[468] Improves test coverage and reliability#825
[468] Improves test coverage and reliability#825nimesh-xecurify wants to merge 4 commits intoWordPress:masterfrom
Conversation
Adds extensive unit tests across various core functionalities and provider methods to increase overall code coverage. Enhances the test suite's robustness by introducing a redirect interception mechanism and refining cookie-blocking assertions, preventing test termination and ensuring precise verification. Excludes trivial methods from code coverage reports where direct testing is impractical or unnecessary.
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
|
Addresses #468 |
nimesh-xecurify
changed the title
There was a problem hiding this comment.
Pull request overview
This PR increases the Two-Factor plugin’s automated test coverage and improves test reliability around redirect/exit behavior and cookie-blocking assertions, while excluding a few trivial methods from coverage reporting.
Changes:
- Added/expanded unit tests for core flows and multiple provider behaviors (Email, TOTP, base Provider).
- Improved test-suite robustness by intercepting redirects to avoid
exit()terminating the test process, and refined assertions around auth-cookie blocking. - Marked trivial/unreachable-to-test methods (e.g., simple output/constructors) with
@codeCoverageIgnore.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
tests/providers/class-two-factor-totp.php |
Adds reflection-based tests for Two_Factor_Totp::pad_secret. |
tests/providers/class-two-factor-provider.php |
Adds tests for provider key/labels/support checks and base uninstall methods. |
tests/providers/class-two-factor-email.php |
Improves email token tests and adds coverage for additional Email provider behaviors. |
tests/class-two-factor-core.php |
Adds redirect interception helper and many new core tests; refines cookie-block assertions. |
providers/class-two-factor-provider.php |
Excludes print_label() from coverage reporting. |
providers/class-two-factor-email.php |
Excludes the Email provider constructor from coverage reporting. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@nimesh-xecurify thank you very much for the PR! Can you check the copilot comments? |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
tests/providers/class-two-factor-email.php:174
- This test extracts the token by matching an English substring from a translatable email message ("verification code below"). That makes the test locale-sensitive and brittle to copy changes; consider capturing the $token via the two_factor_token_email_message filter (it receives $message, $token, $user_id) or matching the token line structurally (e.g., digits between blank lines) instead of depending on the translated sentence.
$pattern = '/verification code below:\n\n(\d+)/';
$content = $GLOBALS['phpmailer']->Body;
$this->assertGreaterThan( 0, preg_match( $pattern, $content, $match ) );
$this->assertTrue( $this->provider->validate_token( $user->ID, $match[1] ) );
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
Ensures anonymous functions are properly removed from hooks in tests. Adjusts filter return values and assertions for greater clarity and accuracy. Corrects a minor typo in a test assertion message.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| $user = self::factory()->user->create_and_get(); | ||
|
|
||
| Two_Factor_Core::enable_provider_for_user( $user->ID, 'Two_Factor_Dummy' ); | ||
|
|
||
| $this->assertTrue( Two_Factor_Dummy::is_supported_for_user( $user ) ); |
There was a problem hiding this comment.
Two_Factor_Provider::is_supported_for_user() checks whether the provider is present in Two_Factor_Core::get_supported_providers_for_user(), not whether it has been enabled for the user. Enabling Two_Factor_Dummy here doesn’t affect the assertion, so this test can pass even if enable_provider_for_user() is broken. Consider either (a) renaming/reframing the test to assert default support, or (b) using the two_factor_providers_for_user filter (as in the next test) to explicitly control support, and/or using a provider that’s always registered (Email/TOTP) instead of Dummy (which can be removed when WP_DEBUG is false).
| global $wp_filter; | ||
| $has_plugin_cookie_block = function () { | ||
| global $wp_filter; | ||
| return ! empty( $wp_filter['send_auth_cookies']->callbacks[ PHP_INT_MAX ] ); | ||
| }; |
There was a problem hiding this comment.
$has_plugin_cookie_block() currently returns true for any callback registered at priority PHP_INT_MAX on send_auth_cookies, which could yield false positives if another test/plugin adds a callback at that priority. Since the behavior under test is specifically adding __return_false at PHP_INT_MAX (see class-two-factor-core.php:831), tighten this to check for that callback’s presence at PHP_INT_MAX (or otherwise assert the exact callback) rather than just “non-empty”.
| $this->assertEquals( $user, $authenticated, 'User can authenticate' ); | ||
|
|
||
| // The collect_auth_cookie_tokens is called via hooks during wp_signon. | ||
| // Verify session exists. | ||
| $session_manager = WP_Session_Tokens::get_instance( $user_id ); |
There was a problem hiding this comment.
This test is labeled as verifying collect_auth_cookie_tokens(), but the only assertion checks that a WP session exists after wp_signon(), which can be true even if collect_auth_cookie_tokens() never runs. Also, assertEquals() on WP_User objects can be brittle across WP versions due to extra populated fields. To make the test reliable, consider asserting on the actual side-effect (e.g., via reflection reading/resetting Two_Factor_Core’s private static $password_auth_tokens before/after) and comparing authenticated user IDs instead of full objects.
What?
Improves test coverage and reliability
Fixes #468
How?
Adds extensive unit tests across various core functionalities and provider methods to increase overall code coverage.
Enhances the test suite's robustness by introducing a redirect interception mechanism and refining cookie-blocking assertions, preventing test termination and ensuring precise verification.
Excludes trivial methods from code coverage reports where direct testing is impractical or unnecessary.
Screenshots or screencast
Current Test Coverage
New Test Coverage
Changelog Entry
Usage of AI Tools
Used Claude Code to generate new tests (and fix some existing issues related to code coverage), post manual review at each step.