Refresh nonce with heartbeat

[adamsilverstein]

Summary

Refresh the wp-api nonce when a new nonce is available, keeping the nonce fresh and the client authorized. Fixes #2088.

Description

Add a wp_rest nonce to the heartbeat response when in Gutenberg.
Add a JavaScript callback on jQuery( document ) 'heartbeat-tick' which heartbeat triggers. Update the wp-api nonce if it has changed.

How Has This Been Tested?

Verified heartbeat returns nonce.
Verified if nonce is different, logic sets it on root endpoint.

Notes

Wasn't sure about the best place to put the JS callback, feedback appreciated!

[ellatrix]

@adamsilverstein This doesn't solve anything as far as I can see. The way I test it is setting the nonce life to 10 seconds. This is low enough to ensure that by the first heartbeat after page load the nonce will be invalid, so it's just like being away for over 24 hours and coming back to an invalid nonce. With this patch, nothing will be sent back. You'll need to hook into wp_refresh_nonces (see https://github.com/WordPress/wordpress-develop/blob/4.8.2/src/wp-admin/includes/ajax-actions.php#L2794). heartbeat_send is too late.

I wouldn't use jQuery here, we don't want a dependency on jQuery as well. You can just use that native browser API as we don't need to support lower IE versions.

Additionally there are some listing errors.

[adamsilverstein]

@iseulde thanks for testing and the feedback, also for explaining how you tested - I wasn't sure how to do that. I saw wp_refresh_nonces and didn’t realize i had to use it, thanks for clarifying.

I thought I saw jQuery already used, I'll switch that and fix the linting errors. :)

[adamsilverstein]

@iseulde actually for the jquery, I am listening for the event triggered by heartbeat:

jQuery( document ).on( 'heartbeat-tick' ) which is triggered by heartbeat.js using jQuery. Can I listen for the jQuery event using native JS?

[codecov]

Codecov Report

Merging #2790 into master will decrease coverage by <.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #2790      +/-   ##
==========================================
- Coverage   34.43%   34.42%   -0.01%     
==========================================
  Files         196      196              
  Lines        5782     5783       +1     
  Branches     1020     1021       +1     
==========================================
  Hits         1991     1991              
  Misses       3206     3206              
- Partials      585      586       +1

Impacted Files	Coverage Δ
editor/index.js	0% <ø> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a59e2e4...91211d5. Read the comment docs.

[adamsilverstein]

@iseulde I switched the hook to wp_refresh_nonces and verified this actually works correctly - i set my nonce expiration (30 sec) and heartbeat rate (15 sec) low and watched as the nonce expired and got renewed.

Can you please re-test?

[ellatrix]

actually for the jquery, I am listening for the event triggered by heartbeat:

Ah ok, that's unfortunate. :) Do we have proper dependencies set for heartbeat.js?

[adamsilverstein]

Ah ok, that's unfortunate. :) Do we have proper dependencies set for heartbeat.js?

Yes, in script-loader, we add hearbeat with a jQuery dependency:
$scripts->add( 'heartbeat', "/wp-includes/js/heartbeat$suffix.js", array('jquery'), false, 1 );

Is that what you meant?

heartbeat.js has 6 $document.trigger() calls. If we swap out these for wp.hooks, we could remove the jQuery dependency.

[ellatrix]

@adamsilverstein I meant here, in Gutenberg. I don't see a Heartbeat dependency. :)

[adamsilverstein]

I meant here, in Gutenberg. I don't see a Heartbeat dependency. :)

Ah, good point - I was testing on the post page so it must be loading there. i'll check/add the dependency.

[adamsilverstein]

@iseulde I added the heartbeat dependency in 8e6e426 - does this work for you now?

[ellatrix]

@adamsilverstein I fixed the failing tests, and replaced wp.api.endpoints.at(0).get( 'nonce' ), because that's returning undefined. Used the settings object instead.

[adamsilverstein]

replaced wp.api.endpoints.at(0).get( 'nonce' ), because that's returning undefined. Used the settings object instead.

@iseulde Thanks for merging! I think I was testing in trunk and you were maybe on 4.8? The nonce handling changes a little in 4.9 and I don't think this will work since https://core.trac.wordpress.org/changeset/41553 - I am going to open a new PR that will use more flexible code to use the right approach in all cases.

[ellatrix]

Yeah, I'm just on the latest version. :)

[adamsilverstein]

Ok, makes sense and we need it to work there as well, so I'l work on a follow up PR.

[getsource]

I'm having this issue. Is there a different place where it's being tracked?

[adamsilverstein]

@getsource yes, see #9260