test(e2e): restore cross-domain SSO spec

[superdav42]

Summary

• add a CI hosts entry for sso-test.ultimate-multisite.test so Cypress can reach wp-env on the existing port while preserving a mapped-domain Host header
• update the SSO setup fixture to map sso-test.ultimate-multisite.test:PORT directly in the domain mapping table
• re-enable 060-sso-cross-domain.spec.js and align the redirect-loop SSO spec with the same mapped hostname

Resolves #1322

Verification

• php -l tests/e2e/cypress/fixtures/setup-sso-test.php
• node --check tests/e2e/cypress/integration/060-sso-cross-domain.spec.js
• node --check tests/e2e/cypress/integration/065-sso-redirect-loop.spec.js
• git diff --check origin/main...HEAD

Not run locally: full Cypress/wp-env spec, because this environment is missing installed npm dependencies and requires Docker/wp-env.

---

aidevops.sh v3.20.36 plugin for OpenCode v1.16.2 with gpt-5.5

Summary by CodeRabbit

• Tests
  • Enabled cross-domain SSO tests in CI and updated E2E specs to validate SSO across mapped hostnames and adjust redirect expectations to the main-site origin
  • Improved test setup and assertions for mapped-domain SSO flows, including cookie/domain handling and broader domain-match checks
• Chores
  • CI E2E workflow now ensures the mapped test hostname resolves locally before running tests

[github-actions]

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

• Build: ultimate-multisite
• ⬇️ Download from GitHub Actions
• ⬇️ Download without Github Account (nightly.link)

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limitied, hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a CI hosts entry for sso-test.ultimate-multisite.test, updates the SSO test fixture to use that mapped hostname (with optional port) for DB lookups and cache invalidation, re-enables and updates the cross-domain Cypress spec to use the mapped hostname, and aligns the redirect-loop spec's cookie domain to the mapped host.

Changes

Cross-domain SSO hostname mapping

Layer / File(s)	Summary
CI environment hosts mapping .github/workflows/e2e.yml	Workflow step appends /etc/hosts entry for sso-test.ultimate-multisite.test → 127.0.0.1 and verifies resolution with getent hosts.
Test fixture domain mapping configuration tests/e2e/cypress/fixtures/setup-sso-test.php	Fixture constructs mapped domain using sso-test.ultimate-multisite.test (optionally with port), expands DB domain-mapping lookup to include hostname-with-port, hostname-without-port, and 127.0.0.1:PORT, and invalidates cache entries for the hostname and IP variants.
Cross-domain SSO spec enablement and verification tests/e2e/cypress/integration/060-sso-cross-domain.spec.js	Removes describe.skip to enable the suite, updates header/text and URL constants to use sso-test.ultimate-multisite.test:8889, tightens redirect-trigger assertions to expect 302 with sso=login, and changes post-SSO expectations to land on the main-site origin rather than asserting subsite path.
SSO redirect-loop spec cookie domain alignment tests/e2e/cypress/integration/065-sso-redirect-loop.spec.js	Introduce mappedDomainHost/mappedDomainUrl constants and set wu_sso_denied cookie domain to mappedDomainHost instead of a hardcoded IP.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Ultimate-Multisite/ultimate-multisite#1323: Previously skipped the cross-domain spec due to wp-env port/domain-mapping; this PR re-enables it via hostname mapping.
• Ultimate-Multisite/ultimate-multisite#366: Related redirect-loop handling and wu_sso_denied cookie behavior that these tests exercise.
• Ultimate-Multisite/ultimate-multisite#1203: Addresses redirect-loop/throttling logic relevant to SSO redirect tests.

Suggested labels

testing, origin:interactive

Poem

🐰 I hopped through hosts, a tiny guide,
Mapping sso-test to localhost with pride,
Cookies settled on the mapped domain,
Cypress chased redirects down the lane,
Tests now wake where hostname rules the tide.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main objective: re-enabling the cross-domain SSO spec test that was previously skipped.
Linked Issues check	✅ Passed	The PR implements all required changes: adds /etc/hosts entry in workflow, updates fixture to map the hostname, re-enables 060-sso-cross-domain.spec.js, and aligns 065-sso-redirect-loop.spec.js to use the mapped hostname.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the issue #1322 objectives: the workflow hosts entry, fixture domain mapping, and spec test files with no unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch issue-1322-hosts-entry

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

• Build: ultimate-multisite
• ⬇️ Download from GitHub Actions
• ⬇️ Download without Github Account (nightly.link)

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limitied, hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/e2e/cypress/fixtures/setup-sso-test.php`:
- Around line 54-57: This file is missing the required ABSPATH guard; add the
standard PHP entry guard at the top of the file by inserting defined('ABSPATH')
|| exit; as the very first executable line to prevent direct web access. Locate
the fixture file (setup-sso-test.php) and ensure the guard appears before any DB
mutation or references (e.g., before usage of $wpdb and the $table assignment
for 'wu_domain_mappings') so the script exits immediately if ABSPATH is not
defined.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: da60512b-bd95-4791-b8bc-642304b3339a

📥 Commits

Reviewing files that changed from the base of the PR and between 20c8ed4 and 6764ee0.

📒 Files selected for processing (4)

• .github/workflows/e2e.yml
• tests/e2e/cypress/fixtures/setup-sso-test.php
• tests/e2e/cypress/integration/060-sso-cross-domain.spec.js
• tests/e2e/cypress/integration/065-sso-redirect-loop.spec.js

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add an ABSPATH entry guard before this mutation fixture executes.

Line 54 onward mutates DB/settings, but this file is missing the required defined('ABSPATH') || exit; gate at file start. That leaves direct execution risk in environments where test files are web-reachable.

🔧 Proposed fix

 <?php
+defined('ABSPATH') || exit;
 /**
  * Set up the SSO e2e test environment.

As per coding guidelines, “Every PHP file must start with defined('ABSPATH') || exit;”.

🧰 Tools

🪛 GitHub Check: Code Quality Checks

[warning] 56-56:
Expected 1 space before comment text but found 4; use block comment if you need indentation

---

[warning] 55-55:
Expected 1 space before comment text but found 4; use block comment if you need indentation

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/e2e/cypress/fixtures/setup-sso-test.php` around lines 54 - 57, This
file is missing the required ABSPATH guard; add the standard PHP entry guard at
the top of the file by inserting defined('ABSPATH') || exit; as the very first
executable line to prevent direct web access. Locate the fixture file
(setup-sso-test.php) and ensure the guard appears before any DB mutation or
references (e.g., before usage of $wpdb and the $table assignment for
'wu_domain_mappings') so the script exits immediately if ABSPATH is not defined.

Source: Coding guidelines

[superdav42]

CI repair feedback routed to issue #1322

This worker PR had terminal failed CI checks. The check details have been appended
to the linked issue body so the next worker can address them.

Terminal failed checks:

• PHP 8.3: failure — check URL

Closed by deterministic merge pass (pulse-merge.sh).

[github-actions]

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

• Build: ultimate-multisite
• ⬇️ Download from GitHub Actions
• ⬇️ Download without Github Account (nightly.link)

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limitied, hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password

[github-actions]

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

• Build: ultimate-multisite
• ⬇️ Download from GitHub Actions
• ⬇️ Download without Github Account (nightly.link)

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limitied, hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/e2e/cypress/integration/060-sso-cross-domain.spec.js (1)

14-122: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix indentation: use tabs instead of spaces.

The file uses spaces for indentation throughout, but the coding guidelines require tabs for all .js files. This violates the WordPress ESLint configuration standard for this project.

As per coding guidelines: "indentation must be tabs" for **/*.js files.

🔧 Suggested approach

Run your editor's "Convert Spaces to Tabs" command, or use a script to convert all leading spaces to tabs. Most editors have a built-in command for this (e.g., VS Code: "Convert Indentation to Tabs").

For example, you can use the following command to convert spaces to tabs:

# This is just an example command - run it locally, not in the sandbox
sed -i 's/^  /\t/g; s/^\t  /\t\t/g; s/^\t\t  /\t\t\t/g' tests/e2e/cypress/integration/060-sso-cross-domain.spec.js

Or configure your editor to use tabs for .js files in this project.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/e2e/cypress/integration/060-sso-cross-domain.spec.js` around lines 14 -
122, The file uses spaces for indentation but project style requires tabs;
update leading indentation throughout this test file (e.g., the top-level const
declarations, the before() hook, and each it() block including nested callbacks
like the cy.request/.then and cy.visit sections) to use tabs instead of spaces
so it conforms to the WordPress ESLint rules for .js files; run your editor or a
conversion tool to replace leading space runs with equivalent tabs and re-check
the file (060-sso-cross-domain.spec.js) so functions/hooks such as before, it,
cy.request, and cy.visit are indented with tabs.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/e2e/cypress/integration/060-sso-cross-domain.spec.js`:
- Around line 89-99: The test name/comments in 060-sso-cross-domain.spec.js
should be clarified to state it verifies the wp-env main-origin handoff
behavior, and you should add a post-SSO verification that the mapped domain
remains authenticated: after the existing assertions that the browser landed on
mainSiteUrl with /wp-admin/ and `#wpadminbar`, navigate to
`${mappedDomainUrl}/wp-admin/` and assert you land on the admin UI (URL includes
`/wp-admin/`) and `#wpadminbar` exists without being redirected back into the
SSO flow; update the spec title/comment to mention "wp-env main-origin handoff"
or add the mapped-domain check to cover cross-domain authentication.

---

Outside diff comments:
In `@tests/e2e/cypress/integration/060-sso-cross-domain.spec.js`:
- Around line 14-122: The file uses spaces for indentation but project style
requires tabs; update leading indentation throughout this test file (e.g., the
top-level const declarations, the before() hook, and each it() block including
nested callbacks like the cy.request/.then and cy.visit sections) to use tabs
instead of spaces so it conforms to the WordPress ESLint rules for .js files;
run your editor or a conversion tool to replace leading space runs with
equivalent tabs and re-check the file (060-sso-cross-domain.spec.js) so
functions/hooks such as before, it, cy.request, and cy.visit are indented with
tabs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cb7342bb-bd31-4c18-8d49-00722b8b8b26

📥 Commits

Reviewing files that changed from the base of the PR and between 6764ee0 and e7c84b5.

📒 Files selected for processing (2)

• tests/e2e/cypress/integration/060-sso-cross-domain.spec.js
• tests/e2e/cypress/integration/065-sso-redirect-loop.spec.js

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/e2e/cypress/integration/065-sso-redirect-loop.spec.js

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the SSO redirect and return URL logic to understand expected final destination

# 1. Find get_sso_redirect_to implementation (referenced in context snippet 4)
echo "=== Checking get_sso_redirect_to implementation ==="
rg -n -A 20 'function get_sso_redirect_to' --type=php

# 2. Find get_sso_return_url implementation (referenced in context snippet 4)
echo -e "\n=== Checking get_sso_return_url implementation ==="
rg -n -A 20 'function get_sso_return_url' --type=php

# 3. Check if there's any SSO flow documentation or comments about expected behavior
echo -e "\n=== Checking for SSO flow documentation ==="
rg -n -C 3 'SSO.*flow|redirect.*chain|return.*main.*site' --type=php inc/sso/

# 4. Look for any existing tests or specs that verify SSO landing page
echo -e "\n=== Checking other SSO-related test expectations ==="
rg -n 'mappedDomain|mainSite.*url.*should' tests/e2e/cypress/integration/ --type=js

Repository: Ultimate-Multisite/ultimate-multisite

Length of output: 8240

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Show 060 spec around line 60-130 ==="
nl -ba tests/e2e/cypress/integration/060-sso-cross-domain.spec.js | sed -n '60,140p'

echo -e "\n=== Inspect SSO main-site-logged-in handling ==="
rg -n "handle_main_site_logged_in_user|unwrap_sso_handoff_url|is_cross_domain_url|get_sso_redirect_to|get_sso_return_url" inc/sso/class-sso.php

echo -e "\n=== Show surrounding code for get_sso_return_url + get_sso_redirect_to ==="
nl -ba inc/sso/class-sso.php | sed -n '1040,1145p'

echo -e "\n=== Show surrounding code for handle_main_site_logged_in_user ==="
rg -n "function handle_main_site_logged_in_user" -n inc/sso/class-sso.php
line=$(rg -n "function handle_main_site_logged_in_user" inc/sso/class-sso.php | head -n1 | cut -d: -f1)
start=$((line-40)); end=$((line+120))
nl -ba inc/sso/class-sso.php | sed -n "${start},${end}p"

echo -e "\n=== Show unwrap_sso_handoff_url implementation ==="
rg -n "function unwrap_sso_handoff_url" inc/sso/class-sso.php
line=$(rg -n "function unwrap_sso_handoff_url" inc/sso/class-sso.php | head -n1 | cut -d: -f1)
start=$((line-40)); end=$((line+120))
nl -ba inc/sso/class-sso.php | sed -n "${start},${end}p'

Repository: Ultimate-Multisite/ultimate-multisite

Length of output: 183

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Show 060 spec around line 60-140 (with line numbers) ==="
awk '{printf "%6d\t%s\n", NR, $0}' tests/e2e/cypress/integration/060-sso-cross-domain.spec.js | sed -n '60,140p'

echo -e "\n=== Inspect SSO main-site-logged-in handling (function names) ==="
rg -n "handle_main_site_logged_in_user|unwrap_sso_handoff_url|is_cross_domain_url|get_sso_redirect_to|get_sso_return_url" inc/sso/class-sso.php

echo -e "\n=== Show surrounding code for get_sso_return_url + get_sso_redirect_to ==="
awk '{printf "%6d\t%s\n", NR, $0}' inc/sso/class-sso.php | sed -n '1040,1145p'

echo -e "\n=== Show surrounding code for handle_main_site_logged_in_user ==="
line=$(rg -n "function handle_main_site_logged_in_user" inc/sso/class-sso.php | head -n1 | cut -d: -f1)
start=$((line-40)); end=$((line+140))
awk '{printf "%6d\t%s\n", NR, $0}' inc/sso/class-sso.php | sed -n "${start},${end}p"

echo -e "\n=== Show surrounding code for unwrap_sso_handoff_url ==="
line=$(rg -n "function unwrap_sso_handoff_url" inc/sso/class-sso.php | head -n1 | cut -d: -f1)
start=$((line-40)); end=$((line+120))
awk '{printf "%6d\t%s\n", NR, $0}' inc/sso/class-sso.php | sed -n "${start},${end}p"

Repository: Ultimate-Multisite/ultimate-multisite

Length of output: 20729

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Inspect SSO redirect/attach flow entrypoints ==="
rg -n "handle_auth_redirect|auth_redirect|sso=login|sso_verify|redirect_to|return_url" inc/sso/class-sso.php

echo -e "\n=== Show handle_auth_redirect (or nearest match) ==="
pos=$(rg -n "function handle_auth_redirect|function handle_.*auth_redirect|auth_redirect\(" inc/sso/class-sso.php | head -n1 | cut -d: -f1)
if [ -n "${pos:-}" ]; then
  start=$((pos-60)); end=$((pos+220))
  awk '{printf "%6d\t%s\n", NR, $0}' inc/sso/class-sso.php | sed -n "${start},${end}p"
fi

echo -e "\n=== Inspect assets/js/sso.js for where it navigates/redirects after verification ==="
rg -n "return_url|redirect_to|window\.location|location\.href|wp-admin|sso_verify" assets/js/sso.js inc/sso -S || true
ls -la assets/js || true
if [ -f assets/js/sso.js ]; then
  awk '{printf "%6d\t%s\n", NR, $0}' assets/js/sso.js | sed -n '1,220p'
fi

echo -e "\n=== Check cookie-less token consumption endpoint(s) ==="
rg -n "handle_cookie_less_sso_token|wu_sso_token" inc/sso/class-sso.php inc/sso -S

Repository: Ultimate-Multisite/ultimate-multisite

Length of output: 40810

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Show full handle_cookie_less_sso_token implementation (inc/sso/class-sso.php 1128+) ==="
awk '{printf "%6d\t%s\n", NR, $0}' inc/sso/class-sso.php | sed -n '1100,1185p'

echo -e "\n=== Show is_sso_token / redirect helpers around 1140-1170 if present ==="
rg -n "handle_cookie_less_sso_token|get_current_url|redirect_to|wu_sso_token|wp_safe_redirect" inc/sso/class-sso.php | head -n 50

Repository: Ultimate-Multisite/ultimate-multisite

Length of output: 6631

---

Clarify what the SSO test validates (wp-env main-origin handoff) and strengthen mapped-domain assertions.

The SSO implementation redirects based on return_url/redirect_to: when the user is already logged in on the main site, handle_main_site_logged_in_user() redirects with a cookie-less token and a redirect_to param, and handle_cookie_less_sso_token() consumes wu_sso_token and then wp_safe_redirect()s to redirect_to (defaulting to admin_url). In wp-env, that can legitimately result in the final landing URL being the main site's origin (as the spec comment already describes), so the end-state assertions on /wp-admin/ + #wpadminbar are consistent with “SSO-authenticated session exists” even if the browser ends up back on mainSiteUrl.

What’s missing for “cross-domain authentication” coverage is a direct post-SSO check that the mapped domain stays authenticated (e.g., after the final step, revisit ${mappedDomainUrl}/wp-admin/ and assert you land on the admin UI without being re-triggered into login/SSO). Update the test name/comments to reflect the wp-env handoff behavior, or add the mapped-domain verification as above.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/e2e/cypress/integration/060-sso-cross-domain.spec.js` around lines 89 -
99, The test name/comments in 060-sso-cross-domain.spec.js should be clarified
to state it verifies the wp-env main-origin handoff behavior, and you should add
a post-SSO verification that the mapped domain remains authenticated: after the
existing assertions that the browser landed on mainSiteUrl with /wp-admin/ and
`#wpadminbar`, navigate to `${mappedDomainUrl}/wp-admin/` and assert you land on
the admin UI (URL includes `/wp-admin/`) and `#wpadminbar` exists without being
redirected back into the SSO flow; update the spec title/comment to mention
"wp-env main-origin handoff" or add the mapped-domain check to cover
cross-domain authentication.

[superdav42]

Permission check failed for this PR (HTTP unknown from collaborator permission API). Unable to determine if @superdav42 is a maintainer or external contributor. A maintainer must review and merge this PR manually. This is a fail-closed safety measure — the pulse will not auto-merge until the permission API succeeds.

---

aidevops.sh v3.20.40 plugin for OpenCode v1.16.2 with gpt-5.5 spent 1m and 32,332 tokens on this as a headless worker.

[superdav42]

Correction: the previous “Permission check failed” notice was posted by a supervisor gate invocation error, not by an actual collaborator-permission API failure.

• Author permission: verified collaborator (superdav42).
• Current blocker: workflow-file/base-branch merge guard; automatic squash merge was refused by repository policy.
• Next action: maintainer/manual merge path if this workflow-related PR is still intended.

---

aidevops.sh v3.20.40 plugin for OpenCode v1.16.2 with gpt-5.5 spent 4m and 74,570 tokens on this as a headless worker. Overall, 4h 45m since this issue was created.