rest_cookie_check_errors( WP_Error|mixed $result ): WP_Error|mixed|bool

Checks for errors when using cookie-based authentication.

Description

WordPress' built-in cookie authentication is always active for logged-in users. However, the REST API has to check a nonce on each cookie-authenticated request to ensure users are not vulnerable to CSRF: the browser attaches the login cookie to any request aimed at the site, including requests triggered from a third-party page, so the cookie alone does not prove that the user intended the request. The nonce is read from the _wpnonce request parameter or the X-WP-Nonce header. A request that carries no nonce is not rejected but is treated as unauthenticated (the current user is reset to 0); a request whose nonce fails verification is rejected with a 403 error.

Parameters

$result WP_Error|mixed required
Error from another authentication handler, null if this handler should run, or another non-empty value if authentication has already been resolved elsewhere.

Return

WP_Error|mixed|bool $result unchanged if it is already non-empty or if a different authentication method (not the cookie) was used; a WP_Error with status 403 if the nonce fails verification; otherwise true (also when no nonce was sent at all, in which case the current user has been reset to 0).

Source

function rest_cookie_check_errors( $result ) {
	if ( ! empty( $result ) ) {
		return $result;
	}

	global $wp_rest_auth_cookie;

	/*
	 * Is cookie authentication being used? (If we get an auth
	 * error, but we're still logged in, another authentication
	 * must have been used).
	 */
	if ( true !== $wp_rest_auth_cookie && is_user_logged_in() ) {
		return $result;
	}

	// Determine if there is a nonce.
	$nonce = null;

	if ( isset( $_REQUEST['_wpnonce'] ) ) {
		$nonce = $_REQUEST['_wpnonce'];
	} elseif ( isset( $_SERVER['HTTP_X_WP_NONCE'] ) ) {
		$nonce = $_SERVER['HTTP_X_WP_NONCE'];
	}

	if ( null === $nonce ) {
		// No nonce at all, so act as if it's an unauthenticated request.
		wp_set_current_user( 0 );
		return true;
	}

	// Check the nonce.
	$result = wp_verify_nonce( $nonce, 'wp_rest' );

	if ( ! $result ) {
		// Make sure the 403 response is not cached by intermediaries.
		add_filter( 'rest_send_nocache_headers', '__return_true', 20 );
		return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie check failed' ), array( 'status' => 403 ) );
	}

	// Send a refreshed nonce in header.
	rest_get_server()->send_header( 'X-WP-Nonce', wp_create_nonce( 'wp_rest' ) );

	return true;
}
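As an added example (not code from this page or from WordPress core), the following plugin snippet shows how the description and the source above play out end to end: the server hands the page a 'wp_rest' nonce, the browser sends it back in the X-WP-Nonce header next to the login cookie and adopts the refreshed nonce from each response, and a route's permission_callback only succeeds when that check has left the user logged in. Core attaches rest_cookie_check_errors() to the rest_authentication_errors filter, so it runs before any route's permission_callback. The script handle example-rest-client, the JavaScript global exampleRest, the route example/v1/secret and the function exampleFetchSecret are hypothetical names chosen for the example.

```php
<?php
/**
 * Added example; not part of WordPress core or of this reference page.
 * Assumes it is loaded as a plugin on a WordPress site. The script
 * handle, the JS global, the route and the function name are hypothetical.
 */

// 1. Server side: give the page a 'wp_rest' nonce it can send back later.
add_action( 'wp_enqueue_scripts', function () {
	// A src-less handle only carries the inline script registered below.
	wp_register_script( 'example-rest-client', false, array(), '1.0.0', true );
	wp_enqueue_script( 'example-rest-client' );

	// The nonce is bound to the current user's session and, by default,
	// accepted for up to 24 hours (filterable via 'nonce_life').
	wp_localize_script(
		'example-rest-client',
		'exampleRest',
		array(
			'root'  => esc_url_raw( rest_url() ),
			'nonce' => wp_create_nonce( 'wp_rest' ),
		)
	);

	// 2. Client side: send the nonce with every request and keep it fresh.
	$client = <<<'JS'
(function () {
	var state = { nonce: exampleRest.nonce };

	window.exampleFetchSecret = function () {
		return fetch(exampleRest.root + 'example/v1/secret', {
			credentials: 'same-origin',              // attach the login cookie
			headers: { 'X-WP-Nonce': state.nonce }   // prove this page made the call
		}).then(function (res) {
			// rest_cookie_check_errors() sends a refreshed nonce on every response
			// that passed the check; adopt it so long-lived pages keep working.
			var fresh = res.headers.get('X-WP-Nonce');
			if (fresh) { state.nonce = fresh; }

			if (res.status === 403) {
				// Typically code === 'rest_cookie_invalid_nonce': the nonce expired or
				// belongs to another session. Reload to get a new one; do not retry blindly.
				return res.json().then(function (err) { throw new Error(err.code); });
			}
			return res.json();
		});
	};
})();
JS;
	wp_add_inline_script( 'example-rest-client', $client );
} );

// 3. A route that must only work for users who can edit posts.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/secret', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => function ( WP_REST_Request $request ) {
			return rest_ensure_response( array( 'user' => get_current_user_id() ) );
		},
		// rest_cookie_check_errors() has already run via the
		// rest_authentication_errors filter. A cross-site request carries the
		// victim's cookie but no nonce, so the user was reset to 0 and this
		// check fails; a wrong nonce never reaches this point (403 earlier).
		'permission_callback' => function () {
			return current_user_can( 'edit_posts' );
		},
	) );
} );
```

The permission callback is where the CSRF protection becomes visible: a forged cross-site GET to example/v1/secret arrives with the victim's cookie but without the nonce, so by the time current_user_can() runs the request is anonymous and is refused, even though the same browser would be accepted when the page's own script adds the X-WP-Nonce header.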

Changelog

Version Description
4.4.0 Introduced.
