Account Protection: Fix Brute force protection account recovery conflict

[dkmyta]

Fixes #
When the Brute force module reaches a point where a user is blocked and locked out, the recovery process hooks into the same wp_authenticate_user flow that Account Protection currently does for validation the users password. When validation fails a WP_Error object is returned and the BFP method then picks it up and attempts to run check_valid_blocked_user which doesn't currently expect that value and immediately errors out.

Note that a separate issue has been defined separate from this project to address the bug.

Proposed changes:

• Skip our validation process when we detect the Brute force recovery param in the URL string, immediately passing back the current $user object for Brute force to continue the recovery validation and redirection process.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

• https://github.com/Automattic/jetpack-scan-team/issues/1709

Does this pull request change what data or activity we track or use?

• No

Testing instructions:

• Checkout this branch running JT with Protect, Account Protection and Brute Force Protection enabled
• Login in incorrectly enough times to have BFP block your access, along the way ensure the BFP module is functioning correctly without conflict
• Once locked out, follow the recovery process BFP provides when attempting to login
• Remove the new validate_jetpack_protect_recovery check
• Follow the recovery email link and ensure that when you provide your current password that you are blocked from logging in with a The recovery token is not valid for this user. error
• Log out the error and verify that it is in fact from the Password Detection flow: Password validation failed.
• Reapply the check, and attempt to log in once again
• Ensure that validation passes (as long as the token remains valid) and that you are appropriately logged in
• Ensure no regressions in BFP or Account Protection Password Detection functionality are introduced

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the fix/packages/account-protection-bfp-conflict branch.

  • For jetpack-mu-wpcom changes, also add define( 'JETPACK_MU_WPCOM_LOAD_VIA_BETA_PLUGIN', true ); to your wp-config.php file.

• To test on Simple, run the following command on your sandbox:

  bin/jetpack-downloader test jetpack fix/packages/account-protection-bfp-conflict
  

  bin/jetpack-downloader test jetpack-mu-wpcom-plugin fix/packages/account-protection-bfp-conflict
  

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  
• 🔴 Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• 🔴 Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

---

🔴 Action required: Please add missing changelog entries for the following projects: projects/packages/account-protection

Use the Jetpack CLI tool to generate changelog entries by running the following command: jetpack changelog add.
Guidelines: /docs/writing-a-good-changelog-entry.md

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Choose a review path based on your changes:
   • A. Team Review: add the "[Status] Needs Team Review" label
     • For most changes, including minor cross-team impacts.
     • Example: Updating a team-specific component or a small change to a shared library.
   • B. Crew Review: add the "[Status] Needs Review" label
     • For significant changes to core functionality.
     • Example: Major updates to a shared library or complex features.
   • C. Both: Start with Team, then request Crew
     • For complex changes or when you need extra confidence.
     • Example: Refactor affecting multiple systems.
3. Get at least one approval before merging.

Still unsure? Reach out in #jetpack-developers for guidance!

[github-actions]

Code Coverage Summary

Coverage changed in 6 files. Only the first 5 are listed here.

File	Coverage	Δ%	Δ Uncovered
projects/plugins/protect/src/class-rest-controller.php	0/286 (0.00%)	0.00%	41 💔
projects/plugins/jetpack/modules/module-headings.php	210/1022 (20.55%)	0.03%	18 💔
projects/packages/account-protection/src/class-account-protection.php	23/35 (65.71%)	-34.29%	12 💔
projects/plugins/protect/src/class-jetpack-protect.php	0/176 (0.00%)	0.00%	4 💔
projects/plugins/jetpack/_inc/client/security/index.jsx	0/30 (0.00%)	0.00%	1 ❤️‍🩹

7 files are newly checked for coverage. Only the first 5 are listed here.

File	Coverage
projects/plugins/jetpack/_inc/client/components/data/query-account-protection-settings/index.jsx	0/8 (0.00%) 💔
projects/plugins/jetpack/_inc/client/security/account-protection.jsx	0/5 (0.00%) 💔
projects/packages/account-protection/src/class-validation-service.php	16/23 (69.57%) 💚
projects/packages/account-protection/src/class-email-service.php	30/41 (73.17%) 💚
projects/packages/account-protection/src/class-password-detection.php	114/131 (87.02%) 💚

Full summary · PHP report · JS report

_{Add label I don't care about code coverage for this PR Use this label to ignore the check for insufficient code coveage. to override the failing coverage check.}