API: Switch site frame nonce to user+site value

[mmtr]

Changes proposed in this Pull Request:

On D27129-code we're changing the way the frame nonces are generated to use both the user ID and site ID.

Since that will be an breaking change for the API (p7jreA-2hw-p2), we need to version the /sites/:site endpoint (which is where the frame nonces are serialized) in order to keep using the nonce generated from only the site ID on the existing versions (1.0 and 1.2) and switch to the user+site value on the new version (1.3).

Given Fusion is not able to apply these changes automatically, this will also need a diff in WP.com: D27153-code

Testing instructions:

• Make an authenticated call to https://public-api.wordpress.com/rest/v1.2/me/sites?site_visibility=all&include_domain_only=true&site_activity=active&fields=ID,URL,options&options=frame_nonce_site_only,frame_nonce.
• Verify that both frame_nonce and frame_nonce_site_only are returned with the same value for all WP.com and JP sites.
• Make an authenticated call to https://public-api.wordpress.com/rest/v1.3/me/sites?site_visibility=all&include_domain_only=true&site_activity=active&fields=ID,URL,options&options=frame_nonce_site_only,frame_nonce.
• For JP sites, check that frame_nonce has a different value now but frame_nonce_site_only still have the same value as before. For WP.com sites, both frame_nonce and frame_nonce_site_only still have the same value as before.

Repeat steps but replacing the API calls from /me/sites to /sites/<SITE_SLUG_OR_ID>.

Proposed changelog entry for your changes:

WPCOM API: Switch site frame nonces to new user and site specific values.

[jetpackbot]

	Warnings
⚠️	Consider adding new PHP files to PHPCS whitelist for automatic linting: json-endpoints/class.wpcom-json-api-get-site-v1-3-endpoint.php

This is an automated check which relies on PULL_REQUEST_TEMPLATE. We encourage you to follow that template as it helps Jetpack maintainers do their job. If you think 'Testing instructions' or 'Proposed changelog entry' are not needed for your PR - please explain why you think so. Thanks for cooperation 🤖

Generated by 🚫 dangerJS against 927a28f

[mdawaffe]

nonces are generated to use both the user ID and site ID.

Why is this a breaking change in the API? Has Jetpack ever used the previous form of frame nonces?

[mmtr]

nonces are generated to use both the user ID and site ID.

Why is this a breaking change in the API? Has Jetpack ever used the previous form of frame nonces?

It will affect the WordPress.com desktop and mobile apps as they use the old site-specific nonces for previewing posts.

Actually, we already deployed this change without versioning the API and had to revert it when we realized that the post previews were not working on those apps (p7jreA-2hw-p2).

[kwight]

@jeherve Would you or someone else mind a final look at this? This PR will bring JP back into sync with recent work on the WP.com side.

• D26952-code
• D26953-code
• D26956-code
• D27153-code

[obenland]

@Automattic/jetpack-crew When one of you gets a chance, would you mind ✅ this PR to help unblock us from posting a Call for Testing?

[jeherve]

This seems to work well in my tests. Merge when ready 👍