fix: understanding nonce

openedx · Jan 29, 2024 · 18677b7 · 18677b7
1 parent 379aa87
commit 18677b7
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/admin/views/class-openedx-commerce-settings.php b/admin/views/class-openedx-commerce-settings.php
@@ -149,7 +149,13 @@ public function openedx_settings_init() {
 			'sanitize_text_field'
 		);
 
-		if ( wp_verify_nonce( isset( $_POST['generate_new_token'] ), 'openedx_commerce_new_token' ) ) {
+		if ( ! isset( $_POST['openedx_commerce_new_token'] ) ||
+			! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['openedx_commerce_new_token'] ) ), plugin_basename( __FILE__ ) )
+		) {
+			return;
+		}
+
+		if ( isset( $_POST['generate_new_token'] ) ) {
 			$this->set_new_token();
 		}
 
@@ -188,7 +194,6 @@ public function set_new_token() {
 			$exp_date->add( new DateInterval( 'PT' . $exp_time . 'S' ) );
 			update_option( 'openedx-token-expiration-overlap', $exp_date );
 
-			$nonce = wp_create_nonce( 'openedx_commerce_new_token' );
 			update_option( 'openedx-jwt-token', $response_data['access_token'] );
 
 			set_transient( 'openedx_success_message', 'Token generated', 10 );
@@ -285,10 +290,11 @@ public function openedx_jwt_token_callback() {
 			$masked_value = '';
 		}
 
+		wp_nonce_field( plugin_basename( __FILE__ ), 'openedx_commerce_new_token' );
+
 		?>
 
 		<div class="openedx-jwt-token-wrapper">
-			<input type="hidden" name="openedx_commerce_new_token" value="<?php echo esc_attr( $nonce ); ?>">
 
 			<input class="setting_input" class="openedx-jwt-token-input" type="text" name="openedx-jwt-token" id="openedx-jwt-token"
 				value="<?php echo esc_attr( $value ); ?>" hidden/>