Merge branch 'main' into feature/issue-99/prevent-alley-users-from-ap…

…pearing
alleyinteractive · Oct 25, 2024 · aaa1e79 · aaa1e79
2 parents 9f96109 + a16665f
commit aaa1e79
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 8 deletions.
diff --git a/.github/workflows/all-pr-tests.yml b/.github/workflows/all-pr-tests.yml
@@ -39,6 +39,7 @@ jobs:
         with:
           php-version: '${{ matrix.php }}'
           skip-audit: 'true'
-          skip-wordpress-install: 'true'
           wordpress-version: '${{ matrix.wordpress }}'
           wordpress-multisite: '${{ matrix.multisite }}'
+          skip-core-test-suite: 'true'
+          skip-wordpress-install: 'true'
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 This library adheres to [Semantic Versioning](https://semver.org/) and [Keep a CHANGELOG](https://keepachangelog.com/en/1.0.0/).
 
+## Unreleased
+
+### Fixed
+
+* `login_nonce`: Fixed issue where loading cached version of login page would store invalid nonce.
+
 ## 3.4.0
 
 ### Changed

diff --git a/src/alley/wp/alleyvate/features/class-login-nonce.php b/src/alley/wp/alleyvate/features/class-login-nonce.php
@@ -79,6 +79,15 @@ public static function add_no_store_to_login( $headers ): array {
 	 */
 	public static function action__add_meta_refresh(): void {
 		printf( '<meta http-equiv="refresh" content="%d">', esc_attr( (string) self::NONCE_TIMEOUT ) );
+		?>
+		<script>
+			window.addEventListener('pageshow', (event) => {
+				if (event.persisted) {
+					location.reload();
+				}
+			});
+		</script>
+		<?php
 	}
 
 	/**
@@ -99,16 +108,22 @@ public static function action__add_nonce_to_form(): void {
 	 * @see <https://github.com/WordPress/wordpress-develop/blob/94b70f1ae065f10937c22b2d4b180ceade1ddeee/src/wp-login.php#L482-L495>
 	 */
 	public static function action__add_nonce_life_filter(): void {
-		add_filter( 'nonce_life', [ __CLASS__, 'nonce_life_filter' ] );
+		add_filter( 'nonce_life', [ __CLASS__, 'nonce_life_filter' ], 10, 2 );
 		add_action( 'login_form', [ __CLASS__, 'action__add_nonce_to_form' ] );
 	}
 
 	/**
 	 * Filter the nonce timeout.
 	 *
+	 * @param int        $nonce_lifetime The lifetime of the nonce in seconds.
+	 * @param string|int $action The nonce action, or -1 if none was provided.
 	 * @return int
 	 */
-	public static function nonce_life_filter(): int {
+	public static function nonce_life_filter( $nonce_lifetime, $action ): int {
+		if ( self::NONCE_ACTION !== $action ) {
+			return $nonce_lifetime;
+		}
+
 		return self::NONCE_TIMEOUT;
 	}
 
@@ -131,14 +146,11 @@ public static function action__pre_validate_login_nonce(): void {
 		 * Nonce life is used to generate the nonce value. If this differs from the form,
 		 * the nonce will not validate.
 		 */
-		add_filter( 'nonce_life', [ __CLASS__, 'nonce_life_filter' ] );
+		add_filter( 'nonce_life', [ __CLASS__, 'nonce_life_filter' ], 10, 2 );
 
 		$nonce = sanitize_key( $_POST[ self::NONCE_NAME ] ?? '' );
 
-		if (
-			! $nonce ||
-			! wp_verify_nonce( $nonce, self::NONCE_ACTION )
-		) {
+		if ( ! wp_verify_nonce( $nonce, self::NONCE_ACTION ) ) {
 			// This is a login with an invalid nonce. Throw an error.
 			http_response_code( 403 );
 			wp_die( 'Login attempt failed. Please try again.', 'Login Error' );