Nonces and Ajax request to REST API and verification

For restricting access to your REST API endpoint, you can use the permission_callback parameter like so:

register_rest_route( 'rw-user/v1', '/log-out', array(
    'methods'             => 'POST',
    'callback'            => 'ajax_logout',
    'permission_callback' => function () {
        return current_user_can( 'read' );
    },
) );

And that will require the current user to be logged into WordPress and also the REST API in order to access the endpoint at example.com/wp-json/rw-user/v1/log-out.

So, if the endpoint is already doing the verification, surely it should fail if no nonce is present?

Yes. However,

If I don’t pass the nonce header, it doesn’t check the nonce, yet still runs the function…

That’s because the endpoint’s callback is always called once the permissions callback returns a true — and note that, in WordPress 5.5 and later, you should always set the callback — you can use __return_true to allow all access to the endpoint. E.g.

register_rest_route( 'rw-user/v1', '/log-in', array(
    'methods'             => 'POST',
    'callback'            => 'ajax_login',
    'permission_callback' => '__return_true',
) );

I can see the new nonce returned in my console… I used it to update the header in my next request – but the nonce fails despite being new?

It’s probably because you’re not sending the correct nonce.

  • The nonce action for authenticating the current user is wp_rest, so you should use wp_create_nonce( 'wp_rest' ) when generating the (new) nonce.

  • And be sure to send the nonce via either the X-WP-Nonce header (preferred) or the _wpnonce data parameter (which is not bad, but not very reliable).

So regarding that “do not need to verify“, it’s only true for the wp_rest nonce (i.e. the default cookie-based authentication). All other nonces, should there be any, need to be verified manually.

Related Posts:

  1. How to get a unique nonce for each Ajax request?
  2. Nonces and Cache
  3. Is it safe to assume that a nonce may be validated more than once?
  4. Multiple ajax nonce requests
  5. Using Nonces for AJAX that only retrieves data
  6. How to verify nonce from Bulk/Quick Edit in save_post?
  7. How to add WordPress nonces to ajax request
  8. Ajax function returns -1
  9. Serving nonces through AJAX is not refreshing nonce, returning 403 error
  10. wp_verify_nonce always returns false when logged in as admin
  11. ajax and nonce when JavaScript is in a seperate file
  12. wp_verify_nonce doesn’t return true on server when it matches the nonce
  13. AJAX requests broken due to HTTPS for wp-admin
  14. Nonces, AJAX, script variables & security in WordPress
  15. Why does WordPress Heartbeat login not refresh the nonces?
  16. wp-admin AJAX with Fetch API is done without user
  17. How do I check if AJAX nonces are implemented correctly?
  18. How to check an ajax nonce in PHP
  19. Can a wp_nonce created from domain 1 to be verified on domain 2?
  20. how to send Ajax request in wordpress backend
  21. Identical wp_rest nonce returned from rest_api
  22. WP Admin AJAX Security – using POST to include a relative URL
  23. wp_create_nonce() in REST API makes user->ID zero
  24. ajax nonce verification failing
  25. SSO autologin WordPress + Ajax
  26. Nonce fails on ajax save
  27. Unable to successfully verify nonce
  28. Cache plugins and ajax nonce verification
  29. Nonce doesn’t validate in nopriv call
  30. Why does check_ajax_referer give a 403 error on https websites?
  31. WordPress is creating nonce as a logged in user but verifying it incorrectly
  32. javascript ajax and nonce
  33. How to check nonce lifetime value of plugins?
  34. Using nonce when loading posts with AJAX
  35. Should wordpress nonce be placed in html form or in javascript file
  36. wp_verify_nonce not working on the mobile device
  37. How do I mitigate replay attacks when talking about actions that shouldn’t happen twice?
  38. AJAX form not working, still reloads on submit
  39. Ajax Security regarding user priviliges and nonces
  40. How to use nonces for frontend AJAX voting if the page gets cached?
  41. WordPress wp_localize_script nonce and ajax URL
  42. Nonces can be reused multiple times? Bug / Security issue?
  43. gettext does not translate when called in ajax
  44. Execute one AJAX request after another AJAX request finished
  45. Ajax and autocomplete
  46. Load tinyMCE / wp_editor() via AJAX [duplicate]
  47. How to correctly load wordpress in a non WP script for AJAX request
  48. Dynamically changing navigation links (next and previous) via AJAX
  49. how to use reCaptcha v3 in wordpress custom login form?
  50. AJAX action not triggering PHP function
  51. add_action and Ajax
  52. Help with AJAX front end comment moderation
  53. wp_verify_nonce not working
  54. Enqueue script in header
  55. wp_ajax_nopriv_xxx is not firing on one site, works on all others. -1 for logged out users
  56. Ajax Modal Flickers When Opened Multiple Times
  57. Increased CPU load due to admin-ajax.php spam
  58. Can’t get result from sql using ajax result
  59. Theme Customizer – Conditional Controls
  60. Edit a different page in WP Customizer
  61. WordPress AJAX – how to return true or false in the callback function
  62. WordPress Ajax POST Error 403 admin-ajax.php
  63. Pass additional parameter with async upload
  64. AJAX request randomly stop working and returns error 400
  65. WordPress search results with Ajax, get_post_type() not working
  66. Audio TAG Not using MediaElement When Page is loaded through ajax
  67. Best way to use ajax front-end?
  68. Ajax calls from the theme directory
  69. How to pass parameters from jQuery ajax into PHP function?
  70. ajax is returning 0
  71. How to add ajax url to js using wp_add_inline_script()?
  72. use jQuery.load() to include a php file in a div, wp_query() is part of php file
  73. WP AJAX post filter > do something with empty value
  74. How to jQuery Ajax show new data from successful insert?
  75. Redirect after saving form; and yet use wp_die()
  76. ajaxt returning object object [closed]
  77. Load more posts (Ajax) in tabbed sidebar on single.php
  78. Something strange with ajax
  79. Why is the file not uploading to the server?
  80. Get localize of a loaded javascript
  81. REST public POST giving 403 forbidden nginx
  82. Query data after an Ajax insert
  83. How to get next and previous post into ajax formed modal windows?
  84. Content including hooks inside wp-settings.php are being called twice in WordPress
  85. Problem when sending file via ajax
  86. JS global variable doesn’t update
  87. 404 error custom post type rest api
  88. Change button text after ajax db update
  89. Jquery wrap permalink in a data-attribute?
  90. How do I display posts of a specific day?
  91. Load .php file into div using ajax
  92. Native WordPress Video Shortcode Not Working After Post is Loaded via Ajax
  93. Ajax Function call is always returning 0 in front end(without plugin) [closed]
  94. Using AJAX for dynamic settings pages
  95. Speeding up admin-ajax.php
  96. admin ajax is not working for non logged in users
  97. wp_localize_script not create variable in head section
  98. AJAX admin Internal 500 error Failed to Upload
  99. Class property not visible inside ajax callback function?
  100. Run PHPMailer function after ajax function completes that adds row to custom table

Leave a Comment