Opened 10 months ago

Closed 8 months ago

#46107 closed feature request (fixed)

Scripts: Assign api-fetch nonce with corrected rest_nonce

Reported by: aduth Owned by: aduth
Milestone: 5.2 Priority: high
Severity: normal Version: 5.1
Component: Script Loader Keywords: has-patch commit
Focuses: Cc:
PR Number:

Description

Previously: #45113

Related: https://github.com/WordPress/gutenberg/pull/13451

The above package change for @wordpress/api-fetch will have the effect both that api-fetch will not internally listen for heartbeat.tick actions, but also that the nonce used for requests can be assignable on the created middleware.

Thus, core could use this new mechanism to assign the nonce via an inline script on heartbeat tick, using the corrected rest_nonce property on a heartbeat response which had temporarily been patched in r43939 for the sake of api-fetch compatibility.

The release schedule of @wordpress/api-fetch would be such that it's expected this would need to be fixed in time for WordPress 5.2.

Attachments (3)

46107-update-api-fetch-nonce-assign.diff (1.8 KB) - added by aduth 10 months ago.
46107-update-api-fetch-nonce-assign-2.diff (1.8 KB) - added by aduth 10 months ago.
Add missing semi-colon
46107.diff (1.8 KB) - added by adamsilverstein 8 months ago.

Change History (9)

@aduth
10 months ago

Add missing semi-colon

#1 @adamsilverstein
9 months ago

  • Milestone changed from Awaiting Review to 5.2
  • Version set to 5.1

@aduth Looks good to me!

It would be good to have the expected nonce behavior covered in a test, do you know if we have that already?

#2 @aduth
9 months ago

> It would be good to have the expected nonce behavior covered in a test, do you know if we have that already?

I'm not aware of any. Is there precedent for how something like this would be tested? I could imagine one which tests that wp-hooks becomes added as a dependency of wp-api-fetch, but the main behavior here occurs in the browser in response to the heartbeat tick. Is that something which could be done in the QUnit tests? In Gutenberg, I could maybe imagine an end-to-end test forcing wp.heartbeat.connectNow and asserting in one way or another that the nonce used by the apiFetch middleware gets updated. Is there some equivalent we could implement in core? Maybe it ought to just be implemented in Gutenberg? Or as part of some future end-to-end tests implemented in core?

#3 @desrosj
8 months ago

  • Owner set to aduth
  • Priority changed from normal to high
  • Status changed from new to assigned

Spoke with @aduth. This is a must include for 5.2 and he plans on shepherding it.

#4 @adamsilverstein
8 months ago

  • Keywords commit added
  • Owner changed from aduth to adamsilverstein

#5 @adamsilverstein
8 months ago

  • Owner changed from adamsilverstein to aduth

#6 @aduth
8 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 44949:

Scripts: Assign api-fetch nonce with corrected rest_nonce.

As of @wordpress/api-fetch@3.0.0 (introduced in 44812), the apiFetch nonce middleware must have its nonce value assigned explicitly, and will no longer listen for heartbeat ticks automatically. This changeset adds an inline script for the default registration of the api-fetch script handle to assign the nonce value in response to the heartbeat action. In doing so, it removes the now-unused, misnamed rest-nonce property from the heartbeat response, whose original introduction served as temporary compatibility with earlier versions of @wordpress/api-fetch.

See https://github.com/WordPress/gutenberg/pull/13451
See #45113

Props adamsilverstein, nerrad.
Fixes #46107.
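
The wiring described in the changeset above, as an added example that is not the code committed in 44949 nor the api-fetch package's own source: the nonce middleware exposes an assignable `nonce`, and a `heartbeat.tick` action overwrites it only when the response carries `rest_nonce`. `createHooks`, `bindNonceRefresh`, `sentNonce` and the nonce strings are constructed for illustration, and `createNonceMiddleware` here is a simplified stand-in so the sketch runs offline under Node.

```javascript
// Simplified stand-ins (assumptions) for wp.hooks and the api-fetch nonce
// middleware, so the wiring runs offline under Node.
function createHooks() {
  const actions = {};
  return {
    addAction(name, namespace, callback) {
      (actions[name] = actions[name] || []).push(callback);
    },
    doAction(name, ...args) {
      (actions[name] || []).forEach((callback) => callback(...args));
    },
  };
}

function createNonceMiddleware(nonce) {
  function middleware(options, next) {
    const headers = Object.assign({}, options.headers);
    // Respect a caller-supplied nonce header, whatever its letter case.
    const hasNonce = Object.keys(headers).some(
      (key) => key.toLowerCase() === 'x-wp-nonce'
    );
    if (!hasNonce) {
      headers['X-WP-Nonce'] = middleware.nonce;
    }
    return next(Object.assign({}, options, { headers }));
  }
  middleware.nonce = nonce; // assignable, read again on every request
  return middleware;
}

// Refresh the nonce on each heartbeat tick, but only when the response
// carries a non-empty rest_nonce (the corrected property name).
function bindNonceRefresh(hooks, middleware) {
  hooks.addAction('heartbeat.tick', 'example/refresh-nonce', (response) => {
    if (response && typeof response.rest_nonce === 'string' && response.rest_nonce) {
      middleware.nonce = response.rest_nonce;
    }
  });
}

// Helper: the X-WP-Nonce value a request would be sent with.
function sentNonce(middleware, options = {}) {
  return middleware(options, (finalOptions) => finalOptions.headers['X-WP-Nonce']);
}

const hooks = createHooks();
const nonceMiddleware = createNonceMiddleware('constructed-nonce-1');
bindNonceRefresh(hooks, nonceMiddleware);
hooks.doAction('heartbeat.tick', { rest_nonce: 'constructed-nonce-2' });
console.log(sentNonce(nonceMiddleware));
```

Because the middleware reads `middleware.nonce` at request time, a long-lived editor session picks up the refreshed value without re-registering the middleware.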
