Account Protection: Add password detection flow

[dkmyta]

Description

Add the password detection flow as described in the designs.

TODOs:

• Add tests - https://github.com/Automattic/jetpack-scan-team/issues/1669
• Enable module by default and remove strict mode settings:
  • https://github.com/Automattic/jetpack-scan-team/issues/1674
  • https://github.com/Automattic/jetpack-scan-team/issues/1675
• Update flow to account for rollout plan changes - https://github.com/Automattic/jetpack-scan-team/issues/1676

Reliant on:

• Jetpack: Add Account Protection security settings #40938
• Protect: Add Account Protection settings #40942

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

• https://github.com/Automattic/jetpack-scan-team/issues/1639
• p1HpG7-vsU-p2

Does this pull request change what data or activity we track or use?

• No

Testing instructions:

• Checkout this branch
• Run Jurassic Tube
• Install and activate either Jetpack or Protect and enable the Account Protection settings
• Log out and proceed to the wp-login.php form an attempt to log in
  • Note that the validation mechanism here has been forced to detect all attempts as fails
• Ensure that after the validation fails you are redirected to wp-login.php?action=password-detection and that the initial state of the page is styled as per designs and you are presented relevant details and options
• Verify that clicking the Proceed without updating button redirects you to /wp-admin and that you now logged in
• Verify that clicking the Create new password button updates the content accordingly and that the email action is triggered only once on the initial render (disabled by setting and a checking a transient)
  • Note that the email action is not yet hooked up to the new endpoint and does not actually perform anything yet
• Ensure that the Resend email action dynamically updates the UI with status details and that the email function is triggered
• Ensure no regressions are introduced to core functionality and that the functionality only applies when the toggle is enabled
• Review the package code responsible for each task

Screen capture

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the add/packages/account-protection-password-detection-flow branch.

• To test on Simple, run the following command on your sandbox:

  bin/jetpack-downloader test jetpack add/packages/account-protection-password-detection-flow
  

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  
• 🔴 Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Choose a review path based on your changes:
   • A. Team Review: add the "[Status] Needs Team Review" label
     • For most changes, including minor cross-team impacts.
     • Example: Updating a team-specific component or a small change to a shared library.
   • B. Crew Review: add the "[Status] Needs Review" label
     • For significant changes to core functionality.
     • Example: Major updates to a shared library or complex features.
   • C. Both: Start with Team, then request Crew
     • For complex changes or when you need extra confidence.
     • Example: Refactor affecting multiple systems.
3. Get at least one approval before merging.

Still unsure? Reach out in #jetpack-developers for guidance!

---

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

• WordPress.com Simple releases happen semi-continuously (PCYsg-Jjm-p2).
• WoA releases happen weekly.
• Releases to self-hosted sites happen monthly. The next release is scheduled for February 4, 2025 (scheduled code freeze on February 4, 2025).

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

---

Protect plugin:

• Next scheduled release: none scheduled.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

[ArSn]

Some small comments / notes, but nothing that keeps us from merging this. I was also able to test this, contrary to that other PR (which I will try again now).

[ArSn]

It is actually live by now :)

[ArSn]

you might also want to check the common index that is available now. However if we're just going to return true in both cases, we could also combine them. The idea was to adjust the messaging based on what hits, I think (tell the user specifically if it is a common or compromised one) - that being said, most common passwords are also compromised by their nature

[ArSn]

should all these texts be translateable? i.e. using esc_html__ functions et. al.?

[ArSn]

I wonder if we really need a nonce in this case, because we're not updating any data?

[ArSn]

I think this PR does a bit more than that? :)

[dkmyta]

Merging as is, and will add follow-ups to address the items highlighted.