This package consists of classes that implement the following WordPress nonce functions in an object-oriented way:
- wp_create_nonce()
- wp_verify_nonce()
- wp_nonce_field()
- wp_nonce_url()
To develop this solution, the basic working of the WordPress nonce functions, their declaration and their usage was studied. The next step was to recreate the same behaviour outside of WordPress without using any of its built-in functions.
The functionality is described by the NonceInterface interface, which is implemented by the abstract class NonceAbstract. Each of the WordPress functions listed above is implemented by a class that extends NonceAbstract. The classes are as follows:
- NonceGenerate - generates the nonce value and mimics wp_create_nonce()
- NonceURL - generates a URL carrying the nonce value and mimics wp_nonce_url()
- NonceField - generates the hidden form fields carrying the nonce value and mimics wp_nonce_field()
- NonceValidate - validates a generated nonce and mimics wp_verify_nonce()
The test cases for each class:
- NonceGenerateTest
- NonceUrlTest
- NonceFieldTest
- NonceValidateTest
This library is distributed as a Composer package and is installed with:
composer.phar install
This library is developed with PHP 7.3.8.
The Inpsyde PHP Codex has been followed.
Limitation
Certain return types could not be used for methods, because the codex reports:
"void return type is not present in PHP version 7.0 or earlier", "Nullable return types are not supported in PHP 7.0 or earlier. :?string"
Test cases have been written with PHPUnit for each piece of functionality. They can be executed using the phpunit.xml file as follows:
phpunit --configuration phpunit.xml
The nonce creation functionality provided by wp_create_nonce() is implemented in the NonceGenerate class. The action performed by the user is taken as an argument and a nonce is generated from it. For this project, nonce generation is replicated by computing an MD5 hash of the nonce action. If no name for the nonce is given, the default name '_wpnonce' is used.
Limitation
The time frame or lifetime of a nonce is not implemented, so a generated nonce never expires.
Nonce generation is provided by NonceGenerate.php:
$nonce_obj = new NonceGenerate($nonceName,$nonceAction,null);
$nonce_obj->generateNonce();
The test cases for nonce generation are provided in NonceGenerateTest.php.
The method takes two arguments:
1. wpReferrer - a boolean that indicates whether the referrer URL needs to be appended
2. wpEcho - a boolean that indicates whether the form fields need to be printed
The nonce name and the user action are taken, and the method generates hidden input fields and appends the nonce value of the action. A sample referrer is used, because the actual referrer URL cannot be obtained outside WordPress. If no name for the nonce is given, the default name '_wpnonce' is used.
To generate the form fields, NonceField.php is used:
$nonce_obj = new NonceField($nonceName,$nonceAction,null);
$nonce_obj->generateNonceField($wpReferrer,$wpEcho);
The test cases for nonce form field generation are provided in NonceFieldTest.php.
The method takes a user-provided URL, generates the nonce value for the action and appends it to the URL as a query parameter. The default name '_wpnonce' is used.
To generate the URL, NonceUrl.php is used:
$nonce_obj = new NonceUrl(null, $nonceAction, null);
$nonce_obj->generateNonceUrl($nonceUrl);
The test cases for nonce URL generation are provided in NonceURLTest.php.
This method takes a nonce value and validates it. The nonce object is set up with the nonce action and the nonce value to be validated. It then regenerates the nonce value of the given action using the MD5 hash function and compares it with the given nonce value.
Limitation
Only basic validation is done, assuming that the scope of this assignment is limited.
To validate the nonce, NonceValidate.php is used:
$nonce_obj = new NonceValidate(null, $nonceAction, $nonceValueToBeChecked);
$nonce_obj->checkIfValid();
The test cases for nonce validation are provided in NonceValidateTest.php.
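The following stand-alone script is an added example, not code from this package: it shows the package's scheme (an MD5 of the action, regenerated and compared on validation) next to a keyed, time-limited scheme modelled on how WordPress itself derives nonces, which addresses the lifetime limitation noted above. The function names, the secret, the user id and the session value are this example's own constructions.

```php
<?php
declare(strict_types=1);

// Package-style nonce as described above: MD5 of the action, no secret, no expiry.
function basicNonce(string $action): string
{
    return md5($action);
}

function basicNonceValid(string $action, string $nonce): bool
{
    return hash_equals(basicNonce($action), $nonce); // constant-time comparison
}

// Keyed nonce (this example's own, modelled on WordPress): HMAC over
// tick|action|user|session with a server secret. A tick is half of NONCE_LIFE,
// and a nonce is accepted for the current tick and the previous one.
const NONCE_LIFE = 24 * 3600;

function nonceTick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function keyedNonce(string $secret, string $action, int $userId, string $session, int $tick): string
{
    $mac = hash_hmac('sha256', $tick . '|' . $action . '|' . $userId . '|' . $session, $secret);
    return substr($mac, -12, 10); // short, URL-friendly token
}

// Returns 1 for the current window, 2 for the previous one, 0 if unknown or expired.
function keyedNonceValid(string $secret, string $action, int $userId, string $session, string $nonce, int $now): int
{
    $tick = nonceTick($now);
    if (hash_equals(keyedNonce($secret, $action, $userId, $session, $tick), $nonce)) {
        return 1;
    }
    if (hash_equals(keyedNonce($secret, $action, $userId, $session, $tick - 1), $nonce)) {
        return 2;
    }
    return 0;
}

// Constructed usage: carry the nonce in a URL, read it back and validate it.
$action = 'delete-post_42';
$url = 'https://example.test/delete?post=42&_wpnonce=' . basicNonce($action);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
var_dump(basicNonceValid($action, $query['_wpnonce']));
// With the keyed scheme the same nonce is only accepted inside its lifetime.
$secret = 'constructed-server-secret'; $now = time();
$keyed = keyedNonce($secret, $action, 7, 'constructed-session', nonceTick($now));
var_dump(keyedNonceValid($secret, $action, 7, 'constructed-session', $keyed, $now));
var_dump(keyedNonceValid($secret, $action, 7, 'constructed-session', $keyed, $now + 2 * NONCE_LIFE));
```

Because the package's nonce is a deterministic hash of the action alone, any party that knows the action name can reproduce it; binding the value to a secret, a user and a time window is what gives a nonce its replay and cross-user protection.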
This library comes with unit tests for PHPUnit version 8.3.4. The tests use the PSR-4 autoloader generated by Composer.
This library is licensed under the terms of the GPLv2 license.