WordPress.org

Make WordPress Core

Opened 10 months ago

Closed 5 months ago

#40422 closed enhancement (fixed)

REST API JavaScript Client: refresh nonce when a new nonce is available

Reported by: adamsilverstein
Owned by: adamsilverstein
Milestone: 4.9
Priority: normal
Severity: normal
Version: 4.7
Component: REST API
Keywords: has-patch commit
Focuses: javascript
Cc:

Description

Since [37905] the REST API returns a fresh wp_rest nonce in the headers of (authenticated) requests. The JavaScript client uses nonces for (cookie based) authenticated requests and should keep its internal nonce up to date with the returned nonce. This will be especially useful for long-running JavaScript applications that need to make authenticated requests.

Attachments (3)

40422.diff (2.9 KB) - added by adamsilverstein 10 months ago.
40422.2.diff (2.8 KB) - added by adamsilverstein 10 months ago.
40422.3.diff (2.9 KB) - added by adamsilverstein 5 months ago.


Change History (18)

#1 @adamsilverstein
10 months ago

In 40422.diff:

  • Track nonce at the endpoint level.
  • Update nonce when a new nonce is returned.

#2 follow-up: @rmccue
10 months ago

This is useful if you're sending API endpoint requests constantly, but not if you just leave the tab open in the background, which still needs heartbeat.

(Also, your patch still has a console.log call in it. :) )

#3 @adamsilverstein
10 months ago

  • Milestone changed from Awaiting Review to 4.8

In 40422.2.diff, removed the console log.

#4 in reply to: ↑ 2 @adamsilverstein
10 months ago

Replying to rmccue:

> This is useful if you're sending API endpoint requests constantly, but not if you just leave the tab open in the background, which still needs heartbeat.

Right, it is up to the developer to decide to poll the API, this just picks up the refreshed nonce if available.

> (Also, your patch still has a console.log call in it. :) )

removed :)

This ticket was mentioned in Slack in #core by obenland.


9 months ago

#7 @obenland
9 months ago

  • Milestone changed from 4.8 to Future Release

#8 @adamsilverstein
9 months ago

  • Type changed from defect (bug) to enhancement

#9 @adamsilverstein
9 months ago

  • Keywords has-patch needs-testing added; needs-patch removed
  • Owner set to adamsilverstein
  • Status changed from new to assigned

This should be good to go early in 4.9, could use some additional testing for validation.

This ticket was mentioned in Slack in #core-restapi by rmccue.


9 months ago

This ticket was mentioned in Slack in #core by adamsilverstein.


7 months ago

#12 @adamsilverstein
7 months ago

  • Milestone changed from Future Release to 4.9

This ticket was mentioned in Slack in #core-restapi by rmccue.


7 months ago

#14 @adamsilverstein
5 months ago

  • Keywords commit added; needs-testing removed

#15 @adamsilverstein
5 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 41553:

REST API JS Client: Improve nonce handling, refresh stale nonce on sync.

Keep the nonce used for cookie based authentication fresh by pulling in and using any new nonce supplied in the response headers.

  • Enable passing nonce to init so each api/endpoint can use a unique nonce.
  • Store nonce for endpoint on endpointModel.
  • New model helper nonce() retrieves a model's routeModel nonce.
  • When a response header contains a nonce that doesn't match the stored nonce, replace it.

Fixes #40422.
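
The nonce handling listed in the commit message above, as an added example that is not the code committed in 41553: a per-API-root tracker with a request hook that attaches the stored nonce and a response hook that replaces it when the server returns a different one. `NonceTracker`, `fakeXhr`, `runDemo`, the URLs and the nonce values are constructed for illustration; `X-WP-Nonce` is the header WordPress uses to carry the wp_rest nonce.

```javascript
// Added example: NonceTracker, fakeXhr, runDemo and all sample values are constructed.
const NONCE_HEADER = 'X-WP-Nonce'; // header WordPress uses for the wp_rest nonce

class NonceTracker {
  constructor() { this.nonces = new Map(); } // API root -> current nonce
  // Seed one API root with the nonce that was printed into the page.
  init(apiRoot, nonce) { this.nonces.set(apiRoot, nonce); }
  nonce(apiRoot) { return this.nonces.get(apiRoot) || ''; }

  // Request hook: attach the stored nonce for this API root, if there is one.
  beforeSend(apiRoot, xhr) {
    const nonce = this.nonce(apiRoot);
    if (nonce) xhr.setRequestHeader(NONCE_HEADER, nonce);
  }

  // Response hook: replace the stored nonce only when the response carries
  // one and it differs. Returns true when a replacement happened.
  complete(apiRoot, xhr) {
    const returned = xhr.getResponseHeader(NONCE_HEADER);
    if (!returned || returned === this.nonce(apiRoot)) return false;
    this.nonces.set(apiRoot, returned);
    return true;
  }
}

// Constructed stand-in for an XHR object: records request headers and
// serves canned response headers, so the example runs offline.
function fakeXhr(responseHeaders) {
  const sent = {};
  return {
    sent,
    setRequestHeader(name, value) { sent[name] = value; },
    getResponseHeader(name) { return name in responseHeaders ? responseHeaders[name] : null; },
  };
}

function runDemo() {
  const [siteA, siteB] = ['https://a.example.test/wp-json/', 'https://b.example.test/wp-json/'];
  const tracker = new NonceTracker();
  tracker.init(siteA, 'aaaa111111');
  tracker.init(siteB, 'bbbb222222');
  const first = fakeXhr({ [NONCE_HEADER]: 'cccc333333' }); // server rotated the nonce
  tracker.beforeSend(siteA, first);
  const replaced = tracker.complete(siteA, first);
  const second = fakeXhr({}); // response without a nonce header
  tracker.beforeSend(siteA, second);
  const keptOnMissing = !tracker.complete(siteA, second);
  return { firstSent: first.sent[NONCE_HEADER], replaced, secondSent: second.sent[NONCE_HEADER],
           keptOnMissing, siteA: tracker.nonce(siteA), siteB: tracker.nonce(siteB) };
}
```

The second request goes out with the refreshed value, a response without the header leaves the stored nonce in place, and the other API root's nonce is never touched.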
