Ticket #35662: 35662.7.diff

src/wp-includes/rest-api/class-wp-rest-server.php

@@ -260 +260 @@
                  */
                 $enabled = apply_filters( 'rest_enabled', true );
 
+                if ( $enabled ) {
+                        $nonce = null;
+
+                        // Find existing nonce.
+                        if ( isset( $_REQUEST['_wpnonce'] ) ) {
+                                $nonce = $_REQUEST['_wpnonce'];
+                        } elseif ( isset( $_SERVER['HTTP_X_WP_NONCE'] ) ) {
+                                $nonce = $_SERVER['HTTP_X_WP_NONCE'];
+                        }
+
+                        // Check the nonce.
+                        $nonce_status = wp_verify_nonce( $nonce, 'wp_rest' );
+
+                        /**
+                         * Filter whether the REST API should send a refreshed nonce header in responses to
+                         * authenticated requests that include a valid nonce.
+                         *
+                         * @since 4.5.0
+                         *
+                         * @param bool $rest_send_refreshed_nonce Whether to send a refreshed nonce in the response headers.
+                         *                                        Defaults to true if the user is logged in and the the
+                         *                                        existing request nonce is valid and expires soon.
+                         * @param bool $nonce_status The status of the nonce
+                         */
+                        $rest_send_refreshed_nonce = apply_filters( 'rest_send_refreshed_nonce', is_user_logged_in() && 2 === $nonce_status, $nonce_status );
+                        if ( $rest_send_refreshed_nonce ) {
+                                $this->send_header( 'X-WP-Nonce', wp_create_nonce( 'wp_rest' ) );
+                        }
+                }
+
                 /**
                  * Filters whether jsonp is enabled.
                  *

tests/phpunit/tests/rest-api/rest-server.php

@@ -882 +882 @@
         public function filter_wp_rest_server_class() {
                 return 'Spy_REST_Server';
         }
+
+        /**
+         * Testing that the headers are not set for anonymous users.
+         *
+         * @ticket 35662
+         */
+        function test_rest_send_refreshed_nonce_anonymous_user() {
+                // Make the request.
+                $headers = $this->helper_make_request_and_return_headers_for_rest_send_refreshed_nonce_tests();
+
+                // Run the assertions.
+                $this->assertArrayNotHasKey( 'X-WP-Nonce', $headers );
+        }
+
+        /**
+         * Testing the rest_send_refreshed_nonce filter.
+         *
+         * If the nonce is valid and the user is logged in, we're filtering as false so the header is not sent
+         * and vice-versa for the opposite setup.
+         *
+         * @ticket 35662
+         *
+         * @dataProvider data_rest_send_refreshed_nonce_filtered
+         *
+         * @param bool   $has_logged_in_user Will there be a logged in user for this test.
+         * @param string $filter_callback    The callback to be used by the add_filter.
+         * @param bool   $has_key            Should the X-WP-Nonce key be in the sent_headers array.
+         */
+        function test_rest_send_refreshed_nonce_filtered( $has_logged_in_user, $filter_callback, $has_key ) {
+
+                if ( true === $has_logged_in_user ) {
+                        // Creat and set the current user.
+                        $this->helper_setup_user_for_rest_send_refreshed_nonce_tests();
+                }
+
+                // Make the request.
+                add_filter( 'rest_send_refreshed_nonce', $filter_callback );
+
+                $headers = $this->helper_make_request_and_return_headers_for_rest_send_refreshed_nonce_tests();
+
+                remove_filter( 'rest_send_refreshed_nonce', $filter_callback );
+
+                // Run the assertions.
+                if ( true === $has_key ) {
+                        $this->assertArrayHasKey( 'X-WP-Nonce', $headers );
+                } else {
+                        $this->assertArrayNotHasKey( 'X-WP-Nonce', $headers );
+                }
+        }
+
+        /**
+         * Dataprovider to automate the filter tests.
+         *
+         * @return array {
+         *     @type array {
+         *         @type bool   $has_logged_in_user Are we registering a user for the test.
+         *         @type string $filter_callback   The callback passed to the filter.
+         *         @type bool   $has_key           Should the X-WP-Nonce key be in the sent_headers array.
+         *     }
+         * }
+         */
+        function data_rest_send_refreshed_nonce_filtered() {
+                return array(
+                        array( false, '__return_true', true ),
+                        array( true, '__return_false', false ),
+                );
+        }
+
+        /**
+         * Helper to setup a users for the rest_send_refreshed_nonce related tests.
+         */
+        function helper_setup_user_for_rest_send_refreshed_nonce_tests() {
+                // Create and set the current user.
+                $author = self::factory()->user->create( array( 'role' => 'author' ) );
+                wp_set_current_user( $author );
+        }
+
+        /**
+         * Helper to make the request and get the headers for the rest_send_refreshed_nonce related tests.
+         *
+         * @return array
+         */
+        function helper_make_request_and_return_headers_for_rest_send_refreshed_nonce_tests() {
+                $request = new WP_REST_Request( 'GET', '/', array() );
+                $result  = $this->server->serve_request( '/' );
+
+                return $this->server->sent_headers;
+        }
 }