[wp-trac] [WordPress Trac] #35662: Include a refreshed nonce when responding to an authenticated REST API response
WordPress Trac
noreply at wordpress.org
Wed Feb 24 01:00:09 UTC 2016
#35662: Include a refreshed nonce when responding to an authenticated REST API response
------------------------------------+------------------------
Reporter: adamsilverstein | Owner: rmccue
Type: enhancement | Status: reviewing
Priority: normal | Milestone: 4.5
Component: REST API | Version: 4.4
Severity: normal | Resolution:
Keywords: has-patch dev-feedback | Focuses:
------------------------------------+------------------------
Comment (by azaozz):
A few things:
- Generating nonces for non-logged in users is almost useless. There may
be edge cases where this could be used for something, but better to leave
that for plugins to enable/set.
- Currently the nonces code block is before the REST API enabled check so
it will return a nonce even when the API is disabled. This doesn't seem
right?
- Generating a nonce on every request (which will be the same for 12
hours) seems redundant. Perhaps it is better when a client looks for the
presence of a new nonce and replaces the current one? As mentioned in the
Slack chat, maybe add new nonce only when `wp_verify_nonce()` returns 2.
- Consider separating the filter parameters: `$nonce_is_valid` and
`user_logged_in` and maybe drop `$user_and_nonce`. Plugins don't need to
check again why `$user_and_nonce` is false.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35662#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
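The "add a new nonce only when `wp_verify_nonce()` returns 2" suggestion above, written out as an added example; this is not code from the ticket's patch or from WordPress core. The `rest_post_dispatch` filter, `wp_verify_nonce()`, `wp_create_nonce()` and the `wp_rest` nonce action are existing WordPress APIs; the function name and the `X-WP-Nonce-Refresh` response header are assumptions.

```php
<?php
/**
 * Added example, not WordPress core code: refresh the REST nonce only when
 * the nonce the client sent is in its second (final) tick.
 *
 * wp_verify_nonce() returns 1 for a nonce generated in the current 12-hour
 * tick, 2 for one generated in the previous tick (still valid, but it will
 * stop verifying at the next tick boundary), and false for anything else.
 * Hooking rest_post_dispatch also means nothing runs unless the REST API
 * actually served the request, which addresses the "before the enabled
 * check" point in the comment.
 */
add_filter( 'rest_post_dispatch', 'example_refresh_rest_nonce', 10, 3 );

function example_refresh_rest_nonce( $result, $server, $request ) {
	// Anonymous requests get no nonce at all; plugins can opt in separately.
	if ( ! is_user_logged_in() ) {
		return $result;
	}

	// Header lookup is case-insensitive in WP_REST_Request.
	$nonce = $request->get_header( 'X-WP-Nonce' );
	if ( empty( $nonce ) ) {
		return $result;
	}

	// Only 2 ("valid, but from the previous tick") warrants a replacement;
	// 1 means the client's nonce is fresh and resending it is redundant.
	if ( 2 === wp_verify_nonce( $nonce, 'wp_rest' ) ) {
		$result = rest_ensure_response( $result );
		// Hypothetical header name; a client replaces its stored nonce
		// whenever this header is present.
		$result->header( 'X-WP-Nonce-Refresh', wp_create_nonce( 'wp_rest' ) );
	}

	return $result;
}
```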