Alert: This function’s access is marked private. This means it is not intended for use by plugin or theme developers, only in other core functions. It is listed here for completeness.
WC_API_Authentication::check_oauth_timestamp_and_nonce( array $keys, int $timestamp, string $nonce )
Verify that the timestamp and nonce provided with the request are valid. This prevents replay attacks where an attacker could attempt to re-send an intercepted request at a later time.
Description
- A timestamp is valid if it is within 15 minutes of now
- A nonce is valid if it has not been used within the last 15 minutes
Parameters
- $keys (Required)
- $timestamp (Required) the unix timestamp for when the request was made
- $nonce (Required) a unique (for the given user) 32 alphanumeric string, consumer-generated
Source
File: includes/legacy/api/v2/class-wc-api-authentication.php
```php
private function check_oauth_timestamp_and_nonce( $keys, $timestamp, $nonce ) {
    global $wpdb;

    $valid_window = 15 * 60; // 15 minute window

    if ( ( $timestamp < time() - $valid_window ) || ( $timestamp > time() + $valid_window ) ) {
        throw new Exception( __( 'Invalid timestamp.', 'woocommerce' ), 401 );
    }

    $used_nonces = maybe_unserialize( $keys['nonces'] );

    if ( empty( $used_nonces ) ) {
        $used_nonces = array();
    }

    if ( in_array( $nonce, $used_nonces ) ) {
        throw new Exception( __( 'Invalid nonce - nonce has already been used.', 'woocommerce' ), 401 );
    }

    $used_nonces[ $timestamp ] = $nonce;

    // Remove expired nonces
    foreach ( $used_nonces as $nonce_timestamp => $nonce ) {
        if ( $nonce_timestamp < ( time() - $valid_window ) ) {
            unset( $used_nonces[ $nonce_timestamp ] );
        }
    }

    $used_nonces = maybe_serialize( $used_nonces );

    $wpdb->update(
        $wpdb->prefix . 'woocommerce_api_keys',
        array( 'nonces' => $used_nonces ),
        array( 'key_id' => $keys['key_id'] ),
        array( '%s' ),
        array( '%d' )
    );
}
```
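The two rules from the description, as an added stand-alone example that is not WooCommerce code: it applies the same 15 minute window to a few constructed requests so each accept and reject path can be observed without a WordPress install. `ReplayGuard`, its in-memory store and the injected `$now` clock are assumptions made for illustration; unlike the listing above, the store is keyed by nonce rather than by timestamp.

```php
<?php
// Hypothetical stand-alone guard; WooCommerce keeps this list in the `nonces`
// column of woocommerce_api_keys rather than in memory.
final class ReplayGuard {
    private const VALID_WINDOW = 15 * 60; // 15 minute window, as on this page
    private array $seen = array(); // nonce => timestamp it arrived with

    public function check( int $timestamp, string $nonce, int $now ): void {
        if ( abs( $now - $timestamp ) > self::VALID_WINDOW ) {
            throw new RuntimeException( 'Invalid timestamp.', 401 );
        }
        if ( isset( $this->seen[ $nonce ] ) ) {
            throw new RuntimeException( 'Invalid nonce - nonce has already been used.', 401 );
        }
        // Keyed by nonce, so requests that share a timestamp are all remembered.
        $this->seen[ $nonce ] = $timestamp;
        // Remove expired nonces; a replay that old already fails the timestamp check.
        foreach ( $this->seen as $old_nonce => $old_timestamp ) {
            if ( $old_timestamp < $now - self::VALID_WINDOW ) {
                unset( $this->seen[ $old_nonce ] );
            }
        }
    }
}

// Constructed sample requests ( label, timestamp, nonce ) against a fixed clock.
$now      = 1700000000;
$nonce_a  = bin2hex( random_bytes( 16 ) ); // 32 alphanumeric characters
$nonce_b  = bin2hex( random_bytes( 16 ) );
$requests = array(
    array( 'fresh request', $now - 5, $nonce_a ),
    array( 'same second, new nonce', $now - 5, $nonce_b ),
    array( 'replay of first request', $now - 5, $nonce_a ),
    array( 'stale timestamp', $now - 16 * 60, bin2hex( random_bytes( 16 ) ) ),
    array( 'future timestamp', $now + 16 * 60, bin2hex( random_bytes( 16 ) ) ),
);
$guard = new ReplayGuard();
foreach ( $requests as list( $label, $timestamp, $nonce ) ) {
    try {
        $guard->check( $timestamp, $nonce, $now );
        echo "$label: accepted\n";
    } catch ( RuntimeException $e ) {
        echo "$label: rejected ({$e->getCode()}) {$e->getMessage()}\n";
    }
}
```

The typed property requires PHP 7.4 or later.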