Support » Developing with WordPress » WP / Angular : Nonce incorrect on first load

Viewing 10 replies - 1 through 10 (of 10 total)
  • Moderator bcworkz


    All things being equal, the nonce should not change on reload. The only thing that’s possibly not equal is the user login state. It appears the user should be already logged in on the initial request, but the nonce changing indicates this is not true.

    Try using the ‘nonce_user_logged_out’ filter to always return the visitor user ID. As this filter only fires when no one is logged in, it should be OK to let it apply in all cases. In this case, the generated nonce should be the same whether the visitor user is actually logged in or not.

    All untested, but it’s the best explanation that I can see.

    Thank you very much for your logic reply.
    I understand now that the initial login was not working properly, or happening too late, anyway it needed another reload to be strong enough to generate a working nonce.

    Is there a solution out there to automatically shadowlogin ‘visitor’ properly if no one is logged in yet ? I guess if i solve this, my first wp_create_nonce will be working.

    I’ve looked into the nonce_user_logged_out filter, but do not understand how to make it work & send a solid nonce to js variable… That is why I’m thinking i should better make a solid shadowlogin first.

    … I’ve been spending weeks to understand how to allow any visitor to post stuff with $http, came to the conclusion that i needed that visitor to be logged in first… I’m very close to make it work, I’m on one reload away :)…

    If you don’t have time for this, please let me know if i should have another way of seeing it.

    Thank you,


    • This reply was modified 3 years, 2 months ago by joDelicious.
    • This reply was modified 3 years, 2 months ago by joDelicious.
    • This reply was modified 3 years, 2 months ago by joDelicious.
    Moderator bcworkz


    Use the filter by adding the following to functions.php. Use the actual “visitor” user ID in place of VISITOR.
    add_filter('nonce_user_logged_out', function($id){ return VISITOR; });

    With this in place, you existing code should be using the proper nonce on initial load. wp_verify_nonce() uses the same filter, so it all should work out. That’s the theory anyway, I’ve not tested this myself.

    In general, to auto login a visitor, I don’t see a viable alternative to what you’ve already done. However, to post specific content does not necessarily require the user be logged in. A custom handler for requests sent to admin-ajax.php or admin-post.php can insert new posts or whatever without the user being logged in.

    Either way, open posting strikes me as a really bad idea. I think you will open up the site to all manner of undesirable content by doing this. At a minimum, you should handle submissions as WP comments usually are. Strip out all advanced HTML tags, limit the number of links, blacklist certain terms, use flood prevention measures, require a valid, non-disposable email and other spam prevention measures, etc. And yes, the form still requires a nonce, but by not attempting a login, the nonce should be produced consistently from the start even without the above filter.

    Thanx again for your reply.

    Adding the filter with the correct user ID does not make the system work any better.

    Anyway it looks that I’m working the wrong way…
    I should focus on uphill problems: Angular $http posting is working great when logged in, but is always giving me a 401 Unauthorized response / “rest_cannot_create” when not logged in.

    It’s crazy how much I’ve tried unlogged posting with the Rest Api without success…

    There is a big lack of documentation / examples about it. The example on WP Rest Api Documentation using jQuery/AJAX is not working when not logged in, and overall very limited.

    Cheerz anyway…

    • This reply was modified 3 years, 2 months ago by joDelicious.
    Moderator bcworkz


    Well, phooey! I guess there’s something about the sequence of events not making sense to me. If you want to continue with the REST API approach, all I can suggest is using one of the authentication plugins so the user needing to be logged in does not matter. Unfortunately, as you’ve observed, the API documentation right now is barely adequate, if even that. It means making serious use of the API requires a good RESTful experience base picked up elsewhere.

    While RESTful coding is an important skill to develop, since your app comes from the same server as WP, it’s not a necessary interface. As I mentioned earlier, custom coding an AJAX or admin-post handler could be more fruitful than figuring out REST, assuming you have some modest PHP skills. Admin-post is not very well documented, but it’s fairly simple. AJAX is more complex, but better documented.

    Which ever way you decide to go, best of luck to you!

    🙂 Thank you.

    … I’m pretty stuck on this project as it is all written in Angular / Ui-router, etc… So I would need to convert it to php to try something else than the REST approach… Or I’m missing something.

    WordPress is very weak by not giving a full solution with authentication for its REST… All solutions (OAuth, JWT… are never straight forward, I never had success with them)

    Anyway thanx again for your generosity.


    • This reply was modified 3 years, 2 months ago by joDelicious.
    Moderator bcworkz


    Yeah, I think you’re missing something. While I’m not familiar with Angular, I do understand its basic purpose. Adapting it to AJAX or admin-post would only take some minor adjustments on the Angular side. The PHP comes in to replace what the REST API does for you. While replacing an API sounds ominous, you only need to address the functionality you need, the rest doesn’t matter. While the API goes through great lengths to be RESTful, your custom PHP does not need to conform to anything but basic PHP syntax. Do whatever is needed to get the task done and no more. It doesn’t have to be pretty, it just needs to work.

    It’s not my intention to talk you into a task that is alien to you. I’m just offering alternatives. It sounds like REST is already alien enough, so you’d be trading one alien for another. At least AJAX and procedural PHP has some decent documentation.

    🙂 I understand, especially when you use the ‘alien’ word.

    Basically these last years I’ve been into 3 steps in terms of workflow :
    1. WP PHP & jQuery (only once php ajax, big headache at that time)
    2. WP PHP for back-end but only theme/index.php on the front, and Angular/UI-Router for everything front.
    3. Full WP PHP + Angular but with no ng-routing/templates, only used as monster-jQuery, which is the best/fastest of both world, as it avoids the server rendering issue which leads to SEO problems.

    So I’m using the WpRestApi since step 2, but always for GETs, and always with what it provides as default (except for menus & advanced wpml relations, which required additional plug-ins). So I’ve never code any additional endpoints nor specific permissions.

    For the record the specific project I need POSTing was built on step2, that is why i cannot use something else than the Rest for Ajax calls (if I’m not mistaken), or i would need to refactor it to step3.

    Now it seems there is 4 possible roads to solve my issue :
    A. GhostLogin of ‘visitor’: Still a problem to make it work, and looks like unsafe road.
    B. Find an authentication solution that finally works (not too excited, so much time in the bin already, i hope WP will finally provide a package solution)
    C. Extend the WP RestApi with some endpoints & permissions (I might have found someone ready to write it)
    D. Convert the project to step3 and work with PHP AJAX.

    I find the WP Rest Api very easy to use, so i tend to road C, which from my point of view is more future friendly than PHP AJAX, yet it will need PHP coding to extend the rest.

    I’ll let you know what happens.
    Thank you very much for your input.

    • This reply was modified 3 years, 2 months ago by joDelicious.
    • This reply was modified 3 years, 2 months ago by joDelicious.
    • This reply was modified 3 years, 2 months ago by joDelicious.
    • This reply was modified 3 years, 2 months ago by joDelicious.
    • This reply was modified 3 years, 2 months ago by joDelicious.

    Bingo with road B, finally !!

    I’ve answered my question here

    Best regards…

    Moderator bcworkz


    Awesome! That really is the best solution, provided you can get it to work. Which you did 🙂

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘WP / Angular : Nonce incorrect on first load’ is closed to new replies.