fix(modal-checkout): add nonce to checkout logic

includes/class-modal-checkout.php

@@ -13,6 +13,13 @@
  * Modal Checkout Class.
  */
 final class Modal_Checkout {
+	/**
+	 * Checkout nonce value.
+	 *
+	 * @var string
+	 */
+	const CHECKOUT_NONCE = 'newspack_modal_checkout_nonce';
+
 	/**
 	 * Checkout registration flag.
 	 *
@@ -231,12 +238,15 @@ public static function process_checkout_request() {
 			return;
 		}
 
-		$is_newspack_checkout = filter_input( INPUT_GET, 'newspack_checkout', FILTER_SANITIZE_NUMBER_INT );
-
-		if ( ! $is_newspack_checkout ) {
+		if ( ! filter_input( INPUT_GET, 'newspack_checkout', FILTER_SANITIZE_NUMBER_INT ) ) {
 			return;
 		}
 
+		if ( ! check_ajax_referer( self::CHECKOUT_NONCE ) ) {
+			wp_send_json_error( [ 'message' => __( 'Invalid nonce.', 'newspack-blocks' ) ] );
+			wp_die();
+		}
+
 		$product_id                 = filter_input( INPUT_GET, 'product_id', FILTER_SANITIZE_NUMBER_INT );
 		$variation_id               = filter_input( INPUT_GET, 'variation_id', FILTER_SANITIZE_NUMBER_INT );
 		$after_success_behavior     = filter_input( INPUT_GET, 'after_success_behavior', FILTER_SANITIZE_SPECIAL_CHARS );
@@ -385,7 +395,7 @@ public static function process_abandon_checkout() {
 			return;
 		}
 
-		if ( ! check_ajax_referer( 'newspack_modal_checkout_nonce' ) ) {
+		if ( ! check_ajax_referer( self::CHECKOUT_NONCE ) ) {
 			wp_send_json_error( [ 'message' => __( 'Invalid nonce.', 'newspack-blocks' ) ] );
 			wp_die();
 		}
@@ -754,7 +764,7 @@ public static function enqueue_scripts() {
 			[
 				'ajax_url'              => admin_url( 'admin-ajax.php' ),
 				'nyp_nonce'             => wp_create_nonce( 'newspack_checkout_name_your_price' ),
-				'checkout_nonce'        => wp_create_nonce( 'newspack_modal_checkout_nonce' ),
+				'checkout_nonce'        => wp_create_nonce( self::CHECKOUT_NONCE ),
 				'newspack_class_prefix' => self::get_class_prefix(),
 				'is_checkout_complete'  => function_exists( 'is_order_received_page' ) && is_order_received_page(),
 				'divider_text'          => esc_html__( 'Or', 'newspack-blocks' ),
@@ -933,6 +943,7 @@ public static function enqueue_modal( $product_id = null ) {
 			'newspackBlocksModal',
 			[
 				'ajax_url'                   => admin_url( 'admin-ajax.php' ),
+				'checkout_nonce'             => wp_create_nonce( self::CHECKOUT_NONCE ),
 				'checkout_registration_flag' => self::CHECKOUT_REGISTRATION_FLAG,
 				'newspack_class_prefix'      => self::get_class_prefix(),
 				'is_registration_required'   => self::is_registration_required(),

src/blocks/checkout-button/view.php

@@ -42,8 +42,8 @@ function render_callback( $attributes ) {
 	if ( $attributes['is_variable'] && ! empty( $attributes['variation'] ) ) {
 		$product_id = $attributes['variation'];
 	}
-	\Newspack_Blocks\Modal_Checkout::enqueue_modal( $product_id );
-	\Newspack_Blocks::enqueue_view_assets( 'checkout-button' );
+	Modal_Checkout::enqueue_modal( $product_id );
+	Newspack_Blocks::enqueue_view_assets( 'checkout-button' );
 
 	$background_color           = $attributes['backgroundColor'] ?? '';
 	$gradient                   = $attributes['gradient'] ?? '';
@@ -105,6 +105,7 @@ function render_callback( $attributes ) {
 	$hidden_fields .= $after_success_behavior ? '<input type="hidden" name="after_success_behavior" value="' . esc_attr( $after_success_behavior ) . '" />' : '';
 	$hidden_fields .= $after_success_button_label ? '<input type="hidden" name="after_success_button_label" value="' . esc_attr( $after_success_button_label ) . '" />' : '';
 	$hidden_fields .= $after_success_url ? '<input type="hidden" name="after_success_url" value="' . esc_attr( $after_success_url ) . '" />' : '';
+	$hidden_fields .= wp_nonce_field( Modal_Checkout::CHECKOUT_NONCE );
 
 	// Generate the form.
 	if ( function_exists( 'wc_get_product' ) ) {

src/modal-checkout/index.js

@@ -362,7 +362,7 @@ import { domReady } from './utils';
 					const input = $nyp.find( 'input[name="price"]' );
 					input.attr( 'disabled', true );
 					const data = {
-						_ajax_nonce: newspackBlocksModalCheckout.nyp_nonce,
+						_wpnonce: newspackBlocksModalCheckout.nyp_nonce,
 						action: 'process_name_your_price_request',
 						price: $nyp.find( 'input[name="price"]' ).val(),
 						product_id: $nyp.find( 'input[name="product_id"]' ).val(),

src/modal-checkout/modal.js

@@ -31,6 +31,8 @@ domReady( () => {
 		return;
 	}
 
+	modalCheckout.checkout_nonce = newspackBlocksModal.checkout_nonce;
+
 	const modalContent = modalCheckout.querySelector( `.${ MODAL_CLASS_PREFIX }__content` );
 	const modalCheckoutHiddenInput = createHiddenInput( 'modal_checkout', '1' );
 	const spinner = modalContent.querySelector( `.${ CLASS_PREFIX }__spinner` );
@@ -119,8 +121,7 @@ domReady( () => {
 				setModalSize();
 				setModalTitle( newspackBlocksModal.labels.checkout_modal_title );
 				if ( iframe.contentWindow?.newspackBlocksModalCheckout?.checkout_nonce ) {
-					// Store the checkout nonce for later use.
-					// We store the nonce from the iframe content window to ensure the nonce was generated for a logged in session
+					// Update to iframe's checkout nonce to ensure nonce is always generated for a logged in session.
 					modalCheckout.checkout_nonce = iframe.contentWindow.newspackBlocksModalCheckout.checkout_nonce;
 				}
 			}
@@ -170,7 +171,6 @@ domReady( () => {
 		body.append( 'modal_checkout', '1' );
 		body.append( 'action', 'abandon_modal_checkout' );
 		body.append( '_wpnonce', modalCheckout.checkout_nonce );
-		modalCheckout.checkout_nonce = null;
 		fetch(
 			newspackBlocksModal.ajax_url,
 			{
@@ -233,6 +233,7 @@ domReady( () => {
 				variationModal
 					.querySelectorAll( `form[target="${ IFRAME_NAME }"]` )
 					.forEach( singleVariationForm => {
+						singleVariationForm.appendChild( createHiddenInput( '_wpnonce', modalCheckout.checkout_nonce ) );
 						// Fill in the after success variables in the variation modal.
 						[
 							'after_success_behavior',