Add the masked stored state (transient value) when OAuth Connect validation fails (#4806)

* Add the masked stored state (transient value) when validation fails

Author: diegocurbelo

changelog.txt

@@ -17,6 +17,7 @@
 * Fix - Disable express checkout when Amazon Pay is disabled and the only method
 * Fix - Don't allow WP-Cron jobs to detach payment methods on staging sites
 * Update - Add minimum transaction amounts for BRL, INR, NZD, THB, CZK, HUF, AED, MYR, PLN, RON
+* Dev - Add additional context data to the OAuth connect flow verbose debug logging mode
 
 = 10.1.0 - 2025-11-11 =
 * Dev - Remove unused `shouldShowPaymentRequestButton` parameter and calculations from backend

includes/connect/class-wc-stripe-connect.php

@@ -95,7 +95,8 @@ public function connect_oauth( $state, $code, $type = 'connect', $mode = 'live'
 			// The state parameter is used to protect against CSRF.
 			// It's a unique, randomly generated, opaque, and non-guessable string that is sent when starting the
 			// authentication request and validated when processing the response.
-			if ( get_transient( 'wcs_stripe_connect_state_' . $mode ) !== $state ) {
+			$stored_state = get_transient( 'wcs_stripe_connect_state_' . $mode );
+			if ( $stored_state !== $state ) {
 				if ( WC_Stripe_Helper::is_verbose_debug_mode_enabled() ) {
 					WC_Stripe_Logger::error(
 						'OAuth: Invalid state received from the WCC server',
@@ -105,6 +106,7 @@ public function connect_oauth( $state, $code, $type = 'connect', $mode = 'live'
 							'connect_type'           => $type,
 							'state'                  => self::redact_string( $state ),
 							'code'                   => self::redact_string( $code ),
+							'stored_state'           => false === $stored_state ? 'false' : self::redact_string( $stored_state ),
 						]
 					);
 				}
@@ -196,16 +198,22 @@ public function maybe_handle_redirect() {
 				}
 
 				if ( $is_verbose_debug_mode_enabled ) {
-					WC_Stripe_Logger::debug(
-						'OAuth: Account connected successfully, reloading the page to clear URL parameters',
-						[
-							'current_stripe_api_key' => WC_Stripe_API::get_masked_secret_key(),
-							'connect_mode'           => $mode,
-							'connect_type'           => $type,
-							'connect_response'       => self::redact_sensitive_data( $response ),
-							'redirect_url'           => self::redact_sensitive_data( $redirect_url ),
-						]
-					);
+					$log_data = [
+						'current_stripe_api_key' => WC_Stripe_API::get_masked_secret_key(),
+						'connect_mode'           => $mode,
+						'connect_type'           => $type,
+						'state'                  => self::redact_string( $state ),
+						'code'                   => self::redact_string( $code ),
+						'nonce'                  => self::redact_string( $nonce ),
+						'connect_response'       => self::redact_sensitive_data( $response ),
+						'redirect_url'           => self::redact_sensitive_data( $redirect_url ),
+					];
+
+					if ( ! is_wp_error( $response ) ) {
+						WC_Stripe_Logger::debug( 'OAuth: Account connected successfully', $log_data );
+					} else {
+						WC_Stripe_Logger::error( 'OAuth: Account connection failed', $log_data );
+					}
 				}
 
 				wp_safe_redirect( esc_url_raw( $redirect_url ) );

readme.txt

@@ -127,5 +127,6 @@ If you get stuck, you can ask for help in the [Plugin Forum](https://wordpress.o
 * Fix - Disable express checkout when Amazon Pay is disabled and the only method
 * Fix - Don't allow WP-Cron jobs to detach payment methods on staging sites
 * Update - Add minimum transaction amounts for BRL, INR, NZD, THB, CZK, HUF, AED, MYR, PLN, RON
+* Dev - Add additional context data to the OAuth connect flow verbose debug logging mode
 
 [See changelog for full details across versions](https://raw.githubusercontent.com/woocommerce/woocommerce-gateway-stripe/trunk/changelog.txt).