You're very close to what you're looking to accomplish. While it is required that it be a new email address that has not been used before to receive a welcome email, Confirmed Opt-in is not a requirement for that. The key to this code is that even if you delete a contact, it is a soft-delete and this sample will find the deleted contact and restore it. This process will not result in a welcome email being sent, unless that contact was also opted-out. For contacts that are opted out, they will receive an email to confirm that they wish to resubscribe, which will be followed by a welcome email if they confirm the resubscription.
Your current process should continue to work fine if you simply disable confirmed opt-in. If you see results that are different from that, please let me know!
Here are the answers to your questions:
You're on the right track. With OAuth you don't have to register your query parameters in advance and you simply add them to the redirect URL on your initial call to OAuth. Any parameters that are added will be given back to the specified Redirect URL when the process is complete. So if I were to re-use my original example, I could do the following:
While it is theoretically possible that the open endpoint could be used to redirect users, it seems that the potential for abuse is fairly limited. Specifically because the only information that this endpoint gains access to is the authorization code, which can only be exchanged for an access token if you also possess the consumer secret associated with the API key that was used. Therefore this endpoint can only be used to gain an access token if it is associated with a valid API key that the developer using it owns. In terms of general use for redirecting, you could significantly restrict it by implementing both a referrer check and a simple pattern check on the 'redirect' parameter to look for a portion of the path that is specific to your WordPress install. So if you were to use the redirect above, you could have your script search for wp_oauth_redirect before allowing any redirect.
Hopefully the info above clears things up and gives you a path to move forward. If you do have any questions or concerns, please let me know and I am happy to help!
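The referrer check and pattern check suggested in the reply above, sketched as an added example (not code from the original post or from any plugin). The provider host `auth.provider.example`, the function names and the sample URLs are assumptions; the scheme and userinfo checks go slightly beyond what the reply describes.

```python
from urllib.parse import urlsplit

# Assumed values for this sketch; neither comes from the original post.
EXPECTED_REFERRER_HOSTS = {"auth.provider.example"}  # placeholder OAuth provider host
PATH_MARKER = "wp_oauth_redirect"  # path marker named in the reply


def referrer_ok(referer_header):
    """Referrer check: accept only requests arriving from the OAuth provider."""
    if not referer_header:
        return False  # fail closed when the header is missing or stripped
    try:
        parts = urlsplit(referer_header)
        return parts.scheme == "https" and parts.hostname in EXPECTED_REFERRER_HOSTS
    except ValueError:
        return False


def redirect_target_ok(redirect_param):
    """Pattern check: absolute http(s) URL whose *path* contains the marker."""
    if not redirect_param or "\\" in redirect_param:
        return False
    if any(ord(ch) < 0x21 for ch in redirect_param):
        return False  # control characters and whitespace confuse URL parsers
    try:
        parts = urlsplit(redirect_param)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        if parts.username is not None or parts.password is not None:
            return False  # no userinfo ("user@host") in the target
        # Match on the parsed path only, so a marker placed in the query
        # string or fragment does not satisfy the check.
        return PATH_MARKER in parts.path
    except ValueError:
        return False


def decide(referer_header, redirect_param):
    """Return (allowed, reason) for one request to the redirect endpoint."""
    if not referrer_ok(referer_header):
        return (False, "bad referrer")
    if not redirect_target_ok(redirect_param):
        return (False, "bad redirect target")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample request, not taken from the page.
    print(decide("https://auth.provider.example/authorize",
                 "https://blog.example/wp_oauth_redirect/?code=abc"))
```

Both checks narrow what the endpoint will forward to, but the path marker does not pin the destination host; pinning it would need a list of registered site hosts, which the reply does not describe.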