feat: session hydration

[miguelpeixe]

All Submissions:

• Have you followed the Newspack Contributing guideline?
• Does your code follow the WordPress' coding standards and VIP Go coding standards?
• Have you checked to ensure there aren't other open Pull Requests for the same update/change?

Changes proposed in this Pull Request:

This PR introduces a mechanism to bridge the gap between authentication and the next page load. After login, a short-lived transient binds the newspack-cid cookie to the authenticated user ID, and a new REST endpoint (/reader/session) returns a wp_rest nonce for subsequent authenticated API calls.

This session hydration strategy is used by the reader data store and the newsletter sign-up modal to offer premium newsletters to the signed-in user.

The data store will no longer require a page refresh to sync pending data items, and the newsletter modal refresh endpoint will rely on authentication, simplifying its logic.

How it works:

1. In the backend: any authentication (via Woo checkout registration or auth/registration modal), bind the session's newspack-cid to the $user_id for 2 minutes.
2. In the frontend: detect the auth cookie and request the /reader/session endpoint to fetch a wp_rest nonce
3. Once hydrated (nonce fetched), a triggered event gets picked up by the data store and newsletter modal, so they run their logic

The /reader/session response payload has a filter so components can initialize their state without additional requests. The reader data store leverages that filter to populate stored reader data items for db -> localStorage hydration.

How to test the changes in this Pull Request:

Simple authentication flow

1. In a fresh session, open devtools to inspect network requests
2. Sign in as an existing reader using the auth modal
3. Confirm that after authenticating, a request is made to /reader/session with the following response:

{
    "nonce": "365493a533",
    "reader_data_items": {
        "is_donor": "false",
        "is_former_donor": "true",
        "pageviews": "{\"day\":{\"count\":22,\"start\":1775053485659},\"week\":{\"count\":22,\"start\":1775053485659},\"month\":{\"count\":22,\"start\":1775053485659}}",
        "is_newsletter_subscriber": "true",
        "newsletter_subscribed_lists": "[\"5\"]",
        "active_subscriptions": "[20157]",
        "article_view_per_week": "{\"1772247600000\":{\"3836\":true},\"1774062000000\":{\"4837\":true},\"1774666800000\":{\"4837\":true,\"8597\":true,\"20826\":true}}",
        "article_view_per_month": "{\"1772334000000\":{\"3836\":true},\"1775012400000\":{\"4837\":true,\"8597\":true,\"20826\":true}}",
    }
}

Reader data store hydration

1. In the same session, confirm that the reader data items from the response above are now hydrated to localStorage
2. Also confirm a successful request is made to /reader-data with the nonce as X-WP-Nonce header, syncing local items to the db

Premium newsletters

1. Set up premium newsletters attached to a subscription product
2. Make sure to check the premium lists in the "Present newsletter signup after checkout and registration" section of audience configuration
3. In a fresh session, open the console and run newspackReaderActivation.openNewslettersSignupModal()
4. Confirm the modal doesn't include the premium list(s) and close
5. Go through the modal checkout flow to purchase the subscription that unlocks the lists
6. Confirm that the post-checkout newsletters modal includes the list(s)

Other information:

• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes, as applicable?
• Have you successfully ran tests with your changes locally?

[Copilot]

Pull request overview

Implements “session hydration” to bridge the gap between authentication and the next page load by fetching a fresh wp_rest nonce (and optionally initial payload) immediately after login, enabling the reader-data store and newsletters modal to update without requiring a refresh.

Changes:

• Backend: add /newspack/v1/reader/session endpoint backed by a short-lived CID→user transient, plus a newspack_session_hydration_response filter for augmenting the response.
• Frontend: add a session hydration module + EVENTS.session, rehydrate reader-data items and use hydrated nonce for syncing, and refresh the newsletters modal on hydration.
• Tests: add unit tests for session hydration, and remove now-obsolete tests related to the removed content-restriction user-id override filter.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
includes/reader-activation/class-session-hydration.php	Adds CID binding + REST endpoint to mint a fresh wp_rest nonce after auth, with response filter.
includes/class-newspack.php	Loads the new session hydration class.
includes/reader-activation/class-reader-data.php	Adds reader-data payload to hydration response; always localizes api_url.
src/reader-activation/session.js	Frontend session hydration fetch + shared nonce storage + event emission.
src/reader-activation/events.js	Adds session event type.
src/reader-activation/index.js	Triggers hydration after detecting auth cookie.
src/reader-activation/store.js	Uses hydrated nonce for sync; listens for hydration event to rehydrate + requeue sync.
includes/reader-activation/class-reader-activation.php	Simplifies newsletters refresh endpoint to rely on current session user; removes prior “override user id” logic.
src/reader-activation-newsletters/newsletters-modal.js	Updates refresh endpoint usage and refreshes modal on hydration event.
includes/content-gate/class-content-restriction-control.php	Removes newspack_content_restriction_control_user_id filter usage.
tests/unit-tests/session-hydration.php	Adds unit tests for CID binding and hydration endpoint behavior.
tests/unit-tests/content-gate/content-gates.php	Removes tests for the removed content-restriction user-id override filter.
tests/unit-tests/content-gate/class-premium-newsletters.php	Removes filter cleanup that no longer applies.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[dkoo]

@miguelpeixe I like the overall approach here, and I think it provides everything we need to fix the long-standing issue of the newsletter signup modal showing lists for the "wrong" user after a new account registration. However, that testing step is not working for me currently. See more details inline.

More feedback from a Claude code review below.

[github-actions]

Hey @miguelpeixe, good job getting this PR merged! 🎉

Now, the needs-changelog label has been added to it.

Please check if this PR needs to be included in the "Upcoming Changes" and "Release Notes" doc. If it doesn't, simply remove the label.

If it does, please add an entry to our shared document, with screenshots and testing instructions if applicable, then remove the label.

Thank you! ❤️

[github-actions]

🎉 This PR is included in version 6.38.0-alpha.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀