Hardening for the Atomic application-password validator and cleanup flow

[jkmassel]

Four corrections to the validator + cleanup flow introduced in #22885. Found during on-device testing of that PR.

Summary

1. Tighten validator error classification — only return Invalid when there's positive evidence the credential was rejected.
2. Treat 401/403 WpError responses as auth failures regardless of error-code name.
3. Clear the SiteModel's credential columns in deleteStoredApplicationPasswordCredentials, not just the encrypted-prefs cache.
4. Adapt to the wordpress-rs UInt status-code API (post-rebase mechanical change).

Root Cause

#22885 introduced an asymmetric pipeline: any Outcome.Invalid from ApplicationPasswordValidator triggers siteStore.deleteStoredApplicationPasswordCredentials(...) + a re-mint. The original implementation had three bugs that combined to either destroy working credentials or strand the user with an unrecoverable revoked password:

1. Validator misclassified recoverable errors as Invalid

The original when mapped WpRequestResult.WpError, UnknownError, and the else branch all to Outcome.Invalid. That meant a transient 5xx, a DeviceIsOfflineError, a parse error, or any unrecognized variant would all wipe working credentials. The generic catch (Exception) also swallowed CancellationException.

2. WpError auth detection used WpErrorCode names instead of status codes

The first fix tightened the classification to recognize a fixed allowlist of WpErrorCode variants (Unauthorized, Forbidden, ApplicationPasswordNotFound, NoAuthenticatedAppPassword). That missed the most common case in practice: WordPress returns {"code": "incorrect_password", ...} for a revoked application password (Basic auth rejection), and wordpress-rs parses that into WpErrorCode.CustomError("incorrect_password") via its untagged-string fallback. None of the name-based matchers caught CustomError, so the validator silently returned Outcome.NetworkUnavailable and the My Site card stayed hidden when it should have triggered a re-mint. Reproduced on-device:

A_P: Validating application password for ... as user='jkmassel'
A_P: Validation response: WpError
A_P: Validation network error for ...

Status code is the reliable signal — any parseable WpError with a 401/403 status is, by definition, an auth rejection regardless of which WpErrorCode it carries.

3. deleteStoredApplicationPasswordCredentials only cleared the encrypted-prefs cache

The method cleared only ApplicationPasswordsStore (encrypted SharedPreferences) and left the SiteModel's apiRest* DB columns untouched. Combined with the validate→wipe→re-mint loop, if validation returned Invalid and the subsequent mint failed (network down, server unreachable, etc.), the next buildCard reloaded the site from DB, decryptAPIRestCredentials resurrected the stale plain fields, siteHasBadCredentials reported false, and validation ran again with the same revoked password. The attemptXmlRpcRediscovery path also reads the plain fields directly and 401s when they're stale.

Fix

Validator

• Invert the default: anything unrecognized → Outcome.NetworkUnavailable (non-destructive). Only return Outcome.Invalid when there's positive evidence of an auth rejection — auth-specific WpErrorCode (mirrors the canonical PostRsErrorUtils.isAuthError pattern), auth-specific RequestExecutionErrorReason, or a WpError with 401/403 status.
• Re-throw CancellationException before the generic Exception catch.

Credential cleanup

• deleteStoredApplicationPasswordCredentials now clears the SiteModel's plain and encrypted credential columns in addition to the encrypted-prefs cache, using the same fetch-fresh-from-DB / mutate / save pattern as removeApplicationPassword. Emits OnSiteChanged so observers see the credential state change. wpApiRestUrl is intentionally preserved — unlike full sign-out, the discovered REST URL is reusable across credential rotations.

Wordpress-rs UInt migration

• The wordpress-rs bump on trunk (fc05d3bb3d9) changed statusCode from UShort to UInt. One-line signature change in isAuthStatusCode + four toUShort() → toUInt() test fixture updates. No behavior change.

Tests

ApplicationPasswordValidatorTest (new, 21 tests):

• Success → Valid.
• WpError for each auth-related WpErrorCode → Invalid.
• WpError with any code + status 401/403 → Invalid (covers the incorrect_password case).
• WpError with non-auth code + non-auth status → NetworkUnavailable.
• WpError with non-auth code + 500 → NetworkUnavailable.
• RequestExecutionFailed for each auth-related reason → Invalid.
• RequestExecutionFailed for each non-auth reason (timeout, offline, DNS, generic transport) → NetworkUnavailable.
• UnknownError, InvalidHttpStatusCode, ResponseParsingError → NetworkUnavailable.
• Generic Exception → NetworkUnavailable.
• CancellationException is rethrown.

Test plan

• Atomic site with valid creds — pull-to-refresh. Validate succeeds → no card.
• Atomic site with revoked creds — pull-to-refresh. Validator returns Invalid → wipe → re-mint succeeds → no card.
• Atomic site with revoked creds + airplane mode — pull-to-refresh. Validator returns NetworkUnavailable → no card, no destructive action; creds preserved in DB.
• Self-hosted regression: still works.
• :WordPress:testJetpackDebugUnitTest --tests "org.wordpress.android.ui.mysite.cards.applicationpassword.*" all pass.

Related

• Stacked on Allow headless application-password creation on Atomic sites #22885.

[dangermattic]

	1 Message
📖	This PR is still a Draft: some checks will be skipped.

Generated by 🚫 Danger

[wpmobilebot]

📲 You can test the changes from this Pull Request in Jetpack Android by scanning the QR code below to install the corresponding build.

	App Name	Jetpack Android
	Build Type	Debug
	Version	pr22893-e570420
	Build Number	1488
	Application ID	com.jetpack.android.prealpha
	Commit	e570420
	Installation URL	7h36vbjg2q658

Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

[wpmobilebot]

📲 You can test the changes from this Pull Request in WordPress Android by scanning the QR code below to install the corresponding build.

	App Name	WordPress Android
	Build Type	Debug
	Version	pr22893-e570420
	Build Number	1488
	Application ID	org.wordpress.android.prealpha
	Commit	e570420
	Installation URL	2o0iue89alr48

Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

[codecov]

Codecov Report

❌ Patch coverage is 59.37500% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 37.35%. Comparing base (cc93500) to head (e570420).

Files with missing lines	Patch %	Lines
...ava/org/wordpress/android/fluxc/store/SiteStore.kt	0.00%	13 Missing ⚠️

Additional details and impacted files

@@                   Coverage Diff                    @@
##           jkmassel/issue-22884   #22893      +/-   ##
========================================================
+ Coverage                 37.33%   37.35%   +0.02%     
========================================================
  Files                      2321     2321              
  Lines                    124644   124662      +18     
  Branches                  16938    16944       +6     
========================================================
+ Hits                      46538    46570      +32     
+ Misses                    74342    74328      -14     
  Partials                   3764     3764              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.