WordPress Version: .27
/**
 * Validates the CSRF nonce that must accompany cookie-authenticated REST requests.
 *
 * WordPress' cookie authentication is always in effect for logged-in users,
 * so the API checks a `wp_rest` nonce on every request to keep those users
 * from being vulnerable to CSRF. A request without any nonce is demoted to
 * anonymous rather than rejected, so the cookie alone never acts as a credential.
 *
 * @since 4.4.0
 *
 * @global mixed          $wp_rest_auth_cookie
 * @global WP_REST_Server $wp_rest_server REST server instance.
 *
 * @param WP_Error|mixed $result Error from another authentication handler,
 *                               null if we should handle it, or another value
 *                               if not.
 * @return WP_Error|mixed|bool WP_Error if the cookie is invalid, the $result, otherwise true.
 */
function rest_cookie_check_errors($result)
{
    // Another handler already produced an error or a result; leave it untouched.
    if (!empty($result)) {
        return $result;
    }

    global $wp_rest_auth_cookie, $wp_rest_server;

    /*
     * Only cookie-based sessions need the nonce. If the cookie handler did not
     * establish this session but the user is still logged in, some other
     * authentication method was used, and this check does not apply.
     */
    $cookieAuthUsed = (true === $wp_rest_auth_cookie);
    if (!$cookieAuthUsed && is_user_logged_in()) {
        return $result;
    }

    // The nonce may arrive as the `_wpnonce` request parameter or as the
    // X-WP-Nonce header; the parameter takes precedence when both are present.
    $nonce = $_REQUEST['_wpnonce'] ?? $_SERVER['HTTP_X_WP_NONCE'] ?? null;

    if (null === $nonce) {
        // No nonce at all: treat the request as unauthenticated instead of trusting the cookie.
        wp_set_current_user(0);
        return true;
    }

    if (!wp_verify_nonce($nonce, 'wp_rest')) {
        // Ask the response layer to send no-cache headers along with the 403.
        add_filter('rest_send_nocache_headers', '__return_true', 20);
        return new WP_Error('rest_cookie_invalid_nonce', __('Cookie nonce is invalid'), ['status' => 403]);
    }

    // Valid nonce: hand the client a refreshed one in the response header.
    $wp_rest_server->send_header('X-WP-Nonce', wp_create_nonce('wp_rest'));

    return true;
}