Closed gikaragia closed 10 months ago
Sorry for clicking 'request for review' @yscik this isn't ready yet. I'll notify you when it is.
Hey @yscik this should be ready to review again. I discussed a bit with @alexsanford and he came up with a much better idea. With usage of WP's already provided secret keys and the wp_nonce
methods we don't really need to store anothing to provide tokens. So with this approach, we do something similar with what WP does for nonces and expiries.
As a next step I will look into migrating alerts into using this token class. This should be ready for review now.
Thank you for looking into this @alexsanford, good points!
If the server-side secret key ever needs to be rotated, all existing tokens will be invalidated. This is also true of nonces and session tokens, I believe.
We could potentially store the token somewhere but I am thinking that if the key is compromised our tokens should be expired anyway.
not have any link with a valid token
As we know how often these emails are sent we can adjust the expiry accordingly. We also have a flow to send another email if the token is expired or if the user just visits the alert management screen so I think we should be ok.
Closes https://github.com/Automattic/wpjm-addons/issues/161, https://github.com/Automattic/wpjm-addons/issues/160
This meant to be be an initial approach to get some early feedback. Main points:
Changes Proposed in this Pull Request
Testing Instructions