jetpack icon indicating copy to clipboard operation
jetpack copied to clipboard
verified publisher icon Automattic

WAF: add account recovery flow

Open Initsogar opened this issue 8 months ago • 4 comments

Resolves PROTECT-22

Adds an account recovery flow for users with blocklisted IP addresses.

Proposed changes:

  • Centralizes and reuses the Brute Force Protection blocked login class for WAF account recovery
  • Adds a context property for class instantiation so we can conditionally supply unique support links

Other information:

  • [ ] Have you written new tests for your changes, if applicable?
  • [ ] Have you checked the E2E test CI results, and verified that your changes do not break them?
  • [ ] Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

https://github.com/Automattic/jetpack-scan-team/issues/516

Does this pull request change what data or activity we track or use?

No

Testing instructions:

  • Checkout this branch and run JT with Protect installed
  • Add your current IP to the block list and refresh
  • Verify that every request sent is blocked and logged by the WAF
  • Proceed to /wp-login.php and ensure the blocked login form displays and the support link context is relevant to the WAF
  • Submit your user email address and follow the recovery flow in the recovery email sent
  • Verify that you are able to login and that WAF bypasses blocking all requests for a period of 10 mins (allowing you just enough time to whitelist your IP or remove it from the blocklist)
  • Ensure the mechanism continues to work as per usual for the BFP module and ensure link context is correct for docs
  • Test using Jetpack also

Initsogar avatar Apr 11 '25 23:04 Initsogar

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the add/waf-account-recovery-flow branch.
  • To test on Simple, run the following command on your sandbox:
bin/jetpack-downloader test jetpack add/waf-account-recovery-flow

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

github-actions[bot] avatar Apr 11 '25 23:04 github-actions[bot]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • :white_check_mark: Include a description of your PR changes.
  • :white_check_mark: Add a "[Status]" label (In Progress, Needs Review, ...).
  • :white_check_mark: Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  • :white_check_mark: Add testing instructions.
  • :white_check_mark: Specify whether this PR includes any changes to data or privacy.
  • :white_check_mark: Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation :robot:

Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
  3. You can use GitHub's Reviewers functionality to request a review.
  4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

github-actions[bot] avatar Apr 11 '25 23:04 github-actions[bot]

Code Coverage Summary

Coverage changed in 1 file.

File Coverage Δ% Δ Uncovered
projects/packages/waf/src/class-waf-runtime.php 221/305 (72.46%) -4.01% 16 💔

3 files are newly checked for coverage.

File Coverage
projects/packages/waf/src/abstract-blocked-login-page.php 0/225 (0.00%) 💔
projects/packages/waf/src/brute-force-protection/class-brute-force-protection-blocked-login-page.php 0/4 (0.00%) 💔
projects/packages/waf/src/class-waf-blocked-login-page.php 0/4 (0.00%) 💔

Full summary · PHP report · JS report

Coverage check overridden by https://github.com/Automattic/jetpack/labels/Coverage%20tests%20to%20be%20added%20later.

jp-launch-control[bot] avatar Apr 11 '25 23:04 jp-launch-control[bot]

Just wanted to review this but it looks like we should resolve the conflicts and update this branch first.

Thanks for pointing it out. I just merged from trunk and fixed the conflicts 🙌

Initsogar avatar Jun 14 '25 00:06 Initsogar