The CoinPay OAuth callback should require a stable user identity from the userinfo response before creating a signed session.
Repro path:
- Start the callback with a valid state and authorization code.
- Have the token endpoint return a valid access token.
- Have /api/oauth/userinfo return 200 with profile fields like email/name, but no sub value.
- The callback can still create logicsrc_coinpay_session with sub set to null.
Expected: the callback should fail the OAuth flow and avoid setting a session cookie when userinfo does not provide a subject.
Actual: the callback can continue and sign an authenticated session without a stable user subject.
PR with a focused fix and contract test: #21