
API Fetch: Expose nonce on created middleware function #13451

Merged
aduth merged 1 commit into master from update/api-fetch-nonce-assign on Jan 25, 2019

Conversation

aduth
Member

@aduth aduth commented Jan 23, 2019

Related: https://core.trac.wordpress.org/ticket/45113#comment:11

This pull request stemmed from a simple desire to rename the rest-nonce heartbeat response value to the core-preferred rest_nonce. It subsequently turned into a bit more of a refactor of how this nonce is assigned and handled within the API fetch middleware.

The proposed changes here avoid having the API Fetch module having any awareness of heartbeat at all, instead using an inline script to create the heartbeat action handler, assigning to the newly-introduced middleware nonce property.

Note: This will require a change to the equivalent inline script handling in core. (patch)

Testing Instructions:

To simplify testing, I found it useful to create a simple plugin at wp-content/mu-plugins/nonce-duration.php to shorten the default lifetime of a nonce dramatically, since otherwise a new nonce won't be included by default with the heartbeat response:

<?php
/**
 * Plugin Name: Nonce Duration (testing only)
 * Description: Shortens the nonce lifetime so the heartbeat response includes a fresh nonce quickly.
 */

// Nonce lifetime in seconds; WordPress defaults to one day (DAY_IN_SECONDS).
add_filter( 'nonce_life', function() {
	return 5;
} );

Verify that a different nonce is used with API requests which are triggered at least 5 seconds apart with the above patch.
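The mechanism the description sketches, as an added example that is not code from @wordpress/api-fetch or WordPress core: the nonce middleware is a plain function that carries a mutable `nonce` property, an inline-script style handler assigns a fresh value from the heartbeat response (keyed `rest_nonce`, the name this PR moves to), and each request reads the property at call time, so the middleware itself knows nothing about heartbeat. The `createApiFetch` chain, the `createHooks` action bus and the `heartbeat.tick` action name are simplified stand-ins assumed for the demonstration, not the real apiFetch or wp.hooks APIs; the nonce values and the heartbeat payloads are constructed.

```javascript
// Added example, not code from @wordpress/api-fetch or WordPress core: a minimal
// model of the pattern this PR introduces. The nonce middleware is a plain function
// carrying a mutable `nonce` property; a heartbeat handler (simulated) assigns a
// fresh value, and each request reads the property at call time, so the middleware
// itself has no knowledge of heartbeat.

// Returns a middleware that adds the current nonce as an X-WP-Nonce header.
function createNonceMiddleware(nonce) {
  function middleware(options, next) {
    // Read middleware.nonce at request time, not the closure argument, so a
    // reassignment of the property is picked up by the very next request.
    const headers = Object.assign({}, options.headers, { 'X-WP-Nonce': middleware.nonce });
    return next(Object.assign({}, options, { headers }));
  }
  middleware.nonce = nonce;
  return middleware;
}

// Minimal stand-in (assumed shape) for apiFetch()/apiFetch.use(): runs the
// registered middlewares in order, ending at `transport` (window.fetch in a browser).
function createApiFetch(transport) {
  const middlewares = [];
  function apiFetch(options) {
    const step = (i) => (opts) =>
      i < middlewares.length ? middlewares[i](opts, step(i + 1)) : transport(opts);
    return step(0)(options);
  }
  apiFetch.use = (middleware) => middlewares.push(middleware);
  return apiFetch;
}

// Minimal stand-in (assumed shape) for the wp.hooks action API.
function createHooks() {
  const actions = {};
  return {
    addAction: (name, handler) => (actions[name] = actions[name] || []).push(handler),
    doAction: (name, ...args) => (actions[name] || []).forEach((h) => h(...args)),
  };
}

// Wires the pieces together the way the inline script described in the PR does,
// then simulates two heartbeat ticks. Returns the X-WP-Nonce value sent per request.
function demoNonceRotation() {
  const sent = [];
  const apiFetch = createApiFetch((opts) => {
    sent.push(opts.headers['X-WP-Nonce']);
    return { ok: true };
  });

  const nonceMiddleware = createNonceMiddleware('nonce-1'); // constructed initial nonce
  apiFetch.use(nonceMiddleware);

  const hooks = createHooks();
  // Only reassign when the response carries `rest_nonce`: per the PR's testing
  // notes, heartbeat includes a new nonce only as the current one ages, so most
  // ticks omit the key entirely and must not clobber the working nonce.
  hooks.addAction('heartbeat.tick', (response) => {
    if (response && typeof response.rest_nonce === 'string' && response.rest_nonce) {
      nonceMiddleware.nonce = response.rest_nonce;
    }
  });

  apiFetch({ path: '/wp/v2/posts' });
  hooks.doAction('heartbeat.tick', {});                        // tick without a new nonce
  apiFetch({ path: '/wp/v2/posts' });
  hooks.doAction('heartbeat.tick', { rest_nonce: 'nonce-2' }); // constructed rotated nonce
  apiFetch({ path: '/wp/v2/posts' });
  return sent;
}
```

The point to check when reviewing a real deployment of this pattern is the guard in the tick handler: because the property is overwritten in place, an empty or missing `rest_nonce` must leave the existing value alone, otherwise every request after a quiet heartbeat tick would be sent without a nonce and rejected by the REST API.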

@aduth aduth added the [Package] API fetch /packages/api-fetch label Jan 23, 2019
@aduth aduth requested review from youknowriad, dd32 and nerrad January 23, 2019 22:00
@@ -185,10 +185,29 @@ function gutenberg_register_scripts_and_styles() {
gutenberg_register_packages_scripts();

// Inline scripts.
global $wp_scripts;
$wp_scripts->registered['wp-api-fetch']->deps[] = 'wp-hooks';
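Review bot: `$wp_scripts->registered['wp-api-fetch']->deps[] = 'wp-hooks';` dereferences the registered script entry without first checking that the `wp-api-fetch` handle exists, so if `gutenberg_register_packages_scripts()` ever stops registering it, or a plugin deregisters it earlier in the same request, this line emits an undefined-index notice and then tries to write a property on a non-object. Guard it with `isset( $wp_scripts->registered['wp-api-fetch'] )` or `wp_script_is( 'wp-api-fetch', 'registered' )` before appending the dependency, and add a short comment explaining why the inline script needs `wp-hooks` even though the handle itself does not declare it.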
@aduth aduth (Member Author) Jan 23, 2019
This is a bit awkward in that the inline script has a dependency which the handle upon which it's attached does not. There's a pretty strong guarantee from the preceding lines that this would be registered, but it might be a good idea to have some protections here all the same, either with isset or by wp_script_is.

We could also just have wp-api-fetch continue to depend on wp-hooks, but I assumed that in the future we might want to have it so that dependencies in core are automatically generated from the packages. Maybe this is thinking too far ahead, or maybe we'd want some filtering to apply to that generated result anyways.

Contributor

Likely not an issue, but I wonder if removing the dependency on wp-hooks from api-fetch runs the risk of breaking plugins that have created a dependency on api-fetch on the assumption it will also queue up wp-hooks. One could argue that's doing it wrong anyway, but I mentioned it anyway just for consideration.

Member Author

We can't realistically hold ourselves hostage to never changing the dependencies of a core script because people aren't declaring their own dependencies correctly 🤷‍♂️

Member Author

There's a pretty strong guarantee from the preceding lines that this would be registered, but it might be a good idea to have some protections here all the same, either with isset or by wp_script_is.

I decided to be cautious and add a guarded condition in the rebased 65675b4.

@nerrad nerrad (Contributor) left a comment

Looks good to me (note I just reviewed, did not test).

@youknowriad youknowriad (Contributor)

I like the simplicity of this approach.

@aduth aduth (Member Author) commented Jan 25, 2019

@aduth aduth force-pushed the update/api-fetch-nonce-assign branch from c133d12 to 65675b4 Compare January 25, 2019 16:57
@aduth aduth merged commit d28b228 into master Jan 25, 2019
@aduth aduth deleted the update/api-fetch-nonce-assign branch January 25, 2019 17:25
@youknowriad youknowriad added this to the 5.0 (Gutenberg) milestone Jan 25, 2019
daniloercoli added a commit that referenced this pull request Jan 26, 2019
…rnmobile/372-enter-key-detection-to-title

* 'master' of https://github.com/WordPress/gutenberg: (29 commits)
  Update for RangeControl documentation (#12564)
  Plugin: Deprecate gutenberg_load_list_reusable_blocks (#13456)
  Update the columns attribute in onSelectImages so that if images are removed via the media modal, the columns can't be higher than the new number of images (#13488)
  Replace the fullscreen "exit" icon with a back arrow (#13403)
  Include :visited links in button color (#12183)
  Amazon Kindle block (#13510)
  Plugin: Deprecate gutenberg_prepare_blocks_for_js (#13457)
  Add watcher on Linux: change fs to node-watch (#13448)
  Plugin: Deprecate `gutenberg` theme support (#13458)
  Datepicker: Add inValidDay support (#12962)
  Block Switcher: Render disabled button even if multi-selection (#13431)
  Plugin: Deprecate gutenberg_register_post_types (#13468)
  Plugin: Deprecate register_tinymce_scripts (#13466)
  Set minimum of words for RSS excerpt (#13502)
  Plugin: Deprecate gutenberg_get_block_categories (#13454)
  Plugin: Deprecate gutenberg_content_block_version (#13469)
  API Fetch: Expose nonce on created middleware function (#13451)
  Plugin: Remove list screens integrations (#13459)
  Plugin: Remove core-defined block detection functions (#13467)
  Spec Parser: Move generated spec parser to package (#13493)
  ...
nylen pushed a commit to nylen/wordpress-develop-svn that referenced this pull request Mar 20, 2019
As of `@wordpress/[email protected]` (introduced in 44812), the `apiFetch` nonce middleware must have its nonce value assigned explicitly, and will no longer listen for heartbeat ticks automatically. This changeset adds an inline script for the default registration of the `api-fetch` script handle to assign the nonce value in response to the heartbeat action. In doing so, it removes the now-unused, misnamed `rest-nonce` property from the heartbeat response, whose original introduction served as temporary compatibility with earlier versions of `@wordpress/api-fetch`.

See WordPress/gutenberg#13451
See #45113

Props adamsilverstein, nerrad.
Fixes #46107.


git-svn-id: https://develop.svn.wordpress.org/trunk@44949 602fd350-edb4-49c9-b593-d223f7449a82
pento pushed a commit to WordPress/wordpress-develop that referenced this pull request Mar 20, 2019
markjaquith pushed a commit to markjaquith/WordPress that referenced this pull request Mar 20, 2019
gMagicScott pushed a commit to gMagicScott/core.wordpress-mirror that referenced this pull request Mar 20, 2019
miya0001 pushed a commit to cjk4wp/wordpress that referenced this pull request Mar 29, 2019