Store callback URL hash per-user instead of site-wide

Fixes multi-user scenario where only the first user to trigger the URL
change detection would re-register callback URLs. Now each user
independently detects the change via their own user meta hash and
re-registers on their next "Generate with AI" click.

Also improves multisite: since wp_usermeta is network-wide, users
switching between sites automatically detect the different REST API
endpoints and re-register with the correct callback URLs.

Author: chrisdavidmiles

src/ai/authorization/application/token-manager.php

@@ -218,8 +218,8 @@ public function token_request( WP_User $user ): void {
 
 		$this->request_handler->handle( new Request( '/token/request', $request_body ) );
 
-		// Store a hash of the callback URL to detect future site URL changes.
-		\update_option( 'yoast_ai_generator_callback_url_hash', \md5( $callback_url ), true );
+		// Store a per-user hash of the callback URL to detect future site URL changes.
+		$this->user_helper->update_meta( $user->ID, '_yoast_wpseo_ai_generator_callback_url_hash', \md5( $callback_url ) );
 
 		// The callback saves the metadata. Because that is in another session, we need to delete the current cache here. Or we may get the old token.
 		\wp_cache_delete( $user->ID, 'user_meta' );
@@ -315,7 +315,7 @@ public function has_token_expired( string $jwt ): bool {
 	 */
 	public function get_or_request_access_token( WP_User $user ): string {
 		// If the site URL has changed since callback URLs were registered, delete stale tokens.
-		if ( $this->have_callback_urls_changed() ) {
+		if ( $this->have_callback_urls_changed( $user ) ) {
 			$this->user_helper->delete_meta( $user->ID, '_yoast_wpseo_ai_generator_access_jwt' );
 			$this->user_helper->delete_meta( $user->ID, '_yoast_wpseo_ai_generator_refresh_jwt' );
 		}
@@ -350,18 +350,21 @@ public function get_or_request_access_token( WP_User $user ): string {
 	 *
 	 * Detects site URL changes (e.g., migrating from a staging URL to a production domain)
 	 * that would leave stale callback URLs registered with the Yoast AI service.
-	 * Uses a hash so the stored value is immune to wp search-replace operations.
+	 * Uses a per-user hash so each user independently detects the change and re-registers.
+	 * The hash is immune to wp search-replace operations.
 	 *
 	 * When no hash is stored (first run after upgrade), returns true to force a fresh
 	 * token_request(). This ensures existing sites with stale callback URLs self-heal
 	 * without manual intervention.
 	 *
+	 * @param WP_User $user The current user.
+	 *
 	 * @return bool Whether the callback URLs may have changed.
 	 */
-	private function have_callback_urls_changed(): bool {
-		$registered_hash = \get_option( 'yoast_ai_generator_callback_url_hash', '' );
+	private function have_callback_urls_changed( WP_User $user ): bool {
+		$registered_hash = $this->user_helper->get_meta( $user->ID, '_yoast_wpseo_ai_generator_callback_url_hash', true );
 
-		if ( $registered_hash === '' ) {
+		if ( ! \is_string( $registered_hash ) || $registered_hash === '' ) {
 			return true;
 		}
 

tests/Unit/AI/Authorization/Application/Token_Manager/Abstract_Token_Manager_Test.php

@@ -113,13 +113,13 @@ protected function setUp(): void {
 		$this->urls                     = Mockery::mock( WordPress_URLs::class );
 		$this->url_helper               = Mockery::mock( Url_Helper::class );
 
-		// Default: have_callback_urls_changed() returns false by providing a matching hash.
+		// Default: have_callback_urls_changed() returns false by providing a matching per-user hash.
 		$default_callback_url = 'https://example.com/wp-json/yoast/v1/ai_generator/callback';
-		Monkey\Functions\expect( 'get_option' )
-			->with( 'yoast_ai_generator_callback_url_hash', '' )
+		$this->user_helper->shouldReceive( 'get_meta' )
+			->with( Mockery::any(), '_yoast_wpseo_ai_generator_callback_url_hash', true )
 			->andReturn( \md5( $default_callback_url ) )
 			->byDefault();
-		Monkey\Functions\stubs( [ 'update_option' ] );
+		$this->user_helper->shouldReceive( 'update_meta' )->zeroOrMoreTimes()->byDefault();
 		$this->urls->shouldReceive( 'get_callback_url' )->andReturn( $default_callback_url )->byDefault();
 		$this->urls->shouldReceive( 'get_refresh_callback_url' )->andReturn( 'https://example.com/wp-json/yoast/v1/ai_generator/refresh_callback' )->byDefault();
 

tests/Unit/AI/Authorization/Application/Token_Manager/Callback_Url_Change_Test.php

@@ -40,10 +40,10 @@ public function test_stale_callback_url_triggers_token_re_request() {
 		$code              = 'test-code-verifier';
 		$created_at        = 1_640_995_200;
 
-		// The stored hash differs from the current callback URL hash.
-		Monkey\Functions\expect( 'get_option' )
-			->with( 'yoast_ai_generator_callback_url_hash', '' )
-			->once()
+		// The stored per-user hash differs from the current callback URL hash.
+		$this->user_helper
+			->shouldReceive( 'get_meta' )
+			->with( 123, '_yoast_wpseo_ai_generator_callback_url_hash', true )
 			->andReturn( $old_callback_hash );
 
 		$this->urls
@@ -108,13 +108,11 @@ public function test_stale_callback_url_triggers_token_re_request() {
 			->expects( 'handle' )
 			->once();
 
-		// Capture the update_option call to verify the hash is stored.
-		$stored_option = [];
-		Monkey\Functions\when( 'update_option' )->alias(
-			static function () use ( &$stored_option ) {
-				$stored_option = \func_get_args();
-			},
-		);
+		// The new callback URL hash should be stored per-user.
+		$this->user_helper
+			->expects( 'update_meta' )
+			->with( 123, '_yoast_wpseo_ai_generator_callback_url_hash', \md5( $new_callback_url ) )
+			->once();
 
 		Monkey\Functions\expect( 'wp_cache_delete' )
 			->with( 123, 'user_meta' )
@@ -129,8 +127,6 @@ static function () use ( &$stored_option ) {
 		$result = $this->instance->get_or_request_access_token( $user );
 
 		$this->assertEquals( $new_access_jwt, $result );
-		$this->assertEquals( 'yoast_ai_generator_callback_url_hash', $stored_option[0] );
-		$this->assertEquals( \md5( $new_callback_url ), $stored_option[1] );
 	}
 
 	/**
@@ -184,10 +180,10 @@ public function test_empty_stored_hash_forces_token_re_request() {
 		$code             = 'test-code-verifier';
 		$created_at       = 1_640_995_200;
 
-		// No stored hash — return empty to trigger re-request.
-		Monkey\Functions\expect( 'get_option' )
-			->with( 'yoast_ai_generator_callback_url_hash', '' )
-			->once()
+		// No stored per-user hash — return empty to trigger re-request.
+		$this->user_helper
+			->shouldReceive( 'get_meta' )
+			->with( 123, '_yoast_wpseo_ai_generator_callback_url_hash', true )
 			->andReturn( '' );
 
 		// Stale tokens should be deleted.
@@ -252,13 +248,11 @@ public function test_empty_stored_hash_forces_token_re_request() {
 			->expects( 'handle' )
 			->once();
 
-		// Capture the update_option call to verify the hash is stored.
-		$stored_option = [];
-		Monkey\Functions\when( 'update_option' )->alias(
-			static function () use ( &$stored_option ) {
-				$stored_option = \func_get_args();
-			},
-		);
+		// The new callback URL hash should be stored per-user.
+		$this->user_helper
+			->expects( 'update_meta' )
+			->with( 123, '_yoast_wpseo_ai_generator_callback_url_hash', \md5( $new_callback_url ) )
+			->once();
 
 		Monkey\Functions\expect( 'wp_cache_delete' )
 			->with( 123, 'user_meta' )
@@ -273,12 +267,10 @@ static function () use ( &$stored_option ) {
 		$result = $this->instance->get_or_request_access_token( $user );
 
 		$this->assertEquals( $new_access_jwt, $result );
-		$this->assertEquals( 'yoast_ai_generator_callback_url_hash', $stored_option[0] );
-		$this->assertEquals( \md5( $new_callback_url ), $stored_option[1] );
 	}
 
 	/**
-	 * Tests that token_request stores the callback URL hash.
+	 * Tests that token_request stores the callback URL hash per-user.
 	 *
 	 * @return void
 	 */
@@ -336,21 +328,16 @@ public function test_token_request_stores_callback_url_hash() {
 			->expects( 'handle' )
 			->once();
 
-		// Capture the update_option call to verify the hash is stored.
-		$stored_option = [];
-		Monkey\Functions\when( 'update_option' )->alias(
-			static function () use ( &$stored_option ) {
-				$stored_option = \func_get_args();
-			},
-		);
+		// Verify the per-user hash is stored after successful token request.
+		$this->user_helper
+			->expects( 'update_meta' )
+			->with( 123, '_yoast_wpseo_ai_generator_callback_url_hash', \md5( $callback_url ) )
+			->once();
 
 		Monkey\Functions\expect( 'wp_cache_delete' )
 			->with( 123, 'user_meta' )
 			->once();
 
 		$this->instance->token_request( $user );
-
-		$this->assertEquals( 'yoast_ai_generator_callback_url_hash', $stored_option[0] );
-		$this->assertEquals( \md5( $callback_url ), $stored_option[1] );
 	}
 }