Forms: Use JWT for passing the Contact_Form object around

[enejb]

This PR fixes the an issue where forms that are placed inside form different templates and don't get processed as expected.

Fixes FORMS-109

In future PRs we want to remove the non JWT token way of sumitting the form. But we are keeping it still this way so that we don't cause any mid deploy failures.

Proposed changes:

• Add methods for creating a forms instance via jwt string. (encoding and decoding)
• Refactors the contact form submission handler to be able to reconstruct the form instance from the JWT (jetpack_contact_form_jwt) provided in the POST data.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

Does this pull request change what data or activity we track or use?

No

Testing instructions:

Add a form. Does it submit as expected?
Add a form in a widget. Does it submit as expected?

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the update/add-jwt-form-encode-decode branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack update/add-jwt-form-encode-decode

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[Copilot]

Pull Request Overview

This PR implements JWT-based form submission to fix issues where forms placed in different templates don't get processed as expected. The implementation adds JWT encoding/decoding capabilities to the Contact_Form class while maintaining backward compatibility with the existing submission method.

• Adds JWT encoding/decoding methods to Contact_Form class for form instance reconstruction
• Includes a hidden JWT field in form HTML output for submission processing
• Updates form submission handler to prioritize JWT-based form reconstruction over the existing hash-based method

Reviewed Changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
class-contact-form.php	Adds JWT encoding/decoding methods and includes JWT token in form output
class-contact-form-plugin.php	Updates submission handler to reconstruct forms from JWT token
Contact_Form_Test.php	Adds comprehensive test for JWT encoding/decoding functionality
composer.json	Adds jetpack-jwt package dependency
changelog files	Documents the changes for both plugin and package

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

---

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

• WordPress.com Simple releases happen as soon as you deploy your changes after merging this PR (PCYsg-Jjm-p2).
• WoA releases happen weekly.
• Releases to self-hosted sites happen monthly:
  • Scheduled release: August 5, 2025
  • Code freeze: August 4, 2025

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

[jp-launch-control]

Code Coverage Summary

Coverage changed in 2 files.

File	Coverage	Δ%	Δ Uncovered
projects/packages/forms/src/contact-form/class-contact-form.php	613/1085 (56.50%)	0.72%	1 ❤️‍🩹
projects/packages/forms/src/contact-form/class-contact-form-plugin.php	449/1185 (37.89%)	1.96%	-20 💚

Full summary · PHP report · JS report

[simison]

This might also resolve this issue?

• Forms: required form fields allow empty submission #43028

Forms with required fields were able to submit as empty when placed in templates.

[CGastrell]

This might also resolve this issue?

• Forms: required form fields allow empty submission #43028

Forms with required fields were able to submit as empty when placed in templates.

Seems like there's an issue with the interactivity API context picking up corrupt values (OB output?)

[CGastrell]

All works perfectly! Tested on widgets and template parts, all smooth.

That said, I did push a phan update baseline to fix that check, but there are other checks not going through because some of the libs require php 8.3

Unsure what we should do with that

[simison]

[...] but there are other checks not going through because some of the libs require php 8.3
Unsure what we should do with that

cc @Automattic/jetpack-monorepo for advice

[tbradsha]

The composer lockfile was generated on PHP 8.3+, and the CI expects PHP 8.2 at the moment, so the fix is to run it with PHP 8.2, as done here: 1d87130

[CGastrell]

Works nicely! Let's ship this on Monday!