From 9cfd68bde3317dd77f49aaca38c6b5b7066dc99c Mon Sep 17 00:00:00 2001
From: Travis Weston <anubisthejackle@users.noreply.github.com>
Date: Tue, 15 Oct 2024 10:20:56 -0400
Subject: [PATCH 1/7] WIP: issue-70
From 86222d11c460b1410e0bb5ac1e30f4841dc39e8d Mon Sep 17 00:00:00 2001
From: Travis Weston <anubisthejackle@users.noreply.github.com>
Date: Tue, 15 Oct 2024 10:24:32 -0400
Subject: [PATCH 2/7] Remove unneccessary check. wp_verify_nonce validates empty nonce value
---
 src/alley/wp/alleyvate/features/class-login-nonce.php | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/alley/wp/alleyvate/features/class-login-nonce.php b/src/alley/wp/alleyvate/features/class-login-nonce.php
index 0761b466..57f80810 100644
--- a/src/alley/wp/alleyvate/features/class-login-nonce.php
+++ b/src/alley/wp/alleyvate/features/class-login-nonce.php
@@ -135,10 +135,7 @@ public static function action__pre_validate_login_nonce(): void {
 $nonce = sanitize_key( $_POST[ self::NONCE_NAME ] ?? '' );
- if (
- ! $nonce ||
- ! wp_verify_nonce( $nonce, self::NONCE_ACTION )
- ) {
+ if ( ! wp_verify_nonce( $nonce, self::NONCE_ACTION ) ) {
 // This is a login with an invalid nonce. Throw an error.
 http_response_code( 403 );
 wp_die( 'Login attempt failed. Please try again.', 'Login Error' );
From 63ac7e1c3e74bef89c9d7a1404458228005e6779 Mon Sep 17 00:00:00 2001
From: Travis Weston <anubisthejackle@users.noreply.github.com>
Date: Tue, 15 Oct 2024 14:27:48 -0400
Subject: [PATCH 3/7] Add refresh if page persisted
---
 .../alleyvate/features/class-login-nonce.php | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/src/alley/wp/alleyvate/features/class-login-nonce.php b/src/alley/wp/alleyvate/features/class-login-nonce.php
index 57f80810..e89208c7 100644
--- a/src/alley/wp/alleyvate/features/class-login-nonce.php
+++ b/src/alley/wp/alleyvate/features/class-login-nonce.php
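Review bot: The `http_response_code( 403 )` on the hunk's second-to-last context line is most likely overwritten by the `wp_die()` call that follows it, because `wp_die()` is given no `response` argument and WordPress's default die handler sends its own status header (500 by default, if I recall core correctly), so the client sees a 500 rather than the intended 403. Pass the status through wp_die instead, `wp_die( 'Login attempt failed. Please try again.', 'Login Error', [ 'response' => 403 ] );`, and drop the separate `http_response_code()` line. Removing the `! $nonce` guard is sound, as the commit message says, since `wp_verify_nonce()` rejects an empty string itself; a comment such as `// An empty or malformed nonce is rejected by wp_verify_nonce() itself.` would keep the next reader from re-adding it. action__pre_validate_login_nonce() begins before this hunk and its body continues after it.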
@@ -79,6 +79,15 @@ public static function add_no_store_to_login( $headers ): array {
 */
 public static function action__add_meta_refresh(): void {
 printf( '<meta http-equiv="refresh" content="%d">', esc_attr( (string) self::NONCE_TIMEOUT ) );
+ ?>
+ <script>
+ window.addEventListener('pageshow', (event) => {
+ if (event.persisted) {
+ location.reload();
+ }
+ });
+ </script>
+ <?php
 }
 /**
@@ -99,16 +108,22 @@ public static function action__add_nonce_to_form(): void {
 * @see <https://github.com/WordPress/wordpress-develop/blob/94b70f1ae065f10937c22b2d4b180ceade1ddeee/src/wp-login.php#L482-L495>
 */
 public static function action__add_nonce_life_filter(): void {
- add_filter( 'nonce_life', [ __CLASS__, 'nonce_life_filter' ] );
+ add_filter( 'nonce_life', [ __CLASS__, 'nonce_life_filter' ], 10, 2 );
 add_action( 'login_form', [ __CLASS__, 'action__add_nonce_to_form' ] );
 }
 /**
 * Filter the nonce timeout.
 *
+ * @param int $nonce_lifetime The lifetime of the nonce in seconds.
+ * @param string|int $action The nonce action, or -1 if none was provided.
 * @return int
 */
- public static function nonce_life_filter(): int {
+ public static function nonce_life_filter( $nonce_lifetime, $action ): int {
+ if ( self::NONCE_ACTION !== $action ) {
+ return $nonce_lifetime;
+ }
+
+ return self::NONCE_TIMEOUT;
 }
@@ -131,7 +146,7 @@ public static function action__pre_validate_login_nonce(): void {
 * Nonce life is used to generate the nonce value. If this differs from the form,
 * the nonce will not validate.
 */
- add_filter( 'nonce_life', [ __CLASS__, 'nonce_life_filter' ] );
+ add_filter( 'nonce_life', [ __CLASS__, 'nonce_life_filter' ], 10, 2 );
 $nonce = sanitize_key( $_POST[ self::NONCE_NAME ] ?? '' );
From 714062a35fc80b9e5a7c55c2be46ed8d971455c8 Mon Sep 17 00:00:00 2001
From: Travis Weston <anubisthejackle@users.noreply.github.com>
Date: Tue, 15 Oct 2024 14:27:58 -0400
Subject: [PATCH 4/7] Ready for review
From 8838aa0928d2a462b301beda961bc1f21ae513c9 Mon Sep 17 00:00:00 2001
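Review bot: The raw `<script>` block added to action__add_meta_refresh() is an inline script with no nonce or hash hook, so on a site that serves wp-login.php under a Content-Security-Policy without `'unsafe-inline'` it is blocked and the bfcache reload silently never happens, which is exactly the stale-nonce case the commit is fixing. Emitting the same JavaScript through `wp_print_inline_script_tag( $js )` lets the `wp_inline_script_attributes` filter attach a CSP nonce and keeps all login-page output going through WordPress's escaping helpers, as the `printf()`/`esc_attr()` line above already does. The reload also deserves a why-comment, since nothing in the hunk says what `event.persisted` guards against; something like `// The page was restored from the back/forward cache; reload so a nonce older than NONCE_TIMEOUT is never submitted.` would do, with a hedge that this complements rather than replaces the no-store header set by add_no_store_to_login().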
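Review bot: `nonce_life_filter( $nonce_lifetime, $action )` gives `$action` no default while the same hunk registers it with `accepted_args` 2; the second argument of the `nonce_life` filter only exists in newer WordPress releases (it was added around 6.1, if I recall), and on an older core WP_Hook passes only the arguments it has, so the callback would fail with an ArgumentCountError before any login nonce is generated or verified. If the package still supports those versions, declare it as `public static function nonce_life_filter( $nonce_lifetime, $action = -1 ): int` so the early return is simply skipped and `-1` matches the docblock's own "none was provided" value. The two new `@param` lines could become native types (`int $nonce_lifetime, string|int $action`) if the package's minimum PHP is 8.0, which I cannot tell from this hunk.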
From: Travis Weston <anubisthejackle@users.noreply.github.com>
Date: Wed, 16 Oct 2024 14:50:17 -0400
Subject: [PATCH 5/7] Add changelog record
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5b1e3ca4..9fa69310 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,12 @@ This library adheres to [Semantic Versioning](https://semver.org/) and [Keep a CHANGELOG](https://keepachangelog.com/en/1.0.0/).
+## Unreleased
+
+### Fixed
+
+* `login_nonce`: Fixed issue where loading cached version of login page would store invalid nonce.
+
 ## 3.4.0
 ### Changed
From 7586c8e4e17e652a16765127a6296f03c56aec24 Mon Sep 17 00:00:00 2001
From: Sean Fisher <srtfisher@gmail.com>
Date: Wed, 16 Oct 2024 16:07:35 -0400
Subject: [PATCH 6/7] Skip core
---
 .github/workflows/all-pr-tests.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/all-pr-tests.yml b/.github/workflows/all-pr-tests.yml
index 8b163f59..9b022a08 100644
--- a/.github/workflows/all-pr-tests.yml
+++ b/.github/workflows/all-pr-tests.yml
@@ -39,6 +39,7 @@ jobs:
 with:
 php-version: '${{ matrix.php }}'
 skip-audit: 'true'
- skip-wordpress-install: 'true'
 wordpress-version: '${{ matrix.wordpress }}'
 wordpress-multisite: '${{ matrix.multisite }}'
+ skip-core-test-suite: 'true'
+ skip-wordpress-install: 'true'
From e89935a73b527476dc98ce6b8f40b25541fbab64 Mon Sep 17 00:00:00 2001
From: Sean Fisher <srtfisher@gmail.com>
Date: Wed, 16 Oct 2024 16:11:28 -0400
Subject: [PATCH 7/7] Testing CI
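Review bot: The new `skip-core-test-suite: 'true'` input carries no comment saying why the WordPress core suite is skipped, and read next to the pre-existing `skip-audit: 'true'` the job now visibly runs neither the core tests nor the dependency audit, so a later maintainer cannot tell whether that coverage was traded away deliberately or by accident. A one-line YAML comment above the new input, e.g. `# Core suite is unrelated to this plugin's tests and is skipped for CI time — confirm`, would record the intent; the `skip-wordpress-install` line is only moved.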