From 92cc419aad6c4b62fa4af830bd6d0e0aad8cdeeb Mon Sep 17 00:00:00 2001
From: Paulo Pinto
Date: Thu, 14 Sep 2023 16:18:23 +0100
Subject: [PATCH] Double-check that the user actually has the meta key

---
 src/Storage/AuthorizationCodeStorage.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/Storage/AuthorizationCodeStorage.php b/src/Storage/AuthorizationCodeStorage.php
index 87d5a6c..5db5153 100644
--- a/src/Storage/AuthorizationCodeStorage.php
+++ b/src/Storage/AuthorizationCodeStorage.php
@@ -24,6 +24,8 @@ private function getUserIdByCode( $code ) {
 return null;
 }
 
+ $key = self::META_KEY_PREFIX . '_client_id_' . $code;
+
 $users = get_users(
 array(
 // Specifying blog_id does nothing for non-MultiSite installs. But for MultiSite installs, it allows you
@@ -31,7 +33,7 @@ private function getUserIdByCode( $code ) {
 // this plugin is meant to be activated on.
 'blog_id' => apply_filters( 'oidc_auth_code_storage_blog_id', get_current_blog_id() ),
 // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key
- 'meta_key' => self::META_KEY_PREFIX . '_client_id_' . $code,
+ 'meta_key' => $key,
 // Using a meta_key EXISTS query is not slow, see https://github.com/WordPress/WordPress-Coding-Standards/issues/1871.
 'meta_compare' => 'EXISTS',
 )
@@ -47,7 +49,14 @@ private function getUserIdByCode( $code ) {
 return null;
 }
 
- return absint( $users[0]->ID );
+ $user = $users[0];
+
+ // Double-check that the user actually has the meta key.
+ if ( false === get_user_meta( $user, $key, true ) ) {
+ return null;
+ }
+
+ return absint( $user->ID );
 }
 
 public function getAuthorizationCode( $code ) {
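Review bot: In the third hunk, `get_user_meta( $user, $key, true )` passes the `WP_User` object where WordPress expects a numeric user ID, and then compares the result to `false`. The metadata API returns `false` for a non-numeric object ID, so as written the guard appears to fire on every call and `getUserIdByCode()` would return `null` even for a valid authorization code. With a proper ID and `$single = true`, a missing key comes back as `''`, so `false ===` would never match and the check would be a no-op. Test existence directly instead, e.g. `if ( ! metadata_exists( 'user', $user->ID, $key ) ) {`, so the guard rejects exactly the users that lack the code's meta key. The body of `getUserIdByCode()` starts above the first hunk, so any earlier validation of `$code` is not visible here.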