Include REST API nonce in URL Metric storage requests when the user i…

…s logged-in
WordPress · Jan 30, 2025 · 9f89cd4 · 9f89cd4
1 parent 85ce02b
commit 9f89cd4
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 5 deletions.
diff --git a/plugins/optimization-detective/detect.js b/plugins/optimization-detective/detect.js
@@ -253,6 +253,7 @@ function extendElementData( xpath, properties ) {
  * @param {number}                 args.maxViewportAspectRatio     Maximum aspect ratio allowed for the viewport.
  * @param {boolean}                args.isDebug                    Whether to show debug messages.
  * @param {string}                 args.restApiEndpoint            URL for where to send the detection data.
+ * @param {string}                 [args.restApiNonce]             Nonce for the REST API when the user is logged-in.
  * @param {string}                 args.currentETag                Current ETag.
  * @param {string}                 args.currentUrl                 Current URL.
  * @param {string}                 args.urlMetricSlug              Slug for URL Metric.
@@ -269,6 +270,7 @@ export default async function detect( {
 	isDebug,
 	extensionModuleUrls,
 	restApiEndpoint,
+	restApiNonce,
 	currentETag,
 	currentUrl,
 	urlMetricSlug,
@@ -664,6 +666,9 @@ export default async function detect( {
 	}
 
 	const url = new URL( restApiEndpoint );
+	if ( typeof restApiNonce === 'string' ) {
+		url.searchParams.set( '_wpnonce', restApiNonce );
+	}
 	url.searchParams.set( 'slug', urlMetricSlug );
 	url.searchParams.set( 'current_etag', currentETag );
 	if ( typeof cachePurgePostId === 'number' ) {

diff --git a/plugins/optimization-detective/detection.php b/plugins/optimization-detective/detection.php
@@ -137,6 +137,9 @@ static function ( OD_URL_Metric_Group $group ): array {
 		'storageLockTTL'         => OD_Storage_Lock::get_ttl(),
 		'webVitalsLibrarySrc'    => $web_vitals_lib_src,
 	);
+	if ( is_user_logged_in() ) {
+		$detect_args['restApiNonce'] = wp_create_nonce( 'wp_rest' );
+	}
 	if ( WP_DEBUG ) {
 		$detect_args['urlMetricGroupCollection'] = $group_collection;
 	}

diff --git a/plugins/optimization-detective/docs/hooks.md b/plugins/optimization-detective/docs/hooks.md
@@ -102,7 +102,7 @@ add_filter( 'od_url_metrics_breakpoint_sample_size', function (): int {
 } );
 ```
 
-### Filter: `od_url_metric_storage_lock_ttl` (default: 60 seconds, except 0 for admins)
+### Filter: `od_url_metric_storage_lock_ttl` (default: 60 seconds, except 0 for authorized logged-in users)
 
 Filters how long the current IP is locked from submitting another URL metric storage REST API request.
 
@@ -114,7 +114,7 @@ add_filter( 'od_metrics_storage_lock_ttl', function ( int $ttl ): int {
 } );
 ```
 
-By default, the TTL is zero (0) for administrator users and sixty (60) for everyone else. Whether the current user is an administrator is determined by whether the user has the `od_store_url_metric_now` capability. This meta capability by default maps to the `manage_options` capability via the `map_meta_cap` filter.
+By default, the TTL is zero (0) for authorized users and sixty (60) for everyone else. Whether the current user is authorized is determined by whether the user has the `od_store_url_metric_now` capability. This meta capability by default maps to the `manage_options` primitive capability via the `map_meta_cap` filter.
 
 During development this is useful to set to zero so you can quickly collect new URL Metrics by reloading the page without having to wait for the storage lock to release:
 

diff --git a/plugins/optimization-detective/storage/class-od-storage-lock.php b/plugins/optimization-detective/storage/class-od-storage-lock.php
@@ -84,9 +84,9 @@ public static function get_ttl(): int {
 		 *         return is_user_logged_in() ? 0 : $ttl;
 		 *     } );
 		 *
-		 * By default, the TTL is zero (0) for administrator users and sixty (60) for everyone else. Whether the current
-		 * user is an administrator is determined by whether the user has the `od_store_url_metric_now` capability. This
-		 * meta capability by default maps to the `manage_options` capability via the `map_meta_cap` filter.
+		 * By default, the TTL is zero (0) for authorized users and sixty (60) for everyone else. Whether the current
+		 * user is authorized is determined by whether the user has the `od_store_url_metric_now` capability. This
+		 * meta capability by default maps to the `manage_options` primitive capability via the `map_meta_cap` filter.
 		 *
 		 * @since 0.1.0
 		 * @since 1.0.0 This now defaults to zero (0) for administrator users.

diff --git a/plugins/optimization-detective/tests/test-detection.php b/plugins/optimization-detective/tests/test-detection.php
@@ -210,5 +210,10 @@ public function test_od_get_detection_script_returns_script( Closure $set_up, ar
 		$this->assertStringContainsString( '"minimumViewportWidth":601', $script );
 		$this->assertStringContainsString( '"minimumViewportWidth":783', $script );
 		$this->assertStringContainsString( '"complete":false', $script );
+		if ( is_user_logged_in() ) {
+			$this->assertStringContainsString( '"restApiNonce":', $script );
+		} else {
+			$this->assertStringNotContainsString( '"restApiNonce":', $script );
+		}
 	}
 }