Opened 3 years ago

Closed 3 years ago

#40422 closed enhancement (fixed)

REST API JavaScript Client: refresh nonce when a new nonce is available

Reported by: adamsilverstein
Owned by: adamsilverstein
Milestone: 4.9
Priority: normal
Severity: normal
Version: 4.7
Component: REST API
Keywords: has-patch commit
Focuses: javascript
Cc:

Description

Since [37905] the REST API returns a fresh wp_rest nonce in the headers of (authenticated) requests. The JavaScript client uses nonces for (cookie based) authenticated requests and should keep its internal nonce up to date with the returned nonce. This will be especially useful for long-running JavaScript applications that need to make authenticated requests.

Attachments (3)

40422.diff (2.9 KB) - added by adamsilverstein 3 years ago.
40422.2.diff (2.8 KB) - added by adamsilverstein 3 years ago.
40422.3.diff (2.9 KB) - added by adamsilverstein 3 years ago.

Change History (18)

#1 @adamsilverstein
3 years ago

In 40422.diff:

  • Track nonce at the endpoint level.
  • Update nonce when a new nonce is returned.

#2 follow-up: @rmccue
3 years ago

This is useful if you're sending API endpoint requests constantly, but not if you just leave the tab open in the background, which still needs heartbeat.

(Also, your patch still has a console.log call in it. :) )

#3 @adamsilverstein
3 years ago

  • Milestone changed from Awaiting Review to 4.8

In 40422.2.diff, removed the console log.

#4 in reply to: ↑ 2 @adamsilverstein
3 years ago

Replying to rmccue:

> This is useful if you're sending API endpoint requests constantly, but not if you just leave the tab open in the background, which still needs heartbeat.

Right, it is up to the developer to decide to poll the API, this just picks up the refreshed nonce if available.

> (Also, your patch still has a console.log call in it. :) )

removed :)

This ticket was mentioned in Slack in #core by obenland.


3 years ago

#7 @obenland
3 years ago

  • Milestone changed from 4.8 to Future Release

#8 @adamsilverstein
3 years ago

  • Type changed from defect (bug) to enhancement

#9 @adamsilverstein
3 years ago

  • Keywords has-patch needs-testing added; needs-patch removed
  • Owner set to adamsilverstein
  • Status changed from new to assigned

This should be good to go early in 4.9, could use some additional testing for validation.

This ticket was mentioned in Slack in #core-restapi by rmccue.


3 years ago

This ticket was mentioned in Slack in #core by adamsilverstein.


3 years ago

#12 @adamsilverstein
3 years ago

  • Milestone changed from Future Release to 4.9

This ticket was mentioned in Slack in #core-restapi by rmccue.


3 years ago

#14 @adamsilverstein
3 years ago

  • Keywords commit added; needs-testing removed

#15 @adamsilverstein
3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 41553:

REST API JS Client: Improve nonce handling, refresh stale nonce on sync.

Keep the nonce used for cookie based authentication fresh by pulling in and using any new nonce supplied in the response headers.

  • Enable passing nonce to init so each api/endpoint can use a unique nonce.
  • Store nonce for endpoint on endpointModel.
  • New model helper nonce() retrieves a model's routeModel nonce.
  • When a response header contains a nonce that doesn't match the stored nonce, replace it.

Fixes #40422.
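
The nonce handling this changeset describes, as an added example that is not the wp-api.js code from the commit: a nonce is kept per API root, sent with each request, and replaced when a response header carries a different one. `X-WP-Nonce` is the header WordPress's REST API uses for cookie authentication; `NonceStore`, `absorb`, `apiFetch` and `fakeHeaders` are hypothetical names, and the sample values are constructed.

```javascript
// Added example: per-API-root nonce tracking for cookie-authenticated REST calls.
// NonceStore, absorb(), apiFetch() and fakeHeaders() are hypothetical names.
const NONCE_HEADER = 'X-WP-Nonce';

class NonceStore {
  constructor() { this.byRoot = new Map(); }

  // Seed the nonce for one API root, so each api/endpoint can use its own.
  init(apiRoot, nonce) { this.byRoot.set(apiRoot, nonce); }

  get(apiRoot) { return this.byRoot.get(apiRoot) || ''; }

  // Headers for an outgoing request; no nonce header when none is known.
  requestHeaders(apiRoot) {
    const nonce = this.get(apiRoot);
    return nonce ? { [NONCE_HEADER]: nonce } : {};
  }

  // Replace the stored nonce only when the response carries a non-empty
  // nonce that differs from the stored one. Returns true on replacement.
  absorb(apiRoot, responseHeaders) {
    const returned = responseHeaders.get(NONCE_HEADER);
    if (!returned || returned === this.get(apiRoot)) return false;
    this.byRoot.set(apiRoot, returned);
    return true;
  }
}

// Wrapper around a fetch-compatible function. credentials: 'same-origin'
// sends the login cookie; the nonce header is checked alongside it.
async function apiFetch(store, apiRoot, path, options = {}, fetchImpl = fetch) {
  const headers = { ...(options.headers || {}), ...store.requestHeaders(apiRoot) };
  const res = await fetchImpl(apiRoot + path, { ...options, headers, credentials: 'same-origin' });
  store.absorb(apiRoot, res.headers); // pick up a refreshed nonce, if any
  return res;
}

// Constructed stand-in for a response's headers (case-insensitive lookup).
function fakeHeaders(obj) {
  const lower = Object.fromEntries(
    Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
  return { get: (name) => lower[name.toLowerCase()] ?? null };
}
```

As noted in the thread, this only refreshes the nonce when requests are actually made; an idle tab receives no responses and so no new nonce.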