Offer the application password login inside a card in MySite screen

[adalpari]

Description

This PR is adding a new card at the top of MySite screen. That card should be only visible for self-hosted sited, and clicking on it should open the Application Password authentication flow.

Most of the logic has been moved from the VM to a Slide class to follow how other cards are constructed. In addition, a local memory cache has been included to avoid calling the api unnecessarily.

Testing instructions

1. Log into the app using both, a WP site and a self-hosted one
2. Change between both sites screens

• Verify you DON'T see any new login card

1. Set the variable ´ApplicationPasswordViewModelSlice.buildCard´ to true

2. Browse the sites screens now

• Verify you DO see a new card to log in for the self-hosted site
• Verify you DON'T see a new card for the WP site

Screen.Recording.2025-05-14.at.16.50.50.mov

3. Follow the login flow for the self-hosted site

• After logging in, verify you don't see the card anymore.

Screen.Recording.2025-05-14.at.16.58.03.mov

[dangermattic]

	3 Warnings
⚠️	strings.xml files should only be updated on release branches, when the translations are downloaded by our automation.
⚠️	This PR is larger than 300 lines of changes. Please consider splitting it into smaller PRs for easier and faster reviews.
⚠️	PR is not assigned to a milestone.

Generated by 🚫 Danger

[wpmobilebot]

📲 You can test the changes from this Pull Request in WordPress by scanning the QR code below to install the corresponding build.

	App Name	WordPress
	Flavor	Jalapeno
	Build Type	Debug
	Version	pr21878-5552813
	Commit	5552813
	Direct Download	wordpress-prototype-build-pr21878-5552813.apk

Note: Google Login is not supported on these builds.

[wpmobilebot]

📲 You can test the changes from this Pull Request in Jetpack by scanning the QR code below to install the corresponding build.

	App Name	Jetpack
	Flavor	Jalapeno
	Build Type	Debug
	Version	pr21878-5552813
	Commit	5552813
	Direct Download	jetpack-prototype-build-pr21878-5552813.apk

Note: Google Login is not supported on these builds.

[Copilot]

Pull Request Overview

This pull request introduces a new Application Password login card on the MySite screen for self-hosted sites. Key changes include the addition of an ApplicationPasswordViewModelSlice with local caching, updates to integrate this card in MySiteViewModel and MySiteFragment, and corresponding test adjustments.

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
WordPress/src/test/java/org/wordpress/android/ui/mysite/cards/applicationpassword/ApplicationPasswordViewModelSliceTest.kt	New tests to verify the behavior of the application password card.
WordPress/src/test/java/org/wordpress/android/ui/mysite/MySiteViewModelTest.kt	Removed redundant test cases and references for application password.
WordPress/src/main/res/values/strings.xml	Added a new localized string for the application password title.
WordPress/src/main/java/org/wordpress/android/ui/mysite/cards/applicationpassword/ApplicationPasswordViewModelSlice.kt	Implements the business logic for discovering and showing the auth URL.
WordPress/src/main/java/org/wordpress/android/ui/mysite/SiteNavigationAction.kt	Added a new navigation action for application password authentication.
WordPress/src/main/java/org/wordpress/android/ui/mysite/MySiteViewModel.kt	Integrated the new slice into the overall UI model composition.
WordPress/src/main/java/org/wordpress/android/ui/mysite/MySiteFragment.kt	Updated fragment to trigger the new application password flow.

Comments suppressed due to low confidence (1)

WordPress/src/main/java/org/wordpress/android/ui/mysite/MySiteViewModel.kt:151

• Rename 'applicationPAsswordModel' to 'applicationPasswordModel' for consistency and clarity.

val headerList = listOfNotNull(nonNullSiteInfoHeaderCard, applicationPAsswordModel)

[codecov]

Codecov Report

Attention: Patch coverage is 71.42857% with 2 lines in your changes missing coverage. Please review.

Project coverage is 39.63%. Comparing base (4223d55) to head (5552813).
Report is 1 commits behind head on trunk.

Files with missing lines	Patch %	Lines
...org/wordpress/android/ui/mysite/MySiteViewModel.kt	71.42%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##            trunk   #21878   +/-   ##
=======================================
  Coverage   39.63%   39.63%           
=======================================
  Files        2124     2124           
  Lines       99218    99218           
  Branches    15243    15243           
=======================================
  Hits        39330    39330           
  Misses      56427    56427           
  Partials     3461     3461           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[nbradbury]

This card doesn't show up in the "Personalize your home tab" screen. I assume we don't want it there, but just wanted to let you know this feature exists.

personliaze.mp4

[nbradbury]

Verify you DO see a new card to log in for the self-hosted site
Verify you DON'T see a new card for the WP site

I'm seeing the card for both self-hosted and WP.com.

Self-hosted

WP.com

[adalpari]

This card doesn't show up in the "Personalize your home tab" screen. I assume we don't want it there, but just wanted to let you know this feature exists.

Good point. I don't think this is a personalizable card sicne it's an encouraged one-time action.

[adalpari]

Verify you DO see a new card to log in for the self-hosted site
Verify you DON'T see a new card for the WP site

I'm seeing the card for both self-hosted and WP.com.

How did you logged in for nickbradbury.com site? Edit: I mean, did you use use the site url + credentials if that is even possible?
Could you send me the logs you see when opening the site screen. Filter them by "WP_RS". Thanks!

[nbradbury]

@adalpari I logged in using the WP.com site url and credentials. Here's the relevant logging:

VM: Error during API discovery for https://nbradbury10.wordpress.com (Ask Gemini)
ava.lang.Exception: FailureFindApiRoot
at org.wordpress.android.ui.mysite.cards.applicationpassword.ApplicationPasswordViewModelSlice$getAuthorizationUrlCompleteInternal$2.invokeSuspend(ApplicationPasswordViewModelSlice.kt:139)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:100)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:586)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:829)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:717)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:704)
2025-05-14 16:08:31.880 30760-30840 WP_RS                   com.jetpack.android.beta             
D  Found authorization for https://nickbradbury.com URL: https://nickbradbury.com/wp-admin/authorize-application.php?app_name=android-jetpack-client&success_url=jetpack%3A%2F%2Fapp-pass-authorize

Note in the log it's attempting to log into nbradbury10.wordpress.com instead of nickbradbury.com even though I entered the latter URL, but those are both WP.com sites.

Odd that the site can not be discovered but the card is shown anyway.. Maybe a problem with the local cache...

1. Can you reproduce it 100% of the times? If so, could you tell me the steps?
2. What happens if you tap on the card? Which login site does it open?

About the used URL, I am using the one stored in the DB. So, probably we are storing ´nbradbury10.wordpress.com´ directly instead of nickbradbury.com 🤔

[nbradbury]

Note in the log it's attempting to log into nbradbury10.wordpress.com instead of nickbradbury.com

@adalpari Possibly related to this, I noticed that WPMainActivity.setSelectedSite was being called multiple times after logging in, and not always with the site that was selected after logging in. This is a pre-existing issue, but I'm wondering if it might be causing the problem I mentioned?

[adalpari]

Note: the way of running this PR has changed because of commenting the initial line was causing the tests to fail.
So, in order to test the PR, please set the variable ApplicationPasswordViewModelSlice.buildCard to true

[adalpari]

Note in the log it's attempting to log into nbradbury10.wordpress.com instead of nickbradbury.com

@adalpari Possibly related to this, I noticed that WPMainActivity.setSelectedSite was being called multiple times after logging in, and not always with the site that was selected after logging in. This is a pre-existing issue, but I'm wondering if it might be causing the problem I mentioned?

It could certainly be... But if te other cards are correctly built I am wondering why the Application Password card is not 🤔

[nbradbury]

Can you reproduce it 100% of the times? If so, could you tell me the steps?

Yes, this happens every time. The steps are I simply login using a site address.

What happens if you tap on the card? Which login site does it open?

Tapping the card opens the site I expected.

[adalpari]

ok, it looks like the login discovery is returning a valid URL for , when probably it shouldn't...

Found authorisation for http://nickbradbury.com URL: https://nickbradbury.com/wp-....

[adalpari]

@nbradbury could you run the PR again, and send me the logs with the tag DEBUG_TAG I've added?
Basically open your WP.com site and click on the card. Thanks!

[nbradbury]

@adalpari Here's what I see in the log:

2025-05-20 07:24:56.366  5618-5618  DEBUG_TAG               com.jetpack.android.beta             D  Cache miss for https://nbradbury10.wordpress.com, set to null
2025-05-20 07:24:56.787  5618-5674  DEBUG_TAG               com.jetpack.android.beta             D  Failed discovery for https://nbradbury10.wordpress.com
2025-05-20 07:24:56.822  5618-5618  DEBUG_TAG               com.jetpack.android.beta             D  Site not authenticable https://nbradbury10.wordpress.com, set to null
2025-05-20 07:24:56.822  5618-5618  DEBUG_TAG               com.jetpack.android.beta             D  ----------------------
2025-05-20 07:24:59.337  5618-5618  DEBUG_TAG               com.jetpack.android.beta             D  Cache miss for https://nickbradbury.com, set to null
2025-05-20 07:24:59.498  5618-5676  DEBUG_TAG               com.jetpack.android.beta             D  Got URL for site https://nickbradbury.com: https://nickbradbury.com/wp-admin/authorize-application.php
2025-05-20 07:24:59.523  5618-5618  DEBUG_TAG               com.jetpack.android.beta             D  Site authenticable https://nickbradbury.com, set to https://nickbradbury.com/wp-admin/authorize-application.php?app_name=android-jetpack-client&success_url=jetpack%3A%2F%2Fapp-pass-authorize
2025-05-20 07:24:59.523  5618-5618  DEBUG_TAG               com.jetpack.android.beta             D  ----------------------
2025-05-20 07:28:04.127  5618-5618  DEBUG_TAG               com.jetpack.android.beta             D  Opening card for https://nickbradbury.com/wp-admin/authorize-application.php?app_name=android-jetpack-client&success_url=jetpack%3A%2F%2Fapp-pass-authorize

[adalpari]

Hey @nbradbury!
It looks like the WP.com site is actually an Atomic site. So, it's expected to show the Application Password login.
On the other hand https://nbradbury10.wordpress.com should show that error and hide the card.
Do you see any other non-solved issue preventing to merge the PR?

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[nbradbury]

@adalpari Thanks for the clarification! I'll approve this PR.

[nbradbury]

Looks good!