feat(reader-registration-block): password, OTP, and verification flows

[miguelpeixe]

All Submissions:

• Have you followed the Newspack Contributing guideline?
• Does your code follow the WordPress' coding standards and VIP Go coding standards?
• Have you checked to ensure there aren't other open Pull Requests for the same update/change?

Changes proposed in this Pull Request:

NPPD-1142

Refactors the Reader Registration block to support unified authentication and account verification flows.

The block will no longer provide 2 actions (sign up or sign in), but rather a single "Continue" button that can register the account or open the auth modal to continue authenticating from there.

If the account is being registered and the block is being used in a gated article that requires verification, the block will present an account verification flow.

Modal after entering email:

Page render if already logged in with an unverified account:

How to test the changes in this Pull Request:

1. Setup a content gate with registration access that doesn't require verification
2. Edit the layout and add a reader registration block
3. In a fresh session, visit a gated article and enter new email
4. Confirm the block renders a success message, refreshes and unlocks the content
5. Edit the gate to require account verification
6. Refresh the article page while logged in with the newly created reader account
7. Confirm you are gated again requiring verification
8. Click Send code and confirm the OTP modal opens
9. Enter the code and confirm that the page refreshes on success and the content is unlocked
10. In a fresh session, enter a new email and confirm the verification step renders in a modal
11. Click "Send code" and confirm you are able to go through

Other information:

• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes, as applicable?
• Have you successfully ran tests with your changes locally?

[Copilot]

Pull request overview

This PR refactors the Reader Registration block to support a complete authentication flow, including password and OTP authentication for existing users. The changes extract reusable authentication utilities, add new UI states for OTP and password entry, and modify the block to handle returning users differently from new registrations.

Changes:

• Refactored OTP input handling into reusable, exportable functions in otp-input.js
• Created shared authentication utilities in auth-utils.js for OTP, password, and magic link handling
• Added OTP and password authentication UI states to the Reader Registration block
• Updated backend to detect whether existing users need password or OTP authentication

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
src/reader-activation-auth/otp-input.js	Refactored OTP input initialization into exportable functions for reusability
src/reader-activation-auth/auth-utils.js	New file containing shared authentication utilities (OTP, password, magic link handlers)
src/reader-activation-auth/auth-form.js	Updated to use shared authentication utilities from auth-utils.js
src/blocks/reader-registration/view.js	Implemented authentication flows with OTP and password states; fixed spelling errors
src/blocks/reader-registration/index.php	Added logic to determine authentication method for existing users; removed sign-in link
src/blocks/reader-registration/style.scss	Added styles for OTP and password authentication UI states
src/blocks/reader-registration/edit.js	Removed sign-in link UI from block editor
src/blocks/reader-registration/block.json	Removed signInLabel attribute; updated signedInLabel default

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 8 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[thomasguillot]

@miguelpeixe Obrigado!

[dkoo]

This looks great and works well! A couple of questions which may or not be blocking:

1. If you encounter the gate with a Registration block and enter an email address for an account for which you've previously verified by setting a password, you're correctly presented with the password prompt. The only thing that's weird with this is the "Go back" button. Clicking this returns to the first screen of the sign in modal, which feels like part of a different flow. In this scenario, I feel we should either hide the "Go back" button, or alter its behavior so that it simply closes the modal.

2. This probably wouldn't be a problem for new setups, but lots of sites have links with #register_modal to open the auth modal in their content gates. If you encounter the Registration gate after registering but before verifying, you can still see these links but they won't do anything. We're already hiding #signin_modal links with some CSS—can we also hide #register_modal links? Probably just need to add a selector like so:

body.logged-in a[href="#signin_modal"],
body.logged-in a[href="#register_modal"] {

An even better solution for this might be to allow the #register_modal links to open the same OTP verification modal as the Registration block if you're logged into an unverified account, but that might be more effort than it's worth.

[miguelpeixe]

Thank you for the review, @dkoo!

Clicking this returns to the first screen of the sign in modal, which feels like part of a different flow. In this scenario, I feel we should either hide the "Go back" button, or alter its behavior so that it simply closes the modal.

Good point. I removed the "Go back" button when in the verification state, because that would mean to enter an email while authenticated, which makes no sense. I didn't think to do that while authenticating because it's technically fine. Before I make the change, could you share your thoughts @thomasguillot?

If you encounter the Registration gate after registering but before verifying, you can still see these links but they won't do anything.

I think the ideal solution is to use a block compatible with account verification if the publisher enables that requirement. Even if we add support to the #register_modal to open the verification modal, there needs to be appropriate messaging. The reader won't click the "Register" button while logged in, expecting to run an account verification flow. Perhaps another block, similar to the My Account block that @laurelfulford built?

[thomasguillot]

If we're removing the "Go back" button (which I'm fine with), can we make the second Secondary button, a ghost button (Forget password)

[dkoo]

I think the ideal solution is to use a block compatible with account verification if the publisher enables that requirement. Even if we add support to the #register_modal to open the verification modal, there needs to be appropriate messaging. The reader won't click the "Register" button while logged in, expecting to run an account verification flow. Perhaps another block, similar to the My Account block that @laurelfulford built?

Good points, but in the meantime I think we should still at least hide these links for logged-in readers so there's no non-functional UI.

[miguelpeixe]

Thanks, both!

For consistency, in 141a7cc I'm opting to keep the "Go back" button and allow it to close the modal. I changed the verification modal as well, so it also preserves the button. Just like clicking the X, it'll also force a page refresh so it ensures the block renders the verification box after registration. WDYT?

Good points, but in the meantime I think we should still at least hide these links for logged-in readers so there's no non-functional UI.

Updated in 9644618

[dkoo]

This works for me! One thing I did notice is that typing an email into the Registration block then hitting the "enter" key seems to submit the form and bypass the JS handler—might want to double check that since it's an accessibility issue, but I don't think that's new to this PR.

[miguelpeixe]

Thanks, @dkoo! I'll look into the input "enter" key issue

[github-actions]

Hey @miguelpeixe, good job getting this PR merged! 🎉

Now, the needs-changelog label has been added to it.

Please check if this PR needs to be included in the "Upcoming Changes" and "Release Notes" doc. If it doesn't, simply remove the label.

If it does, please add an entry to our shared document, with screenshots and testing instructions if applicable, then remove the label.

Thank you! ❤️

[github-actions]

🎉 This PR is included in version 6.35.0-alpha.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

[github-actions]

🎉 This PR is included in version 6.35.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀