Replace network-dependent login tests with mocked versions

Convert login/API discovery tests (specs 1, 3-7, 9-14) to use mock
request executors instead of hitting real *.wpmt.co servers. This
eliminates CI flakiness from network dependencies while maintaining
full test coverage of the discovery flow.

All three platforms (Rust, Swift, Kotlin) share the same JSON and
HTML fixture files in test-data/login-mocks/, ensuring responses
stay in sync across platforms.

Tests that require real HTTP stack behavior remain remote: rate
limiting (spec 15), DNS failure (spec 16), invalid SSL (spec 17),
XML-RPC detection (spec 18), and WordFence plugin detection (spec 8).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: jkmassel

Package.swift

@@ -77,7 +77,10 @@ var package = Package(
                 .target(name: libwordpressFFI.name)
             ],
             path: "native/swift/Tests/wordpress-api",
-            resources: [.copy("../../../../test-data/integration-test-responses/")],
+            resources: [
+                .copy("../../../../test-data/integration-test-responses/"),
+                .copy("../../../../test-data/login-mocks/"),
+            ],
             swiftSettings: [
                 .define("PROGRESS_REPORTING_ENABLED", .when(platforms: [.iOS, .macOS, .tvOS, .watchOS]))
             ]

native/kotlin/api/kotlin/build.gradle.kts

@@ -130,6 +130,8 @@ tasks.named("processIntegrationTestResources").configure {
     dependsOn(rootProject.tasks.named("copyTestCredentials"))
     dependsOn(rootProject.tasks.named("copyTestMedia"))
     dependsOn(rootProject.tasks.named("copySampleJSON"))
+    dependsOn(rootProject.tasks.named("copyTestResponses"))
+    dependsOn(rootProject.tasks.named("copyLoginMocks"))
 }
 tasks.named("sourcesJar").configure {
     dependsOn(generateUniFFIBindingsTask)

native/kotlin/api/kotlin/src/integrationTest/kotlin/ApiUrlDiscoveryTest.kt

@@ -27,15 +27,35 @@ class Stub(val evaluator: (WpNetworkRequest) -> Boolean, val response: WpNetwork
 class NoStubFoundException(message: String) : Exception(message)
 
 // A class used for testing the request executor.
-class MockRequestExecutor(private var stubs: List<Stub> = listOf()) : RequestExecutor {
+class MockRequestExecutor(
+    private var stubs: List<Stub> = listOf(),
+    private val missingStubResponse: WpNetworkResponse? = null
+) : RequestExecutor {
 
     override suspend fun execute(request: WpNetworkRequest): WpNetworkResponse {
         val stub = stubs.firstOrNull {
             it.evaluator(request)
         }
 
         if (stub != null) {
-            return stub.response
+            // Copy request headers to response for auth error detection
+            return WpNetworkResponse(
+                stub.response.body,
+                stub.response.statusCode,
+                stub.response.responseHeaderMap,
+                stub.response.requestUrl,
+                request.headerMap()
+            )
+        }
+
+        if (missingStubResponse != null) {
+            return WpNetworkResponse(
+                missingStubResponse.body,
+                missingStubResponse.statusCode,
+                missingStubResponse.responseHeaderMap,
+                missingStubResponse.requestUrl,
+                request.headerMap()
+            )
         }
 
         throw NoStubFoundException("No stub found for ${request.url()}")
@@ -101,3 +121,34 @@ fun WpNetworkResponse.Companion.retryResponse(delay: ULong): WpNetworkResponse {
         WpNetworkHeaderMap.empty
     )
 }
+
+fun WpNetworkResponse.Companion.htmlResponse(name: String): WpNetworkResponse {
+    val data = {}.javaClass.getResource(name)?.readText()
+
+    if (data == null) {
+        throw FileNotFoundException("No resource found for $name")
+    }
+
+    return WpNetworkResponse(
+        data.toByteArray(),
+        200u,
+        WpNetworkHeaderMap.fromMap(mapOf("Content-Type" to "text/html; charset=UTF-8")),
+        "",
+        WpNetworkHeaderMap.empty
+    )
+}
+
+fun WpNetworkResponse.Companion.responseWithStatus(
+    statusCode: UShort,
+    headers: Map<String, String> = mapOf()
+): WpNetworkResponse {
+    return WpNetworkResponse(
+        ByteArray(0),
+        statusCode,
+        WpNetworkHeaderMap.fromMap(headers),
+        "",
+        WpNetworkHeaderMap.empty
+    )
+}
+
+

native/kotlin/api/kotlin/src/integrationTest/kotlin/MockRequestExecutor.kt

@@ -108,6 +108,18 @@ fun setupJniAndBindings() {
         from("$cargoProjectRoot/test-data/integration-test-responses/localhost-json-root.json")
         into(generatedTestResourcesPath)
     }
+
+    tasks.register<Copy>("copyTestResponses") {
+        dependsOn(tasks.named("deleteGeneratedTestResources"))
+        from("$cargoProjectRoot/test-data/integration-test-responses/")
+        into(generatedTestResourcesPath)
+    }
+
+    tasks.register<Copy>("copyLoginMocks") {
+        dependsOn(tasks.named("deleteGeneratedTestResources"))
+        from("$cargoProjectRoot/test-data/login-mocks/")
+        into("$generatedTestResourcesPath/login-mocks")
+    }
 }
 
 fun resolveBinary(name: String): String {

native/kotlin/build.gradle.kts

@@ -15,6 +15,11 @@ class LoginTests {
 
     @Test("Login Spec Example 1: Valid URL")
     func testValidURL() async throws {
+        let stubs = HTTPStubs(stubs: [
+            try HTTPStubs.stub(url: "https://vanilla.wpmt.co/", with: .withApiRoot("https://vanilla.wpmt.co/wp-json/")),
+            try HTTPStubs.stub(url: "https://vanilla.wpmt.co/wp-json/", with: .loginMockResponse(named: "vanilla-api-root"))
+        ])
+        let client = WordPressLoginClient(requestExecutor: stubs)
         let parsedUrl = try await client.findLoginUrl(forSite: "https://vanilla.wpmt.co")
         #expect("https://vanilla.wpmt.co/wp-admin/authorize-application.php" == parsedUrl.url())
     }
@@ -50,20 +55,46 @@ class LoginTests {
         ("https://vanilla.wpmt.co/wp-admin", "https://vanilla.wpmt.co/wp-admin/authorize-application.php")
     ])
     func testAdminUrlProvided(_ provided: String, _ expected: String) async throws {
+        // The UserInput attempt uses the admin URL as-is (no stub found -> fails).
+        // The AutoStrippedHttps attempt strips the admin suffix and succeeds.
+        let stubs = HTTPStubs(stubs: [
+            try HTTPStubs.stub(url: "https://vanilla.wpmt.co/", with: .withApiRoot("https://vanilla.wpmt.co/wp-json/")),
+            try HTTPStubs.stub(url: "https://vanilla.wpmt.co/wp-json/", with: .loginMockResponse(named: "vanilla-api-root"))
+        ])
+        let client = WordPressLoginClient(requestExecutor: stubs)
         let parsedUrl = try await client.findLoginUrl(forSite: provided)
         #expect(expected == parsedUrl.url())
     }
 
     @Test("Login Spec Example 4: HTTP URL with HTTPS Support")
     func testAutoHttpsSupport() async throws {
+        // UserInput attempt fetches http://vanilla.wpmt.co/ (no stub -> fails).
+        // AutoStrippedHttps attempt converts to https:// and succeeds.
+        let stubs = HTTPStubs(stubs: [
+            try HTTPStubs.stub(url: "https://vanilla.wpmt.co/", with: .withApiRoot("https://vanilla.wpmt.co/wp-json/")),
+            try HTTPStubs.stub(url: "https://vanilla.wpmt.co/wp-json/", with: .loginMockResponse(named: "vanilla-api-root"))
+        ])
+        let client = WordPressLoginClient(requestExecutor: stubs)
         let parsedUrl = try await client.findLoginUrl(forSite: "http://vanilla.wpmt.co")
         #expect("https://vanilla.wpmt.co/wp-admin/authorize-application.php" == parsedUrl.url())
     }
 
     @Test("Login Spec Example 5: HTTP-only site")
     func testHttpOnlySite() async {
+        let stubs: HTTPStubs
+        do {
+            stubs = HTTPStubs(stubs: [
+                try HTTPStubs.stub(url: "http://no-https.wpmt.co/", with: .withApiRoot("http://no-https.wpmt.co/wp-json/")),
+                try HTTPStubs.stub(url: "http://no-https.wpmt.co/wp-json/", with: .loginMockResponse(named: "http-only-api-root"))
+            ])
+        } catch {
+            Issue.record("Failed to create stubs: \(error)")
+            return
+        }
+        let client = WordPressLoginClient(requestExecutor: stubs)
+
         await #expect(performing: {
-            _ = try await self.client.findLoginUrl(forSite: "http://no-https.wpmt.co")
+            _ = try await client.findLoginUrl(forSite: "http://no-https.wpmt.co")
         }, throws: { error in
             let reason = try #require(try self.getApplicationPasswordsNotSupportedReason(from: error))
 
@@ -78,12 +109,23 @@ class LoginTests {
 
     @Test("Login Spec Example 6: HTTP-Only Site with Application Password Override")
     func testHttpOnlySiteWithApplicationPasswordsEnabled() async throws {
+        let stubs = HTTPStubs(stubs: [
+            try HTTPStubs.stub(url: "http://no-https-with-application-passwords.wpmt.co/", with: .withApiRoot("http://no-https-with-application-passwords.wpmt.co/wp-json/")),
+            try HTTPStubs.stub(url: "http://no-https-with-application-passwords.wpmt.co/wp-json/", with: .loginMockResponse(named: "http-only-with-app-passwords-api-root"))
+        ])
+        let client = WordPressLoginClient(requestExecutor: stubs)
         let parsedUrl = try await client.findLoginUrl(forSite: "http://no-https-with-application-passwords.wpmt.co")
         #expect("http://no-https-with-application-passwords.wpmt.co/wp-admin/authorize-application.php" == parsedUrl.url())
     }
 
     @Test("Login Spec Example 7: CDN-Cached Site")
     func testAggressivelyCachedSiteWithNoLinkheader() async throws {
+        // Homepage has no Link header, but HTML contains a <link> tag pointing to the API root
+        let stubs = HTTPStubs(stubs: [
+            try HTTPStubs.stub(url: "https://aggressive-caching.wpmt.co/", with: .htmlResponse(named: "homepage-with-link-tag")),
+            try HTTPStubs.stub(url: "https://aggressive-caching.wpmt.co/wp-json/", with: .loginMockResponse(named: "aggressive-caching-api-root"))
+        ])
+        let client = WordPressLoginClient(requestExecutor: stubs)
         let parsedUrl = try await client.findLoginUrl(forSite: "https://aggressive-caching.wpmt.co")
         #expect("https://aggressive-caching.wpmt.co/wp-admin/authorize-application.php" == parsedUrl.url())
     }
@@ -111,8 +153,20 @@ class LoginTests {
         "https://google.com"
     ])
     func testNotWordPressSite(url: String) async throws {
+        // Homepage returns non-WordPress HTML, no Link header, and no WP markers
+        let stubs: HTTPStubs
+        do {
+            stubs = HTTPStubs(stubs: [
+                try HTTPStubs.stub(url: "https://google.com/", with: .htmlResponse(named: "homepage-not-wordpress"))
+            ])
+        } catch {
+            Issue.record("Failed to create stubs: \(error)")
+            return
+        }
+        let client = WordPressLoginClient(requestExecutor: stubs)
+
         await #expect(performing: {
-            _ = try await self.client.findLoginUrl(forSite: url)
+            _ = try await client.findLoginUrl(forSite: url)
         }, throws: { error in
             try #require(error is AutoDiscoveryAttemptFailure)
 
@@ -130,26 +184,55 @@ class LoginTests {
 
     @Test("Login Spec Example 10: WordPress in a subdirectory with a link header")
     func testWordPressSubdirectoryWithLinkHeader() async throws {
+        let stubs = HTTPStubs(stubs: [
+            try HTTPStubs.stub(url: "https://subdirectory.wpmt.co/index.php?link_header=true", with: .withApiRoot("https://subdirectory.wpmt.co/wordpress/wp-json/")),
+            try HTTPStubs.stub(url: "https://subdirectory.wpmt.co/wordpress/wp-json/", with: .loginMockResponse(named: "subdirectory-api-root"))
+        ])
+        let client = WordPressLoginClient(requestExecutor: stubs)
         let parsedUrl = try await client.findLoginUrl(forSite: "https://subdirectory.wpmt.co/index.php?link_header=true")
         #expect("https://subdirectory.wpmt.co/wordpress/wp-admin/authorize-application.php" == parsedUrl.url())
     }
 
     @Test("Login Spec Example 11: WordPress in a subdirectory with a link tag")
     func testWordPressSubdirectoryWithLinkTag() async throws {
+        // Homepage has no Link header but HTML contains a <link> tag pointing to subdirectory wp-json
+        let stubs = HTTPStubs(stubs: [
+            try HTTPStubs.stub(url: "https://subdirectory.wpmt.co/index.php?link_tag=true", with: .htmlResponse(named: "homepage-with-subdirectory-link-tag")),
+            try HTTPStubs.stub(url: "https://subdirectory.wpmt.co/wordpress/wp-json/", with: .loginMockResponse(named: "subdirectory-api-root"))
+        ])
+        let client = WordPressLoginClient(requestExecutor: stubs)
         let parsedUrl = try await client.findLoginUrl(forSite: "https://subdirectory.wpmt.co/index.php?link_tag=true")
         #expect("https://subdirectory.wpmt.co/wordpress/wp-admin/authorize-application.php" == parsedUrl.url())
     }
 
     @Test("Login Spec Example 12: WordPress in a subdirectory with a redirect")
     func testWordPressSubdirectory() async throws {
+        // In the real scenario, the server redirects to /wordpress/ which has the Link header.
+        // With mocks, we simulate the final response directly on the requested URL.
+        let stubs = HTTPStubs(stubs: [
+            try HTTPStubs.stub(url: "https://subdirectory.wpmt.co/index.php?redirect=true", with: .withApiRoot("https://subdirectory.wpmt.co/wordpress/wp-json/")),
+            try HTTPStubs.stub(url: "https://subdirectory.wpmt.co/wordpress/wp-json/", with: .loginMockResponse(named: "subdirectory-api-root"))
+        ])
+        let client = WordPressLoginClient(requestExecutor: stubs)
         let parsedUrl = try await client.findLoginUrl(forSite: "https://subdirectory.wpmt.co/index.php?redirect=true")
         #expect("https://subdirectory.wpmt.co/wordpress/wp-admin/authorize-application.php" == parsedUrl.url())
     }
 
     @Test("Login Spec Example 13: Site uses HTTP basic with no provided credentials")
     func testWordPressHttpBasic() async throws {
+        let stubs: HTTPStubs
+        do {
+            stubs = HTTPStubs(stubs: [
+                try HTTPStubs.stub(host: "basic-auth.wpmt.co", with: .responseWithStatus(401, headers: ["WWW-Authenticate": "Basic realm=\"Restricted\""]))
+            ])
+        } catch {
+            Issue.record("Failed to create stubs: \(error)")
+            return
+        }
+        let client = WordPressLoginClient(requestExecutor: stubs)
+
         await #expect(performing: {
-            _ = try await self.client.findLoginUrl(forSite: "https://basic-auth.wpmt.co")
+            _ = try await client.findLoginUrl(forSite: "https://basic-auth.wpmt.co")
         }, throws: { error in
             let reason = try #require(try self.getRequestExecutionErrorReason(from: error))
 
@@ -168,11 +251,20 @@ class LoginTests {
 
     @Test("Login Spec Example 13: Site uses HTTP basic with invalid credentials provided")
     func testWordPressHttpBasicWithInvalidCredentials() async throws {
+        let stubs: HTTPStubs
+        do {
+            stubs = HTTPStubs(stubs: [
+                try HTTPStubs.stub(host: "basic-auth.wpmt.co", with: .responseWithStatus(401, headers: ["WWW-Authenticate": "Basic realm=\"Restricted\""]))
+            ])
+        } catch {
+            Issue.record("Failed to create stubs: \(error)")
+            return
+        }
         let invalid = ApiDiscoveryAuthenticationMiddleware(username: "invalid", password: "invalid")
 
         await #expect(performing: {
             _ = try await WordPressLoginClient(
-                urlSession: .init(configuration: .ephemeral),
+                requestExecutor: stubs,
                 middleware: MiddlewarePipeline(middlewares: invalid)
             ).findLoginUrl(forSite: "https://basic-auth.wpmt.co")
         }, throws: { error in
@@ -193,10 +285,14 @@ class LoginTests {
 
     @Test("Login Spec Example 13: Site uses HTTP basic with correct credentials provided")
     func testWordPressHttpBasicWithValidCredentials() async throws {
+        let stubs = HTTPStubs(stubs: [
+            try HTTPStubs.stub(url: "https://basic-auth.wpmt.co/", with: .withApiRoot("https://basic-auth.wpmt.co/wp-json/")),
+            try HTTPStubs.stub(url: "https://basic-auth.wpmt.co/wp-json/", with: .loginMockResponse(named: "basic-auth-api-root"))
+        ])
         let valid = ApiDiscoveryAuthenticationMiddleware(username: "test@example.com", password: "str0ngp4ssw0rd!")
 
         let parsedUrl = try await WordPressLoginClient(
-            urlSession: .init(configuration: .ephemeral),
+            requestExecutor: stubs,
             middleware: MiddlewarePipeline(middlewares: valid)
         ).findLoginUrl(forSite: "https://basic-auth.wpmt.co")
 
@@ -205,6 +301,13 @@ class LoginTests {
 
     @Test("Login Spec Example 14: Custom REST API Prefix")
     func testWordPressCustomRestApiPrefix() async throws {
+        // Site uses a custom REST prefix (e.g., /custom-api/ instead of /wp-json/)
+        // The Link header points to the custom API root
+        let stubs = HTTPStubs(stubs: [
+            try HTTPStubs.stub(url: "https://custom-rest-prefix.wpmt.co/", with: .withApiRoot("https://custom-rest-prefix.wpmt.co/custom-api/")),
+            try HTTPStubs.stub(url: "https://custom-rest-prefix.wpmt.co/custom-api/", with: .loginMockResponse(named: "custom-rest-prefix-api-root"))
+        ])
+        let client = WordPressLoginClient(requestExecutor: stubs)
         let parsedUrl = try await client.findLoginUrl(forSite: "https://custom-rest-prefix.wpmt.co")
         #expect("https://custom-rest-prefix.wpmt.co/wp-admin/authorize-application.php" == parsedUrl.url())
     }