From ff29f952647787cdfee431178887dd4553eb3171 Mon Sep 17 00:00:00 2001 From: dwindown Date: Wed, 5 Nov 2025 00:42:11 +0700 Subject: [PATCH] fix: Use wp_authenticate + wp_set_auth_cookie + wp_set_current_user for proper session --- admin-spa/src/App.tsx | 11 +++-- admin/index.php | 84 --------------------------------- includes/Api/AuthController.php | 30 ++++++------ 3 files changed, 20 insertions(+), 105 deletions(-) delete mode 100644 admin/index.php diff --git a/admin-spa/src/App.tsx b/admin-spa/src/App.tsx index 5e45b9c..5423d18 100644 --- a/admin-spa/src/App.tsx +++ b/admin-spa/src/App.tsx @@ -461,11 +461,12 @@ function AuthWrapper() { ); } - if (window.WNW_CONFIG?.standaloneMode && !isAuthenticated) { - // Redirect to WordPress login with return URL - const returnUrl = encodeURIComponent(window.location.href); - window.location.href = `/wp-login.php?redirect_to=${returnUrl}`; - return null; + if (window.WNW_CONFIG?.standaloneMode && !isAuthenticated && location.pathname !== '/login') { + return ; + } + + if (location.pathname === '/login' && isAuthenticated) { + return ; } return ( diff --git a/admin/index.php b/admin/index.php deleted file mode 100644 index 389ab67..0000000 --- a/admin/index.php +++ /dev/null @@ -1,84 +0,0 @@ - $user->ID, - 'name' => $user->display_name, - 'email' => $user->user_email, - 'avatar' => get_avatar_url( $user->ID ), - ]; -} - -// Get asset URLs -$plugin_url = plugins_url( '', dirname( __FILE__ ) ); -$asset_url = $plugin_url . '/admin-spa/dist'; -$css_url = $asset_url . '/app.css'; -$js_url = $asset_url . '/app.js'; - -// Add cache busting -$version = defined( 'WP_DEBUG' ) && WP_DEBUG ? time() : '1.0.0'; -$css_url .= '?ver=' . $version; -$js_url .= '?ver=' . $version; -?> - - - - - - - WooNooW Admin - - - - - -
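Review bot: The new standalone-mode redirect to `/login` drops the return URL that the removed `redirect_to=${returnUrl}` query string carried, so a user who opens a deep link while signed out lands wherever the login route sends them afterwards, not on the page they asked for, unless the element on the `return ;` line (its JSX is stripped in this extract) forwards it, e.g. `state={{ from: location }}`, and the login route honours it. The `location.pathname` checks read as react-router's `useLocation()` value; if they are in fact the bare `window.location` global, the component will not re-render on client-side navigation, so confirm which one is in scope. Note that this client-side `isAuthenticated` gate is a UX convenience only, not a security boundary: every REST route the SPA calls must keep its own capability check, as the `manage_woocommerce` test in AuthController does. AuthWrapper starts outside the hunk.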
- - - - - - - - diff --git a/includes/Api/AuthController.php b/includes/Api/AuthController.php index 6a49ee2..6f70b3e 100644 --- a/includes/Api/AuthController.php +++ b/includes/Api/AuthController.php @@ -31,20 +31,8 @@ class AuthController { ], 400 ); } - // Use wp_signon to properly authenticate and set cookies (same as wp-login.php) - $credentials = [ - 'user_login' => $username, - 'user_password' => $password, - 'remember' => true, - ]; - - $user = wp_signon( $credentials, is_ssl() ); - - // Debug logging - if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { - error_log( '[AuthController::login] wp_signon result: ' . ( is_wp_error( $user ) ? 'ERROR' : 'SUCCESS' ) ); - error_log( '[AuthController::login] User ID: ' . ( is_wp_error( $user ) ? 'N/A' : $user->ID ) ); - } + // Authenticate user (same as wp-login.php) + $user = wp_authenticate( $username, $password ); if ( is_wp_error( $user ) ) { return new WP_REST_Response( [ @@ -55,14 +43,24 @@ class AuthController { // Check if user has WooCommerce permissions if ( ! user_can( $user, 'manage_woocommerce' ) ) { - // Logout if no permission - wp_logout(); return new WP_REST_Response( [ 'success' => false, 'message' => __( 'You do not have permission to access this area', 'woonoow' ), ], 403 ); } + // CRITICAL: Set auth cookie AND current user (as per WordPress best practices) + // This ensures session is properly established for both standalone and wp-admin + wp_set_auth_cookie( $user->ID, true, is_ssl() ); + wp_set_current_user( $user->ID ); + + // Debug logging + if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { + error_log( '[AuthController::login] Login successful for user ID: ' . $user->ID ); + error_log( '[AuthController::login] Current user ID: ' . get_current_user_id() ); + error_log( '[AuthController::login] Cookies set: ' . ( headers_sent() ? 'Headers already sent!' : 'OK' ) ); + } + // Return user data and new nonce return new WP_REST_Response( [ 'success' => true,
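Review bot: `wp_authenticate()` returns a `WP_Error` whose code and message distinguish an unknown username (`invalid_username`/`invalid_email`) from a wrong password (`incorrect_password`), so if the error branch that follows this hunk returns `$user->get_error_message()` to the client, the endpoint becomes a username-enumeration oracle; return a fixed message such as `__( 'Invalid username or password', 'woonoow' )` and keep the specific code in the server log only. On the positive side, `wp_authenticate()` still fires `wp_login_failed` on error, so lockout and rate-limiting plugins that hook that action keep working after the move away from `wp_signon()`. The login() method starts and ends outside this hunk.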
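Review bot: Replacing `wp_signon()` with `wp_authenticate()` + `wp_set_auth_cookie()` silently drops the `wp_login` action that `wp_signon()` fired after setting the cookie, so two-factor, audit-log, session-limit and last-login plugins hooked on it no longer see these logins; add `do_action( 'wp_login', $user->user_login, $user );` after `wp_set_current_user()`. A second, subtler problem: `setcookie()` does not populate `$_COOKIE`, so if the "new nonce" returned below is produced by `wp_create_nonce( 'wp_rest' )` in this same request, it is keyed on an empty session token while every later request carries the real token from the fresh cookie, and the nonce fails verification; the usual fix is to mirror the logged-in cookie into `$_COOKIE` via the `set_logged_in_cookie` action before creating the nonce. The `headers_sent()` check in the debug block only logs the failure after the fact — if headers are already sent the cookie was never issued, so that condition should make the request fail rather than report success. Hard-coding the remember flag to `true` also gives every login a long-lived cookie regardless of what the user asked for; consider taking it from the request.

```php
// … unchanged: authenticate + manage_woocommerce check …

// setcookie() does not update $_COOKIE; mirror the logged-in cookie so that
// wp_create_nonce() below keys on the same session token later requests will carry.
add_action( 'set_logged_in_cookie', static function ( $logged_in_cookie ) {
    $_COOKIE[ LOGGED_IN_COOKIE ] = $logged_in_cookie;
} );

if ( headers_sent() ) {
    return new WP_REST_Response( [
        'success' => false,
        'message' => __( 'Unable to establish a session', 'woonoow' ),
    ], 500 );
}

wp_set_auth_cookie( $user->ID, true, is_ssl() );
wp_set_current_user( $user->ID );

// wp_signon() used to fire this; security/audit plugins depend on it.
do_action( 'wp_login', $user->user_login, $user );

// … unchanged: debug logging and response …
```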