@superdav42 (Collaborator) commented Dec 31, 2025

Summary

  • Fixes password reset flow when using Ultimate Multisite login element for custom login pages
  • Invalid or expired reset links now show proper error messages instead of silently redirecting
  • Fixed a bug where hash_equals compared the same value to itself (always true)

Changes

  • Added is_wp_error() check after check_password_reset_key() in Login_Form_Element
  • Redirect to lost password page with appropriate error code (invalid_key/expired_key)
  • Clear the invalid reset cookie before redirecting
  • Added WordPress core error codes (invalid_key, expired_key) to error messages array

Test plan

  • Visit a password reset URL with an invalid key (e.g., ?action=rp&key=invalid&login=user)
  • Verify it redirects to the lost password page with error message
  • Verify the error message says "Your password reset link appears to be invalid"
  • Test with an expired key and verify "expired" message appears

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Improved password reset validation to reliably detect and handle invalid or expired reset requests
    • Enhanced error messages for password reset failures with expanded error code support
    • Users attempting password reset with invalid or expired links now receive clearer feedback


When using the Ultimate Multisite login element for custom login pages,
invalid or expired password reset links now display proper error messages
instead of silently redirecting.

Changes:
- Add WP_Error check after check_password_reset_key() in Login_Form_Element
- Redirect to lost password page with appropriate error code when key is invalid
- Clear the invalid reset cookie before redirecting
- Fix hash_equals bug that compared $_POST['rp_key'] to itself
- Add 'invalid_key' and 'expired_key' error codes to match WordPress core

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@coderabbitai (Contributor) coderabbitai bot commented Dec 31, 2025

Walkthrough

This change enhances password reset functionality by adding underscore-prefixed error-code mappings for consistency and implementing robust WP_Error-based validation with explicit error handling, cookie cleanup, and user redirection for invalid or expired reset keys.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Password Reset Error Mappings (`inc/checkout/class-checkout-pages.php`) | Adds two new error-code mappings: `invalid_key` and `expired_key`, mirroring the existing `invalidkey` and `expiredkey` messages for password reset validation. |
| Password Reset Key Validation (`inc/ui/class-login-form-element.php`) | Replaces flawed comparison logic with a robust `is_wp_error()` check on the `check_password_reset_key()` result. On error, redirects to the lost password URL with an error parameter, clears the reset cookie, and exits. Preserves the existing key-match comparison if the key is valid. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 With whiskers twitched and keys aligned,
Error codes in pairs we find,
Invalid states now clearly signed,
Cookies cleared, redirects refined!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: fixing the password reset flow to show proper errors for invalid reset links. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


📥 Commits

Reviewing files that changed from the base of the PR and between 1ddcfc1 and e7842a8.

📒 Files selected for processing (2)
  • inc/checkout/class-checkout-pages.php
  • inc/ui/class-login-form-element.php
⏰ Context from checks skipped due to timeout of 90000ms (3):
  • GitHub Check: cypress (8.2, chrome)
  • GitHub Check: Build Plugin for Testing
  • GitHub Check: cypress (8.1, chrome)
🔇 Additional comments (2)
inc/checkout/class-checkout-pages.php (1)

207-208: LGTM! Error code mappings align with WordPress core conventions.

These underscore-prefixed variants ('invalid_key', 'expired_key') properly mirror the existing error messages and align with WordPress core's error code naming conventions used by check_password_reset_key().

inc/ui/class-login-form-element.php (1)

608-635: Excellent addition of explicit error handling for invalid/expired reset keys.

This properly addresses the silent failure issue by:

  • Detecting when check_password_reset_key() returns a WP_Error
  • Redirecting users to the lost password page with the appropriate error code ('invalid_key' or 'expired_key')
  • Clearing the invalid reset cookie before redirecting (following security best practices with expired timestamp and proper flags)

The error codes align with WordPress core's check_password_reset_key() return values and the new error message mappings added in the checkout pages class.

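The fix described in the PR description above, and summarised in CodeRabbit's walkthrough, as an added PHP example. This is illustrative code written for this page, not the Ultimate Multisite plugin's own `Login_Form_Element` code. It assumes WordPress is loaded (so `check_password_reset_key()`, `is_wp_error()`, `wp_safe_redirect()`, `wp_lostpassword_url()` and the `COOKIEHASH`, `COOKIE_DOMAIN` and `YEAR_IN_SECONDS` constants exist). The `example_` function names, the `error` query parameter name and the `wp-resetpass-` cookie name (WordPress core's own convention in `wp-login.php`) are assumptions; the plugin's real cookie name may differ.

```php
<?php
/**
 * Added example, not the plugin's code. Shows (1) the hash_equals defect the
 * PR fixes, (2) the is_wp_error() check after check_password_reset_key(), and
 * (3) the underscore error codes mapped onto the existing messages.
 */

// BEFORE (defective): comparing a value to itself is always true, so the
// check never rejected a mismatched key. This is the bug the PR describes.
function example_rp_key_matches_before( string $posted_key ): bool {
	return hash_equals( $posted_key, $posted_key ); // always true
}

// AFTER: compare the key submitted in the form against the key stored in the
// reset cookie, which is what WordPress core's wp-login.php does.
function example_rp_key_matches_after( string $cookie_key, string $posted_key ): bool {
	return hash_equals( $cookie_key, $posted_key );
}

/**
 * Validate a reset request. Returns the WP_User on success. On failure it
 * clears the reset cookie, redirects to the lost-password page carrying the
 * core error code ('invalid_key' or 'expired_key') and exits, instead of
 * letting a WP_Error object flow through and redirecting silently.
 */
function example_validate_reset_request( string $login, string $key ) {
	// Cookie name/path follow core convention; the plugin's may differ (assumption).
	$rp_cookie = 'wp-resetpass-' . COOKIEHASH;
	$rp_path   = current( explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) ) );

	$user = check_password_reset_key( $key, $login );

	if ( is_wp_error( $user ) ) {
		// check_password_reset_key() returns 'invalid_key' or 'expired_key';
		// anything else is treated as invalid.
		$code = $user->get_error_code();
		if ( ! in_array( $code, array( 'invalid_key', 'expired_key' ), true ) ) {
			$code = 'invalid_key';
		}

		// Expire the cookie before leaving so the stale key is not re-submitted.
		setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );

		// 'error' is an assumed query parameter name.
		wp_safe_redirect( add_query_arg( 'error', $code, wp_lostpassword_url() ) );
		exit;
	}

	return $user;
}

/**
 * Map an error code to a user-facing message. Core's check_password_reset_key()
 * uses underscore codes, so they are aliased onto the existing entries rather
 * than duplicating the text.
 */
function example_reset_error_message( string $code ): string {
	$messages = array(
		'invalidkey' => __( 'Your password reset link appears to be invalid. Please request a new link below.' ),
		'expiredkey' => __( 'Your password reset link has expired. Please request a new link below.' ),
	);
	$messages['invalid_key'] = $messages['invalidkey'];
	$messages['expired_key'] = $messages['expiredkey'];

	return $messages[ $code ] ?? $messages['invalidkey'];
}
```

Only `hash_equals()` and the cookie expiry are plain PHP; everything else needs WordPress loaded, so this is meant to be read alongside the PR rather than run in isolation. The aliasing in `example_reset_error_message()` is the same idea as the two mappings the PR adds to the checkout pages class: the redirect emits whatever code core returned, and the message array accepts both spellings.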

@github-actions (bot) commented

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limited; hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password
