From a5e5b6a672183ddc63a8edb9069804d4dfa967c1 Mon Sep 17 00:00:00 2001
From: Adriaan Zonnenberg <a.zonnenberg@sendy.nl>
Date: Fri, 3 Apr 2026 14:01:32 +0200
Subject: [PATCH] Fix special characters in OAuth secret

Fixes OAuth secret containing URL-unsafe special characters
---
 lib/Modules/OAuth.php | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/Modules/OAuth.php b/lib/Modules/OAuth.php
index 88d70e5..edc2dd7 100644
--- a/lib/Modules/OAuth.php
+++ b/lib/Modules/OAuth.php
@@ -22,8 +22,18 @@ public function initialize_credentials(): void
     {
         if (get_option('sendy_client_id') == '') {
             update_option('sendy_client_id', wp_generate_uuid4());
-            update_option('sendy_client_secret', wp_generate_password(40), false);
+            update_option('sendy_client_secret', wp_generate_password(40, false), false);
             update_option('sendy_hostname', get_site_url());
+
+            return;
+        }
+
+        // Regenerate secrets that contain characters requiring URL-encoding.
+        // Such characters (e.g. #, %) break the OAuth URL even when percent-encoded,
+        // because WordPress's esc_url() can revert %23 to # which browsers treat as a fragment separator.
+        $secret = get_option('sendy_client_secret');
+        if ($secret !== false && $secret !== '' && ! sendy_is_authenticated() && rawurlencode($secret) !== $secret) {
+            update_option('sendy_client_secret', wp_generate_password(40, false), false);
         }
     }
 
@@ -47,7 +57,7 @@ public function reset_credentials_when_access_token_nullified($old_value, $value
 
         if (get_option('sendy_hostname') != get_site_url()) {
             update_option('sendy_client_id', wp_generate_uuid4());
-            update_option('sendy_client_secret', wp_generate_password(40), false);
+            update_option('sendy_client_secret', wp_generate_password(40, false), false);
             update_option('sendy_hostname', get_site_url());
 
             update_option('sendy_refresh_token', null, false);