This repository has been archived by the owner on Feb 23, 2024. It is now read-only.

Improve nonce handling by rejecting stale values #3770

Merged
merged 5 commits into from Feb 1, 2021

Conversation

mikejolley
Member

#3766 fixes the cache issue reported in #3757 by disabling caches.

As an alternative, this PR adds some additional logic to the nonce middleware which allows the nonce to be stored within browser localStorage, and some new logic to detect if a nonce is older or newer than the current.

Fixes #3757
Closes #3766

How to test the changes in this Pull Request:

  1. Start an incognito window.
  2. Add something to cart from the products block.
  3. Go to cart page.
  4. Use browser back button back to the page with products block.
  5. Add to cart.

If the add to cart worked, this fix is working. Also check browser localStorage and you should see a new field called storeApiNonce.

Changelog

Prevent "X-WC-Store-API-Nonce is invalid" error when going back to a page with the products block using the browser back button.

@mikejolley mikejolley added this to the 4.4.0 milestone Feb 1, 2021
@mikejolley mikejolley requested a review from a team as a code owner February 1, 2021 15:17
@mikejolley mikejolley self-assigned this Feb 1, 2021
@mikejolley mikejolley requested review from ralucaStan and removed request for a team February 1, 2021 15:17
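The "keep whichever nonce is newest" rule the PR describes, written out as a stand-alone example. This is added illustration, not the project's middleware: only the localStorage key storeApiNonce, the nonce/timestamp fields, the X-WC-Store-API-Nonce header and the seconds-versus-milliseconds convention (Date.now() / 1000) come from the PR page. The timestamp header name X-WC-Store-API-Nonce-Timestamp, the MemoryStorage stand-in for window.localStorage, and every function name below are assumptions chosen so the code runs under Node without a browser.

```javascript
'use strict';

// Added example (not the project's code): a stand-alone model of the nonce
// handling this PR describes. The localStorage key, the nonce/timestamp
// fields, the X-WC-Store-API-Nonce header and the /1000 convention are from
// the PR; the timestamp header name and all function names are assumptions.
const STORAGE_KEY = 'storeApiNonce';
const NONCE_HEADER = 'X-WC-Store-API-Nonce';
const TIMESTAMP_HEADER = 'X-WC-Store-API-Nonce-Timestamp'; // assumed name

// In-memory stand-in for window.localStorage so the example runs under Node.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
}

// `storage` is anything with localStorage's getItem/setItem; `now` returns the
// current time in SECONDS, because the PHP side stamps nonces with time()
// (seconds) while Date.now() is milliseconds, hence the / 1000.
function createNonceTracker(storage, now = () => Date.now() / 1000) {
  let currentNonce = '';
  let currentTimestamp = 0;

  // Restore what an earlier page load persisted. Unparseable or malformed
  // storage (hand-edited, stale from another version) means "nothing stored",
  // never an exception that would break every Store API request.
  try {
    const raw = storage.getItem(STORAGE_KEY);
    const stored = raw ? JSON.parse(raw) : {};
    if (stored && typeof stored.nonce === 'string' &&
        Number.isFinite(Number(stored.timestamp))) {
      currentNonce = stored.nonce;
      currentTimestamp = Number(stored.timestamp);
    }
  } catch (err) {
    // ignore: fall through with an empty nonce
  }

  function setNonce(nonce, timestamp) {
    currentNonce = nonce;
    currentTimestamp = timestamp;
    storage.setItem(STORAGE_KEY, JSON.stringify({ nonce, timestamp }));
  }

  // Offer a (nonce, timestamp) pair from any source: a response header set or
  // the values WordPress injected into the page. The pair is adopted only if
  // it is at least as new as what we hold; an older pair is the back-button /
  // cached-page case and is rejected. A missing timestamp is treated as "now",
  // mirroring the PR's `timestamp || Date.now() / 1000`. Returns true if adopted.
  function offer(nonce, timestamp) {
    if (!nonce) return false;
    const missing = timestamp === undefined || timestamp === null || timestamp === '';
    const ts = missing ? now() : Number(timestamp);
    if (!Number.isFinite(ts) || ts < currentTimestamp) return false;
    setNonce(nonce, ts);
    return true;
  }

  // `headers` only needs a .get(name) method (fetch Headers, or a Map in tests).
  function updateFromResponseHeaders(headers) {
    return offer(headers.get(NONCE_HEADER), headers.get(TIMESTAMP_HEADER));
  }

  // What the outgoing apiFetch middleware does: attach the freshest nonce.
  function attachToRequest(options) {
    const headers = { ...(options.headers || {}) };
    if (currentNonce) headers[NONCE_HEADER] = currentNonce;
    return { ...options, headers };
  }

  return {
    offer,
    updateFromResponseHeaders,
    attachToRequest,
    getNonce: () => currentNonce,
    getTimestamp: () => currentTimestamp,
  };
}

// The PR's manual test replayed with constructed values: the page load injects
// nonce A (t=1000), an add-to-cart response rotates it to B (t=1600), then the
// browser back button re-runs the cached page, which injects A again.
function backButtonScenario() {
  const storage = new MemoryStorage();
  const firstLoad = createNonceTracker(storage, () => 1000);
  firstLoad.offer('aaaa1111', 1000);
  firstLoad.updateFromResponseHeaders(
    new Map([[NONCE_HEADER, 'bbbb2222'], [TIMESTAMP_HEADER, '1600']])
  );
  const afterBack = createNonceTracker(storage, () => 1700); // fresh script run
  const staleAccepted = afterBack.offer('aaaa1111', 1000);   // the old page value
  const req = afterBack.attachToRequest({ method: 'POST', headers: { Accept: 'application/json' } });
  return { staleAccepted, nonce: afterBack.getNonce(), timestamp: afterBack.getTimestamp(), req };
}
```

Two points worth keeping in mind when reading it. The comparison is between server-issued timestamps, so the browser clock only matters in the fallback where a response carries no timestamp at all. And the client-side check is not a security control: the server still validates whatever nonce arrives; the tracker only decides which of two candidate values to send. Persisting the nonce in localStorage does not widen its exposure either, since it is a CSRF token already injected into the page and readable by any same-origin script, and localStorage is scoped to that same origin.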
@github-actions
Contributor

github-actions bot commented Feb 1, 2021

Size Change: +163 B (0%)

Total Size: 1.18 MB

Filename Size Change
build/wc-blocks-middleware.js 1.1 kB +163 B (+17%) ⚠️

compressed-size-action

Contributor

@opr opr left a comment


This tests great, nice one Mike. The code looks good to me too.

}

currentNonce = nonce;
currentTimestamp = timestamp || Date.now() / 1000;
Contributor

Perhaps add a comment for why we're dividing by 1000 here, without looking at L68 of Assets.php it's not immediately obvious. Not a big deal I think but may be helpful.

Member Author

Thanks, added in 7aa1866

Contributor

@nerrad nerrad left a comment

As noted in my inline comment, I wonder if you can get away with just storing the timestamp in localStorage?


try {
const storedNonceValue = window.localStorage.getItem( 'storeApiNonce' );
const storedNonce = storedNonceValue ? JSON.parse( storedNonceValue ) : {};
Contributor

Any security concerns about storing the nonce value in localStorage? Would we be able to get away with just storing the nonce timestamp (and assume if that hasn't changed that the nonce in the request is okay)?

Member Author

@nerrad I don't think there is a security concern because the nonces are also injected into the page (so readable from JS), and they are to stop CSRF not used as secure tokens or anything. We need both here because the nonce injected on the page is out of date if you go back using the browser button. The new nonce needs to persist somewhere.

Contributor

Makes sense, in that case - this gets the 👍 from me (note, I have not tested though...so probably should get confirmed by someone else in testing).


@ralucaStan
Contributor

Works as expected on Firefox, Chrome and Safari.

@mikejolley mikejolley merged commit aafaf3e into trunk Feb 1, 2021
@mikejolley mikejolley deleted the fix/3757-nonce-handling branch February 1, 2021 17:09
Successfully merging this pull request may close these issues.

Nonce validation issue: "X-WC-Store-API-Nonce is invalid" in All Products Block.
4 participants