Skip to content

Fix OAuth session collision overwriting admin identity#213

Draft
tyoung-patreon wants to merge 4 commits intomasterfrom
fix/oauth-session-collision
Draft

Fix OAuth session collision overwriting admin identity#213
tyoung-patreon wants to merge 4 commits intomasterfrom
fix/oauth-session-collision

Conversation

@tyoung-patreon
Copy link
Copy Markdown

@tyoung-patreon tyoung-patreon commented Apr 2, 2026
edited
Loading

Problem

https://www.patreondevelopers.com/t/admin-display-name-nickname-changing-when-patreon-members-join/11295

The OAuth callback in createOrLogInUserFromPatreon() links the incoming Patreon identity to whoever is currently logged into WordPress — not necessarily the user who started the flow. If an admin is logged in when a different Patreon account completes OAuth in the same browser, the admin's Patreon identity and display name get overwritten.

Additionally, updatePatreonUser() writes Patreon names into WordPress's built-in user_firstname/user_lastname meta keys, silently replacing the user's WordPress profile name.

Fix

  • Add a one-time nonce to the OAuth state parameter, verified on callback before linking to a logged-in user. Mismatches fall through to the standard lookup/create path.
  • Rename user_firstname/user_lastname to patreon_user_firstname/patreon_user_lastname so Patreon sync doesn't collide with WordPress profile fields.

Test plan

  • Admin connects own Patreon account — identity links correctly, WP display name unchanged
  • Admin logged in + different Patreon account completes OAuth in same browser — admin's patreon_user_id is NOT overwritten
  • Patron logs in via Patreon (not logged into WP) — correct user created/found
  • Patreon First/Last name fields display correctly in user profile; WP First/Last name fields are not overwritten by Patreon sync
  • Nonce expiration (>10 min delay) — falls through to lookup/create path instead of linking
  • Direct-unlock and post-unlock flows work for both logged-in and logged-out users

Tanner Young and others added 4 commits April 2, 2026 13:46
@claude
feat: add OAuth flow nonce generation and verification helpers
4bea87a 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@claude
feat: embed OAuth flow nonce in state parameter at all flow initiatio…
2943bef 
…n points

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@claude
feat: verify OAuth flow nonce before linking Patreon identity to logg…
9b3d61b 
…ed-in user

Prevents same-browser session collision where an OAuth callback overwrites
the logged-in admin's Patreon identity with a different patron's data.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@claude
fix: use Patreon-specific meta keys for patron names
8de180b 
Rename user_firstname/user_lastname to patreon_user_firstname/patreon_user_lastname
so that syncing Patreon profile data does not silently overwrite the WordPress
user's display name and profile fields.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tyoung-patreon