security(gdpr): restore nonce verification for all consent endpoints

parhumm · parhumm · commit beacf084d549 · 2026-03-20T06:34:56.000+01:00
Revert the anonymous nonce bypass — consent is a state-changing operation. A cross-site POST without nonce verification could force-accept consent, enabling PII tracking without genuine user action (GDPR violation). On cached pages, anonymous consent REST calls return 403, but the JS cookie still records consent client-side, and tracking works via the /hit endpoint (PR #235). This is an acceptable trade-off for security. Changes: - ConsentChangeRestController: restore nonce verification for all users - GDPRBannerRestController: restore nonce required + verification - ConsentHandler: restore check_ajax_referer and wp_verify_nonce - wp-slimstat.js: skip X-WP-Nonce header when nonce is empty to avoid WordPress core rest_cookie_check_errors 403 before handler runs - Unit tests: replace inline pattern tests with actual handler invocations - E2E test 5: verify stale nonce causes 403 (correct security behavior) while client-side cookie is still set Refs #240, #241
diff --git a/src/Controllers/Rest/ConsentChangeRestController.php b/src/Controllers/Rest/ConsentChangeRestController.php
@@ -127,7 +127,7 @@ public function register_routes(): void
 						'sanitize_callback' => 'sanitize_text_field',
 					],
 					'nonce'  => [
-						'required'          => false,
+						'required'          => true,
 						'type'              => 'string',
 						'sanitize_callback' => 'sanitize_text_field',
 					],
@@ -146,19 +146,18 @@ public function handle_consent_change(\WP_REST_Request $request)
 	{
 		$this->currentRequest = $request;
 
-		// Only verify nonce for logged-in users. Anonymous users on cached pages
-		// don't have a valid nonce (wp_rest_nonce is only generated for logged-in
-		// users). This endpoint only modifies the caller's own consent state
-		// (cookie-based), so there is no CSRF attack surface for anonymous users.
-		if (get_current_user_id() > 0) {
-			$nonce = $request->get_param('nonce');
-			if (!wp_verify_nonce($nonce, 'wp_rest')) {
-				return new \WP_Error(
-					'rest_forbidden',
-					__('Invalid security token.', 'wp-slimstat'),
-					['status' => 403]
-				);
-			}
+		// Verify nonce for all users — consent is a state-changing operation.
+		// Without verification, a cross-site POST could force-accept consent,
+		// enabling PII tracking without genuine user action (GDPR violation).
+		// On cached pages with stale nonces, this returns 403 — the JS cookie
+		// still records consent client-side, and tracking works via /hit (PR #235).
+		$nonce = $request->get_param('nonce');
+		if (!wp_verify_nonce($nonce, 'wp_rest')) {
+			return new \WP_Error(
+				'rest_forbidden',
+				__('Invalid security token.', 'wp-slimstat'),
+				['status' => 403]
+			);
 		}
 
 		$source = $request->get_param('source');
diff --git a/src/Controllers/Rest/GDPRBannerRestController.php b/src/Controllers/Rest/GDPRBannerRestController.php
@@ -49,7 +49,7 @@ public function register_routes(): void
 						'sanitize_callback' => 'sanitize_text_field',
 					],
 					'nonce'   => [
-						'required'          => false,
+						'required'          => true,
 						'type'              => 'string',
 						'sanitize_callback' => 'sanitize_text_field',
 					],
@@ -66,18 +66,19 @@ public function register_routes(): void
 	 */
 	public function handle_consent(\WP_REST_Request $request)
 	{
-		// Only verify nonce for logged-in users. Anonymous users on cached pages
-		// don't have a valid nonce. This endpoint only sets the caller's own
-		// consent cookie, so there is no CSRF attack surface for anonymous users.
-		if (get_current_user_id() > 0) {
-			$nonce = $request->get_param('nonce');
-			if (!wp_verify_nonce($nonce, 'wp_rest')) {
-				return new \WP_Error(
-					'rest_forbidden',
-					__('Invalid security token.', 'wp-slimstat'),
-					['status' => 403]
-				);
-			}
+		// Verify nonce for all users — consent is a state-changing operation.
+		// A cross-site POST without nonce verification could force-accept consent,
+		// enabling PII tracking without genuine user action (GDPR violation).
+		// On cached pages, anonymous users may have a stale/empty nonce — the
+		// request will fail with 403, but the JS cookie still records consent
+		// client-side, and tracking works via the /hit endpoint (PR #235).
+		$nonce = $request->get_param('nonce');
+		if (!wp_verify_nonce($nonce, 'wp_rest')) {
+			return new \WP_Error(
+				'rest_forbidden',
+				__('Invalid security token.', 'wp-slimstat'),
+				['status' => 403]
+			);
 		}
 
 		// Check if SlimStat banner is enabled
diff --git a/src/Services/Privacy/ConsentHandler.php b/src/Services/Privacy/ConsentHandler.php
@@ -36,12 +36,7 @@ class ConsentHandler
 	 */
 	public static function handleConsentRevoked()
 	{
-		// Only verify nonce for logged-in users. Anonymous users on cached pages
-		// don't have a valid nonce. This endpoint only deletes the caller's own
-		// tracking cookie, so there is no CSRF attack surface for anonymous users.
-		if (get_current_user_id() > 0) {
-			check_ajax_referer('wp_rest', 'nonce');
-		}
+		check_ajax_referer('wp_rest', 'nonce');
 
 		if (function_exists('wp_cache_delete')) {
 			wp_cache_delete('slimstat_consent_state', 'slimstat');
@@ -100,19 +95,14 @@ public static function handleBannerConsent(bool $return_json = true, array $data
 			$pageview_id_raw = isset($_POST['pageview_id']) ? sanitize_text_field(wp_unslash($_POST['pageview_id'])) : '';
 		}
 
-		// Only verify nonce for logged-in users. Anonymous users on cached pages
-		// don't have a valid nonce. This endpoint only sets the caller's own
-		// consent cookie, so there is no CSRF attack surface for anonymous users.
-		if (get_current_user_id() > 0) {
-			if (empty($nonce) || !wp_verify_nonce($nonce, 'wp_rest')) {
-				if ($return_json) {
-					wp_send_json_error([
-						'message' => __('Invalid security token.', 'wp-slimstat'),
-					]);
-					return;
-				}
-				return false;
+		if (empty($nonce) || !wp_verify_nonce($nonce, 'wp_rest')) {
+			if ($return_json) {
+				wp_send_json_error([
+					'message' => __('Invalid security token.', 'wp-slimstat'),
+				]);
+				return;
 			}
+			return false;
 		}
 
 		if (empty(\wp_slimstat::$settings['use_slimstat_banner']) ||
diff --git a/tests/e2e/gdpr-banner-consent-persistence.spec.ts b/tests/e2e/gdpr-banner-consent-persistence.spec.ts
@@ -451,11 +451,18 @@ test.describe('GDPR Banner Consent Persistence — #240 #241', () => {
       '"wp_rest_nonce":"stale_expired_nonce_12345"',
     );
 
-    // Step 3: Serve modified HTML via page.route()
+    // Step 3: Serve modified HTML via page.route() and track consent-change responses
     const testCtx = await browser.newContext();
     await testCtx.addCookies(COOKIEYES_DISMISS_COOKIES);
     const testPage = await testCtx.newPage();
 
+    const consentResponses: { status: number; url: string }[] = [];
+    testPage.on('response', (res) => {
+      if (isConsentChangeRequest({ url: () => res.url(), method: () => 'POST' } as any)) {
+        consentResponses.push({ status: res.status(), url: res.url() });
+      }
+    });
+
     await testPage.route(`**/?e2e_marker=stale-nonce*`, (route) =>
       route.fulfill({
         status: 200,
@@ -479,16 +486,29 @@ test.describe('GDPR Banner Consent Persistence — #240 #241', () => {
     });
     await testPage.waitForTimeout(3000);
 
-    // Step 5: Consent cookie should be set (proves consent flow completed despite stale nonce)
+    // Step 5: Client-side cookie MUST be set (JS handles consent regardless of server response)
     const cookies = await testCtx.cookies();
     const consentCookie = cookies.find(
       (c) => c.name === 'slimstat_gdpr_consent',
     );
     expect(
       consentCookie,
-      'slimstat_gdpr_consent cookie should be set after accepting on stale-nonce cached page',
+      'slimstat_gdpr_consent cookie should be set client-side even with stale nonce',
     ).toBeTruthy();
 
+    // Step 6: Server-side consent-change POST should return 403 (nonce verified for all users).
+    // This is the correct security behavior — stale nonce is rejected.
+    // Consent is still recorded via the client-side cookie.
+    if (consentResponses.length > 0) {
+      const has403 = consentResponses.some((r) => r.status === 403);
+      expect(
+        has403,
+        `Stale nonce should cause 403 on consent-change endpoint (got: ${JSON.stringify(consentResponses)})`,
+      ).toBe(true);
+    }
+    // Note: if no consent-change responses captured (evaluate-click limitation), the
+    // cookie assertion above still validates the client-side consent flow works.
+
     await testPage.close();
     await testCtx.close();
   });
diff --git a/tests/gdpr-consent-cookie-test.php b/tests/gdpr-consent-cookie-test.php
@@ -26,6 +26,28 @@ function is_ssl(): bool
     }
 }
 
+// ─── Stub namespaced classes for ConsentHandler dependencies ─────
+namespace SlimStat\Providers {
+    class IPHashProvider {
+        public static function upgradeToPii(array $stat): array { return $stat; }
+    }
+}
+
+namespace SlimStat\Tracker {
+    class Session {
+        public static function deleteTrackingCookie(): void {}
+    }
+    class Utils {
+        public static function getValueWithoutChecksum($v) { return $v; }
+    }
+}
+
+namespace SlimStat\Utils {
+    class Consent {
+        public static function normalizeConsent($c) { return is_array($c) ? $c : ['statistics' => $c]; }
+    }
+}
+
 // ─── Everything else in global namespace ─────────────────────────
 namespace {
 
@@ -339,67 +361,75 @@ class wp_slimstat
 assert_true(strlen($html) > 0, 'getBannerHtml should return non-empty HTML when no consent');
 
 // ═══════════════════════════════════════════════════════════════════════════
-// Section 2: Nonce Skip Pattern for Anonymous Users
+// Section 2: Actual Handler Nonce Verification
+// Tests call the real controller/handler methods to verify nonce is enforced.
 // ═══════════════════════════════════════════════════════════════════════════
 
-// ─── Test 6: Nonce verification skipped when user_id = 0 (anonymous) ───
-
-$_stub_user_id     = 0;
-$_stub_nonce_valid = false; // nonce is invalid/stale
-$nonce = 'stale_nonce_123';
-
-// Simulate the fixed pattern
-$should_reject = false;
-$user_id = get_current_user_id();
-if ($user_id > 0) {
-    if (!wp_verify_nonce($nonce, 'wp_rest')) {
-        $should_reject = true;
-    }
-}
-assert_false($should_reject, 'Anonymous user with stale nonce should NOT be rejected');
+// Load the actual handlers under test
+require_once __DIR__ . '/../src/Interfaces/RestControllerInterface.php';
+require_once __DIR__ . '/../src/Controllers/Rest/GDPRBannerRestController.php';
+require_once __DIR__ . '/../src/Services/Privacy/ConsentHandler.php';
 
-// ─── Test 7: Nonce verification enforced when user_id > 0 with bad nonce ──
+// ─── Test 6: GDPRBannerRestController rejects request with bad nonce ───
 
-$_stub_user_id     = 1;
 $_stub_nonce_valid = false;
-$nonce = 'bad_nonce';
+\wp_slimstat::$settings = ['use_slimstat_banner' => 'on'];
 
-$should_reject = false;
-$user_id = get_current_user_id();
-if ($user_id > 0) {
-    if (!wp_verify_nonce($nonce, 'wp_rest')) {
-        $should_reject = true;
-    }
-}
-assert_true($should_reject, 'Logged-in user with bad nonce should be rejected');
+$controller = new \SlimStat\Controllers\Rest\GDPRBannerRestController();
+$request = new \WP_REST_Request(['consent' => 'accepted', 'nonce' => 'bad_nonce_123']);
+$result = $controller->handle_consent($request);
 
-// ─── Test 8: Nonce verification passes for logged-in user with valid nonce ──
+assert_true($result instanceof \WP_Error, 'handle_consent should return WP_Error when nonce is invalid');
+assert_same('rest_forbidden', $result->get_error_code(), 'handle_consent should return rest_forbidden error code');
+assert_same(403, $result->get_error_data()['status'], 'handle_consent should return 403 status');
+
+// ─── Test 7: GDPRBannerRestController accepts request with valid nonce ───
 
-$_stub_user_id     = 1;
 $_stub_nonce_valid = true;
-$nonce = 'valid_nonce';
+$_setcookie_calls = [];
+\wp_slimstat::$settings = ['use_slimstat_banner' => 'on'];
 
-$should_reject = false;
-$user_id = get_current_user_id();
-if ($user_id > 0) {
-    if (!wp_verify_nonce($nonce, 'wp_rest')) {
-        $should_reject = true;
-    }
-}
-assert_false($should_reject, 'Logged-in user with valid nonce should NOT be rejected');
+$controller = new \SlimStat\Controllers\Rest\GDPRBannerRestController();
+$request = new \WP_REST_Request(['consent' => 'accepted', 'nonce' => 'valid_nonce']);
+$result = $controller->handle_consent($request);
 
-// ─── Test 9: check_ajax_referer skipped for anonymous in handleConsentRevoked ──
+assert_true($result instanceof \WP_REST_Response, 'handle_consent should return WP_REST_Response on valid nonce');
+assert_same(200, $result->status, 'handle_consent should return 200 on success');
+assert_true($result->data['success'] ?? false, 'handle_consent response should indicate success');
+
+// ─── Test 8: GDPRBannerRestController rejects empty nonce ───
 
-$_stub_user_id     = 0;
 $_stub_nonce_valid = false;
+\wp_slimstat::$settings = ['use_slimstat_banner' => 'on'];
+
+$controller = new \SlimStat\Controllers\Rest\GDPRBannerRestController();
+$request = new \WP_REST_Request(['consent' => 'accepted', 'nonce' => '']);
+$result = $controller->handle_consent($request);
+
+assert_true($result instanceof \WP_Error, 'handle_consent should return WP_Error when nonce is empty');
+assert_same('rest_forbidden', $result->get_error_code(), 'handle_consent should return rest_forbidden for empty nonce');
 
-// Simulate the fixed pattern for handleConsentRevoked
-$was_checked = false;
-if (get_current_user_id() > 0) {
-    // In real code: check_ajax_referer('wp_rest', 'nonce');
-    $was_checked = true;
+// ─── Test 9: ConsentHandler::handleBannerConsent rejects empty nonce ───
+
+$_stub_nonce_valid = false;
+\wp_slimstat::$settings = ['use_slimstat_banner' => 'on'];
+$_stub_json_error = null;
+
+$caught_error = false;
+try {
+    \SlimStat\Services\Privacy\ConsentHandler::handleBannerConsent(false, [
+        'nonce'   => '',
+        'consent' => 'accepted',
+    ]);
+} catch (\Throwable $e) {
+    // handleBannerConsent returns false for non-JSON mode with bad nonce
 }
-assert_false($was_checked, 'check_ajax_referer should be skipped for anonymous users');
+// In non-JSON mode, it returns false when nonce fails
+$nonce_result = \SlimStat\Services\Privacy\ConsentHandler::handleBannerConsent(false, [
+    'nonce'   => 'stale_nonce',
+    'consent' => 'accepted',
+]);
+assert_false($nonce_result, 'handleBannerConsent should return false when nonce verification fails');
 
 // ═══════════════════════════════════════════════════════════════════════════
 
diff --git a/wp-slimstat.js b/wp-slimstat.js
@@ -932,13 +932,19 @@ var SlimStat = (function () {
                 payload.pageview_id = String(pageviewId);
             }
 
+            // Build headers — only include X-WP-Nonce when nonce is non-empty.
+            // Anonymous users on cached pages have no valid nonce. Sending an
+            // empty/stale X-WP-Nonce causes WordPress core (rest_cookie_check_errors)
+            // to reject with 403 before the controller handler even runs.
+            var headers = { "Content-Type": "application/json" };
+            if (nonce) {
+                headers["X-WP-Nonce"] = nonce;
+            }
+
             if (typeof window.fetch === "function") {
                 fetch(endpoint, {
                     method: "POST",
-                    headers: {
-                        "Content-Type": "application/json",
-                        "X-WP-Nonce": nonce,
-                    },
+                    headers: headers,
                     credentials: "same-origin",
                     body: JSON.stringify(payload),
                 })
@@ -953,7 +959,9 @@ var SlimStat = (function () {
                 var xhr = new XMLHttpRequest();
                 xhr.open("POST", endpoint, true);
                 xhr.setRequestHeader("Content-Type", "application/json");
-                xhr.setRequestHeader("X-WP-Nonce", nonce);
+                if (nonce) {
+                    xhr.setRequestHeader("X-WP-Nonce", nonce);
+                }
                 xhr.onload = function () {
                     if (xhr.status >= 200 && xhr.status < 300) {
                         try {
diff --git a/wp-slimstat.min.js b/wp-slimstat.min.js
diff --git a/wp-slimstat.min.js.map b/wp-slimstat.min.js.map
