
Changeset 37905


Timestamp:
06/29/2016 03:00:54 AM (8 years ago)
Author:
rachelbaker
Message:

REST API: Include a refreshed nonce in an X-WP-Nonce header when responding to an authenticated request.

Props adamsilverstein, welcher, markjaquith, aidvu.
Fixes #35662.

Location:
trunk
Files:
2 edited

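--- a/trunk/src/wp-includes/rest-api.php
+++ b/trunk/src/wp-includes/rest-api.php
@@ -549,8 +549,10 @@
  * @since 4.4.0
  *
- * @global mixed $wp_rest_auth_cookie
- *
- * @param WP_Error|mixed $result Error from another authentication handler, null if we should handle it,
- *                               or another value if not.
+ * @global mixed          $wp_rest_auth_cookie
+ * @global WP_REST_Server $wp_rest_server      REST server instance.
+ *
+ * @param WP_Error|mixed $result Error from another authentication handler,
+ *                               null if we should handle it, or another value
+ *                               if not.
  * @return WP_Error|mixed|bool WP_Error if the cookie is invalid, the $result, otherwise true.
  */
@@ -560,5 +562,5 @@
     }
 
-    global $wp_rest_auth_cookie;
+    global $wp_rest_auth_cookie, $wp_rest_server;
 
     /*
@@ -593,4 +595,7 @@
     }
 
+    // Send a refreshed nonce in header.
+    $wp_rest_server->send_header( 'X-WP-Nonce', wp_create_nonce( 'wp_rest' ) );
+
     return true;
 }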
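Review bot: `$wp_rest_server->send_header( 'X-WP-Nonce', ... )` at the end of `rest_cookie_check_errors()` dereferences the global without checking that it holds a server instance; the body between the new `global` line and the header call is outside the hunk, so it cannot be seen here whether an earlier return guarantees one. If this `rest_authentication_errors` callback can run when `$wp_rest_server` is null (the filter applied outside `WP_REST_Server::serve_request()`, for example), the call is a fatal error, so either a guard such as `if ( $wp_rest_server instanceof WP_REST_Server ) {` around the two new lines or a docblock sentence stating that the function must only run inside the REST server would make the precondition explicit. Because the header carries a per-user credential, it is also worth confirming that responses on this path are sent with no-cache headers, so that a shared cache cannot hand one user's nonce to another; that behaviour is not visible in this hunk.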
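--- a/trunk/tests/phpunit/tests/rest-api/rest-server.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-server.php
@@ -24,4 +24,5 @@
         // Remove our temporary spy server
         $GLOBALS['wp_rest_server'] = null;
+        unset( $_REQUEST['_wpnonce'] );
 
         parent::tearDown();
@@ -894,3 +895,91 @@
         return 'Spy_REST_Server';
     }
+
+    /**
+     * Refreshed nonce should not be present in header when an invalid nonce is passed for logged in user.
+     *
+     * @ticket 35662
+     */
+    public function test_rest_send_refreshed_nonce_invalid_nonce() {
+        $this->helper_setup_user_for_rest_send_refreshed_nonce_tests();
+
+        $_REQUEST['_wpnonce'] = 'random invalid nonce';
+
+        $headers = $this->helper_make_request_and_return_headers_for_rest_send_refreshed_nonce_tests();
+
+        $this->assertArrayNotHasKey( 'X-WP-Nonce', $headers );
+    }
+
+    /**
+     * Refreshed nonce should be present in header when a valid nonce is
+     * passed for logged in/anonymous user and not present when nonce is not
+     * passed.
+     *
+     * @ticket 35662
+     *
+     * @dataProvider data_rest_send_refreshed_nonce
+     *
+     * @param bool $has_logged_in_user Will there be a logged in user for this test.
+     * @param bool $has_nonce          Are we passing the nonce.
+     */
+    public function test_rest_send_refreshed_nonce( $has_logged_in_user, $has_nonce ) {
+        if ( true === $has_logged_in_user ) {
+            $this->helper_setup_user_for_rest_send_refreshed_nonce_tests();
+        }
+
+        if ( $has_nonce ) {
+            $_REQUEST['_wpnonce'] = wp_create_nonce( 'wp_rest' );
+        }
+
+        $headers = $this->helper_make_request_and_return_headers_for_rest_send_refreshed_nonce_tests();
+
+        if ( $has_nonce ) {
+            $this->assertArrayHasKey( 'X-WP-Nonce', $headers );
+        } else {
+            $this->assertArrayNotHasKey( 'X-WP-Nonce', $headers );
+        }
+    }
+
+    /**
+     * @return array {
+     *     @type array {
+     *         @type bool $has_logged_in_user Are we registering a user for the test.
+     *         @type bool $has_nonce          Is the nonce passed.
+     *     }
+     * }
+     */
+    function data_rest_send_refreshed_nonce() {
+        return array(
+            array( true, true ),
+            array( true, false ),
+            array( false, true ),
+            array( false, false ),
+        );
+    }
+
+    /**
+     * Helper to setup a users and auth cookie global for the
+     * rest_send_refreshed_nonce related tests.
+     */
+    protected function helper_setup_user_for_rest_send_refreshed_nonce_tests() {
+        $author = self::factory()->user->create( array( 'role' => 'author' ) );
+        wp_set_current_user( $author );
+
+        global $wp_rest_auth_cookie;
+
+        $wp_rest_auth_cookie = true;
+    }
+
+    /**
+     * Helper to make the request and get the headers for the
+     * rest_send_refreshed_nonce related tests.
+     *
+     * @return array
+     */
+    protected function helper_make_request_and_return_headers_for_rest_send_refreshed_nonce_tests() {
+        $request = new WP_REST_Request( 'GET', '/', array() );
+        $result  = $this->server->serve_request( '/' );
+
+        return $this->server->sent_headers;
+    }
 }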
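Review bot: `helper_setup_user_for_rest_send_refreshed_nonce_tests()` sets the global `$wp_rest_auth_cookie = true`, but the new `tearDown()` line only clears `$_REQUEST['_wpnonce']`, so the global keeps signalling "cookie auth in use" for every later test in the process unless the base test case restores globals, which is not visible here. Adding `unset( $GLOBALS['wp_rest_auth_cookie'] );` next to the new `unset( $_REQUEST['_wpnonce'] );` keeps the cookie-auth state from leaking between tests. The data provider `data_rest_send_refreshed_nonce()` lacks the `public` visibility that every sibling method in the hunk declares, and the request helper assigns `$request` and `$result` without using either, so `$this->server->serve_request( '/' );` on its own would read more clearly.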