetpack.android.zendesk.sdk.user.attachments"
@@ -1465,7 +1477,11 @@
             <meta-data
                 android:name="android.support.FILE_PROVIDER_PATHS"
                 android:resource="@xml/zendesk_user_attachments" />
-        </provider> <!-- 'android:authorities' must be unique in the device, across all apps -->
+        </provider>
+
+        <activity
+            android:name="androidx.compose.ui.tooling.PreviewActivity"
+            android:exported="true" /> <!-- 'android:authorities' must be unique in the device, across all apps -->
         <provider
             android:name="io.sentry.android.core.SentryInitProvider"
             android:authorities="com.jetpack.android.SentryInitProvider"

Go to https://buildkite.com/automattic/wordpress-android/builds/21864/canvas?sid=0196c552-469e-454a-b7c7-3e4d0c140beb, click on the Artifacts tab and audit the files.

[wpmobilebot]

📲 You can test the changes from this Pull Request in WordPress by scanning the QR code below to install the corresponding build.

	App Name	WordPress
	Flavor	Jalapeno
	Build Type	Debug
	Version	pr21859-3f8a9b5
	Commit	3f8a9b5
	Direct Download	wordpress-prototype-build-pr21859-3f8a9b5.apk

Note: Google Login is not supported on these builds.

[wpmobilebot]

📲 You can test the changes from this Pull Request in Jetpack by scanning the QR code below to install the corresponding build.

	App Name	Jetpack
	Flavor	Jalapeno
	Build Type	Debug
	Version	pr21859-3f8a9b5
	Commit	3f8a9b5
	Direct Download	jetpack-prototype-build-pr21859-3f8a9b5.apk

Note: Google Login is not supported on these builds.

[codecov]

Codecov Report

Attention: Patch coverage is 67.56757% with 12 lines in your changes missing coverage. Please review.

Project coverage is 39.38%. Comparing base (a658015) to head (3f8a9b5).
Report is 3 commits behind head on trunk.

Files with missing lines	Patch %	Lines
...org/wordpress/android/ui/mysite/MySiteViewModel.kt	66.66%	9 Missing and 1 partial ⚠️
...rdpress/android/fluxc/persistence/WellSqlConfig.kt	33.33%	2 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##            trunk   #21859   +/-   ##
=======================================
  Coverage   39.38%   39.38%           
=======================================
  Files        2133     2133           
  Lines      100044   100044           
  Branches    15408    15408           
=======================================
  Hits        39406    39406           
  Misses      57155    57155           
  Partials     3483     3483           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull Request Overview

This PR introduces support for handling and storing application passwords. It updates the database schema and SiteModel to accommodate new API REST fields, adds UI flows to trigger authentication via application password, and implements comprehensive tests and helper classes to support the new functionality.

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
libs/fluxc/src/main/java/org/wordpress/android/fluxc/persistence/WellSqlConfig.kt	Incremented DB version and added columns for API REST username/password.
libs/fluxc/src/main/java/org/wordpress/android/fluxc/model/SiteModel.java	Added new fields and accessors for API REST username/password.
WordPress/src/test/java/org/wordpress/android/ui/mysite/MySiteViewModelTest.kt	Updated tests to use the new SiteModel fields and application password discovery flow.
WordPress/src/main/java/org/wordpress/android/ui/mysite/MySiteViewModel.kt	Integrated application password discovery logic and preference handling.
WordPress/src/main/java/org/wordpress/android/ui/mysite/MySiteFragment.kt	Updated UI to display the application password authentication dialog and launch custom tabs.
Other files	Added unit tests and helper classes for application password login and updated manifest with appropriate intent filters.

Comments suppressed due to low confidence (1)

WordPress/src/main/java/org/wordpress/android/ui/mysite/MySiteFragment.kt:477

• There is a typo in the dialog message; 'Applictaion' should be corrected to 'Application'.

builder.setMessage("Would you like to authenticate this site using Applictaion Password?")

[nbradbury]

In the code, uncomment line 169 of https://github.com/Automattic/wordpress-rs/pull/719 to allow running the autodiscovery

@adalpari I'm confused by this instruction. Did you mean to reference a line of code in the app instead of in wordpress-rs?

[adalpari]

In the code, uncomment line 169 of https://github.com/Automattic/wordpress-rs/pull/719 to allow running the autodiscovery

@adalpari I'm confused by this instruction. Did you mean to reference a line of code in the app instead of in wordpress-rs?

🤦 Sorry, it was a copy&paste error. The line is inside MySiteFragment.kt file

[nbradbury]

@adalpari I noticed a couple of things which may or may not be issues given that you mentioned "no need to check the dialog dimiss actions." First, if I tap "Yes" on the dialog but hit the back button from the WP authorization page, the dialog reappears. Should it?

dialog.mp4

Second, if I tap "No" the dialog still appears when I restart the app.

dialog2.mp4

Again, these may not be issues, I just wanted to make sure the logic isn't being copied when this switches to a dashboard card.

[adalpari]

@adalpari I noticed a couple of things which may or may not be issues given that you mentioned "no need to check the dialog dimiss actions."

Thank you for the thorough review.
Yes, after working on the dialog, we decided to make it a card. But since it's not trivial to me, I went ahead with this PR and working on the card now.

First, if I tap "Yes" on the dialog but hit the back button from the WP authorization page, the dialog reappears. Should it?

Good point. I could dismiss it, but after converting it to a card, it will make sense to keep it if the user goes back.

Second, if I tap "No" the dialog still appears when I restart the app.

Odd because it should not re-appear (there's even a test for it). Maybe the shared preference was not committed before the restart 🤔.
Anyway, this is not relevant anymore since it won't apply to the new approach. So, we can skip that.

Again, thank you for the deep test!

[nbradbury]

@adalpari I'm curious why we don't show the dialog the first time the site is opened? That means the user won't see the dialog after logging in.

[adalpari]

Yeah, because showing the dialog right after the login felt a bit intrusive. So, I opted to wait for the second run.
However, since we are changing it into a card. Probably this logic doesn't make sense anymore.
I can remove it in this PR, or in the next one. wdyt?

[nbradbury]

Makes sense - we can wait for the next PR.

[sonarqubecloud]

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[nbradbury]

Changes are good!