From 18aa1028ae463818621220e96c7c1e2300f2b310 Mon Sep 17 00:00:00 2001
From: Robert O'Rourke <23417+roborourke@users.noreply.github.com>
Date: Thu, 19 Mar 2026 11:29:36 +0000
Subject: [PATCH 1/3] Refactor authentication logic and cache handling

I think there are some errors in the caching here that this aims to fix, like putting the expiry in the group parameter. Mainly I'm seeking to fix an edge case where auth0 can "resume" a session but no account record has been created in the db so it keeps logging users out on every page request.
---
 src/Actions/Authentication.php | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/Actions/Authentication.php b/src/Actions/Authentication.php
index f6fb41c94..ff14c3cdf 100644
--- a/src/Actions/Authentication.php
+++ b/src/Actions/Authentication.php
@@ -70,7 +70,7 @@ public function createAccountConnection(WP_User $wpUser, string $connection): vo
 if (null === $found) {
 set_transient($cacheKey, $wpUser->ID, 120);
- wp_cache_set($cacheKey, $found, 120);
+ wp_cache_set($cacheKey, $wpUser->ID, '', 120);
 $database->insertRow($table, [
 'user' => $wpUser->ID,
@@ -100,7 +100,8 @@ public function deleteAccountConnections(int $userId): ?array
 if ($connections) {
 $database->deleteRow($table, ['user' => $userId, 'site' => $network, 'blog' => $blog], ['%d', '%s', '%s']);
- wp_cache_flush();
+ $cacheKey = 'auth0_account_' . hash('sha256', $connections[0] . '::' . $network . '!' . $blog);
+ wp_cache_delete($cacheKey);
 return $connections;
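Review bot: The transient and the object-cache entry for `$cacheKey` are written before `$database->insertRow(...)` runs, so if the insert fails the cache still answers with `$wpUser->ID` for this connection for the next 120 seconds and, assuming the lookup path reads this key, the account is treated as linked until the entry expires. Moving both cache writes below the insert and performing them only when the insert reports success (its return value is not visible in the hunk) closes that window. Since the file already uses named arguments (`resolveIdentity(sub: ...)`), `wp_cache_set($cacheKey, $wpUser->ID, expire: 120)` would also make the corrected parameter order self-documenting. createAccountConnection starts and ends outside the hunk.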
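Review bot: Only the key built from `$connections[0]` is evicted, so if the rows deleted for `$userId` can hold more than one connection (the plural name and the `?array` return type suggest they can), every other connection keeps a cached entry pointing at a link that no longer exists until it expires — the `wp_cache_flush()` this replaces did not have that gap. Building the key per entry, `foreach ($connections as $connection) { $cacheKey = 'auth0_account_' . hash('sha256', $connection . '::' . $network . '!' . $blog); wp_cache_delete($cacheKey); }`, keeps the targeted eviction while covering all rows; the `delete_transient($cacheKey)` added in the second patch has the same single-key limitation and belongs inside the same loop. The key format is now spelled out here and, presumably, where `$cacheKey` is built in createAccountConnection (outside this hunk), so a private helper such as `accountCacheKey(string $connection): string` would keep the two from drifting. deleteAccountConnections ends outside the hunk.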
@@ -399,7 +400,18 @@ public function onInit(): void
 $sub = $session->user['sub'] ?? null;
 if (null !== $sub) {
- $match = $this->getAccountByConnection($sub);
+ $sub = sanitize_text_field($session->user['sub'] ?? '');
+ $email = sanitize_text_field($session->user['email'] ?? '');
+ $verified = $session->user['email_verified'] ?? null;
+ $match = $this->resolveIdentity(sub: $sub, email: $email, verified: $verified);
+
+ // Create missing account record, can be missing when resuming a session
+ // or registering on auth0 for an existing WP user.
+ if (! $match instanceof WP_User && $verified) {
+ $this->createAccountConnection($wordpress, $sub);
+
+ return;
+ }
 if (! $match instanceof WP_User || $match->ID !== $wordpress->ID) {
 $this->getSdk()->clear();

From d803bd74e4ca515568cdd545af9b7c4643b8f2fd Mon Sep 17 00:00:00 2001
From: Robert O'Rourke <23417+roborourke@users.noreply.github.com>
Date: Thu, 19 Mar 2026 11:43:07 +0000
Subject: [PATCH 2/3] Clear authentication transient after deleting user data

---
 src/Actions/Authentication.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Actions/Authentication.php b/src/Actions/Authentication.php
index ff14c3cdf..b083ca12d 100644
--- a/src/Actions/Authentication.php
+++ b/src/Actions/Authentication.php
@@ -101,6 +101,7 @@ public function deleteAccountConnections(int $userId): ?array
 if ($connections) {
 $database->deleteRow($table, ['user' => $userId, 'site' => $network, 'blog' => $blog], ['%d', '%s', '%s']);
 $cacheKey = 'auth0_account_' . hash('sha256', $connections[0] . '::' . $network . '!' . $blog);
+ delete_transient($cacheKey);
 wp_cache_delete($cacheKey);
 return $connections;

From 434d887253bc5edb141e911ddbfc7a8decc3ed6a Mon Sep 17 00:00:00 2001
From: Robert O'Rourke <23417+roborourke@users.noreply.github.com>
Date: Thu, 19 Mar 2026 11:45:44 +0000
Subject: [PATCH 3/3] Update account creation condition to include email check

---
 src/Actions/Authentication.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
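Review bot: The auto-link gate `if (! $match instanceof WP_User && $verified)` tests `$verified` for truthiness, yet it is taken straight from `$session->user['email_verified'] ?? null`, so any non-empty non-boolean value (the string `"false"`, should a connection ever deliver the claim as a string) would pass and link `$sub` to the current WordPress user; `true === $verified` pins the intended meaning. Linking an external identity to a local account is a security-relevant decision and nothing in the hunk records it — a `do_action()` hook or a log call beside `$this->createAccountConnection($wordpress, $sub)` would make such links auditable after the fact. The new `return;` also skips the `getSdk()->clear()` check and everything onInit does after it (the method continues outside the hunk); if that is intended for the just-linked request, the comment above the branch should say so. Finally, the reassigned `$sub = sanitize_text_field(...)` can come back as `''` even though the outer guard checked the raw value against `null`, so `'' !== $sub` belongs in the condition before a connection row is created.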
diff --git a/src/Actions/Authentication.php b/src/Actions/Authentication.php
index b083ca12d..acc46268b 100644
--- a/src/Actions/Authentication.php
+++ b/src/Actions/Authentication.php
@@ -408,7 +408,7 @@ public function onInit(): void
 // Create missing account record, can be missing when resuming a session
 // or registering on auth0 for an existing WP user.
- if (! $match instanceof WP_User && $verified) {
+ if (! $match instanceof WP_User && $email === $wordpress->user_email && $verified) {
 $this->createAccountConnection($wordpress, $sub);
 return;
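Review bot: `$email === $wordpress->user_email` is a byte-exact comparison between a claim passed through `sanitize_text_field()` and the stored WordPress address, so an address differing only in letter case will not auto-link and the request falls through to the `clear()` branch shown in the first patch — the logout loop the series sets out to fix. Whether to accept a case-insensitive match is a trust decision (the domain part is case-insensitive by definition, the local part is not guaranteed to be), so if the strict form is deliberate it deserves a comment such as `// Exact match on purpose: only link when Auth0 reports the same address WP has on file.`. Both sides can also be empty — `$email` defaults to `''` when the claim is absent and a WordPress user can have an empty `user_email` — so the condition should additionally require `'' !== $email` before `$verified` is consulted. onInit continues outside the hunk.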