wip: scope inline login captcha token selectors to prompt container a…

[superdav42]

…nd add reset on error

Summary by CodeRabbit

• Bug Fixes
  • Improved captcha token collection during inline login to ensure tokens are correctly captured from the login prompt.
  • Enhanced error handling for inline login requests with better error reporting.
  • Added automatic captcha verification reset after login attempts to maintain security.

[coderabbitai]

📝 Walkthrough

Walkthrough

The checkout.js file was updated to improve inline login captcha handling: token selectors now scope to individual inline login prompt containers instead of the entire page, a captcha reset mechanism was added post-request, and AJAX error handling was improved to pass response JSON to error callbacks.

Changes

Cohort / File(s)	Summary
Inline Login Captcha Management assets/js/checkout.js	Updated captcha token collection to scope selectors to individual inline login prompt containers; added post-request captcha reset invocation (window.wuCaptchaResetInlineLogin()); improved AJAX error handling to pass response JSON (xhr.responseJSON || {}) to error callbacks; restructured error handler definitions and invocation patterns.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

A rabbit hops through login flows so neat,
Captcha tokens scoped—no more bittersweet!
Reset mechanisms guard the way,
Error handlers save the day! 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title partially matches the changeset - it mentions scoping captcha token selectors to the prompt container (the primary change), but is truncated and omits the 'reset on error' aspect mentioned in full objectives.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/inline-login-captcha

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

• Build: ultimate-multisite
• ⬇️ Download from GitHub Actions
• ⬇️ Download without Github Account (nightly.link)

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limitied, hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

assets/js/checkout.js (1)

1436-1443: Duplicate wuCaptchaResetInlineLogin() call in the AJAX error branch.

handleError at lines 1361–1364 already invokes window.wuCaptchaResetInlineLogin(), so the reset block at 1440–1442 fires it a second time on every HTTP error. Drop the redundant block here and let handleError own the reset (keeps the success-but-{success:false} path consistent, which also goes through handleError at line 1432).

♻️ Proposed cleanup

 		error(xhr) {
 			handleError(xhr.responseJSON || {});
-
-			// Reset inline login captcha widgets so the user can re-verify.
-			if (typeof window.wuCaptchaResetInlineLogin === 'function') {
-				window.wuCaptchaResetInlineLogin();
-			}
 		}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/js/checkout.js` around lines 1436 - 1443, The AJAX error branch
currently calls window.wuCaptchaResetInlineLogin() redundantly; handleError
already performs that reset (see handleError and its calls at lines around
1361–1364 and 1432). Remove the inline reset block inside the error(xhr) handler
(the conditional that checks typeof window.wuCaptchaResetInlineLogin ===
'function' and invokes it) so only handleError is responsible for resetting the
captcha; keep the error(xhr) → handleError(xhr.responseJSON || {}) call intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@assets/js/checkout.js`:
- Around line 1243-1273: The inline login success handler in handle_inline_login
currently only handles results.success === true and ignores server 200 responses
with success:false; update the success callback inside the
this.request('wu_inline_login', ...) call to treat a non-true results.success
the same as the error path: set that.login_error from results.data.message
(falling back to wu_checkout.i18n.login_failed), call
window.wuCaptchaResetInlineLogin() if available, and invoke the existing
handleError/results error-handling flow used by setup_inline_login_handlers (or
reuse its logic) so captcha tokens are reset and the user sees the error message
when the server returns {success:false}.
- Around line 1212-1273: The added captcha-collection block (creating
promptContainer, login_data, recaptcha_token/hcaptcha_token/cap_token and
attaching them to login_data) and the two other newly added helper functions
(handleError and the captcha portion inside handleLogin) are incorrectly
under-indented; re-indent those entire blocks to match their surrounding scope
(use the same number of leading tabs as the enclosing methods/blocks where
promptContainer is used and where handleError/handleLogin live), so the
declarations for promptContainer, login_data, recaptcha_token, hcaptcha_token,
cap_token and the wu_inline_login request callback align with the existing 5–7
tab indentation in that file and satisfy the project's tab-based ESLint rules.

---

Nitpick comments:
In `@assets/js/checkout.js`:
- Around line 1436-1443: The AJAX error branch currently calls
window.wuCaptchaResetInlineLogin() redundantly; handleError already performs
that reset (see handleError and its calls at lines around 1361–1364 and 1432).
Remove the inline reset block inside the error(xhr) handler (the conditional
that checks typeof window.wuCaptchaResetInlineLogin === 'function' and invokes
it) so only handleError is responsible for resetting the captcha; keep the
error(xhr) → handleError(xhr.responseJSON || {}) call intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5c459599-e6a6-4805-a980-311f121714cd

📥 Commits

Reviewing files that changed from the base of the PR and between 0ca23fb and 33c28a7.

📒 Files selected for processing (1)

• assets/js/checkout.js

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm the added lines are at single-tab indentation while neighbors are deeper,
# and check whether the repo's ESLint config enforces a specific indent depth.
fd -t f eslint -x echo "--- {} ---" \; -x cat {} \;
echo
echo "--- handle_inline_login indentation sample ---"
awk 'NR>=1205 && NR<=1275 { printf "%4d|", NR; for (i=1; i<=length($0); i++) { c=substr($0,i,1); if (c=="\t") printf "."; else { printf "%s", substr($0,i); break } } print "" }' assets/js/checkout.js
echo
echo "--- handleError / handleLogin sample ---"
awk 'NR>=1340 && NR<=1450 { printf "%4d|", NR; for (i=1; i<=length($0); i++) { c=substr($0,i,1); if (c=="\t") printf "."; else { printf "%s", substr($0,i); break } } print "" }' assets/js/checkout.js

Repository: Ultimate-Multisite/ultimate-multisite

Length of output: 5824

---

Fix indentation: all newly added code blocks are under-indented by 4–6 tabs.

Lines 1212–1273, 1346–1366, and 1390–1444 are indented with a single leading tab, while surrounding unchanged code at the same scope sits at 5–6 tabs (and 6–7 tabs inside the handleLogin function). For example:

• Line 1210 (......: this.username || '';) sits at 6 tabs, yet the very next added line 1212 (./​/ Include captcha tokens...) drops to 1 tab.
• Line 1340 (......function hideError() {) is at 6 tabs, but the added handleError function at line 1346 is at 1 tab.
• Inside handleLogin (starting line 1368 at 7 tabs), the new captcha collection code at line 1390 starts at 1 tab.

This breaks nesting consistency and violates the project's WordPress ESLint tab-based indentation rule. Re-indent all three blocks to match their enclosing scope depth.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/js/checkout.js` around lines 1212 - 1273, The added captcha-collection
block (creating promptContainer, login_data,
recaptcha_token/hcaptcha_token/cap_token and attaching them to login_data) and
the two other newly added helper functions (handleError and the captcha portion
inside handleLogin) are incorrectly under-indented; re-indent those entire
blocks to match their surrounding scope (use the same number of leading tabs as
the enclosing methods/blocks where promptContainer is used and where
handleError/handleLogin live), so the declarations for promptContainer,
login_data, recaptcha_token, hcaptcha_token, cap_token and the wu_inline_login
request callback align with the existing 5–7 tab indentation in that file and
satisfy the project's tab-based ESLint rules.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

handle_inline_login silently swallows {success:false} responses and skips the captcha reset.

The success callback only handles results.success === true (reload). When the server responds 200 with { success:false, data:{ message } } — e.g., wrong password, captcha rejected — none of the following happens:

• this.login_error is not set, so the user sees no feedback.
• window.wuCaptchaResetInlineLogin() is not called, so a one-time captcha token stays consumed and any retry will fail validation server-side.

Only network/HTTP errors hit the error callback where the reset now lives. The sibling setup_inline_login_handlers flow does route success:false through handleError(results) — these two paths should behave the same.

🐛 Proposed fix

 	this.request('wu_inline_login', login_data, function(results) {

 		that.logging_in = false;

 		if (results.success) {

 			// Login successful - reload page to show logged-in state
 			window.location.reload();
+			return;
+
+		}
+
+		if (results.data && results.data.message) {
+
+			that.login_error = results.data.message;
+
+		} else {
+
+			that.login_error = wu_checkout.i18n.login_failed || 'Login failed. Please try again.';

 		}

+		// Reset inline login captcha widgets so the user can re-verify.
+		if (typeof window.wuCaptchaResetInlineLogin === 'function') {
+			window.wuCaptchaResetInlineLogin();
+		}
+
 	}, function(error) {

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	this.request('wu_inline_login', login_data, function(results) {
	// Login successful - reload page to show logged-in state
	window.location.reload();
	that.logging_in = false;
	}
	if (results.success) {
	}, function(error) {
	// Login successful - reload page to show logged-in state
	window.location.reload();
	that.logging_in = false;
	}
	if (error.responseJSON && error.responseJSON.data && error.responseJSON.data.message) {
	}, function(error) {
	that.login_error = error.responseJSON.data.message;
	that.logging_in = false;
	} else {
	if (error.responseJSON && error.responseJSON.data && error.responseJSON.data.message) {
	that.login_error = wu_checkout.i18n.login_failed || 'Login failed. Please try again.';
	that.login_error = error.responseJSON.data.message;
	}
	} else {
	});
	that.login_error = wu_checkout.i18n.login_failed || 'Login failed. Please try again.';
	}
	// Reset inline login captcha widgets so the user can re-verify.
	if (typeof window.wuCaptchaResetInlineLogin === 'function') {
	window.wuCaptchaResetInlineLogin();
	}
	});
	this.request('wu_inline_login', login_data, function(results) {
	that.logging_in = false;
	if (results.success) {
	// Login successful - reload page to show logged-in state
	window.location.reload();
	return;
	}
	if (results.data && results.data.message) {
	that.login_error = results.data.message;
	} else {
	that.login_error = wu_checkout.i18n.login_failed || 'Login failed. Please try again.';
	}
	// Reset inline login captcha widgets so the user can re-verify.
	if (typeof window.wuCaptchaResetInlineLogin === 'function') {
	window.wuCaptchaResetInlineLogin();
	}
	}, function(error) {
	that.logging_in = false;
	if (error.responseJSON && error.responseJSON.data && error.responseJSON.data.message) {
	that.login_error = error.responseJSON.data.message;
	} else {
	that.login_error = wu_checkout.i18n.login_failed || 'Login failed. Please try again.';
	}
	// Reset inline login captcha widgets so the user can re-verify.
	if (typeof window.wuCaptchaResetInlineLogin === 'function') {
	window.wuCaptchaResetInlineLogin();
	}
	});

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/js/checkout.js` around lines 1243 - 1273, The inline login success
handler in handle_inline_login currently only handles results.success === true
and ignores server 200 responses with success:false; update the success callback
inside the this.request('wu_inline_login', ...) call to treat a non-true
results.success the same as the error path: set that.login_error from
results.data.message (falling back to wu_checkout.i18n.login_failed), call
window.wuCaptchaResetInlineLogin() if available, and invoke the existing
handleError/results error-handling flow used by setup_inline_login_handlers (or
reuse its logic) so captcha tokens are reset and the user sees the error message
when the server returns {success:false}.

[github-actions]

Performance Test Results

Performance test results for b07665d are in 🛎️!

Note: the numbers in parentheses show the difference to the previous (baseline) test run. Differences below 2% or 0.5 in absolute values are not shown.

URL: /

Run	DB Queries	Memory	Before Template	Template	WP Total	LCP	TTFB	LCP - TTFB
0	41	37.83 MB	779.50 ms (-85.00 ms / -11% )	160.50 ms	979.00 ms (-72.50 ms / -7% )	1966.00 ms (-72.00 ms / -4% )	1851.50 ms (-99.60 ms / -5% )	80.40 ms (-2.90 ms / -4% )
1	56	49.03 MB	909.00 ms (-40.00 ms / -4% )	137.00 ms (-3.50 ms / -3% )	1045.00 ms (-45.50 ms / -4% )	2036.00 ms (-56.00 ms / -3% )	1957.10 ms (-57.80 ms / -3% )	77.05 ms