
Conversation

@Djennez Djennez (Member) commented Jan 13, 2026

Context

The generate() function of

    public function generate( string $user_email ): Code_Verifier {
        $random_string = \substr( \str_shuffle( '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' ), 1, 10 );
        $code          = \hash( 'sha256', $user_email . $random_string );
        $created_at    = $this->date_helper->current_time();
        return new Code_Verifier( $code, $created_at );
    }
is not really random, and has a bug in one of its callers. Over here:
    $code_verifier = $this->code_verifier->generate( $user->ID, $user->user_email );
the user ID is passed as the first argument instead of the user e-mail. This causes the initial token creation to generate a code based on the user e-mail (which is expected according to the generate() doc), but the refresh token is created based on the user ID (which is "easily" guessable).

Summary

This PR can be summarized in the following changelog entry:

  • Increases the security of the AI callback verification method.

Relevant technical choices:

  • Replaces the custom pseudo-random string generation with WordPress's wp_generate_password() for a string with more randomness and entropy.
  • Fixes one of the callers where the user ID was passed to generate() instead of the user e-mail.

Test instructions

Test instructions for the acceptance test before the PR gets merged

This PR can be acceptance tested by following these steps:

  • Make sure that the AI generate and optimize functions work (or keep working after updating to this code).

Relevant test scenarios

  • Changes should be tested with the browser console open
  • Changes should be tested on different posts/pages/taxonomies/custom post types/custom taxonomies
  • Changes should be tested on different editors (Default Block/Gutenberg/Classic/Elementor/other)
  • Changes should be tested on different browsers
  • Changes should be tested on multisite

Test instructions for QA when the code is in the RC

  • QA should use the same steps as above.

QA can test this PR by following these steps:

  • N/A

Impact check

This PR affects the following parts of the plugin, which may require extra testing:

Other environments

  • This PR also affects Shopify. I have added a changelog entry starting with [shopify-seo], added test instructions for Shopify and attached the Shopify label to this PR.
  • This PR also affects Yoast SEO for Google Docs. I have added a changelog entry starting with [yoast-doc-extension], added test instructions for Yoast SEO for Google Docs and attached the Google Docs Add-on label to this PR.

Documentation

  • I have written documentation for this change. For example, comments in the Relevant technical choices, comments in the code, documentation on Confluence / shared Google Drive / Yoast developer portal, or other.

Quality assurance

  • I have tested this code to the best of my abilities.
  • During testing, I had activated all plugins that Yoast SEO provides integrations for.
  • I have added unit tests to verify the code works as intended.
  • If any part of the code is behind a feature flag, my test instructions also cover cases where the feature flag is switched off.
  • I have written this PR in accordance with my team's definition of done.
  • I have checked that the base branch is correctly set.
  • I have run grunt build:images and committed the results, if my PR introduces new images or SVGs.

Innovation

  • No innovation project is applicable for this PR.
  • This PR falls under an innovation project. I have attached the innovation label.
  • I have added my hours to the WBSO document.

Fixes #
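To make the two problems in the description concrete, here is an added, stand-alone PHP example; it is not Yoast's code and is not the patch merged in this PR. It reproduces the weak generator quoted above next to a hardened one, adds the constant-time check and expiry window a verifier should apply, and shows how the caller bug (user ID passed where the e-mail belongs) behaves. Assumptions, none of which come from the page: Code_Verifier is a plain value object, "now" is PHP's time(), and random_bytes() stands in for wp_generate_password() because WordPress is not available outside a WordPress install. Requires PHP 8.1 or newer.

```php
<?php
declare(strict_types=1);

// Assumed value object (the real Code_Verifier class is not shown on the page).
final class Code_Verifier {
    public function __construct(
        public readonly string $code,
        public readonly int $created_at,
    ) {}
}

// The generator as quoted in the PR description. str_shuffle() is documented
// by PHP as not cryptographically secure, and taking 10 characters of a
// shuffled 62-character alphabet draws them without replacement, so the
// space of possible strings is smaller than 62^10 to begin with.
function generate_weak(string $user_email): Code_Verifier {
    $alphabet      = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $random_string = substr(str_shuffle($alphabet), 1, 10);
    return new Code_Verifier(hash('sha256', $user_email . $random_string), time());
}

// Hardened form: 32 bytes from the OS CSPRNG (256 bits of entropy), hex-encoded.
// random_bytes() is used here in place of wp_generate_password(); the e-mail is
// still mixed in so the resulting code stays bound to the account it was issued for.
function generate_strong(string $user_email): Code_Verifier {
    $random_string = bin2hex(random_bytes(32));
    return new Code_Verifier(hash('sha256', $user_email . $random_string), time());
}

// Verification the callback side should perform: reject codes older than the
// TTL, then compare in constant time so a timing side channel does not leak
// how many leading characters of the code the caller got right.
function verify(Code_Verifier $stored, string $presented, int $ttl_seconds, int $now): bool {
    if ($now - $stored->created_at > $ttl_seconds) {
        return false;
    }
    return hash_equals($stored->code, $presented);
}

// Constructed sample account (not real data).
$email = 'user@example.test';
$cv    = generate_strong($email);

// Correct code inside the window; same code after the window; wrong code.
var_dump(verify($cv, $cv->code, 300, time()));
var_dump(verify($cv, $cv->code, 300, time() + 600));
var_dump(verify($cv, strtoupper($cv->code), 300, time()));

// The caller bug from the PR: user ID passed as the first argument. In a file
// without strict_types, generate(123, $email) silently coerces 123 to "123"
// and ignores the extra argument, so the code is derived from the ID instead
// of the e-mail. With declare(strict_types=1) the mistake is a TypeError at
// the call site, which is why this file enables it.
try {
    generate_strong(123, $email);
} catch (TypeError $e) {
    echo 'Caller bug caught: ', $e->getMessage(), PHP_EOL;
}
```

Two things carry over to the real fix: once the random part comes from a CSPRNG, hashing it together with the e-mail adds no entropy, so the binding to the account is the only reason to keep the concatenation; and the int-to-string coercion that let the ID slip through is exactly what strict_types turns into a hard failure, so enabling it in caller files is a cheap regression guard for this class of bug.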

@Djennez Djennez added the changelog: non-user-facing Needs to be included in the 'Non-userfacing' category in the changelog label Jan 16, 2026
@Djennez Djennez marked this pull request as ready for review January 16, 2026 08:25
@coveralls

Pull Request Test Coverage Report for Build be07358b05cc07b95eb3b69e8d693b8ba888796c

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 2 of 2 (100.0%) changed or added relevant lines in 2 files are covered.
  • 10 unchanged lines in 1 file lost coverage.
  • Overall coverage decreased (-0.5%) to 52.81%

Files with coverage reduction (new missed lines, coverage %):
  inc/options/class-wpseo-option-tracking-only.php: 10 new missed lines, 0.0%

Totals:
  Coverage status: -0.5% change from base build 3a310dbe6d4a85c5bbda3794a81addf981e6174c
  Covered lines: 32307
  Relevant lines: 61234

💛 - Coveralls

@pls78 pls78 self-assigned this Jan 30, 2026
@pls78 pls78 (Member) left a comment

CR && Acc: ✅
In another PR we'll move the dependency from the wp_generate_password method into the infrastructure layer

@pls78 pls78 merged commit d281424 into trunk Jan 30, 2026
26 of 27 checks passed
@pls78 pls78 deleted the increase-ai-callback-security branch January 30, 2026 14:35

Labels

changelog: non-user-facing Needs to be included in the 'Non-userfacing' category in the changelog community-patch
