I have a two step process when loggin in a user with a client app to the WordPress site
1st Step : Client app calls the API url of the WordPress site, it creates a nonce and returns the nonce token to the app.
$nonce = wp_create_nonce("my-action");
2nd Step : Client app loads the WordPress site using a Web view with a GET request including the nonce in a GET parameter. Then verifies the nonce.
wp_verify_nonce( $_GET['token'], 'my-action' );
I simulated this, with Postman and desktop browser. But nonce cannot be verified. It always fails.
This is where I create nonce
if(username_exists($username)){
$user = get_user_by('login', $username );
$result['status'] = "already_registered";
$token = sha1(date('H:i'));
$result['token'] = $token;
$result['nonce'] = wp_create_nonce("my-action");
return $result;
}
This is where I check nonce...
function userAuth(){
echo $_GET['token'];
$nonce = wp_verify_nonce( $_GET['token'], 'my-action' );
//Do more things based on above verification
}
Any idea what's wrong ?
I had the situation when wp_verify_nonce() on my live server WP site never returned true. And at the same time the site's copy (identical code) on my stage server validated this to true all the time.
Issue was the same page with the form comprising the nonce was opened twice (in different Chrome windows) from the same live site URL. The second copy of the page was opened much later then the first (say 15 mins later). And I forgot about the first one being opened (that had generated the different nonce as being tied to the earlier time), trying to get the younger page form nonce verified with no success.
The reason was wp_verify_nonce() compared the younger page nonce with the older one somehow.
I.e. wp_create_nonce(), I repeated on my backend to test the issue, gave me two non-identical nonces. The one in the hidden form field that I sent via AJAX and the different one in my server AJAX handler next to the wp_verify_nonce() check line. The multiple Ctrl-F5 + opened Chrome Dev Tools network with cache disabled had no effect. Nonces were different.
As soon as I closed the older page and cleared the cache for the new page the nonce verified to true.