CMM-1256: Fix 401 errors for self-hosted sites with application passwords (#22603)

adalpari · claude · web-flow · commit 64697b7bb8df · 2026-02-18T16:26:39.000+01:00
* Fix 401 errors for self-hosted sites with application passwords

ReactNativeStore used cookie-nonce auth for all non-WPCom sites,
which fails for sites with application passwords since those
credentials can't log in via wp-login.php. This adds Basic auth
support using the site's application password credentials directly,
bypassing the nonce flow for those sites.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Clean up suppress annotations and remove unused imports

Add LongMethod and ReturnCount suppress annotations to
executeWPAPIRequest and remove unused eq and Unknown imports
from tests.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Add inline comments to ReactNativeStore request flow

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Add null safety and documentation for app password auth

Add defensive null checks for application password credentials
to prevent potential NPE from race conditions. Expand inline
documentation explaining the nonce auth bypass rationale.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Fix PluginWPApiRestClientTest matcher count for new headers param

Add missing any() matcher for the headers parameter added to
syncGetRequest and syncPostRequest in WPAPIGsonRequestBuilder.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Re-add missing nonce unknown test case

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/libs/fluxc/src/main/java/org/wordpress/android/fluxc/network/rest/wpapi/WPAPIGsonRequestBuilder.kt b/libs/fluxc/src/main/java/org/wordpress/android/fluxc/network/rest/wpapi/WPAPIGsonRequestBuilder.kt
@@ -19,9 +19,11 @@ class WPAPIGsonRequestBuilder @Inject constructor() {
         clazz: Class<T>,
         enableCaching: Boolean = false,
         cacheTimeToLive: Int = BaseRequest.DEFAULT_CACHE_LIFETIME,
-        nonce: String? = null
+        nonce: String? = null,
+        headers: Map<String, String> = emptyMap()
     ) = suspendCancellableCoroutine<WPAPIResponse<T>> { cont ->
-        callMethod(Method.GET, url, params, body, clazz, cont, enableCaching, cacheTimeToLive, nonce, restClient)
+        callMethod(Method.GET, url, params, body, clazz, cont, enableCaching, cacheTimeToLive, nonce, restClient,
+            headers)
     }
     suspend fun <T> syncGetRequest(
         restClient: BaseWPAPIRestClient,
@@ -31,19 +33,22 @@ class WPAPIGsonRequestBuilder @Inject constructor() {
         type: Type,
         enableCaching: Boolean = false,
         cacheTimeToLive: Int = BaseRequest.DEFAULT_CACHE_LIFETIME,
-        nonce: String? = null
+        nonce: String? = null,
+        headers: Map<String, String> = emptyMap()
     ) = suspendCancellableCoroutine<WPAPIResponse<T>> { cont ->
-        callMethod(Method.GET, url, params, body, type, cont, enableCaching, cacheTimeToLive, nonce, restClient)
+        callMethod(Method.GET, url, params, body, type, cont, enableCaching, cacheTimeToLive, nonce, restClient,
+            headers)
     }
 
     suspend fun <T> syncPostRequest(
         restClient: BaseWPAPIRestClient,
         url: String,
         body: Map<String, Any> = emptyMap(),
         clazz: Class<T>,
-        nonce: String? = null
+        nonce: String? = null,
+        headers: Map<String, String> = emptyMap()
     ) = suspendCancellableCoroutine<WPAPIResponse<T>> { cont ->
-        callMethod(Method.POST, url, null, body, clazz, cont, false, 0, nonce, restClient)
+        callMethod(Method.POST, url, null, body, clazz, cont, false, 0, nonce, restClient, headers)
     }
 
     suspend fun <T> syncPutRequest(
@@ -77,7 +82,8 @@ class WPAPIGsonRequestBuilder @Inject constructor() {
         enableCaching: Boolean,
         cacheTimeToLive: Int,
         nonce: String?,
-        restClient: BaseWPAPIRestClient
+        restClient: BaseWPAPIRestClient,
+        headers: Map<String, String> = emptyMap()
     ) {
         val request = WPAPIGsonRequest(method, url, params, body, clazz, { response ->
             cont.resume(Success(response))
@@ -97,6 +103,8 @@ class WPAPIGsonRequestBuilder @Inject constructor() {
             request.addHeader("x-wp-nonce", nonce)
         }
 
+        headers.forEach { (key, value) -> request.addHeader(key, value) }
+
         restClient.add(request)
     }
 
@@ -111,7 +119,8 @@ class WPAPIGsonRequestBuilder @Inject constructor() {
         enableCaching: Boolean,
         cacheTimeToLive: Int,
         nonce: String?,
-        restClient: BaseWPAPIRestClient
+        restClient: BaseWPAPIRestClient,
+        headers: Map<String, String> = emptyMap()
     ) {
         val request = WPAPIGsonRequest<T>(method, url, params, body, type, { response ->
             cont.resume(Success(response))
@@ -131,6 +140,8 @@ class WPAPIGsonRequestBuilder @Inject constructor() {
             request.addHeader("x-wp-nonce", nonce)
         }
 
+        headers.forEach { (key, value) -> request.addHeader(key, value) }
+
         restClient.add(request)
     }
 }
diff --git a/libs/fluxc/src/main/java/org/wordpress/android/fluxc/network/rest/wpapi/reactnative/ReactNativeWPAPIRestClient.kt b/libs/fluxc/src/main/java/org/wordpress/android/fluxc/network/rest/wpapi/reactnative/ReactNativeWPAPIRestClient.kt
@@ -28,7 +28,8 @@ class ReactNativeWPAPIRestClient @Inject constructor(
         successHandler: (data: JsonElement?) -> ReactNativeFetchResponse,
         errorHandler: (BaseNetworkError) -> ReactNativeFetchResponse,
         nonce: String? = null,
-        enableCaching: Boolean = true
+        enableCaching: Boolean = true,
+        headers: Map<String, String> = emptyMap()
     ): ReactNativeFetchResponse {
         val response =
                 wpApiGsonRequestBuilder.syncGetRequest(
@@ -38,7 +39,8 @@ class ReactNativeWPAPIRestClient @Inject constructor(
                         emptyMap(),
                         JsonElement::class.java,
                         enableCaching,
-                        nonce = nonce)
+                        nonce = nonce,
+                        headers = headers)
         return when (response) {
             is Success -> successHandler(response.data)
             is Error -> errorHandler(response.error)
@@ -51,14 +53,16 @@ class ReactNativeWPAPIRestClient @Inject constructor(
         successHandler: (data: JsonElement?) -> ReactNativeFetchResponse,
         errorHandler: (BaseNetworkError) -> ReactNativeFetchResponse,
         nonce: String? = null,
+        headers: Map<String, String> = emptyMap()
     ): ReactNativeFetchResponse {
         val response =
             wpApiGsonRequestBuilder.syncPostRequest(
                 this,
                 url,
                 body,
                 JsonElement::class.java,
-                nonce = nonce)
+                nonce = nonce,
+                headers = headers)
         return when (response) {
             is Success -> successHandler(response.data)
             is Error -> errorHandler(response.error)
diff --git a/libs/fluxc/src/main/java/org/wordpress/android/fluxc/store/ReactNativeStore.kt b/libs/fluxc/src/main/java/org/wordpress/android/fluxc/store/ReactNativeStore.kt
@@ -10,6 +10,7 @@ import org.wordpress.android.fluxc.network.discovery.DiscoveryWPAPIRestClient
 import org.wordpress.android.fluxc.network.rest.wpapi.Nonce.Available
 import org.wordpress.android.fluxc.network.rest.wpapi.Nonce.FailedRequest
 import org.wordpress.android.fluxc.network.rest.wpapi.Nonce.Unknown
+import okhttp3.Credentials
 import org.wordpress.android.fluxc.network.rest.wpapi.NonceRestClient
 import org.wordpress.android.fluxc.network.rest.wpapi.reactnative.ReactNativeWPAPIRestClient
 import org.wordpress.android.fluxc.network.rest.wpcom.reactnative.ReactNativeWPComRestClient
@@ -159,7 +160,7 @@ class ReactNativeStore @VisibleForTesting constructor(
         return Error(error)
     }
 
-    @Suppress("ComplexMethod", "NestedBlockDepth", "LongParameterList")
+    @Suppress("ComplexMethod", "NestedBlockDepth", "LongParameterList", "LongMethod", "ReturnCount")
     private suspend fun executeWPAPIRequest(
         site: SiteModel,
         path: String,
@@ -181,6 +182,16 @@ class ReactNativeStore @VisibleForTesting constructor(
         }
         val fullRestUrl = slashJoin(wpApiRestUrl, path)
 
+        // Use Basic auth for sites with application passwords instead of nonce auth.
+        // Application passwords authenticate via REST API Basic auth and cannot
+        // authenticate via wp-login.php (which is required for nonce-based auth).
+        if (site.hasApplicationPassword()) {
+            return executeWithApplicationPassword(
+                site, path, method, params, body, enableCaching,
+                fullRestUrl, usingSavedRestUrl
+            )
+        }
+
         var nonce = nonceRestClient.getNonce(site)
         val usingSavedNonce = nonce is Available
         val failedRecently = true == (nonce as? FailedRequest)?.timeOfResponse?.let {
@@ -208,8 +219,10 @@ class ReactNativeStore @VisibleForTesting constructor(
                         val nonceIsUpdated = newNonce != null && newNonce != previousNonce
                         if (nonceIsUpdated) {
                             return when (method) {
-                                RequestMethod.GET -> executeGet(fullRestUrl, params, newNonce, enableCaching)
-                                RequestMethod.POST -> executePost(fullRestUrl, body, newNonce)
+                                RequestMethod.GET ->
+                                    executeGet(fullRestUrl, params, newNonce, enableCaching)
+                                RequestMethod.POST ->
+                                    executePost(fullRestUrl, body, newNonce)
                             }
                         }
                     }
@@ -227,14 +240,63 @@ class ReactNativeStore @VisibleForTesting constructor(
                         // so the rest url will be retrieved using discovery
                         executeWPAPIRequest(site, path, method, params, body, enableCaching)
                     } else {
-                        // Already used discovery to fetch the rest base url and still got 'not found', so
-                        // just return the error response
+                        // Already used discovery to fetch the rest base url and still got
+                        // 'not found', so just return the error response
                         response
                     }
-
-                    // For all other failures just return the error response
                 }
 
+                // For all other failures just return the error response
+                else -> response
+            }
+        }
+    }
+
+    @Suppress("LongParameterList")
+    private suspend fun executeWithApplicationPassword(
+        site: SiteModel,
+        path: String,
+        method: RequestMethod,
+        params: Map<String, String>,
+        body: Map<String, Any>,
+        enableCaching: Boolean,
+        fullRestUrl: String,
+        usingSavedRestUrl: Boolean
+    ): ReactNativeFetchResponse {
+        val username = site.apiRestUsernamePlain
+        val password = site.apiRestPasswordPlain
+        if (username == null || password == null) {
+            val error = BaseNetworkError(GenericErrorType.UNKNOWN).apply {
+                message = "Application password credentials missing"
+            }
+            return Error(error)
+        }
+        val authHeaderValue = Credentials.basic(username, password)
+        val headers = mapOf(AUTHORIZATION_HEADER to authHeaderValue)
+
+        val response = when (method) {
+            RequestMethod.GET -> executeGet(
+                fullRestUrl, params, nonce = null, enableCaching, headers
+            )
+            RequestMethod.POST -> executePost(
+                fullRestUrl, body, nonce = null, headers
+            )
+        }
+        return when (response) {
+            is Success -> response
+            is Error -> when (response.statusCode()) {
+                HttpURLConnection.HTTP_NOT_FOUND -> {
+                    site.wpApiRestUrl = null
+                    persistSiteSafely(site)
+
+                    if (usingSavedRestUrl) {
+                        executeWPAPIRequest(
+                            site, path, method, params, body, enableCaching
+                        )
+                    } else {
+                        response
+                    }
+                }
                 else -> response
             }
         }
@@ -244,16 +306,24 @@ class ReactNativeStore @VisibleForTesting constructor(
         fullRestApiUrl: String,
         params: Map<String, String>,
         nonce: String?,
-        enableCaching: Boolean
+        enableCaching: Boolean,
+        headers: Map<String, String> = emptyMap()
     ): ReactNativeFetchResponse =
-            wpAPIRestClient.getRequest(fullRestApiUrl, params, ::Success, ::Error, nonce, enableCaching)
+            wpAPIRestClient.getRequest(
+                fullRestApiUrl, params, ::Success, ::Error,
+                nonce, enableCaching, headers
+            )
 
     private suspend fun executePost(
         fullRestApiUrl: String,
         body: Map<String, Any>,
-        nonce: String?
+        nonce: String?,
+        headers: Map<String, String> = emptyMap()
     ): ReactNativeFetchResponse =
-        wpAPIRestClient.postRequest(fullRestApiUrl, body, ::Success, ::Error, nonce)
+        wpAPIRestClient.postRequest(
+            fullRestApiUrl, body, ::Success, ::Error,
+            nonce, headers
+        )
 
     private fun parseUrlAndParamsForWPCom(
         pathWithParams: String,
@@ -294,6 +364,7 @@ class ReactNativeStore @VisibleForTesting constructor(
     private fun getNonce(site: SiteModel) = nonceRestClient.getNonce(site)
 
     companion object {
+        private const val AUTHORIZATION_HEADER = "Authorization"
         private const val FIVE_MIN_MILLIS: Long = 5 * 60 * 1000
 
         /**
diff --git a/libs/fluxc/src/test/java/org/wordpress/android/fluxc/network/rest/wpapi/plugin/PluginWPApiRestClientTest.kt b/libs/fluxc/src/test/java/org/wordpress/android/fluxc/network/rest/wpapi/plugin/PluginWPApiRestClientTest.kt
@@ -186,6 +186,7 @@ class PluginWPApiRestClientTest {
                 eq(type),
                 eq(cachingEnabled),
                 any(),
+                any(),
                 any()
             )
         ).thenReturn(response)
@@ -203,6 +204,7 @@ class PluginWPApiRestClientTest {
                 urlCaptor.capture(),
                 bodyCaptor.capture(),
                 eq(PluginResponseModel::class.java),
+                any(),
                 any()
             )
         ).thenReturn(response)
diff --git a/libs/fluxc/src/test/java/org/wordpress/android/fluxc/store/ReactNativeStoreWPAPITest.kt b/libs/fluxc/src/test/java/org/wordpress/android/fluxc/store/ReactNativeStoreWPAPITest.kt
@@ -6,6 +6,7 @@ import com.android.volley.VolleyError
 import org.junit.Before
 import org.junit.Test
 import org.junit.runner.RunWith
+import okhttp3.Credentials
 import org.mockito.kotlin.any
 import org.mockito.kotlin.inOrder
 import org.mockito.kotlin.mock
@@ -45,7 +46,6 @@ class ReactNativeStoreWPAPITest {
     private val wpApiRestClient = mock<ReactNativeWPAPIRestClient>()
     private val discoveryWPAPIRestClient = mock<DiscoveryWPAPIRestClient>()
     private val nonceRestClient = mock<NonceRestClient>()
-
     private lateinit var store: ReactNativeStore
     private lateinit var site: SiteModel
 
@@ -495,11 +495,93 @@ class ReactNativeStoreWPAPITest {
         assertEquals(UNKNOWN, errorType)
     }
 
-    private suspend fun ReactNativeWPAPIRestClient.getRequest(url: String, nonce: String? = null) =
-        getRequest(url, paramMap, ReactNativeFetchResponse::Success, ReactNativeFetchResponse::Error, nonce)
+    //
+    // Application password tests
+    //
+
+    @Test
+    fun `site with application password uses Basic auth for GET request`() = test {
+        site.apiRestUsernamePlain = "user"
+        site.apiRestPasswordPlain = "pass"
+        val appPasswordAuthHeader = Credentials.basic("user", "pass")
+
+        val fetchUrl = "${site.wpApiRestUrl}/$restPath"
+        val successResponse = mock<Success>()
+        val expectedHeaders = mapOf("Authorization" to appPasswordAuthHeader)
+        whenever(
+            wpApiRestClient.getRequest(
+                fetchUrl, paramMap, ::Success, ::Error,
+                null, true, expectedHeaders
+            )
+        ).thenReturn(successResponse)
+
+        val actualResponse = store.executeGetRequest(site, restPathWithParams)
+        assertEquals(successResponse, actualResponse)
+        verify(nonceRestClient, never()).getNonce(any<SiteModel>())
+        verify(nonceRestClient, never()).requestNonce(any())
+    }
+
+    @Test
+    fun `site with application password uses Basic auth for POST request`() = test {
+        site.apiRestUsernamePlain = "user"
+        site.apiRestPasswordPlain = "pass"
+        val appPasswordAuthHeader = Credentials.basic("user", "pass")
+
+        val postUrl = "${site.wpApiRestUrl}/$restPath"
+        val successResponse = mock<Success>()
+        val expectedHeaders = mapOf("Authorization" to appPasswordAuthHeader)
+        whenever(
+            wpApiRestClient.postRequest(
+                postUrl, bodyMap, ::Success, ::Error,
+                null, expectedHeaders
+            )
+        ).thenReturn(successResponse)
+
+        val actualResponse = store.executePostRequest(site, restPathWithParams, bodyMap)
+        assertEquals(successResponse, actualResponse)
+        verify(nonceRestClient, never()).getNonce(any<SiteModel>())
+        verify(nonceRestClient, never()).requestNonce(any())
+    }
+
+    @Test
+    fun `site with application password does not retry nonce on 401`() = test {
+        site.apiRestUsernamePlain = "user"
+        site.apiRestPasswordPlain = "pass"
+        val appPasswordAuthHeader = Credentials.basic("user", "pass")
+
+        val fetchUrl = "${site.wpApiRestUrl}/$restPath"
+        val unauthorizedResponse = errorResponse(StatusCode.UNAUTHORIZED_401)
+        val expectedHeaders = mapOf("Authorization" to appPasswordAuthHeader)
+        whenever(
+            wpApiRestClient.getRequest(
+                fetchUrl, paramMap, ::Success, ::Error,
+                null, true, expectedHeaders
+            )
+        ).thenReturn(unauthorizedResponse)
+
+        val actualResponse = store.executeGetRequest(site, restPathWithParams)
+        assertEquals(unauthorizedResponse, actualResponse)
+        verify(nonceRestClient, never()).getNonce(any<SiteModel>())
+        verify(nonceRestClient, never()).requestNonce(any())
+    }
 
-    private suspend fun ReactNativeWPAPIRestClient.postRequest(url: String, nonce: String? = null) =
-        postRequest(url, bodyMap, ReactNativeFetchResponse::Success, ReactNativeFetchResponse::Error, nonce)
+    private suspend fun ReactNativeWPAPIRestClient.getRequest(
+        url: String,
+        nonce: String? = null,
+        headers: Map<String, String> = emptyMap()
+    ) = getRequest(
+        url, paramMap, ReactNativeFetchResponse::Success,
+        ReactNativeFetchResponse::Error, nonce, true, headers
+    )
+
+    private suspend fun ReactNativeWPAPIRestClient.postRequest(
+        url: String,
+        nonce: String? = null,
+        headers: Map<String, String> = emptyMap()
+    ) = postRequest(
+        url, bodyMap, ReactNativeFetchResponse::Success,
+        ReactNativeFetchResponse::Error, nonce, headers
+    )
 
     private fun errorResponse(statusCode: Int): ReactNativeFetchResponse = Error(mock()).apply {
         error.volleyError = VolleyError(NetworkResponse(statusCode, null, false, 0L, null))
