#35662 closed enhancement (fixed)
Include a refreshed nonce when responding to an authenticated REST API response
Reported by: | adamsilverstein | Owned by: | rachelbaker |
---|---|---|---|
Milestone: | 4.6 | Priority: | normal |
Severity: | normal | Version: | 4.4 |
Component: | REST API | Keywords: | has-patch has-unit-tests commit |
Focuses: | Cc: |
Description
In https://github.com/WP-API/WP-API/issues/2146 @kadamwhite points out that in order for long lived JavaScript applications to remain authenticated. Without this, the nonce localized at load time will expire. My proposal is to add a X-WP-Nonce
header with a new nonce in responses to authenticated requests.
Attachments (9)
Change History (37)
#2
@
9 years ago
- Keywords dev-feedback added
- Milestone changed from Awaiting Review to 4.5
- Owner set to adamsilverstein
- Status changed from new to assigned
In 35662.2.diff Only send the refreshed nonce when the request contains a valid nonce.
#3
@
9 years ago
- Keywords needs-unit-tests added
- code/docblock cleanup
- only send nonce header when logic check passes
#6
@
9 years ago
@welcher thanks for the unit tests! Can you add a .
to the end of your test method Docblocks?
@rmccue any other feedback here?
This ticket was mentioned in Slack in #core by adamsilverstein. View the logs.
9 years ago
#8
@
9 years ago
- Owner changed from adamsilverstein to rmccue
- Status changed from assigned to reviewing
#9
@
9 years ago
Few things:
- Generating nonces for non-logged in users is almost useless. There may be edge cases where this could be used for something, but better to leave that for plugins to enable/set.
- Currently the nonces code block is before the REST API enabled check so it will return a nonce even when the API is disabled. This doesn't seem right?
- Generating a nonce on every request (which will be the same for 12 hours) seems redundant. Perhaps it is better when a client looks for the presence of a new nonce and replaces the current one? As mentioned in the Slack chat, maybe add new nonce only when
wp_verify_nonce()
returns 2. - Consider separating the filter parameters:
$nonce_is_valid
anduser_logged_in
and maybe drop$user_and_nonce
. Plugins don't need to check again why $user_and_nonce is false.
This ticket was mentioned in Slack in #core by jorbin. View the logs.
9 years ago
This ticket was mentioned in Slack in #core-restapi by rmccue. View the logs.
9 years ago
#13
@
9 years ago
@azaozz
Thanks for the feedback.
- Note that we only send the nonce back when the request contains a valid nonce.
- I agree we should only send a nonce back if the api is enabled.
- I like the suggestion of only sending a nonce when the verify nonce returns 2 indicating a nonce with a later expiration is available. It is straightforward to work with this on the client side.
@rmccue is working on a refreshed patch.
This ticket was mentioned in Slack in #core by mike. View the logs.
9 years ago
#15
@
9 years ago
- Milestone changed from 4.5 to Future Release
Punting this to Future Release -- too late for 4.5 beta deadline.
#16
@
8 years ago
- Keywords needs-refresh added
Been a while with no updated patch. Anyone else want to provide a new patch for this?
#17
@
8 years ago
- Keywords needs-refresh removed
- Only sends the header if REST API is active.
- By default, only sends if user is logged in and nonce status is
2
. - Sends nonce status as second parameter in the filter. (
is_user_logged_in()
can be checked by anything hooking in).
Annoyingly, I had to remove the unit test that tests the default functionality (without messing with the filter) because I couldn't figure out how to generate a nonce that is already in status 2
. (Anyone have any ideas here? Might be good for general nonce testing).
#18
follow-up:
↓ 19
@
8 years ago
I believe @aidvu was working on an updated patch that moves this to rest_cookie_check_errors
instead, which is a nicer place for it to live.
Would it be worth introducing a wp_create_outdated_nonce()
or something? Seems like a very niche use case, and only really useful in the unit tests.
#19
in reply to:
↑ 18
@
8 years ago
Replying to rmccue:
I believe @aidvu was working on an updated patch that moves this to
rest_cookie_check_errors
instead, which is a nicer place for it to live.
No opinion here.
Would it be worth introducing a
wp_create_outdated_nonce()
or something? Seems like a very niche use case, and only really useful in the unit tests.
Seems very niche. If we do that, maybe just make it available as a tests helper function — not in core.
#20
@
8 years ago
- Keywords has-unit-tests added
Updated patch as discussed today with @rmccue and @markjaquith at WCEU Contributor Day.
Thanks for all the help. :) It was an awesome experience.
#21
@
8 years ago
- Keywords commit added; dev-feedback removed
- Milestone changed from Future Release to 4.6
Thanks for the effort here, especially working out the updated unit tests @aidvu! I like this placement for the functionality better and can see why it is a little better here. I have a slightly updated patch (added some periods in unit test description blocks and space before single line comments) I will upload when track db cooperates. I ran the unit tests and verified they work as expected.
#22
@
8 years ago
Thanks for cleaning and discussing the stuff with me @adamsilverstein. :) Forgot to mention you up there!
In 35662.diff:
X-WP-Nonce
header with a refreshed nonce when the request is authenticated.Going to update slightly so its only sent when there is an existing nonce.