Orange Theory Hack // USERNAME-REWRITE
>> NODE: ctrlaltcorp.dev
>> AUTHOR: HOTCHIP
>> TIME: [20220914-0000]
Orange Theory Hack // USERNAME-REWRITE
"feature" nobody asked for.
I cracked open the Orange Theory API back in 2022 and found a forgotten lane of code: staff-only username updates. Normally it’s locked to in-studio terminals, left the door wide open. Why can users update their username?
I made this code to append class counts automatically-someone once ran nightly Google Scripts against it. Me, it was me.
I asked if this was a bug. The Corp® said: “Not a bug, a feature.”
So I wrote my own client that would:
- Auth with Cognito.
- Pull the member UUID straight out of the JWT.
- Query class totals from the
/member/membersendpoint. - Push the update back via a PUT request.
A nightly trigger runs, and the username updates like clockwork. For example: Stephen B 452 increments with every class.
The constraints? Max username length is 18 characters, but on-screen truncation hits around 12–14. The class count eats 3–4 digits, so I kept it slim: First Name + Last Initial + Count.
Here's the core Google Apps Script function that performs the update:
function setUsernameWithClassCount() {
var memberToken;
if (!authLatestToken) {
memberToken = getAuthToken();
} else {
memberToken = authLatestToken;
}
let memberUUID = parseJwt(memberToken);
var memberEndpoint = `https://api.orangetheory.co/member/members/${memberUUID.username}`;
var params = {
method: "PUT",
followRedirects: true,
headers: {
'Authorization': `Bearer ${memberToken}`
},
payload: JSON.stringify({
"userName": newUsernameStart + memberClassTotal()
})
}
var response = UrlFetchApp.fetch(memberEndpoint, params);
var data = JSON.parse(response.getContentText());
if(data.code === 'SUCCESS'){
Logger.log(data.code + ` Your New username is ${data.data.userName}`);
}else{
throw new Error(JSON.stringify(data));
}
}
It still works. The Corp® left it live. You can view the full script on GitHub.
Call it a bug, a feature, or just legacy code nobody wanted to kill.
>> END OF TRANSMISSION >> STATUS: WORKED AS DESIGNED
- HotChip