Automattic / wp-calypso

The JavaScript and API powered WordPress.com
https://developer.wordpress.com
GNU General Public License v2.0
12.41k stars 1.99k forks

WPcom login intermittently redirecting to CodePoet for a12s #65737

Open anaspk opened 2 years ago

anaspk commented 2 years ago

Quick summary

A user is experiencing an intermittent issue where, when they try to log in to their WCCOM account using their WP.com account, instead of being taken back to their WCCOM account, they get redirected to a CodePoet URL.

Steps to reproduce

We couldn't yet reproduce this bug on our end. However, here are the details shared by the original reporter on Slack: p1654617195868519-slack-C07418EA0

What you expected to happen

User should always be logged into WCCOM account.

What actually happened

User was taken to a CodePoet blog URL after login.

Browser

No response

Context

No response

Platform (Simple, Atomic, or both?)

No response

Other notes

We have done some investigation on our (WCCOM) side and concluded that this is most likely an issue on WPCOM's end. Our findings are shared here: 13582-gh-Automattic/woocommerce.com

Reproducibility

Intermittent

Severity

One

Available workarounds?

No response

Workaround details

No response

simonwheatley commented 1 year ago

@anaspk @cuemarie At the moment I can reproduce this on every log in when using a passkey for second factor. Let me know if you would like more information.

cuemarie commented 1 year ago

> I can reproduce this on every log in when using a passkey for second factor. Let me know if you would like more information.

Hey @simonwheatley, thanks for the ping! To make sure I can retriage this with the right steps, is this happening when you log into WordPress.com, WooCommerce.com via WPcom, or something more specific than that (such as the URL in the OP's Slack thread)?

cuemarie commented 1 year ago

@Automattic/solaris is this something y'all can help repro test and advise on? Thanks!

simonwheatley commented 1 year ago

@cuemarie It happens when I log into WordPress.com.

cuemarie commented 1 year ago

81595 also reported this happening for a12s

pmaiorana commented 1 year ago

Wanted to note also that this was happening before the implementation of the new security key capability on WP.com (and has also happened since!).

cuemarie commented 1 year ago

Ah, good to know, thank you @pmaiorana! Perhaps there's some conflating here - I'll try to sort out these different reports!

cuemarie commented 1 year ago

📌 REPRODUCTION RESULTS

📌 ACTIONS

gikaragia commented 2 months ago

So this is probably caused by D62219-code. Method create_response_with_token_links will eventually call Login_Base_Endpoint::create_response_with_login_links_for_user which returns the first five domains that are returned from WPCOM_Remote_Login::after_login_token_links. From these endpoints, we request remote-login.php. The problem happens when one of the endpoints is build.codepoet.com as for this site it fails. So this will happen to a12s that have enough years in the company to own this blog.

From these 5 domains jetpack.com always comes first but the other 4 can probably be in any order, so this explains why the issue is intermittent. @niranjan-uma-shankar I'll leave it with you as I have no idea why we need to redirect in these sites. It also seems to me that this functionality is not intended as the 4 blogs are in random order. A solution that makes sense to me is that only jetpack domain is needed? But I miss a lot of context.

I'll assign it to you and lower the priority as it seems that it affects intermittently only a handful of users.

niranjan-uma-shankar commented 2 months ago

Noted, thanks. I have also added this issue to our project board.

davemart-in commented 3 weeks ago

Removing this from The One Board since it's been picked up by Martech.