• Resolved carlos978

    (@carlos978)


    1. Check once a week that the account passwords or tokens are valid.

    2. If any account or social network invalidates the login, show the user (with a notification in the administrator).

    3. If no social network is valid, do not show [next_social_login] (that shortcode); show “contact and arrange with the administrator.”

  • Plugin Support Laszlo

    (@laszloszalvak)

    Hi @carlos978

    Thank you for your feedback.

    1.) Periodic account password / token check:
    I am sorry, but on our end there is no point of checking account passwords or tokens because:

    • Although a random password is automatically generated when a new account is created (since a password is required), the social login itself does not use the WordPress account password for authentication. Instead, we authenticate using the data returned by the social media provider’s REST API.
    • OAuth access tokens are short-lived and typically expire within a few hours or less. This is not a problem, as we only need them during the authentication process. The next time the user logs in via social login, a new access token will be issued by the provider.
      (If you are referring to app access, e.g., manually revoking the app’s permissions in the social media account, or when it expires over time, then the next time you connect, the provider will automatically display the OAuth consent screen again. You will need to reauthorize the app so it can make requests on behalf of your account. But this is not done by Nextend Social Login. This flow is handled by the provider itself, since the OAuth flow always starts with the redirect to the authorization endpoint of the given provider.)

    2.) Account or social network invalidates the login
    As mentioned above, there is no active connection between the social media account and the WordPress account. Therefore, the social media provider cannot invalidate the login on your WordPress site. Once you log in using social login, the account behaves just like a traditional email/password login; the only difference is that we retrieve the social media user ID from the provider’s API and check your database for a WordPress account associated with that ID.

    If no matching account is found, it means the social media account is not yet linked to a WordPress account. In this case, if the provider returns a verified email address, we attempt to locate a WordPress account with that email and, if one exists, automatically link the social media account to it.

    Once the user is logged in, the social login does not perform any further actions or maintain any ongoing connection between the accounts.

    3.) Prevent the shortcode from rendering the buttons when the settings are invalid:
    I’m sorry, but there is no automated way to verify this. Whether your social media app configuration is valid or not can only be determined when you attempt to connect with an existing social media account. If the configuration is invalid, the request typically fails on the provider’s end, and the provider displays the error directly, meaning the user never returns to your site. Because of this, we (the plugin) cannot automatically detect or report such issues based on the response.

    This process always requires manual review by a person. In fact, this is the main purpose of our “verification” step, which is a prerequisite for enabling a provider. The social login button will only appear on the frontend of your site once you have successfully completed verification and enabled the provider.

    You can only pass the verification step if the provider successfully returns user data after authenticating with your social media account. Each time you change the app credentials within Nextend Social Login, your settings are automatically reverted to the “Not Verified” state, and the social login button will be hidden again.

    Therefore, our verification system only confirms that your configuration was valid at the time of verification. If you later change your app settings or if your app becomes disabled (e.g. by a guidelines violation) after verification, we cannot detect that automatically, for the reasons mentioned above.

    Notes on informing the administrator about potential issues:
    We do our best to notify administrators of any problems that can be automatically monitored. For example, we check the OAuth Redirect URL of providers. When you successfully verify a provider’s configuration, it confirms that your settings are correct at that moment, so we store your site’s current redirect URL and continue to monitor it for changes (for instance, if you modify your website’s domain name).
    If a change is detected, it could cause a redirect URL mismatch error. In such cases, we display an error message like this on almost all backend pages:

    Nextend Social Login detected that your login url changed. You must update the Oauth redirect URIs in the related social applications.

    Fix Error - Oauth Redirect URI

    But unfortunately, the number of potential issues we can automatically detect is very limited, as most of these require the user to be connected.

    Another reason manual review is always necessary is that, even if social login works for you, it doesn’t necessarily mean it will work for other users as well. A common example involves providers where app owner accounts can still log in even if the app lacks certain required permissions. For instance, on Facebook, some scopes require advanced access, which is only granted after Meta approves your Business Review and App Review requests. Until those reviews are completed, external users will not be able to log in, although your app owner, admin, or tester accounts may still be able to.

    For this reason, it is strongly recommended to test social login with another account that is not associated with the app owner or admin role.


    Best regards,
    Laszlo.
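The account-resolution flow Laszlo describes (look the social user ID up in the site database, fall back to a verified e-mail, never consult a token or password after login) and the one check he says can be automated (the stored redirect URL versus the current one) are modelled below. This is an added example for readers of this thread, not Nextend Social Login's own code: the in-memory user store, the provider profile fields and the sample accounts are all constructed here, and the function names are assumptions. It goes slightly beyond the post by making explicit why the e-mail fallback must require a provider-verified e-mail: linking on an unverified address would let anyone who can set an arbitrary e-mail on a social account log into the matching WordPress account.

```python
"""Model of the social-login account resolution flow described in the reply.

Added example, not the plugin's own code. The user store, provider profile
shape and sample data below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class WordPressUser:
    user_id: int
    email: str


@dataclass
class FakeUserStore:
    """Stand-in for the WordPress users table plus a usermeta link table."""
    users: dict = field(default_factory=dict)   # user_id -> WordPressUser
    links: dict = field(default_factory=dict)   # (provider, provider_uid) -> user_id

    def by_email(self, email: str) -> Optional[WordPressUser]:
        wanted = email.strip().lower()
        for user in self.users.values():
            if user.email.lower() == wanted:
                return user
        return None


@dataclass
class ProviderProfile:
    """The subset of data a provider's REST API returns after the OAuth flow."""
    provider: str
    provider_uid: str
    email: Optional[str]
    email_verified: bool


def resolve_user(store: FakeUserStore, profile: ProviderProfile) -> Optional[int]:
    """Return the WordPress user_id to log in, or None if nothing can be matched.

    1. Look for an existing link keyed on the provider's stable user ID. No
       token or WordPress password is consulted; the link is the only state.
    2. Otherwise auto-link on e-mail, but only when the provider marks the
       address as verified. An unverified e-mail is attacker-controlled input.
    3. Otherwise return None; the caller would send the user to registration.
    """
    key = (profile.provider, profile.provider_uid)
    if key in store.links:
        return store.links[key]

    if profile.email and profile.email_verified:
        existing = store.by_email(profile.email)
        if existing is not None:
            store.links[key] = existing.user_id   # persist the link for next time
            return existing.user_id

    return None


def _normalize_url(url: str) -> tuple:
    # Scheme and host are case-insensitive; the path is not, but a trailing
    # slash difference should not count as a change.
    parts = urlsplit(url.strip())
    return (parts.scheme.lower(), parts.netloc.lower(),
            parts.path.rstrip("/") or "/", parts.query)


def redirect_uri_changed(stored_at_verification: str, current_login_url: str) -> bool:
    """The check the reply says the plugin can automate: compare the redirect
    URL recorded at verification time against the site's current login URL."""
    return _normalize_url(stored_at_verification) != _normalize_url(current_login_url)


def make_sample_store() -> FakeUserStore:
    """Constructed sample data: two accounts, one already linked to a provider."""
    store = FakeUserStore(users={
        7: WordPressUser(7, "alice@example.com"),
        9: WordPressUser(9, "bob@example.com"),
    })
    store.links[("facebook", "fb-1001")] = 7
    return store


if __name__ == "__main__":
    store = make_sample_store()
    print(resolve_user(store, ProviderProfile("facebook", "fb-1001", None, False)))
    print(resolve_user(store, ProviderProfile("google", "g-55", "Bob@Example.com", True)))
    print(resolve_user(store, ProviderProfile("google", "g-99", "alice@example.com", False)))
    print(redirect_uri_changed("https://example.com/wp-login.php",
                               "https://example.org/wp-login.php"))
```

The third lookup in the demo is the case worth noticing: a profile carrying Alice's address but without the provider's verified flag is not linked, so the caller falls through to registration instead of handing over Alice's account.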


The topic ‘Suggestion: add features’ is closed to new replies.