feat(reader-activation): registration auth cookie control

includes/class-magic-link.php

@@ -462,7 +462,8 @@ public static function validate_token( $user_id, $client, $token ) {
 	 * @return bool|\WP_Error Whether the user was authenticated or WP_Error.
 	 */
 	private static function authenticate( $user_id, $token ) {
-		if ( \is_user_logged_in() ) {
+		/** Refresh reader session if same reader is already authenticated. */
+		if ( \is_user_logged_in() && \get_current_user_id() !== $user_id ) {
 			return false;
 		}
 
@@ -504,10 +505,6 @@ public static function process_token_request() {
 			return;
 		}
 
-		if ( \is_user_logged_in() ) {
-			return;
-		}
-
 		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
 		if ( isset( $_GET[ self::AUTH_ACTION_RESULT ] ) && 0 === \absint( $_GET[ self::AUTH_ACTION_RESULT ] ) ) {
 			\add_action(

includes/class-reader-activation.php

@@ -23,6 +23,13 @@ final class Reader_Activation {
 	const READER         = 'np_reader';
 	const EMAIL_VERIFIED = 'np_reader_email_verified';
 
+	/**
+	 * Whether the session is authenticating a newly registered reader
+	 *
+	 * @var bool
+	 */
+	private static $is_new_reader_auth = false;
+
 	/**
 	 * Initialize hooks.
 	 */
@@ -238,6 +245,15 @@ public static function auth_cookie_expiration( $length, $user_id, $remember ) {
 				$length = YEAR_IN_SECONDS;
 			}
 		}
+
+		/**
+		 * If the session is authenticating a newly registered reader we want the
+		 * auth cookie to be short lived since the email ownership has not yet been
+		 * verified.
+		 */
+		if ( true === self::$is_new_reader_auth ) {
+			$length = 24 * HOUR_IN_SECONDS;
+		}
 		return $length;
 	}
 
@@ -369,6 +385,7 @@ public static function register_reader( $email, $display_name = '', $authenticat
 			Logger::log( 'Created new reader user with ID ' . $user_id );
 
 			if ( $authenticate ) {
+				self::$is_new_reader_auth = true;
 				self::set_current_reader( $user_id );
 			}
 		}