Skip to content

Route the application-passwords list screen through Basic auth#22892

Merged
jkmassel merged 0 commit into
jkmassel/issue-22884from
jkmassel/issue-22884-list-screen-direct-host
May 25, 2026
Merged

Route the application-passwords list screen through Basic auth#22892
jkmassel merged 0 commit into
jkmassel/issue-22884from
jkmassel/issue-22884-list-screen-direct-host

Conversation

@jkmassel
Copy link
Copy Markdown
Contributor

@jkmassel jkmassel commented May 25, 2026

Fixes a bug where the application-passwords list screen returned an empty list / auth error on Atomic sites.

Summary

  • Swap wpApiClientProvider.getWpApiClient(site)wpApiClientProvider.getApplicationPasswordClient(site) in ApplicationPasswordsViewModel.kt.
  • Self-hosted behavior unchanged (both providers return the same Basic-auth client for those sites).
  • Atomic / Jetpack-WPCom-REST: now talks directly to the site's host instead of the WP.com REST proxy.

Root Cause

getWpApiClient routes WPCom-flagged sites (including Atomic) through the WP.com REST proxy at https://public-api.wordpress.com/rest/v1.1/sites/{id}/wp/v2/.... The proxy doesn't expose the application-passwords routes — every request 404s with rest_no_route. The same upstream wordpress-rs limitation (Automattic/wordpress-rs#1350) drove dropping the headless wordpress-rs mint attempt in #22885.

Fix

getApplicationPasswordClient(site) always builds a direct-host Basic-auth client using the SiteModel's apiRestUsernamePlain / apiRestPasswordPlain. The direct host serves the application-passwords routes on every WordPress install.

Limitations

The SiteModel must already have credentials — typically populated by the My Site auto-mint flow on first foreground (introduced in #22885). A user reaching the list screen without ever visiting My Site would 401 instead of seeing the (already-empty) screen. Out of scope here; can be handled by minting on demand if it turns out to matter.

Test plan

  • Open an Atomic site → Me → Application Passwords. List displays correctly.
  • Open a self-hosted site with stored creds → Me → Application Passwords. List displays correctly (regression check).
  • Delete an app password server-side → re-open the screen. Error message surfaces correctly.

Related

@dangermattic
Copy link
Copy Markdown
Collaborator

dangermattic commented May 25, 2026

1 Message
📖 This PR is still a Draft: some checks will be skipped.

Generated by 🚫 Danger

@jkmassel jkmassel requested a review from adalpari May 25, 2026 17:47
@jkmassel jkmassel force-pushed the jkmassel/issue-22884-list-screen-direct-host branch from b22543d to 2828efe Compare May 25, 2026 17:56
@jkmassel jkmassel merged commit 2828efe into jkmassel/issue-22884 May 25, 2026
1 check was pending
@jkmassel jkmassel force-pushed the jkmassel/issue-22884 branch from 912dd2e to a123523 Compare May 25, 2026 17:56
@jkmassel jkmassel deleted the jkmassel/issue-22884-list-screen-direct-host branch May 25, 2026 17:56
@jkmassel jkmassel restored the jkmassel/issue-22884-list-screen-direct-host branch May 25, 2026 17:57
@jkmassel jkmassel mentioned this pull request May 25, 2026
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adalpari adalpari Awaiting requested review from adalpari

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jkmassel @dangermattic