Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Try: Return error when session is missing for REST nonce refresh #67812

Open
wants to merge 2 commits into
base: trunk
Choose a base branch
from

Conversation

Mamaduka
Copy link
Member

@Mamaduka Mamaduka commented Dec 11, 2024

What?

Fixes #36118.
Fixes #42400.

This PR updates the apiFetch nonce endpoint to return an error when the session token is missing. It also avoids infinite loops when apiFetch tries to refresh the nonces.

Why?

The endpoint always refreshes to nonce even when the session has expired. The wp_create_nonce doesn't do any validation and always returns a token value.

Testing Instructions

  1. Open a post or page.
  2. Add an Image block.
  3. Select an image.
  4. Temporarily renames wordpress_logged_in_* cookie via DevTools.
  5. Refresh the editor and observer Networks tab.
  6. Confirm that the browser doesn't make infinite requests.

Testing Instructions for Keyboard

Same.

Screenshots or screencast

CleanShot 2024-12-11 at 11 19 50

@azaozz
Copy link
Contributor

azaozz commented Dec 17, 2024

I'm a bit wary about making these changes. All the logged-in/authentication functions are "pluggable" (replaceable). There may be other authentication methods implemented on some sites that may be using other/different cookies or not using cookies at all.

Seems that directly using wp_get_session_token() which uses wp_parse_auth_cookie() under the hood may not work properly in these cases. Seems ideally this should be using is_user_logged_in()? If it doesn't work as expected it should be fixed, see: #13509 (comment).

Copy link

github-actions bot commented Dec 17, 2024

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Unlinked Accounts

The following contributors have not linked their GitHub and WordPress.org accounts: @jonnynews.

Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Unlinked contributors: jonnynews.

Co-authored-by: Mamaduka <[email protected]>
Co-authored-by: azaozz <[email protected]>
Co-authored-by: getsource <[email protected]>
Co-authored-by: skorasaurus <[email protected]>
Co-authored-by: ryanboswell <[email protected]>
Co-authored-by: mboynes <[email protected]>
Co-authored-by: desrosj <[email protected]>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

function gutenberg_ajax_rest_nonce() {
$token = wp_get_session_token();
if ( empty( $token ) ) {
wp_send_json_error( null, rest_authorization_required_code() );
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
wp_send_json_error( null, rest_authorization_required_code() );
$error = new WP_Error(
'rest_unable_get_access_token',
__( 'Sorry, unable to get session token.' ),
array( 'status' => rest_authorization_required_code() )
);
wp_die( $error );

I love to see a wp_die and wp_error combo here. wp_die is clever enough to use _ajax_wp_die_handler if it is admin ajax request.

Copy link
Contributor

@azaozz azaozz Dec 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I love to see a...

Any particular reason why this piece of code should be different/inconsistent with most other AJAX responses from admin-ajax? Don't think introducing inconsistencies is a good idea, sorry :)

Also, as mentioned above I think this code may introduce edge cases as it is only checking the default cookies and not using the proper functionality to determine if a user is logged in?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The wp_send_json_error uses wp_die internally.

See: https://developer.wordpress.org/reference/functions/wp_send_json/.

Copy link
Contributor

@azaozz azaozz Dec 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, let me reformulate the question: why not use wp_send_json_error() as most other WP code but use wp_die() directly with a new WP_Error instance? What advantages does that bring? Are the advantages worth it the change/inconsistency? (And other in the same line of thought) :)

BTW if a new WP_Error instance is needed for some reason it seems it can be passed to wp_send_json_error().

@azaozz
Copy link
Contributor

azaozz commented Jan 1, 2025

Disclaimer: I've not done WP auth debugging in a while, so correct me if I misread logic somewhere.

Based on my tests, the is_user_logged_in or determine_current_user seems to work correctly when only the LOGGED_IN_COOKIE isn't valid. However, it will repeatedly fail to verify nonce in rest_cookie_check_errors.

Here's the simplified logic flow:

  • determine_current_user calls the wp_validate_auth_cookie callback, which returns a user ID.
  • determine_current_user calls the wp_validate_logged_in_cookie callback, which returns early since the previous callback already authenticates the user, and there's no need for logged-in cookie validation. This is also mentioned in the PHP doc block.

@Mamaduka Thanks for your response on the issue. Thinking perhaps is may be better to continue here as this is mostly implementation related. Feel free to move this back to the issue if needed :)

I haven't looked at this in a while too, may be missing something.

Sue, lets look at this step by step. The determine_current_user filter is used in WP to get the logged-in user ID, or false if the current user is not logged in. There are three callbacks to it in core (other may be added by plugins):

  1. wp_validate_auth_cookie() uses wp_parse_auth_cookie() that looks directly for $_COOKIE[ SECURE_AUTH_COOKIE ] (or $_COOKIE[ AUTH_COOKIE ]if the site is not ssl).
  2. wp_validate_logged_in_cookie() again uses wp_parse_auth_cookie() but looks at $_COOKIE[ LOGGED_IN_COOKIE ] after some restrictions. Note that both SECURE_AUTH_COOKIE and LOGGED_IN_COOKIE are set together at the same time and have the same content (the user ID) and expiration time. Been wondering if it is at all possible to have one without having the other, but unfortunately cannot remember. Seems not possible.
  3. wp_validate_application_password() uses wp_authenticate_application_password() that as far as I see does not use or set the above mentioned cookies.

My concern here is how would the code in this PR work in the cases where a WP user has logged in with an application password (i.e. using their Google, Apple, etc. password). Also thinking it would be really good to add some tests for that :)

@Mamaduka
Copy link
Member Author

Mamaduka commented Jan 6, 2025

@azaozz, thanks for the feedback. I'm also hesitant to touch the existing logic for determine_current_user. I'm sure some installations might rely on this behavior, especially with "old" logic like this.

I've got an alternative solution that relies less on implementation details. The AJAX action will try to verify the refreshed nonce immediately and return an error if verification is unsuccessful. See the proposed patch below.

My concern here is how would the code in this PR work in the cases where a WP user has logged in with an application password (i.e. using their Google, Apple, etc. password).

If I remember correctly, application password auths don't rely on cookie auth for REST API and roll out their solutions. Again, I've not touched this area in a while, so I might be wrong :)

diff --git lib/compat/wordpress-6.8/ajax-actions.php lib/compat/wordpress-6.8/ajax-actions.php
index 24388b7f3b9..e7f827c1104 100644
--- lib/compat/wordpress-6.8/ajax-actions.php
+++ lib/compat/wordpress-6.8/ajax-actions.php
@@ -9,14 +9,15 @@
  * Handles renewing the REST API nonce via AJAX.
  *
  * @since 5.3.0
- * @since 6.8.0 Returns error when session token is missing.
+ * @since 6.8.0 Returns an error if a refreshed nonce isn't valid.
  */
 function gutenberg_ajax_rest_nonce() {
-	$token = wp_get_session_token();
-	if ( empty( $token ) ) {
+	$nonce  = wp_create_nonce( 'wp_rest' );
+	$result = wp_verify_nonce( $nonce, 'wp_rest' );
+	if ( ! $result ) {
 		wp_send_json_error( null, rest_authorization_required_code() );
 	}
 
-	exit( wp_create_nonce( 'wp_rest' ) );
+	exit( $nonce );
 }
 add_action( 'wp_ajax_rest-nonce', 'gutenberg_ajax_rest_nonce', 0 );

@getsource
Copy link
Member

I haven't done testing here, but I really like the elegance of this solution.

@Mamaduka Mamaduka force-pushed the try/rest-nonce-send-eror branch from 9a4c70b to 23b50f3 Compare January 8, 2025 08:02
@Mamaduka
Copy link
Member Author

Mamaduka commented Jan 8, 2025

Applied my proposal #67812 (comment), but for some reason, it doesn't work in practice.

The same nonce correctly fails verification in rest_cookie_check_errors but passes in AJAX callback. I feel like I'm missing something obvious in the logic 😓

This can be reproduced by doing step 4 from the testing instructions and then using the following snippet:

add_action( 'init', function() {
	$nonce  = wp_create_nonce( 'wp_rest' );
	$result = wp_verify_nonce( $nonce, 'wp_rest' );

	wp_die( $result );
} );

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
REST API Interaction Related to REST API [Type] Bug An existing feature does not function as intended
Projects
None yet
4 participants