feat(ras): OAuth OTP flow improvements #4341
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rbcorrales
changed the title
There was a problem hiding this comment.
Pull request overview
This PR enhances the OAuth OTP flow by enabling the authentication form to pass the full redirect URL to the backend. This allows backend email code to detect OAuth contexts and customize email templates accordingly.
Key changes include:
- Added a
newspack_magic_link_email_configfilter for customizing email templates based on authentication context - Made the
is_oauth_redirect()method public for external reuse - Updated frontend authentication logic to capture and send the full redirect URL when a
redirectquery parameter is present
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
includes/class-magic-link.php |
Adds the newspack_magic_link_email_config filter to allow customization of email templates based on authentication context |
includes/reader-activation/class-reader-activation.php |
Changes is_oauth_redirect() method visibility from private to public for external reuse |
src/reader-activation-auth/auth-form.js |
Updates authentication form submission logic to include full redirect URL when redirect query parameter is present |
tests/unit-tests/magic-link.php |
Adds test coverage for the new newspack_magic_link_email_config filter |
tests/unit-tests/reader-activation.php |
Adds tests for is_oauth_redirect() method and its extensibility via filter |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
rbcorrales
added
the
[Status] Needs Review
rbcorrales
changed the title
github-actions
bot
added
[Status] Approved
|
Hey @rbcorrales, good job getting this PR merged! 🎉 Now, the Please check if this PR needs to be included in the "Upcoming Changes" and "Release Notes" doc. If it doesn't, simply remove the label. If it does, please add an entry to our shared document, with screenshots and testing instructions if applicable, then remove the label. Thank you! ❤️ |
matticbot
pushed a commit
that referenced
this pull request
Dec 11, 2025
# [6.28.0-alpha.1](v6.27.1...v6.28.0-alpha.1) (2025-12-11) ### Bug Fixes * **content-gating:** never gate special pages ([#4340](#4340)) ([a4dcfdd](a4dcfdd)) * **countdown-banner:** don't show on unrestricted posts ([#4349](#4349)) ([66d2c94](66d2c94)) * **indesign-export:** only register the attribute for allowed blocks ([#4330](#4330)) ([e1801cb](e1801cb)) * **my-account:** safe content argument to skip sanitization ([#4326](#4326)) ([b066de5](b066de5)) * **my-account:** set new payment method as default ([#4343](#4343)) ([6ebcaf9](6ebcaf9)) * **my-account:** support dynamic content around shortcode ([#4328](#4328)) ([36b9524](36b9524)) * **subscription-tiers-modal:** skip private products ([#4337](#4337)) ([564d803](564d803)) ### Features * **content-gate:** content rules ([#4265](#4265)) ([b5b8cd9](b5b8cd9)) * **content-gate:** implement restriction rules ([#4251](#4251)) ([4034103](4034103)) * metered content countdown banner ([#4315](#4315)) ([c9a68cc](c9a68cc)) * **payment-notice:** detect equivalent subscription ([#4333](#4333)) ([9a98889](9a98889)) * **ras:** OAuth OTP flow improvements ([#4341](#4341)) ([8b345fa](8b345fa))
Contributor
|
🎉 This PR is included in version 6.28.0-alpha.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
matticbot
pushed a commit
that referenced
this pull request
Jan 5, 2026
# [6.28.0](v6.27.4...v6.28.0) (2026-01-05) ### Bug Fixes * **content-gating:** never gate special pages ([#4340](#4340)) ([a4dcfdd](a4dcfdd)) * **countdown-banner:** don't show on unrestricted posts ([#4349](#4349)) ([66d2c94](66d2c94)) * **countdown-banner:** never show more views than total ([#4369](#4369)) ([0ef3a24](0ef3a24)) * **indesign-export:** only register the attribute for allowed blocks ([#4330](#4330)) ([e1801cb](e1801cb)) * **my-account:** safe content argument to skip sanitization ([#4326](#4326)) ([b066de5](b066de5)) * **my-account:** set new payment method as default ([#4343](#4343)) ([6ebcaf9](6ebcaf9)) * **my-account:** support dynamic content around shortcode ([#4328](#4328)) ([36b9524](36b9524)) * **subscription-tiers-modal:** skip private products ([#4337](#4337)) ([564d803](564d803)) ### Features * **content-gate:** content rules ([#4265](#4265)) ([b5b8cd9](b5b8cd9)) * **content-gate:** implement restriction rules ([#4251](#4251)) ([4034103](4034103)) * metered content countdown banner ([#4315](#4315)) ([c9a68cc](c9a68cc)) * **payment-notice:** detect equivalent subscription ([#4333](#4333)) ([9a98889](9a98889)) * **ras:** OAuth OTP flow improvements ([#4341](#4341)) ([8b345fa](8b345fa))
Contributor
|
🎉 This PR is included in version 6.28.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
All Submissions:
Changes proposed in this Pull Request:
When users authenticate via OAuth flows, the authentication form now passes the full redirect URL to the backend, enabling backend email sending code to detect OAuth contexts.
This PR also adds a new
newspack_magic_link_email_configfilter that allows external plugins to override which email template is used for OTP/magic link emails based on the authentication context, and makes theis_oauth_redirect()method public so it can be reused externally.Closes NPPD-1008 (please check the ticket for additional context and dependencies).
How to test the changes in this Pull Request:
https://your-site.com/oauth/authorize/?prompt=login&scope=openid+offline_access&code_challenge_method=S256&response_type=code&client_id=<YOUR_CLIENT_ID>&redirect_uri=https%3A%2F%2Fexample.com%2F&code_challenge=<SAMPLE_CHALLENGE>/my-account/?redirect=<encoded_oauth_url>./my-account/.redirect_urlfield containing the full URL with the redirect query parameter (e.g.,https://your-site.com/my-account/?redirect=...)./my-account/(without the OAuth or redirect params) and verify it still works as expected.Other information: