During my examination of the plugin code I have found some bugs and some shortcomings:
- The Unlink identity action is not properly clearing the 'identity provider' user meta field.
The API call to unlink an identity is not returning the required identity->source->name property and thus generates a PHP warning, and the unlinked identity provider is not removed from the list of providers in user meta. You can clearly see this issue by looking at the success message: 'You have successfully unlinked your account.'
On the other hand the API is returning the list of currently linked providers, so this info can be used to simply update the user meta field and also to guess the name of the currently unlinked provider for the success message.
The same approach to update 'identity provider' user meta can also be used in the Link identity action.
- Logging in with new social identity to already linked account is not handled correctly.
Consider this situation: a user has already linked one or more social accounts in his profile, linking to an existing account by verified email is enabled, and this user now logs in with a new social identity where he has registered the same email address as in other social networks.
In this situation the API generates and returns a new identity token and also a new user token. The plugin now checks if the verified email is already used by an existing user and then simply overwrites the meta data for this user with both new tokens.
But this is wrong, because all social accounts already linked to the old user token are lost.
The correct way is to check if the user already has a user token, call the API to relink the new identity to the existing user (by the existing user token), possibly call the API to delete this emptied user, and finally add the new provider to the list of providers in user meta.
Naturally the API request functions have to be modified to support PUT and DELETE methods and POST data field.
- Adding an option to completely disable user creation on social login when user registration is not allowed on the site.
This is useful on sites where user accounts are already created and the site owner doesn't want to allow users to create new accounts by social login (especially when registration is disabled in WordPress settings). Only linking from user profiles is allowed.
This could be accomplished by the plugin itself or by letting users handle this with the 'oa_social_login_action_before_user_insert' hook.
In the latter case a new 3rd argument $user_token has to be added to the action call, as it is crucial to call the API to delete the newly created user and its linked social identity. Otherwise the new social identity cannot be used later when the user wants to link his social account in the user profile.
In either case the plugin should inform the user that registration is disabled and that he needs to use the linking functionality. Using a redirect to the URL wp-login.php?registration=disabled&social=true (which already shows the 'Registration Disabled' error message) and adding a new info message via the 'wp_login_errors' hook is one suitable solution.
- PHP warning for undefined variable '$css_theme_uri' in Render link form function.
This is just a minor issue in 'oa_social_login_link_css' filter call.
I have already solved all these issues, so if you are interested I can provide you with my code modifications.
Anyway, thanks for such a great social integration plugin and service.
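
The relink flow described in the second item above, as an added PHP illustration that is not part of the original post and is neither the poster's nor the plugin's code. The `IdentityApi` interface, its method names, the meta keys and the token values are hypothetical stand-ins; `FakeApi` and the sample data are constructed so the block runs offline.

```php
<?php
// Hypothetical API surface (assumption, not the service's real client).
interface IdentityApi
{
    public function relinkIdentity(string $identityToken, string $userToken): void; // PUT
    public function deleteUser(string $userToken): void;                            // DELETE
}
// Returns the meta to store for the WordPress user matched by verified email.
function merge_social_login(IdentityApi $api, array $meta, string $newUserToken,
    string $newIdentityToken, string $provider): array
{
    $existing = $meta['user_token'] ?? '';
    if ($existing === '') {
        // No earlier social link: adopt the user token the API just issued.
        $meta['user_token'] = $newUserToken;
    } elseif ($existing !== $newUserToken) {
        // Keep the old user token so earlier links survive: move the new
        // identity under it, then delete the now-empty new user.
        $api->relinkIdentity($newIdentityToken, $existing);
        $api->deleteUser($newUserToken);
    }
    $providers = $meta['providers'] ?? [];
    if (!in_array($provider, $providers, true)) {
        $providers[] = $provider;
    }
    $meta['providers'] = $providers;
    return $meta;
}
// In-memory stand-in for the remote API, used only for this demonstration.
final class FakeApi implements IdentityApi
{
    public array $users = []; // user token => list of identity tokens
    public function relinkIdentity(string $identityToken, string $userToken): void
    {
        foreach ($this->users as $token => $ids) {
            $this->users[$token] = array_values(array_diff($ids, [$identityToken]));
        }
        $this->users[$userToken][] = $identityToken;
    }
    public function deleteUser(string $userToken): void { unset($this->users[$userToken]); }
}
// Constructed sample: one existing link, then a login through a second provider.
$api = new FakeApi();
$api->users = ['ut-old' => ['id-facebook'], 'ut-new' => ['id-google']];
$meta = merge_social_login($api, ['user_token' => 'ut-old', 'providers' => ['facebook']],
    'ut-new', 'id-google', 'google');
print_r([$meta, $api->users]);
```

After the call the stored user token is still `ut-old`, both identities sit under it, and `ut-new` no longer exists, so the earlier link is not lost.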