Cannot log in using email address to WordPress.com when submitting a comment (forced to use username)

[philnick206]

Impacted plugin

Jetpack

Quick summary

When attempting to submit a comment as a visitor not logged into WordPress.com on a WordPress.com site, you cannot complete the login process using an email, you must enter a username.

comment.login.issue.mp4

Steps to reproduce

1. Add a comment as non-logged in user
2. Enter email address used by a WordPress.com account
3. Try to login using email to the WordPress.com account

A clear and concise description of what you expected to happen.

Account should be logged in an comment published

What actually happened

Account was not logged in and username had to be used instead

Impact

Some (< 50%)

Available workarounds?

No and the platform is unusable

If the above answer is "Yes...", outline the workaround.

No response

Platform (Simple and/or Atomic)

Simple

Logs or notes

Reported in 8834405-zd-a8c

[github-actions]

Support References

This comment is automatically generated. Please do not edit it.

• 8834405-zen
• p8Slzc-44H-p2#comment-2668

[taipeicoder]

I was not able to reproduce this issue in either Chrome or Safari. Tested both proxied and unproxied.

Screen.Capture.on.2024-10-07.at.11-50-58.mp4

Also tested the user's site and was not able to reproduce the issue. Logging in with e-mail worked as expected.
@philnick206 are you able to reproduce the issue?

[taipeicoder]

I'll re-triage this to High, since using the username is still available as a workaround.

[sejas]

I was able to reproduce the issue. After posting a comment and entering my email to login, I receive the error message: Please log in using your WordPress.com username instead of your email address. This occurs regardless of whether the password is correct or incorrect.
When entering my username and password, I'm able to successfully log in.
It's worth mentioning that I tested it in a simple site and the login URL was siteURL/wp-comments-post.php, and then siteURL/wp-login.php, instead of WP.com site.

Here is the screencast:

loging-username-instead-of-password.webm

I'm starting to take a look to find the root cause.

[jeherve]

Also reported here:
p8Slzc-44H-p2

[sejas]

I tried the same flow on an atomic site and, with the default settings, I'm not asked to login to WPcom, the comment is "posted" for the admin to moderate it.

teting-comment-atomic-site.mp4

Settings:

Simple	Atomic

[sejas]

When sandboxing the simple site, I'm able to login with the email and post a comment without any error. Which make it harder to debug and confirm any possible solution.

test-posting-a-comment-first-in-pro-then-sandbox.mp4

[sejas]

I confirm I'm able to reproduce the issue only when I'm proxied. I can correctly authenticates an post the comment without AutoProxxy.

[taipeicoder]

When sandboxing the simple site, I'm able to login with the email and post a comment without any error.

I confirm I'm able to reproduce the issue only when I'm proxied. I can correctly authenticates an post the comment without AutoProxxy.

To clarify, are you able to reproduce this issue proxied but not on production?

[sejas]

@taipeicoder, yes, that’s correct. I can reproduce this issue only on staging, not in production.

I believe the issue may be related to a mismatch between creation_country and login_country within the suspicious_email_login function. This discrepancy occurs because the country is determined using our proxied IP. Prompting users to log in with their username instead of their email seems to be a “feature” intended to protect against mismatches between registration and posting countries.

I tested it enabling third party cookies and it doesn't affect in the results.

@taipeicoder, @philnick206 , I've created this Diff that could "solve" this issue when proxied. D163234-code

I'll post my findings on p8Slzc-44H-p2

[sejas]

I landed D163234-code and I confirm now I can post a comment and login to my account using my email address. (Proxied and not proxied).

Asking for a username instead of email is not a BUG it's a "Feature". It's a security measure to protect users to login from a foreign country.
See: fbhepr%2Skers%2Sjcpbz%2Sjc%2Qpbagrag%2Szh%2Qcyhtvaf%2Sybt%2Qva%2Qivn%2Qrznvy.cuc%3Se%3Q87132902%23141%2Q148-og

I was not sure if closing this issue since it's a feature, but decided to keep it open since the Loop team seems to be shaping a project related to that screen: p8Slzc-44H-p2#comment-2668

Okay, thanks for the additional context. I’m going to shape a project for the Loop Team to address this.

I moved te issue status to needs-shaping, changed the priority from High to Normal and from Bug to Enhancement.