API Fetch: Expose nonce on created middleware function #13451
Conversation
lib/client-assets.php
Outdated
@@ -185,10 +185,29 @@ function gutenberg_register_scripts_and_styles() { | |||
gutenberg_register_packages_scripts(); | |||
|
|||
// Inline scripts. | |||
global $wp_scripts; | |||
$wp_scripts->registered['wp-api-fetch']->deps[] = 'wp-hooks'; |
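Review bot: the appended dependency at `$wp_scripts->registered['wp-api-fetch']->deps[] = 'wp-hooks';` dereferences the registered entry for `wp-api-fetch` without checking that the handle exists, so if registration of that handle is ever skipped or filtered out this line emits an undefined-index notice and then writes a property on null. Guard it with `isset( $wp_scripts->registered['wp-api-fetch'] )` or `wp_script_is( 'wp-api-fetch', 'registered' )` before appending, and add a one-line comment saying the dependency exists for the inline heartbeat handler that follows rather than for the package itself, since the `// Inline scripts.` context line does not make that obvious to a later reader.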
This is a bit awkward in that the inline script has a dependency which the handle upon which it's attached does not. There's a pretty strong guarantee from the preceding lines that this would be registered, but it might be a good idea to have some protections here all the same, either with `isset` or by `wp_script_is`.

We could also just have `wp-api-fetch` continue to depend on `wp-hooks`, but I assumed that in the future we might want to have it so that dependencies in core are automatically generated from the packages. Maybe this is thinking too far ahead, or maybe we'd want some filtering to apply to that generated result anyways.
Likely not an issue, but I wonder if removing the dependency on `wp-hooks` from `api-fetch` runs the risk of breaking plugins that have created a dependency on `api-fetch` on the assumption it will also queue up `wp-hooks`. One could argue that's doing it wrong anyways, but I mentioned it anyway just for consideration.
We can't realistically hold ourselves hostage to never changing the dependencies of a core script because people aren't declaring their own dependencies correctly 🤷♂️
> There's a pretty strong guarantee from the preceding lines that this would be registered, but it might be a good idea to have some protections here all the same, either with `isset` or by `wp_script_is`.

I decided to be cautious and add a guarded condition in the rebased 65675b4.
Looks good to me (note I just reviewed, did not test).
I like the simplicity of this approach.

Trac ticket: https://core.trac.wordpress.org/ticket/46107
Force-pushed: c133d12 to 65675b4
…rnmobile/372-enter-key-detection-to-title * 'master' of https://github.com/WordPress/gutenberg: (29 commits) Update for RangeControl documentation (#12564) Plugin: Deprecate gutenberg_load_list_reusable_blocks (#13456) Update the columns attribute in onSelectImages so that if images are removed via the media modal, the columns can't be higher than the new number of images (#13488) Replace the fullscreen "exit" icon with a back arrow (#13403) Include :visited links in button color (#12183) Amazon Kindle block (#13510) Plugin: Deprecate gutenberg_prepare_blocks_for_js (#13457) Add watcher on Linux: change fs to node-watch (#13448) Plugin: Deprecate `gutenberg` theme support (#13458) Datepicker: Add inValidDay support (#12962) Block Switcher: Render disabled button even if multi-selection (#13431) Plugin: Deprecate gutenberg_register_post_types (#13468) Plugin: Deprecate register_tinymce_scripts (#13466) Set minimum of words for RSS excerpt (#13502) Plugin: Deprecate gutenberg_get_block_categories (#13454) Plugin: Deprecate gutenberg_content_block_version (#13469) API Fetch: Expose nonce on created middleware function (#13451) Plugin: Remove list screens integrations (#13459) Plugin: Remove core-defined block detection functions (#13467) Spec Parser: Move generated spec parser to package (#13493) ...
As of `@wordpress/[email protected]` (introduced in 44812), the `apiFetch` nonce middleware must have its nonce value assigned explicitly, and will no longer listen for heartbeat ticks automatically. This changeset adds an inline script for the default registration of the `api-fetch` script handle to assign the nonce value in response to the heartbeat action. In doing so, it removes the now-unused, misnamed `rest-nonce` property from the heartbeat response, whose original introduction served as temporary compatibility with earlier versions of `@wordpress/api-fetch`. See WordPress/gutenberg#13451 See #45113 Props adamsilverstein, nerrad . Fixes #46107 . git-svn-id: https://develop.svn.wordpress.org/trunk@44949 602fd350-edb4-49c9-b593-d223f7449a82
Related: https://core.trac.wordpress.org/ticket/45113#comment:11
This pull request stemmed from a simple desire to rename the `rest-nonce` heartbeat response value to the core-preferred `rest_nonce`. It subsequently turned into a bit more of a refactor of how this nonce is assigned and handled within the API fetch middleware.

The proposed changes here avoid having the API Fetch module have any awareness of heartbeat at all, instead using an inline script to create the heartbeat action handler, assigning to the newly-introduced middleware `nonce` property.

Note: This will require a change to the equivalent inline script handling in core. (patch)
Testing Instructions:

To simplify testing, I found it useful to create a simple plugin at `wp-content/mu-plugins/nonce-duration.php` to shorten the default lifetime of a nonce dramatically, since otherwise a new nonce won't be included by default with the heartbeat response:

Verify that a different nonce is used with API requests which are triggered at least 5 seconds apart with the above patch.
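The split the PR describes, a nonce middleware that exposes its nonce as a property and an inline script that hooks `heartbeat.tick` to rotate it, as an added example that is not code from `@wordpress/api-fetch`, `@wordpress/hooks` or WordPress core. It reimplements just enough of each (a hooks registry, a middleware chain, a synchronous fake transport) to run offline; the hook name `heartbeat.tick` and the response key `rest_nonce` follow the PR description, and everything else (function names, the `nonce-A`/`nonce-B` values, the request paths) is constructed for illustration. It also covers two edge cases the description implies but does not spell out: a tick with no `rest_nonce` must leave the current nonce alone, and a caller-supplied stale `X-WP-Nonce` header must be replaced rather than trusted.

```javascript
// Added example, not code from @wordpress/api-fetch, @wordpress/hooks or
// WordPress core. Assumed names: hook 'heartbeat.tick', response key
// 'rest_nonce'; the transport and nonce values below are constructed.

// Stand-in for the parts of @wordpress/hooks the inline script needs.
function createHooks() {
  const actions = new Map();
  return {
    addAction(name, namespace, callback) {
      if (!actions.has(name)) actions.set(name, []);
      actions.get(name).push({ namespace, callback });
    },
    doAction(name, ...args) {
      for (const { callback } of actions.get(name) || []) callback(...args);
    },
  };
}

// Nonce middleware. The nonce is a property of the returned function and is
// read on every request, so the owner can rotate it (here: from heartbeat)
// without the middleware knowing where fresh nonces come from.
function createNonceMiddleware(nonce) {
  function middleware(options, next) {
    const headers = Object.assign({}, options.headers);
    for (const name of Object.keys(headers)) {
      if (name.toLowerCase() === 'x-wp-nonce') {
        // A caller-supplied header equal to the current nonce is left alone;
        // a stale one is dropped and replaced below.
        if (headers[name] === middleware.nonce) return next(options);
        delete headers[name];
      }
    }
    headers['X-WP-Nonce'] = middleware.nonce;
    return next(Object.assign({}, options, { headers }));
  }
  middleware.nonce = nonce;
  return middleware;
}

// Minimal apiFetch: registered middlewares wrap a terminal transport.
function createApiFetch(transport) {
  const middlewares = [];
  function apiFetch(options) {
    const chain = middlewares.reduceRight(
      (next, mw) => (opts) => mw(opts, next),
      transport
    );
    return chain(options);
  }
  apiFetch.use = (mw) => middlewares.push(mw);
  return apiFetch;
}

// What the inline script attached to the wp-api-fetch handle does: create the
// middleware with the server-rendered nonce, expose it on apiFetch, and hook
// heartbeat.tick to assign a fresh nonce whenever the response carries one.
function installNonceHandling(apiFetch, hooks, initialNonce) {
  apiFetch.nonceMiddleware = createNonceMiddleware(initialNonce);
  apiFetch.use(apiFetch.nonceMiddleware);
  hooks.addAction('heartbeat.tick', 'core', (response) => {
    if (response && response.rest_nonce) {
      apiFetch.nonceMiddleware.nonce = response.rest_nonce;
    }
  });
}

// Scenario: request; tick carrying a new nonce; request; tick without a nonce
// (must not clobber the current one); request with a stale explicit header.
// Returns the X-WP-Nonce value each request actually carried to the transport.
function runScenario() {
  const sent = [];
  const hooks = createHooks();
  const apiFetch = createApiFetch((options) => {
    sent.push(options.headers['X-WP-Nonce']); // constructed transport, no network
    return { ok: true };
  });
  installNonceHandling(apiFetch, hooks, 'nonce-A');

  apiFetch({ path: '/wp/v2/posts' });
  hooks.doAction('heartbeat.tick', { rest_nonce: 'nonce-B' });
  apiFetch({ path: '/wp/v2/posts' });
  hooks.doAction('heartbeat.tick', {});
  apiFetch({ path: '/wp/v2/posts' });
  apiFetch({ path: '/wp/v2/posts', headers: { 'x-wp-nonce': 'nonce-A' } });
  return sent;
}
```

The point of keeping the nonce on the middleware function rather than in a closure variable is visible in `installNonceHandling`: the heartbeat handler lives entirely outside the middleware and simply assigns `apiFetch.nonceMiddleware.nonce`, which is what lets the inline script in core own the heartbeat wiring while the package stays unaware of it.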