[wp-trac] [WordPress Trac] #37569: REST API: refresh expired nonces
WordPress Trac
noreply at wordpress.org
Tue Oct 17 09:14:50 UTC 2017
#37569: REST API: refresh expired nonces
-----------------------------------------------+---------------------------
Reporter: iseulde                              | Owner:
Type: enhancement                              | Status: new
Priority: normal                               | Milestone: Future Release
Component: REST API                            | Version: 4.4
Severity: normal                               | Resolution:
Keywords: needs-docs dev-feedback has-patch    | Focuses:
-----------------------------------------------+---------------------------
Comment (by iseulde):
I have some concerns with the latest patch.
It still doesn't solve anything for an expired nonce, as there's a nonce
check...
As mentioned in [https://core.trac.wordpress.org/timeline?from=2017-04-12T16%3A59%3A59Z&precision=second a previous comment], I'm not sure if it's a good idea to roll this into the Heartbeat API. The API client might be a better place for it.

[https://github.com/WordPress/gutenberg/pull/3006#issuecomment-337164660 A possible approach] could be to create [https://core.trac.wordpress.org/timeline?from=2016-08-04T12%3A17%3A50Z&precision=second a separate endpoint] for cookie auth only, either on the REST API root, or admin-ajax.php. I feel that setting it on the root would make it more official for other clients to adopt. With this endpoint, the client could get a new nonce if a request fails because of an invalid nonce. No need for Heartbeat. With this new nonce, the client should resend the same request (as if nothing happened). To the user of this API, the resolution of the promise will just take a bit longer, but it doesn't need to do anything.

A long time ago, I had to do something [https://github.com/iseulde/wp-front-end-editor/blob/5f790ef58dc6382ba42e4a5eb9202b22f9d710c4/js/fee.js#L13-L43 similar] for a plugin.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37569#comment:24>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
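The refresh-and-resend flow proposed in the comment above, as an added JavaScript example that is not code from the ticket, the linked plugin or WordPress core. `NONCE_ENDPOINT` is a hypothetical route (no such core endpoint exists at the time of this ticket) assumed to return `{"nonce": "..."}` to a cookie-authenticated user; the `X-WP-Nonce` header and the `rest_cookie_invalid_nonce` error code are the ones WordPress core uses for cookie authentication. The client retries exactly once, so a nonce endpoint that keeps handing out a rejected nonce cannot cause a loop, and a 403 that is not a nonce error is returned to the caller untouched.

```javascript
// Added example, not code from the ticket or from WordPress core.
// NONCE_ENDPOINT is a hypothetical route returning {"nonce": "..."} to a
// cookie-authenticated user; X-WP-Nonce / rest_cookie_invalid_nonce are real.
const NONCE_ENDPOINT = '/wp-json/wp/v2/nonce'; // hypothetical route

// fetchImpl is injected (window.fetch in a browser, a stub in tests).
function createNonceClient(fetchImpl, initialNonce) {
  let nonce = initialNonce;

  // Ask the server for a fresh nonce; the cookie alone authenticates this call.
  async function refreshNonce() {
    const res = await fetchImpl(NONCE_ENDPOINT, { credentials: 'same-origin' });
    if (!res.ok) throw new Error('nonce refresh failed with HTTP ' + res.status);
    const body = await res.json();
    if (typeof body.nonce !== 'string' || body.nonce === '') {
      throw new Error('nonce refresh returned no nonce');
    }
    nonce = body.nonce;
    return nonce;
  }

  // Only a 403 carrying WordPress's nonce error code triggers a refresh;
  // other 403s (capability checks) are handed back to the caller as-is.
  async function isInvalidNonce(res) {
    if (res.status !== 403) return false;
    try {
      const body = await res.clone().json();
      return Boolean(body) && body.code === 'rest_cookie_invalid_nonce';
    } catch (e) {
      return false;
    }
  }

  // Send with the current nonce; on a nonce failure refresh once and resend
  // the identical request, so the caller's promise just takes a bit longer.
  // `retried` guarantees a single retry, never a loop.
  async function request(url, options = {}, retried = false) {
    const headers = Object.assign({}, options.headers, { 'X-WP-Nonce': nonce });
    const res = await fetchImpl(url,
      Object.assign({}, options, { headers, credentials: 'same-origin' }));
    if (!retried && (await isInvalidNonce(res))) {
      await refreshNonce();
      return request(url, options, true);
    }
    return res;
  }

  return { request, refreshNonce, getNonce: () => nonce };
}
```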