Bug Summary
The sponsor synchronization workflow grants sponsor privileges by matching GitHub usernames rather than immutable GitHub account identifiers.
If a sponsored username is later recycled, sponsor privileges can be incorrectly assigned to a different user.
Describe the bug
The sponsor synchronization job updates users by matching on github_login instead of an immutable GitHub identifier.
GitHub usernames can change over time and may eventually become available for reuse.
If a sponsored account changes its username and another user later claims the original username, the synchronization process can mistakenly grant sponsor privileges to the wrong account.
To Reproduce
- User A sponsors the project.
- Sponsor synchronization marks User A as a sponsor.
- User A changes their GitHub username.
- A different GitHub account later acquires the original username.
- Sponsor synchronization runs again.
- Observe that sponsor status may be assigned to the new owner of the recycled username.
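The following TypeScript sketch is an added illustration of the reproduction steps above; it is not code from the project's src/app/api/sponsors/sync/route.ts. It models the user table and the sponsor records in memory (field names, the record shape, and the assumption that a stored sponsor record may carry a stale login are all assumptions made for the example), runs the sync once keyed on the mutable login and once keyed on the immutable account id, and includes an audit helper that flags sponsor records whose recorded login now resolves to a different account.

```typescript
// Added example (not the project's route.ts): models the reproduction steps
// with an in-memory user table. Field names and the sponsor-record shape are
// assumptions made for the illustration.

interface User {
  githubId: number;     // immutable GitHub account id
  githubLogin: string;  // mutable GitHub username, as last seen by the app
  isSponsor: boolean;
}

// A sponsor record as the sync job sees it. The login is whatever was
// recorded when the sponsorship was observed and may be stale by the time
// the job runs again; the id never changes.
interface SponsorRecord {
  githubId: number;
  githubLogin: string;
}

// Current (vulnerable) strategy: privilege follows the username.
function syncSponsorsByLogin(users: User[], sponsors: SponsorRecord[]): User[] {
  const logins = new Set(sponsors.map((s) => s.githubLogin));
  return users.map((u) => ({ ...u, isSponsor: logins.has(u.githubLogin) }));
}

// Expected strategy: privilege follows the immutable account id.
function syncSponsorsById(users: User[], sponsors: SponsorRecord[]): User[] {
  const ids = new Set(sponsors.map((s) => s.githubId));
  return users.map((u) => ({ ...u, isSponsor: ids.has(u.githubId) }));
}

// Audit helper: sponsor records whose recorded login now belongs to a
// different account than the one that sponsored. These are exactly the rows
// a login-based sync would mis-assign.
function findRecycledLogins(users: User[], sponsors: SponsorRecord[]): SponsorRecord[] {
  const ownerByLogin = new Map<string, number>(
    users.map((u): [string, number] => [u.githubLogin, u.githubId]),
  );
  return sponsors.filter((s) => {
    const owner = ownerByLogin.get(s.githubLogin);
    return owner !== undefined && owner !== s.githubId;
  });
}

// Returns which githubIds end up with sponsor status under each strategy
// after the recycled-username sequence described in the issue, plus the
// ids the audit helper flags. Constructed scenario, not real data.
function recycledLoginScenario(): { byLogin: number[]; byId: number[]; recycled: number[] } {
  // Steps 1-2: User A (id 1001, login "alice") sponsors; the record is stored.
  const sponsors: SponsorRecord[] = [{ githubId: 1001, githubLogin: "alice" }];

  // Steps 3-4: A renames to "alice-dev"; a new account (id 2002) takes "alice".
  const users: User[] = [
    { githubId: 1001, githubLogin: "alice-dev", isSponsor: false },
    { githubId: 2002, githubLogin: "alice", isSponsor: false },
  ];

  // Step 5: sync runs again under both strategies.
  const sponsorIds = (rows: User[]) => rows.filter((u) => u.isSponsor).map((u) => u.githubId);
  return {
    byLogin: sponsorIds(syncSponsorsByLogin(users, sponsors)),   // [2002]: wrong account
    byId: sponsorIds(syncSponsorsById(users, sponsors)),         // [1001]: original sponsor
    recycled: findRecycledLogins(users, sponsors).map((s) => s.githubId), // [1001]
  };
}
```

Keying the sync on the account id is the fix; the audit helper is the check to run once before switching strategies, so that any rows the login-based job already mis-assigned can be found and corrected rather than silently carried forward.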
Expected behavior
Sponsor synchronization should use immutable GitHub account identifiers.
Sponsor status should remain tied to the original GitHub account.
Actual behavior
Sponsor status is matched using github_login.
Additional context
Affected file:
src/app/api/sponsors/sync/route.ts
Potential impact:
- unauthorized sponsor privileges
- incorrect access levels
- sponsor-only feature exposure
- account ownership confusion