-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Try: Return error when session is missing for REST nonce refresh #67812
base: trunk
Are you sure you want to change the base?
Conversation
I'm a bit wary about making these changes. All the logged-in/authentication functions are "pluggable" (replaceable). There may be other authentication methods implemented on some sites that may be using other/different cookies or not using cookies at all. Seems that directly using wp_get_session_token() which uses wp_parse_auth_cookie() under the hood may not work properly in these cases. Seems ideally this should be using is_user_logged_in()? If it doesn't work as expected it should be fixed, see: #13509 (comment). |
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Unlinked AccountsThe following contributors have not linked their GitHub and WordPress.org accounts: @jonnynews. Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases. If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.
To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
function gutenberg_ajax_rest_nonce() { | ||
$token = wp_get_session_token(); | ||
if ( empty( $token ) ) { | ||
wp_send_json_error( null, rest_authorization_required_code() ); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wp_send_json_error( null, rest_authorization_required_code() ); | |
$error = new WP_Error( | |
'rest_unable_get_access_token', | |
__( 'Sorry, unable to get session token.' ), | |
array( 'status' => rest_authorization_required_code() ) | |
); | |
wp_die( $error ); |
I love to see a wp_die and wp_error combo here. wp_die is clever enough to use _ajax_wp_die_handler if it is admin ajax request.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I love to see a...
Any particular reason why this piece of code should be different/inconsistent with most other AJAX responses from admin-ajax? Don't think introducing inconsistencies is a good idea, sorry :)
Also, as mentioned above I think this code may introduce edge cases as it is only checking the default cookies and not using the proper functionality to determine if a user is logged in?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The wp_send_json_error
uses wp_die
internally.
See: https://developer.wordpress.org/reference/functions/wp_send_json/.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, let me reformulate the question: why not use wp_send_json_error() as most other WP code but use wp_die() directly with a new WP_Error
instance? What advantages does that bring? Are the advantages worth it the change/inconsistency? (And other in the same line of thought) :)
BTW if a new WP_Error
instance is needed for some reason it seems it can be passed to wp_send_json_error()
.
@Mamaduka Thanks for your response on the issue. Thinking perhaps is may be better to continue here as this is mostly implementation related. Feel free to move this back to the issue if needed :) I haven't looked at this in a while too, may be missing something. Sue, lets look at this step by step. The
My concern here is how would the code in this PR work in the cases where a WP user has logged in with an application password (i.e. using their Google, Apple, etc. password). Also thinking it would be really good to add some tests for that :) |
@azaozz, thanks for the feedback. I'm also hesitant to touch the existing logic for I've got an alternative solution that relies less on implementation details. The AJAX action will try to verify the refreshed nonce immediately and return an error if verification is unsuccessful. See the proposed patch below.
If I remember correctly, application password auths don't rely on cookie auth for REST API and roll out their solutions. Again, I've not touched this area in a while, so I might be wrong :) diff --git lib/compat/wordpress-6.8/ajax-actions.php lib/compat/wordpress-6.8/ajax-actions.php
index 24388b7f3b9..e7f827c1104 100644
--- lib/compat/wordpress-6.8/ajax-actions.php
+++ lib/compat/wordpress-6.8/ajax-actions.php
@@ -9,14 +9,15 @@
* Handles renewing the REST API nonce via AJAX.
*
* @since 5.3.0
- * @since 6.8.0 Returns error when session token is missing.
+ * @since 6.8.0 Returns an error if a refreshed nonce isn't valid.
*/
function gutenberg_ajax_rest_nonce() {
- $token = wp_get_session_token();
- if ( empty( $token ) ) {
+ $nonce = wp_create_nonce( 'wp_rest' );
+ $result = wp_verify_nonce( $nonce, 'wp_rest' );
+ if ( ! $result ) {
wp_send_json_error( null, rest_authorization_required_code() );
}
- exit( wp_create_nonce( 'wp_rest' ) );
+ exit( $nonce );
}
add_action( 'wp_ajax_rest-nonce', 'gutenberg_ajax_rest_nonce', 0 ); |
I haven't done testing here, but I really like the elegance of this solution. |
9a4c70b
to
23b50f3
Compare
Applied my proposal #67812 (comment), but for some reason, it doesn't work in practice. The same nonce correctly fails verification in This can be reproduced by doing step 4 from the testing instructions and then using the following snippet: add_action( 'init', function() {
$nonce = wp_create_nonce( 'wp_rest' );
$result = wp_verify_nonce( $nonce, 'wp_rest' );
wp_die( $result );
} ); |
23b50f3
to
ad8c299
Compare
Flaky tests detected in ad8c299. 🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/12784216313
|
What?
Fixes #36118.
Fixes #42400.
This PR updates the
apiFetch
nonce endpoint to return an error when the session token is missing. It also avoids infinite loops when apiFetch tries to refresh the nonces.Why?
The endpoint always refreshes to nonce even when the session has expired. The
wp_create_nonce
doesn't do any validation and always returns a token value.Testing Instructions
wordpress_logged_in_*
cookie via DevTools.Testing Instructions for Keyboard
Same.
Screenshots or screencast