Inconsistency in expiry #179

@karthikeya-io

Issues

  • Inconsistent preview link expiry.
  • This inconsistency becomes more noticeable when expiry is set to higher values.

Cause

  • The inconsistency is due to the use of a half-life for nonce verification.

Suggestions

  1. Documentation Update
  • Based on the verification logic, every preview link will definitely be valid for half the life of the expiry set.
  • We can mention this in the README so that it will be clear.
  • Example: if we set $nonce_life to 5 days, it can be valid for between 2.5 days and 5 days.
  2. Change the verification logic: instead of using a half-life, we can use n
  • I have tried with 10. It increases consistency to 90% from the current 50%.
private static function nonce_tick() {
    $nonce_life = apply_filters( 'ppp_nonce_life', 2 * DAY_IN_SECONDS );

    return ceil( time() / ( $nonce_life / 10 ) );
}

private static function verify_nonce( $nonce, $action = -1 ) {
    $i = self::nonce_tick();

    // Allow a range of 10 ticks to be valid (current + previous 9).
    $range = 10;

    for ( $j = 0; $j < $range; $j++ ) {
        if ( substr( wp_hash( ( $i - $j ) . $action, 'nonce' ), -12, 10 ) === $nonce ) {
            return $j + 1;
        }
    }

    // Invalid nonce.
    return false;
}
  • If this solution is acceptable, I am happy to raise a PR to implement it.

Related Support Topics

https://wordpress.org/support/topic/in-what-way-is-expiration-calculated/
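
The lifetime spread described in this issue can be measured outside WordPress. The following is an added example, not part of the original post or the plugin's code: it issues nonces at different moments and steps time forward until each stops verifying, once with 2 ticks and once with 10. Assumptions: the `demo_*` functions and `DEMO_KEY` are hypothetical names, `hash_hmac()` with a constructed key stands in for `wp_hash()`, and the start time is constructed.

```php
<?php
// Added example: models the tick scheme from the issue; all names are hypothetical.
const DEMO_KEY = 'constructed-demo-key'; // constructed, not a real WordPress salt

function demo_tick( int $now, int $life, int $ticks ): int {
    return (int) ceil( $now / ( $life / $ticks ) );
}

function demo_nonce( int $tick, string $action ): string {
    // Same slice as the issue's code: 10 hex characters from the end of the hash.
    return substr( hash_hmac( 'md5', $tick . $action, DEMO_KEY ), -12, 10 );
}

// Returns the tick age (1 = current tick) or false, like verify_nonce() in the issue.
function demo_verify( string $nonce, string $action, int $now, int $life, int $ticks ) {
    $i = demo_tick( $now, $life, $ticks );
    for ( $j = 0; $j < $ticks; $j++ ) {
        if ( hash_equals( demo_nonce( $i - $j, $action ), $nonce ) ) {
            return $j + 1;
        }
    }
    return false;
}

// Seconds a nonce issued at $created keeps verifying, to a resolution of $step.
function demo_lifetime( int $created, int $life, int $ticks, int $step = 600 ): int {
    $nonce = demo_nonce( demo_tick( $created, $life, $ticks ), 'preview' );
    $t     = $created;
    while ( false !== demo_verify( $nonce, 'preview', $t + $step, $life, $ticks ) ) {
        $t += $step;
    }
    return $t - $created;
}

$life = 5 * 86400;  // the issue's example: 5 days
$base = 1700000000; // constructed start time
foreach ( array( 2, 10 ) as $ticks ) {
    $min = PHP_INT_MAX; $max = 0;
    // Issue 50 links at evenly spaced moments across one full nonce life.
    for ( $k = 0; $k < 50; $k++ ) {
        $d   = demo_lifetime( $base + (int) ( $k * $life / 50 ), $life, $ticks );
        $min = min( $min, $d ); $max = max( $max, $d );
    }
    printf( "ticks=%2d  shortest=%.2f days  longest=%.2f days\n", $ticks, $min / 86400, $max / 86400 );
}
```

With n ticks, a link's lifetime always falls between (n-1)/n of the configured life and the full life, depending on where in the current tick it was issued. Raising n narrows the spread without changing the maximum.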
