missing parameter: ‘verification_nonce’

[felixarntz]

Bug Description

Sometimes the authentication service returns an error about a missing verification nonce (see https://wordpress.org/support/topic/missing-parameter-verification_nonce/).

This happens whenever site verification has failed for some reason, because when that happens, the user can try to re-do the step again (for which the verification nonce would be required again).

Therefore we need to also send the verification_nonce parameter in the handler where we send verify=true.

---

Do not alter or remove anything below. The following sections will be managed by moderators only.

Acceptance criteria

• When redirecting the user back to the proxy to check site verification, a verification_nonce parameter should be sent.
• Failing site verification on the proxy should not result in a missing parameter: 'verification_nonce' error.

Implementation Brief

In

site-kit-wp/includes/Core/Authentication/Authentication.php

Line 435 in 9219d9c

wp_safe_redirect( add_query_arg( 'verify', 'true', $auth_client->get_proxy_setup_url( $code ) ) );

pass a missing_verification string as second parameter to get_proxy_setup_url(), so that it is correctly added by the logic in

site-kit-wp/includes/Core/Authentication/Clients/OAuth_Client.php

Lines 650 to 652 in 9219d9c

	if ( 'missing_verification' === $error_code ) {
	$query_args['verification_nonce'] = wp_create_nonce( 'googlesitekit_verification' );
	}

.

Changelog entry

• Fix bug where the site verification nonce was not sent to the authentication service.

[aaemnnosttv]

IB ✅

This is a bit confusing when you look at it that you would hard code an error code passed to the setup URL. We should be sure to leave a comment to explain why this is necessary, since I think it is likely not very obvious.

[felixarntz]

@aaemnnosttv Sounds good, let's add a comment to clarify.