Alert: This function’s access is marked private. This means it is not intended for use by plugin or theme developers, only in other core functions. It is listed here for completeness.
WC_REST_Authentication::check_oauth_timestamp_and_nonce( stdClass $user, int $timestamp, string $nonce )
Verify that the timestamp and nonce provided with the request are valid. This prevents replay attacks where an attacker could attempt to re-send an intercepted request at a later time.
Description
- A timestamp is valid if it is within 15 minutes of now.
- A nonce is valid if it has not been used within the last 15 minutes.
Parameters
- $user (stdClass): (Required) User data.
- $timestamp (int): (Required) The unix timestamp for when the request was made.
- $nonce (string): (Required) A unique (for the given user) 32 alphanumeric string, consumer-generated.
Return
(bool|WP_Error) True if the timestamp and nonce are valid; otherwise a WP_Error with error code 'woocommerce_rest_authentication_error' and HTTP status 401.
Source
File: includes/class-wc-rest-authentication.php
```php
private function check_oauth_timestamp_and_nonce( $user, $timestamp, $nonce ) {
	global $wpdb;

	$valid_window = 15 * 60; // 15 minute window.

	// Reject requests stamped more than 15 minutes in the past or the future.
	if ( ( $timestamp < time() - $valid_window ) || ( $timestamp > time() + $valid_window ) ) {
		return new WP_Error( 'woocommerce_rest_authentication_error', __( 'Invalid timestamp.', 'woocommerce' ), array( 'status' => 401 ) );
	}

	// Nonces already seen for this API key are stored serialized in the nonces column.
	$used_nonces = maybe_unserialize( $user->nonces );

	if ( empty( $used_nonces ) ) {
		$used_nonces = array();
	}

	// A nonce that is still in the store has been used within the window: reject the replay.
	if ( in_array( $nonce, $used_nonces, true ) ) {
		return new WP_Error( 'woocommerce_rest_authentication_error', __( 'Invalid nonce - nonce has already been used.', 'woocommerce' ), array( 'status' => 401 ) );
	}

	// Record the new nonce, keyed by the request timestamp.
	$used_nonces[ $timestamp ] = $nonce;

	// Remove expired nonces.
	foreach ( $used_nonces as $nonce_timestamp => $nonce ) {
		if ( $nonce_timestamp < ( time() - $valid_window ) ) {
			unset( $used_nonces[ $nonce_timestamp ] );
		}
	}

	// Persist the pruned nonce list for this key.
	$used_nonces = maybe_serialize( $used_nonces );

	$wpdb->update(
		$wpdb->prefix . 'woocommerce_api_keys',
		array( 'nonces' => $used_nonces ),
		array( 'key_id' => $user->key_id ),
		array( '%s' ),
		array( '%d' )
	);

	return true;
}
```
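The check above, modelled in Python as an added example (not WooCommerce's own code) so the timestamp window, the per-key nonce store and the pruning step can be exercised against a constructed request sequence; the `now` parameter stands in for PHP's `time()` so the run is deterministic, and the dict mirrors the serialized `nonces` column keyed by request timestamp.

```python
import time

VALID_WINDOW = 15 * 60  # 15 minute window, as in the WooCommerce check


def check_timestamp_and_nonce(used_nonces, timestamp, nonce, now=None):
    """Model of the replay check (added example, not the project's code).

    used_nonces: dict of request timestamp -> nonce for one API key, mirroring
    the serialized 'nonces' column. Returns (ok, reason, updated_store); the
    store is pruned of entries older than the window, as the PHP loop does.
    """
    now = time.time() if now is None else now
    # Reject requests too old or too far in the future (clock skew within the window is tolerated).
    if timestamp < now - VALID_WINDOW or timestamp > now + VALID_WINDOW:
        return False, "Invalid timestamp.", dict(used_nonces)
    # Reject a nonce already recorded for this key (strict value comparison, like in_array(..., true)).
    if nonce in used_nonces.values():
        return False, "Invalid nonce - nonce has already been used.", dict(used_nonces)
    updated = dict(used_nonces)
    updated[timestamp] = nonce
    # Drop entries older than the window so the store does not grow without bound.
    updated = {ts: n for ts, n in updated.items() if ts >= now - VALID_WINDOW}
    return True, "", updated


def simulate():
    """Constructed request sequence against a single API key."""
    now = 1_700_000_000  # constructed reference clock
    store = {}
    results = []
    # 1. Fresh request with a recent timestamp: accepted and recorded.
    ok, _, store = check_timestamp_and_nonce(store, now - 10, "a" * 32, now)
    results.append(ok)
    # 2. The same request re-sent a minute later: the nonce is still stored, so it is rejected.
    ok, reason, store = check_timestamp_and_nonce(store, now - 10, "a" * 32, now + 60)
    results.append((ok, reason))
    # 3. A request stamped 16 minutes in the past: rejected even though its nonce is new.
    ok, reason, store = check_timestamp_and_nonce(store, now - 16 * 60, "b" * 32, now)
    results.append((ok, reason))
    # 4. Twenty minutes on, a new request succeeds and the expired nonce is pruned from the store.
    ok, _, store = check_timestamp_and_nonce(store, now + 20 * 60, "c" * 32, now + 20 * 60)
    results.append((ok, sorted(store.values())))
    return results
```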