Improve authentication logic for authenticated web view

[itsmeichigo]

Closes: #15147

Description

This PR implements the improvements suggested in pe5sF9-3QB-p2. Authenticated web view now handles auto authentication in the web view for the following cases:

• WordPress.com authenticated:
  • wordpress.com supported URLs.
  • Jetpack SSO sites (including both Atomic and self-hosted sites)
• Site Credentials authenticated (assuming native login worked for the authentication)

Also, the web view now catches the authentication failures to navigate the user to the original URL in these cases.

Steps to reproduce

Important

• To avoid any false positives, please ensure that you are signed out from the WebView after each test by tapping the WordPress logout button manually in the WebView.
• If you changed the Jetpack SSO module settings for a site, ensure that you restart the app to fetch the new site modules.
• WPS Hide Login that I used in some tests below has issues with redirection, so expect some issues. I couldn't find an alternative plugin that works better, in the past we used to use WP Hide & Security Enhancer which worked well, but its free version doesn't seem to work with Jurassic Ninja sites nor Pressable sites anymore.
• Jetpack SSO settings can be accessed from Jetpack Settings in wp-admin (wp-admin/admin.php?page=jetpack#/settings)

TC1: WordPress.com authenticated with a wordpress.com supported link

1. Sign in using WordPress.com
2. Open the payments hub.
3. Tap on "order card reader"
4. Tap on Log In in the hamburger menu.
5. Confirm that your WordPress.com account is signed in and suggested as first option.

TC2: WordPress.com authenticated with a Jetpack SSO site

1. Sign in using WordPress.com
2. Select a Jetpack website (Atomic or self-hosted) where Jetpack SSO is enabled (can be enabled from Jetpack settings in wp-admin).
3. Open the dashboard screen.
4. If needed, add the performance card.
5. Tap on "View all store analytics"
6. Tap on "See report" in one of the analytics cards.
7. Confirm that you are auto-authenticated to your account.
8. Optional: Set your site to coming soon wp-admin > WooCommerce Settings > Site Visibility. Then on the app, select a published product > View Product in Store and confirm that the product page can be displayed successfully with a banner at the bottom about the coming soon state.

TC3: WordPress.com authenticated with a Jetpack site without SSO

1. Sign in using WordPress.com
2. Select a Jetpack website where Jetpack SSO is disabled (can be disabled from Jetpack settings in wp-admin).
3. Open the dashboard screen.
4. If needed, add the performance card.
5. Tap on "View all store analytics"
6. Tap on "See report" in one of the analytics cards.
7. Confirm that you see the WPOrg login page instead of being authenticated automatically.

TC4: Site Credentials authenticated using web authorization

1. Use a self-hosted site.
2. Install WPS Hide Login plugin.
3. Open WPS Hide Login settings, and use a custom login URL (Enter the same URL in the redirection URL too).
4. Open the app and sign in (you might need to perform the Web Authorization twice, because WPS Hide Login doesn't work well with the redirection, but I didn't find a better alternative)
5. Open the dashboard screen.
6. If needed, add the performance card.
7. Tap on "View all store analytics"
8. Tap on "See report" in one of the analytics cards.
9. Confirm that you see the WPOrg login page instead of being authenticated automatically.

TC5: Site Credentials authenticated natively

1. Use a self-hosted site that doesn't use any security measures that could break the native login.
2. Sign in using site credentials.
3. Open the dashboard screen.
4. If needed, add the performance card.
5. Tap on "View all store analytics"
6. Tap on "See report" in one of the analytics cards.
7. Confirm that you are auto-authenticated to your account.

TC6: Site Credentials authenticated natively, but uses custom login URL now

1. Use a self-hosted site that doesn't use any security measures that could break the native login.
2. Sign in using site credentials.
3. Install WPS Hide Login plugin.
4. Configure WPS Hide Login to use a custom login URL (Enter the same URL in the redirection URL too).
5. Open the dashboard screen.
6. If needed, add the performance card.
7. Tap on "View all store analytics"
8. Tap on "See report" in one of the analytics cards.
9. Confirm that the login screen is shown (which is expected in this case given the custom login URL).

Testing information

• Tested all the cases above using simulator iPhone 16 Pro iOS 18.1 and 18.2.
• Unit tests were added to verify the logic for authentication flow checks.

Screenshots

N/A

---

• I have considered if this change warrants user-facing release notes and have added them to RELEASE-NOTES.txt if necessary.

Reviewer (or Author, in the case of optional code reviews):

Please make sure these conditions are met before approving the PR, or request changes if the PR needs improvement:

• The PR is small and has a clear, single focus, or a valid explanation is provided in the description. If needed, please request to split it into smaller PRs.
• Ensure Adequate Unit Test Coverage: The changes are reasonably covered by unit tests or an explanation is provided in the PR description.
• Manual Testing: The author listed all the tests they ran, including smoke tests when needed (e.g., for refactorings). The reviewer confirmed that the PR works as expected on all devices (phone/tablet) and no regressions are added.

[wpmobilebot]

📲 You can test the changes from this Pull Request in WooCommerce iOS by scanning the QR code below to install the corresponding build.

	App Name	WooCommerce iOS
	Build Number	pr15164-75ec99a
	Version	21.7
	Bundle ID	com.automattic.alpha.woocommerce
	Commit	75ec99a
	App Center Build	WooCommerce - Prototype Builds #13063

Automatticians: You can use our internal self-serve MC tool to give yourself access to App Center if needed.

[itsmeichigo]

Using authenticated web view controller now for all product preview - the web view now can check to see if authentication is possible. If not, it would just open the original URL.

[selanthiraiyan]

Nice work, Huong!

The code LGTM and tests as expected. 🚀

---

I am sharing a few observations just for information.

1. I think the 8th point in TC3 is not relevant and should be removed.
2. With WPS Hide Login installed I had to exit the web view during the login flow and try login again. I think this is expected as your mentioned in test instructions.
3. With WPS Hide Login installed after logging in to the app, I had to logout of the web view before testing further to avoid false positives. This is expected as you mentioned in the test instructions.

[selanthiraiyan]

Suggested change

	/// More information: https://wp.me/pe5sF9-3Si
	/// More information: pe5sF9-3Si-p2

[itsmeichigo]

Nice catch! Fixed in e9d83df.

[selanthiraiyan]

❓ Should we rename isAuthenticationFailure into isAuthenticationInProgress? If I understand this correctly, we are checking whether the current url is related to authentication and return false if the url is related to log. This lets the web view proceed further with the navigation and authentication.

[itsmeichigo]

I believe isAuthenticationFailure makes more sense here, as the web view fails to handle the authentication (POST request) and attempts to load the login page (the HTLM page) instead.

[selanthiraiyan]

Nice tests. ❤️

[dangermattic]

	1 Warning
⚠️	This PR is assigned to the milestone 21.8. This milestone is due in less than 2 days. Please make sure to get it merged by then or assign it to a milestone with a later deadline.

Generated by 🚫 Danger

[itsmeichigo]

Thank you Sharma for the review!

I think the 8th point in TC3 is not relevant and should be removed.

I removed this from the PR description ✅