autologin after content unlock

[xecdev]

This PR implements #96. Added a new AJAX endpoint to log in a user who unlocks content automatically.

Test plan:

• Install the plugin
• Unlock the content, then check the sticky header to confirm it has switched to the logged-in state.

Summary by CodeRabbit

• New Features

  • Added dynamic sticky header updates following successful payment that refresh without requiring a full page reload.
  • Implemented automatic wallet address detection and population following verified payment transactions.

• Improvements

  • Enhanced internal data handling consistency across templates and server operations.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

This PR introduces a sticky header AJAX refresh after content unlock and standardizes variable naming across PHP classes and templates. After successful unlock, the client-side code marks the user as logged in and fetches a server-rendered sticky header. Backend enhancements include a new AJAX handler for sticky header retrieval and extended database queries to populate wallet addresses during payment verification.

Changes

Cohort / File(s)	Summary
Sticky Header AJAX Feature assets/js/paywalled-content.js, includes/class-paybutton-ajax.php, templates/public/sticky-header.php	Adds client-side AJAX call to fetch and replace sticky header after successful unlock; implements new get_sticky_header() AJAX handler with nonce verification; updates sticky header template to use renamed wallet address variable.
Payment Verification Enhancement includes/class-paybutton-ajax.php	Extends mark_payment_successful() database query to fetch pb_paywall_user_wallet_address and auto-populates wallet address into PayButton_State when server-verified.
Admin Wallet Address Variable Renaming includes/class-paybutton-admin.php, templates/admin/paybutton-generator.php, templates/admin/paywall-settings.php	Standardizes wallet address variable naming from admin_wallet_address / admin_address to paybutton_admin_wallet_address across admin configuration and templates.
User Profile & Data Row Variable Renaming includes/class-paybutton-public.php, templates/admin/content.php, templates/admin/customers.php, templates/public/profile.php	Renames loop variables and data accessors from $row to $paybutton_row and rows to paybutton_rows for consistency; updates user wallet address variable to paybutton_user_wallet_address across public and admin templates.

Sequence Diagram

sequenceDiagram
    participant Client as Browser Client
    participant JS as paywalled-content.js
    participant Server as WordPress Server
    participant AJAX as AJAX Handler
    participant Template as Sticky Header Template
    
    Client->>Server: POST Unlock Payment
    Server->>Server: Process Payment & Verify
    Server->>Client: Success Response
    
    JS->>JS: Mark User as Logged In (isLoggedIn)
    
    JS->>AJAX: AJAX POST paybutton_get_sticky_header
    AJAX->>AJAX: Verify Nonce
    AJAX->>Template: Render Sticky Header with Wallet Address
    Template->>AJAX: Return HTML
    AJAX->>Client: Success Response with HTML
    
    JS->>Client: Replace Sticky Header DOM Element
    Note over Client: Header Updated Without Page Reload

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• AJAX handler implementation (get_sticky_header() method): Verify nonce validation, error handling, and template rendering logic
• Database query modification in mark_payment_successful(): Confirm new field selection and wallet address auto-population logic
• Client-side AJAX call: Review state management and DOM replacement flow
• Variable renaming consistency: Spot-check that all renamed variables are correctly updated across multiple template files (templates/admin/*, templates/public/*)

Possibly related PRs

• Secure “Login via Cashtab” Flow (Server-Verified Login Tokens) #90: Modifies AJAX and client unlock flows to support server-verified wallet/login state and token-based validation in parallel with these sticky header changes.
• add prefix to global variables #97: Implements the same wallet address and data variable renaming pattern (admin_wallet_address → paybutton_admin_wallet_address, user_wallet_address → paybutton_user_wallet_address) across classes and templates.
• Secure “Content Unlocking” Flow (Server-Verified Login Tokens) #93: Modifies paywall unlock flow and payment verification in includes/class-paybutton-ajax.php alongside client-side unlock behavior.

Suggested labels

enhancement (behind the scenes)

Poem

🐰 A header refreshes without a reload,
Wallet addresses renamed, a consistent code!
AJAX whispers fetch fresh state,
User logged in—no more wait!
Payment unlocks the sticky display! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'autologin after content unlock' clearly summarizes the main change: implementing automatic login functionality after a user unlocks content.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/auto-login-after-content-unlock

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

_{2 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[Klakurka]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

assets/js/paywalled-content.js (1)

76-91: Consider adding error handling for the AJAX call.

The sticky header refresh functionality works well, but there's no error handling if the AJAX request fails. Users won't receive feedback if the header fails to update.

Apply this diff to add error handling:

         jQuery.post(
             PaywallAjax.ajaxUrl,
             {
                 action: 'paybutton_get_sticky_header',
                 security: PaywallAjax.nonce
             },
             function(resp) {
                 if (resp && resp.success && resp.data && resp.data.html) {
                     var $header = jQuery('#cashtab-sticky-header');
                     if ($header.length) {
                         // Replace the whole header with the freshly rendered one
                         $header.replaceWith(resp.data.html);
                     }
                 }
             }
-        );
+        ).fail(function() {
+            console.warn('Failed to refresh sticky header. The page may need to be reloaded.');
+        });

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bf6750b and 80193b0.

📒 Files selected for processing (10)

• assets/js/paywalled-content.js (1 hunks)
• includes/class-paybutton-admin.php (1 hunks)
• includes/class-paybutton-ajax.php (5 hunks)
• includes/class-paybutton-public.php (2 hunks)
• templates/admin/content.php (1 hunks)
• templates/admin/customers.php (2 hunks)
• templates/admin/paybutton-generator.php (2 hunks)
• templates/admin/paywall-settings.php (1 hunks)
• templates/public/profile.php (1 hunks)
• templates/public/sticky-header.php (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (3)

assets/js/paywalled-content.js (1)

assets/js/paybutton-paywall-cashtab-login.js (1)

• isLoggedIn (2-2)

includes/class-paybutton-public.php (1)

includes/class-paybutton-state.php (2)

• PayButton_State (4-279)
• get_address (139-150)

includes/class-paybutton-ajax.php (1)

includes/class-paybutton-state.php (2)

• get_address (139-150)
• set_address (97-134)

🪛 PHPMD (2.15.0)

includes/class-paybutton-ajax.php

625-625: Avoid unused local variables such as '$paybutton_user_wallet_address'. (undefined)

(UnusedLocalVariable)

🔇 Additional comments (18)

includes/class-paybutton-public.php (2)

166-169: LGTM! Consistent variable naming.

The rename from user_wallet_address to paybutton_user_wallet_address improves clarity and reduces potential naming conflicts. The template data key is correctly updated to match.

---

283-298: LGTM! Consistent variable naming in profile shortcode.

The variable renames (paybutton_user_wallet_address, paybutton_rows) align with the naming conventions introduced across the PR. The database query and template data passing are updated consistently.

templates/admin/paybutton-generator.php (1)

6-25: LGTM! Consistent variable naming.

The rename to paybutton_admin_wallet_address aligns with the naming standardization across the codebase.

includes/class-paybutton-admin.php (1)

207-207: LGTM! Template data key updated.

The key rename to paybutton_admin_wallet_address correctly aligns with the template variable changes in paywall-settings.php.

templates/admin/paywall-settings.php (1)

20-21: LGTM! Template variable updated.

The template correctly uses the renamed paybutton_admin_wallet_address variable, matching the data key passed from the admin class.

assets/js/paywalled-content.js (1)

70-74: LGTM! Good defensive programming.

The check for typeof isLoggedIn !== 'undefined' before setting it prevents potential reference errors if the login script hasn't loaded.

templates/public/sticky-header.php (2)

6-10: LGTM! Consistent variable naming.

The template correctly uses paybutton_admin_wallet_address for the admin wallet check, aligning with the naming standardization.

---

42-42: LGTM! Consistent variable naming.

The conditional correctly uses paybutton_user_wallet_address to determine whether to show login or logged-in UI.

templates/admin/content.php (1)

40-55: LGTM! Consistent variable naming in loop.

The foreach loop variable rename to paybutton_row and introduction of paybutton_permalink improve clarity. All array access is updated consistently.

templates/public/profile.php (2)

9-10: LGTM! Consistent variable naming.

The wallet address display correctly uses paybutton_user_wallet_address, aligning with the naming standardization.

---

14-22: LGTM! Consistent variable naming in content list.

The template correctly uses paybutton_rows and paybutton_row for the unlocked content list, with proper object property access ($paybutton_row->post_id).

templates/admin/customers.php (2)

24-59: LGTM! Variable naming refactor maintains functionality.

The refactoring from $row to $paybutton_row with consistent prefixing is clean and maintains all existing functionality. The object-style property access is appropriate for the data structure being iterated.

---

101-137: LGTM! Array-style access refactor is correct.

The refactoring correctly uses array-style access ($paybutton_row['key']) for the customers data structure, which differs appropriately from the object-style access in the first loop. All data access patterns are consistent and properly escaped.

includes/class-paybutton-ajax.php (5)

53-56: LGTM! Proper AJAX hook registration.

The new sticky header endpoint is correctly registered for both authenticated and unauthenticated users, following the same pattern as other AJAX handlers in this class.

---

314-314: LGTM! Query extended to support auto-login.

The query now selects pb_paywall_user_wallet_address in addition to id, which is necessary for the auto-login feature implemented below. This is a minimal and appropriate change.

---

345-349: LGTM! Auto-login logic is secure and well-implemented.

The auto-login feature correctly extracts the wallet address from the server-verified database row and sets it in the user's state only if they're not already logged in. The security is sound because:

1. The row was inserted by the cryptographically signed webhook in payment_trigger()
2. The unlock_token was validated in ajax_validate_unlock_tx()
3. The wallet address matches the one provided in the AJAX request (verified in the WHERE clause)

This ensures the wallet address originates from a legitimate payment transaction, not user input.

---

410-410: LGTM! Appropriate phpcs ignore for core WordPress hook.

The phpcs ignore comment is correctly used for the the_content filter, which is a core WordPress hook. The inline explanation makes the intent clear.

---

616-634: The static analysis hint is a false positive; the variable is used in the template, but current indentation is already correct.

The get_sticky_header() method is functionally sound:

• Nonce verification is proper
• Template existence check with appropriate error handling
• The $paybutton_user_wallet_address variable is correctly used in the included template (templates/public/sticky-header.php, line 42), confirming the PHPMD warning is a false positive

The method body is already properly indented (8 spaces) consistent with WordPress coding standards, so no indentation changes are needed. The file also has a trailing newline after the closing brace.