rest_cookie_check_errors() – Checks for errors when using cookie-based authentication.


Description

Checks for errors when using cookie-based authentication.

WordPress' built-in cookie authentication is always active for logged-in users. Because the browser attaches that cookie to every request, the REST API has to check a nonce on each cookie-authenticated request to ensure users are not vulnerable to CSRF.

Usage

$WP_Error|mixed|bool = rest_cookie_check_errors( $result );

Parameters

$result
( WP_Error|mixed ) required – Error from another authentication handler, null if we should handle it, or another value if not.

Returns

WP_Error|mixed|bool – WP_Error if the cookie is invalid, the $result if another authentication handler already set one, otherwise true.

Source

File name: wordpress/wp-includes/rest-api.php
Lines: 1 to 43 of 43
function rest_cookie_check_errors( $result ) {
	// Another handler has already authenticated (or rejected) the request.
	if ( ! empty( $result ) ) {
		return $result;
	}

	global $wp_rest_auth_cookie;

	/*
	 * Is cookie authentication being used? (If we get an auth
	 * error, but we're still logged in, another authentication
	 * must have been used).
	 */
	if ( true !== $wp_rest_auth_cookie && is_user_logged_in() ) {
		return $result;
	}

	// Determine if there is a nonce: query/body parameter first, then the header.
	$nonce = null;

	if ( isset( $_REQUEST['_wpnonce'] ) ) {
		$nonce = $_REQUEST['_wpnonce'];
	} elseif ( isset( $_SERVER['HTTP_X_WP_NONCE'] ) ) {
		$nonce = $_SERVER['HTTP_X_WP_NONCE'];
	}

	if ( null === $nonce ) {
		// No nonce at all, so act as if it's an unauthenticated request.
		wp_set_current_user( 0 );
		return true;
	}

	// Check the nonce against the 'wp_rest' action.
	$result = wp_verify_nonce( $nonce, 'wp_rest' );

	if ( ! $result ) {
		return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie check failed' ), array( 'status' => 403 ) );
	}

	// Send a refreshed nonce in header.
	rest_get_server()->send_header( 'X-WP-Nonce', wp_create_nonce( 'wp_rest' ) );

	return true;
}
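The three outcomes of the function above (no nonce → request runs as user 0, bad nonce → 403 `rest_cookie_invalid_nonce`, good nonce → response carries a refreshed `X-WP-Nonce`) define the protocol a browser client has to follow. The following is an added example, not WordPress core code: a small client that sends the `wp_rest` nonce in the `X-WP-Nonce` header and rotates it from the response, exercised against a mocked `fetch` that mimics the server-side decision tree. It assumes the initial nonce was injected into the page by the server (for example via `wp_localize_script()`); the mock's response bodies, the `rest_not_logged_in` 401 for the anonymous case, and the distinct `nonce-N` tokens are constructed for the demonstration (real nonces are deterministic per user, action and time tick).

```javascript
// Added example: client side of the nonce protocol enforced by rest_cookie_check_errors().
// Not part of WordPress core.

class WpRestClient {
  constructor(root, nonce, fetchImpl = globalThis.fetch) {
    this.root = root;          // e.g. https://example.test/wp-json (assumed)
    this.nonce = nonce;        // assumed to be injected server-side, e.g. via wp_localize_script()
    this.fetch = fetchImpl;
  }

  // The cookie proves identity; the nonce header proves the request came from our page.
  headersFor() {
    const headers = { 'Content-Type': 'application/json' };
    if (this.nonce) headers['X-WP-Nonce'] = this.nonce;
    return headers;
  }

  async request(path, { method = 'GET', body } = {}) {
    const res = await this.fetch(this.root + path, {
      method,
      credentials: 'same-origin', // send the auth cookie
      headers: this.headersFor(),
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    // Server sends a refreshed nonce on every successful cookie-authenticated call; adopt it.
    const refreshed = res.headers.get('X-WP-Nonce');
    if (refreshed) this.nonce = refreshed;
    const data = await res.json();
    if (res.status === 403 && data && data.code === 'rest_cookie_invalid_nonce') {
      // Nonce expired or was forged: the page must obtain a fresh one (reload), not retry blindly.
      throw new Error('nonce rejected: reload the page to obtain a fresh wp_rest nonce');
    }
    return { status: res.status, data };
  }
}

// Constructed mock of the server-side behaviour (simplified; not WordPress code).
function makeFakeWordPress(initialNonce) {
  const valid = new Set([initialNonce]);
  let counter = 0;
  const reply = (status, data, headers = {}) => ({
    status,
    headers: new Map(Object.entries(headers)), // real Headers are case-insensitive; Map is not
    json: async () => data,
  });
  return async function fakeFetch(url, init = {}) {
    const nonce = (init.headers || {})['X-WP-Nonce'];
    if (nonce === undefined) {
      // No nonce: wp_set_current_user(0), so a protected route sees an anonymous user.
      return reply(401, { code: 'rest_not_logged_in', message: 'You are not currently logged in.', data: { status: 401 } });
    }
    if (!valid.has(nonce)) {
      return reply(403, { code: 'rest_cookie_invalid_nonce', message: 'Cookie check failed', data: { status: 403 } });
    }
    const fresh = `nonce-${++counter}`; // distinct token so rotation is observable
    valid.add(fresh);
    return reply(200, { id: 1, slug: 'admin' }, { 'X-WP-Nonce': fresh });
  };
}

// Walks through all three outcomes and returns what each produced.
async function runScenario() {
  const fetchImpl = makeFakeWordPress('nonce-0');
  const root = 'https://example.test/wp-json';

  const good = new WpRestClient(root, 'nonce-0', fetchImpl);
  const ok = await good.request('/wp/v2/users/me');
  const rotatedNonce = good.nonce;

  const anonymous = new WpRestClient(root, null, fetchImpl);
  const anon = await anonymous.request('/wp/v2/users/me');

  const forged = new WpRestClient(root, 'not-a-real-nonce', fetchImpl);
  let rejected = null;
  try {
    await forged.request('/wp/v2/users/me', { method: 'POST', body: { name: 'x' } });
  } catch (e) {
    rejected = e.message;
  }

  return { okStatus: ok.status, rotatedNonce, anonStatus: anon.status, anonCode: anon.data.code, rejected };
}

if (typeof require !== 'undefined' && require.main === module) {
  runScenario().then((r) => console.log(r));
}
```

The design choice worth noting is the `credentials: 'same-origin'` plus header pairing: the cookie alone would be sent by any cross-site form or script, which is exactly the CSRF case the nonce check exists to stop, so a client that forgets the header is correctly downgraded to an anonymous user rather than silently acting as the logged-in one.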