[HACK] Add auto-login universal link for debug builds

[kidinov]

Description

Adds support for a universal link that allows automatic login using application password credentials in debug builds. This is useful for developer and testing workflows.

URL Format:

https://woocommerce.com/mobile/auto-login?site=<encoded_site_url>&user=<username>&password=<app_password>

Example (with placeholder credentials):

adb shell "am start -a android.intent.action.VIEW -d 'https://woocommerce.com/mobile/auto-login?site=https%3A%2F%2Fexample.com&user=testuser&password=xxxx-xxxx-xxxx-xxxx'"

Behavior:

• Debug builds only (intent filter in debug manifest)
• If already logged in, navigates directly to main screen
• On success, navigates to main screen
• On error, shows toast and opens login screen

Do not merge, as I am not sure how valuable this is for anyone so I firstly would like to ask

Test Steps

1. Install debug build
2. Clear app data to ensure logged out state
3. Run the adb command above with valid site credentials
4. Verify the app logs in and navigates to the main screen

• I have considered if this change warrants release notes and have added them to RELEASE-NOTES.txt if necessary. Use the "[Internal]" label for non-user-facing changes.

[dangermattic]

	2 Errors
🚫	Please add tests for class AutoLoginHandler (or add unit-tests-exemption label to ignore this).
🚫	This PR is tagged with status: do not merge label(s).

Generated by 🚫 Danger

[wpmobilebot]

📲 You can test the changes from this Pull Request in WooCommerce-Wear Android by scanning the QR code below to install the corresponding build.

	App Name	WooCommerce-Wear Android
	Platform	⌚️ Wear OS
	Flavor	Jalapeno
	Build Type	Debug
	Commit	6114afb
	Direct Download	woocommerce-wear-prototype-build-pr15062-6114afb.apk

[wpmobilebot]

📲 You can test the changes from this Pull Request in WooCommerce Android by scanning the QR code below to install the corresponding build.

	App Name	WooCommerce Android
	Platform	📱 Mobile
	Flavor	Jalapeno
	Build Type	Debug
	Commit	6114afb
	Direct Download	woocommerce-prototype-build-pr15062-6114afb.apk

[Copilot]

Pull request overview

This PR adds a debug-only auto-login feature via universal link to streamline developer and testing workflows. The feature allows automatic login using application password credentials through a specially formatted URL.

Key Changes:

• Adds AutoLoginHandler to process auto-login requests and validate credentials
• Adds AutoLoginActivity to handle the universal link intent and coordinate the login flow
• Registers the auto-login deep link in the debug manifest with intent filter

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

File	Description
AutoLoginHandler.kt	Core logic for parsing credentials from URI, validating site/user eligibility, and managing login state
AutoLoginActivity.kt	Activity that handles the auto-login universal link intent and navigates to appropriate screens based on success/failure
AndroidManifest.xml	Registers the auto-login activity with intent filter for woocommerce.com/mobile/auto-login path (debug builds only)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The fold operation on eligibilityResult doesn't return a value in the onFailure branch. This will cause a compilation error because the outer fold expects a return value.

Add return@withContext before the AutoLoginResult.Error:

onFailure = { exception ->
    WooLog.e(WooLog.T.LOGIN, "AutoLoginHandler: Failed to check user eligibility", exception)
    return@withContext AutoLoginResult.Error("Failed to verify user: ${exception.message}")
}

Suggested change

	AutoLoginResult.Error("Failed to verify user: ${exception.message}")
	return@withContext AutoLoginResult.Error("Failed to verify user: ${exception.message}")

[Copilot]

The fold operation on fetchSiteResult doesn't return a value in the onFailure branch. This will cause a compilation error.

Add return@withContext before the AutoLoginResult.Error:

onFailure = { exception ->
    WooLog.e(WooLog.T.LOGIN, "AutoLoginHandler: Failed to fetch site", exception)
    return@withContext AutoLoginResult.Error("Failed to connect to site: ${exception.message}")
}

Suggested change

	AutoLoginResult.Error("Failed to connect to site: ${exception.message}")
	return@withContext AutoLoginResult.Error("Failed to connect to site: ${exception.message}")

[Copilot]

Credentials (username and password) are being logged or could be exposed in error messages. Even though this is a debug-only feature, credentials should not be logged. The current implementation doesn't directly log credentials, but if any of the underlying repository methods log the parameters, sensitive information could be exposed.

Consider adding a comment or documentation noting that the underlying repository methods should not log credentials, or sanitize error messages to ensure they don't inadvertently include sensitive data.

[Copilot]

The autoVerify="true" attribute on the intent filter is unnecessary for this debug-only feature and could cause confusion. Auto-verification is used for App Links to verify domain ownership via a Digital Asset Links file, which is not needed for a debug testing tool.

Consider removing android:autoVerify="true" from the intent filter:

<intent-filter>

Suggested change

	<intent-filter android:autoVerify="true">
	<intent-filter>

[malinajirka]

@kidinov This seems like a valid point, wdyt?

[Copilot]

The login function doesn't return a value in all code paths. When eligibilityResult.fold succeeds and the user is eligible, AutoLoginResult.Success is created but not returned. This will cause a compilation error.

Add return@withContext before AutoLoginResult.Success to fix this:

return@withContext AutoLoginResult.Success

Suggested change

	AutoLoginResult.Success
	return@withContext AutoLoginResult.Success

[malinajirka]

It looks good to me overall, however, I'm not sure whether it's a good idea to have it. Especially, if we decide to stop doing smoke tests before each release, I think there is a value in going through the login flow during development. If we had to login after each change, that would be too much hassle, but we need to login just when we are testing something specific. Having said all that, I'm good with merging it.

[malinajirka]

@kidinov This seems like a valid point, wdyt?