Eliminate cookie authentication requirement to do frontend validation
Allow passing nonce instead of auth cookie with amp_validate requests.
westonruter committed May 27, 2018
1 parent 7c0a02d commit 90eff4f
Showing 2 changed files with 21 additions and 4 deletions.
23 changes: 20 additions & 3 deletions includes/validation/class-amp-validation-manager.php
@@ -1136,13 +1136,31 @@ protected static function output_removed_set( $set ) {
echo implode( ', ', $items ); // WPCS: XSS OK.
}

/**
* Get nonce for performing amp_validate request.
*
* The returned nonce is irrespective of the authenticated user.
*
* @return string Nonce.
*/
public static function get_amp_validate_nonce() {
return wp_hash( self::VALIDATE_QUERY_VAR . (string) wp_nonce_tick(), 'nonce' );
}

/**
* Whether to validate the front end response.
*
* @return boolean Whether to validate.
*/
public static function should_validate_response() {
return self::has_cap() && isset( $_GET[ self::VALIDATE_QUERY_VAR ] ); // WPCS: CSRF ok.
if ( ! isset( $_GET[ self::VALIDATE_QUERY_VAR ] ) ) { // WPCS: CSRF ok.
return false;
}
if ( self::has_cap() ) {
return true;
}
$validate_key = wp_unslash( $_GET[ self::VALIDATE_QUERY_VAR ] ); // WPCS: CSRF ok.
return self::get_amp_validate_nonce() === $validate_key;
}

/**
@@ -1242,14 +1260,13 @@ public static function validate_after_plugin_activation() {
public static function validate_url( $url ) {
$validation_url = add_query_arg(
array(
self::VALIDATE_QUERY_VAR => 1,
self::VALIDATE_QUERY_VAR => self::get_amp_validate_nonce(),
self::CACHE_BUST_QUERY_VAR => wp_rand(),
),
$url
);

$r = wp_remote_get( $validation_url, array(
'cookies' => wp_unslash( $_COOKIE ), // @todo Passing-along the credentials of the currently-authenticated user prevents this from working in cron.
'sslverify' => false,
'headers' => array(
'Cache-Control' => 'no-cache',
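Review bot: The last line of should_validate_response() compares the request value with the expected nonce using `===`, which is not a constant-time comparison, and for callers without the capability it is now the only check. The value comes straight from `$_GET` and may be an array, so I would write `return is_string( $validate_key ) && hash_equals( self::get_amp_validate_nonce(), $validate_key );`, which matches how core's wp_verify_nonce() compares. get_amp_validate_nonce() is not bound to a user or session and travels in the query string, so any party that can read the URL (access logs, proxies) holds a credential for validation mode for the rest of the current nonce tick; the docblock should say so, e.g. `The nonce acts as a bearer token for validation mode; treat URLs containing it as sensitive.` In validate_url() the unchanged `'sslverify' => false` now applies to a request whose only credential is that token, which looks worth revisiting; that function continues outside the hunk.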
2 changes: 1 addition & 1 deletion tests/test-class-amp-validation-utils.php
@@ -1083,7 +1083,7 @@ public function test_validate_url() {
$that->assertStringStartsWith(
add_query_arg(
AMP_Validation_Manager::VALIDATE_QUERY_VAR,
1,
'',
$validated_url
),
$url
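Review bot: The expected prefix built with `''` only proves that the URL starts with an empty `amp_validate=` parameter, so this assertion would still pass if validate_url() sent an empty or wrong nonce. Passing the real value, `AMP_Validation_Manager::get_amp_validate_nonce(),` in place of `'',`, would pin the token that the loopback request depends on. No test on this page exercises the new nonce branch of should_validate_response() (accepted nonce, rejected nonce, no capability); if none exists elsewhere, it is worth adding alongside this change. test_validate_url() starts and ends outside the hunk.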
