[wp-trac] [WordPress Trac] #37569: REST API: refresh expired nonces

WordPress Trac noreply at wordpress.org
Tue Oct 17 09:14:50 UTC 2017


#37569: REST API: refresh expired nonces
-----------------------------------------------+---------------------------
 Reporter:  iseulde                            |       Owner:
     Type:  enhancement                        |      Status:  new
 Priority:  normal                             |   Milestone:  Future
Component:  REST API                           |  Release
 Severity:  normal                             |     Version:  4.4
 Keywords:  needs-docs dev-feedback has-patch  |  Resolution:
                                               |     Focuses:
-----------------------------------------------+---------------------------

Comment (by iseulde):

 I have some concerns with the latest patch.

 It still doesn't solve anything for an expired nonce, as there's a nonce
 check...

 As mentioned in
 [https://core.trac.wordpress.org/timeline?from=2017-04-12T16%3A59%3A59Z&precision=second
 a previous comment], I'm not sure if it's a good idea to roll this into
 the Heartbeat API. The API client might be a better place for it.
 [https://github.com/WordPress/gutenberg/pull/3006#issuecomment-337164660 A
 possible approach] could be to create
 [https://core.trac.wordpress.org/timeline?from=2016-08-04T12%3A17%3A50Z&precision=second
 a separate endpoint] for cookie auth only, either on the REST API root, or
 admin-ajax.php. I feel that setting it on the root would make it more
 official for other clients to adopt. With this endpoint, the client could
 get a new nonce if a request fails because of an invalid nonce. No need
 for Heartbeat. With this new nonce, the client should resend the same
 request (as if nothing happened). To the user of this API, the resolution
 of the promise will just take a bit longer, but it doesn't need to do
 anything.

 A long time ago, I had to do something [https://github.com/iseulde/wp-
 front-end-
 editor/blob/5f790ef58dc6382ba42e4a5eb9202b22f9d710c4/js/fee.js#L13-L43
 similar] for a plugin.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/37569#comment:24>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
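The refresh-and-replay flow sketched in the comment above, as an added example in JavaScript (this is illustration code, not code from the ticket, its patch, Gutenberg, or WordPress core). The nonce endpoint path `/wp-json/nonce`, the in-memory fake server, and the helper names are assumptions made here; the 403 response carrying `code: "rest_cookie_invalid_nonce"` matches what core's cookie-auth check returns for a stale `X-WP-Nonce`. The client refreshes the nonce only for that specific error, replays the original request exactly once, and hands any other failure back to the caller unchanged, so the caller's promise simply resolves a little later.

```javascript
// Added example: REST client wrapper that refreshes an expired cookie nonce
// and transparently replays the failed request once. NONCE_URL is an
// ASSUMPTION standing in for the cookie-auth-only endpoint proposed in the
// ticket; WordPress core does not ship it under this path.
const NONCE_URL = '/wp-json/nonce';

// Constructed fake backend so the example runs offline. It checks X-WP-Nonce
// the way core's rest_cookie_check_errors() does and can rotate the nonce to
// simulate its lifetime (12 to 24 hours in WordPress) elapsing.
function createFakeServer(initialNonce) {
  let currentNonce = initialNonce;
  let generation = 1;
  let requestsSeen = 0;
  const forbidden = new Set();
  const json = (status, body) => ({ status, ok: status >= 200 && status < 300, json: async () => body });

  const fetchImpl = async (url, init = {}) => {
    requestsSeen += 1;
    if (url === NONCE_URL) return json(200, { nonce: currentNonce }); // cookie auth only, no nonce needed
    const sent = (init.headers || {})['X-WP-Nonce'];
    if (sent !== currentNonce) {
      return json(403, { code: 'rest_cookie_invalid_nonce', message: 'Cookie nonce is invalid', data: { status: 403 } });
    }
    if (forbidden.has(url)) return json(403, { code: 'rest_forbidden', message: 'Sorry, you are not allowed to do that.', data: { status: 403 } });
    return json(200, { ok: true, method: init.method || 'GET', body: init.body });
  };
  return {
    fetchImpl,
    expireNonce: () => { generation += 1; currentNonce = 'nonce-' + generation; },
    forbidPath: (url) => forbidden.add(url),
    requestsSeen: () => requestsSeen,
  };
}

// The client. `fetchImpl` is injected so the same code works against the
// real window.fetch; `init.headers` is assumed to be a plain object and
// `init.body` a string (a stream body could not be replayed).
function createNonceRetryingClient({ fetchImpl, initialNonce }) {
  let nonce = initialNonce;

  async function refreshNonce() {
    const res = await fetchImpl(NONCE_URL, { credentials: 'same-origin' });
    if (!res.ok) throw new Error('nonce refresh failed: HTTP ' + res.status);
    nonce = (await res.json()).nonce;
    return nonce;
  }

  // Only a 403 whose body names the nonce error triggers a refresh; other
  // 403s (capability checks) are returned to the caller untouched.
  async function isInvalidNonce(res) {
    if (res.status !== 403) return false;
    const body = await (typeof res.clone === 'function' ? res.clone() : res).json();
    return body && body.code === 'rest_cookie_invalid_nonce';
  }

  async function request(url, init = {}) {
    const send = () => fetchImpl(url, {
      ...init,
      credentials: 'same-origin',
      headers: { ...(init.headers || {}), 'X-WP-Nonce': nonce },
    });
    let res = await send();
    if (await isInvalidNonce(res)) {
      await refreshNonce();
      res = await send(); // replay exactly once; a second failure is the caller's to handle
    }
    return res;
  }

  return { request, refreshNonce, currentNonce: () => nonce };
}

// Walk through: one normal write, the nonce expires, the next write is
// retried transparently, and an unrelated 403 is passed through untouched.
async function runDemo() {
  const server = createFakeServer('nonce-1');
  const client = createNonceRetryingClient({ fetchImpl: server.fetchImpl, initialNonce: 'nonce-1' });
  const url = '/wp-json/wp/v2/posts/1';

  const first = await client.request(url, { method: 'POST', body: JSON.stringify({ title: 'a' }) });
  server.expireNonce();
  const second = await client.request(url, { method: 'POST', body: JSON.stringify({ title: 'b' }) });
  server.forbidPath('/wp-json/wp/v2/users/1');
  const third = await client.request('/wp-json/wp/v2/users/1', { method: 'DELETE' });

  return {
    firstStatus: first.status,
    secondStatus: second.status,
    secondBody: await second.json(),
    thirdStatus: third.status,
    thirdCode: (await third.json()).code,
    requestsSeen: server.requestsSeen(), // 1 + (failed, refresh, replay) + 1 = 5
    nonce: client.currentNonce(),
  };
}

runDemo().then((r) => console.log(JSON.stringify(r)));
```

The single-retry rule matters: without it a server that keeps rejecting the nonce (a logged-out session, for instance) would loop forever, and the caller would never see the 403 it needs to show a login prompt.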

