Include calypso_env in the send-login-email payload #94692

Merged: moon0326 merged 2 commits into trunk on Sep 24, 2024

@moon0326 moon0326 commented Sep 18, 2024

This PR adds calypso_env in the send-login-email request payload. This allows us to have a magic link in different calypso environments. For more information on how the backend handles calypso_env, please see D161820-code

Proposed Changes

  • Added calypso_env in the send-login-email request payload

Testing Instructions

  1. Check out this branch and open config/development.json
  2. Enable "woocommerce/core-profiler-passwordless-auth" feature flag.
  3. Run yarn start
  4. Open http://calypso.localhost:3000/log-in/jetpack?from=woocommerce-core-profiler
  5. Open your browser inspector.
  6. Enter your passwordless account email and click on Continue
  7. Search for send-login-email request and confirm the payload contains calypso_env

Pre-merge Checklist

  • Has the general commit checklist been followed? (PCYsg-hS-p2)
  • Have you written new tests for your changes?
  • Have you tested the feature in Simple (P9HQHe-k8-p2), Atomic (P9HQHe-jW-p2), and self-hosted Jetpack sites (PCYsg-g6b-p2)?
  • Have you checked for TypeScript, React or other console errors?
  • Have you used memoizing on expensive computations? More info in Memoizing with create-selector and Using memoizing selectors and Our Approach to Data
  • Have we added the "[Status] String Freeze" label as soon as any new strings were ready for translation (p4TIVU-5Jq-p2)?
  • For changes affecting Jetpack: Have we added the "[Status] Needs Privacy Updates" label if this pull request changes what data or activity we track or use (p4TIVU-aUh-p2)?

matticbot commented Sep 18, 2024

Here is how your PR affects size of JS and CSS bundles shipped to the user's browser:

App Entrypoints (~34 bytes added 📈 [gzipped])

name         parsed_size           gzip_size
entry-login        +85 B  (+0.0%)      +34 B  (+0.0%)

Common code that is always downloaded and parsed every time the app is loaded, no matter which route is used.

Sections (~30 bytes added 📈 [gzipped])

name             parsed_size           gzip_size
jetpack-connect        +85 B  (+0.0%)      +30 B  (+0.0%)

Sections contain code specific for a given set of routes. Is downloaded and parsed only when a particular route is navigated to.

Async-loaded Components (~30 bytes added 📈 [gzipped])

name                      parsed_size           gzip_size
async-load-design-blocks        +85 B  (+0.0%)      +30 B  (+0.0%)

React components that are loaded lazily, when a certain part of UI is displayed for the first time.

Legend

What is parsed and gzip size?

Parsed Size: Uncompressed size of the JS and CSS files. This much code needs to be parsed and stored in memory.
Gzip Size: Compressed size of the JS and CSS files. This much data needs to be downloaded over network.

Generated by performance advisor bot at iscalypsofastyet.com.

@moon0326 moon0326 requested review from a team, psealock and rjchow September 18, 2024 22:23
@matticbot matticbot added the [Status] Needs Review The PR is ready for review. This also triggers e2e canary tests and wp-desktop tests automatically. label Sep 18, 2024

@rjchow rjchow left a comment

The PR works as described, but I think more context about what this is intended to do would be useful as it relates to the login system and should be scrutinised closely.

The passwordless login works correctly without this PR but redirects to wordpress.com, so I'm inferring that the intent is to allow the changing of the redirect_to on the wpcom login API? I think it would be safer to switch that based on a different client oauth ID so that you can't (for example) login using dev credentials and redirect to prod. I'm not really sure why calypso does not have a dev / staging client oauth ID unlike all the other envs, though

moon0326 commented Sep 19, 2024

> The PR works as described, but I think more context about what this is intended to do would be useful as it relates to the login system and should be scrutinised closely.
>
> The passwordless login works correctly without this PR but redirects to wordpress.com, so I'm inferring that the intent is to allow the changing of the redirect_to on the wpcom login API? I think it would be safer to switch that based on a different client oauth ID so that you can't (for example) login using dev credentials and redirect to prod. I'm not really sure why calypso does not have a dev / staging client oauth ID unlike all the other envs, though

D161820-code should better reflect the intention of the change.

> I think it would be safer to switch that based on a different client oauth ID so that you can't (for example) login using dev credentials and redirect to prod. I'm not really sure why calypso does not have a dev / staging client oauth ID unlike all the other envs, though

It's currently sending all logins to https://wordpress.com/, regardless of the environment you're in (It's already doing what you've described). I don't think it can be exploited just by changing the redirection URL with the current configuration, but I agree that we should restrict the redirection URLs. I think it needs further investigation though.
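
The restriction discussed in the two comments above, as an added example that is not part of this PR or of the WordPress.com backend: the server treats calypso_env as a key into a fixed allowlist of login origins and also checks it against the OAuth client ID. The client IDs, the magic-link path, the function names and the env-to-origin mapping are assumptions; only the two hosts come from this thread.

```javascript
'use strict';

// Hypothetical allowlist: calypso_env value -> fixed login origin.
// The two hosts appear in this thread; the mapping itself is an assumption.
const LOGIN_ORIGINS = new Map([
  ['development', 'http://calypso.localhost:3000'],
  ['production', 'https://wordpress.com'],
]);

// Constructed client IDs, each bound to the environments it may target,
// so dev credentials cannot produce a link to prod (and vice versa).
const CLIENT_ENVS = new Map([
  ['example-dev-client', new Set(['development'])],
  ['example-prod-client', new Set(['production'])],
]);

const DEFAULT_ENV = 'production';
const MAGIC_LINK_PATH = '/log-in/link'; // hypothetical path

function resolveLoginOrigin(clientId, calypsoEnv) {
  const allowedEnvs = CLIENT_ENVS.get(clientId);
  if (!allowedEnvs) {
    throw new Error('unknown client');
  }
  // A missing value keeps the old behaviour (production).
  const env = calypsoEnv === undefined ? DEFAULT_ENV : calypsoEnv;
  // The payload value is only ever a lookup key, never parsed as a URL.
  // A Map avoids prototype keys such as "__proto__" matching by accident.
  if (typeof env !== 'string' || !LOGIN_ORIGINS.has(env)) {
    throw new Error('unsupported calypso_env');
  }
  if (!allowedEnvs.has(env)) {
    throw new Error('client may not target ' + env);
  }
  return LOGIN_ORIGINS.get(env);
}

function buildMagicLink(clientId, calypsoEnv, token) {
  const url = new URL(MAGIC_LINK_PATH, resolveLoginOrigin(clientId, calypsoEnv));
  url.searchParams.set('token', token);
  return url.toString();
}
```

Because the origin is chosen server-side from the allowlist, nothing in the request payload can introduce a host that is not already in the table.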

rjchow commented Sep 19, 2024

> I'm inferring that the intent is to allow the changing of the redirect_to on the wpcom login API? I think it would be safer to switch that based on a different client oauth ID so that you can't (for example) login using dev credentials and

Yep ok thanks that PR gives all the necessary information! I think it would be good to include that in the PR description for future passersby

moon0326 commented Sep 19, 2024

> Yep ok thanks that PR gives all the necessary information! I think it would be good to include that in the PR description for future passersby

👍 Done! Sorry for the confusion 🙏


@psealock psealock left a comment

Code looks good! 🚢

… us to use the correct login URL when mocking wordpress with start-mock-wordpress-com command or manually configuring the host via host file
@moon0326 moon0326 force-pushed the update/send-calypso_env-to-send-login-email-endpoint branch from 81adc85 to 137d9d0 Compare September 24, 2024 02:05
@matticbot

This PR modifies the release build for the following Calypso Apps:

For info about this notification, see here: PCYsg-OT6-p2

  • notifications
  • wpcom-block-editor

To test WordPress.com changes, run install-plugin.sh $pluginSlug update/send-calypso_env-to-send-login-email-endpoint on your sandbox.

@moon0326 moon0326 merged commit 2bc18ce into trunk Sep 24, 2024
11 checks passed
@moon0326 moon0326 deleted the update/send-calypso_env-to-send-login-email-endpoint branch September 24, 2024 02:21
@github-actions github-actions bot removed the [Status] Needs Review The PR is ready for review. This also triggers e2e canary tests and wp-desktop tests automatically. label Sep 24, 2024