Utilize validate_request Rest API nonce method

aatanasovdev · aatanasovdev · commit cb76098be53d · 2026-02-02T09:39:13.000+02:00
diff --git a/php/class-rest-api.php b/php/class-rest-api.php
@@ -12,6 +12,11 @@
  */
 class REST_API {
 
+	/**
+	 * Base path for the REST API endpoints.
+	 *
+	 * @var string
+	 */
 	const BASE = 'cloudinary/v1';
 
 	/**
@@ -21,6 +26,13 @@ class REST_API {
 	 */
 	public $endpoints;
 
+	/**
+	 * The nonce key used for WordPress REST API authentication.
+	 *
+	 * @var string
+	 */
+	const NONCE_KEY = 'wp_rest';
+
 	/**
 	 * REST_API constructor.
 	 *
@@ -81,7 +93,7 @@ public function background_request( $endpoint, $params = array(), $method = 'POS
 
 		$url = Utils::rest_url( static::BASE . '/' . $endpoint );
 		// Setup a call for a background sync.
-		$params['nonce'] = wp_create_nonce( 'wp_rest' );
+		$params['nonce'] = wp_create_nonce( static::NONCE_KEY );
 		$args            = array(
 			'timeout'   => 0.1,
 			'blocking'  => false,
@@ -115,4 +127,15 @@ public function background_request( $endpoint, $params = array(), $method = 'POS
 		// Send request.
 		wp_remote_request( $url, $args );
 	}
+
+	/**
+	 * Validation for request.
+	 *
+	 * @param \WP_REST_Request $request The original request.
+	 *
+	 * @return bool
+	 */
+	public static function validate_request( $request ) {
+		return wp_verify_nonce( $request->get_header( 'x_wp_nonce' ), self::NONCE_KEY );
+	}
 }
diff --git a/php/ui/class-state.php b/php/ui/class-state.php
@@ -98,22 +98,13 @@ public function rest_endpoints( $endpoints ) {
 			'method'              => \WP_REST_Server::CREATABLE,
 			'callback'            => array( $this, 'set_state' ),
 			'args'                => array(),
-			'permission_callback' => array( $this, 'validate_request' ),
+			'permission_callback' => array( 'Cloudinary\REST_API', 'validate_request' ),
 		);
 
 		return $endpoints;
 	}
 
-	/**
-	 * Validation for request.
-	 *
-	 * @param \WP_REST_Request $request The original request.
-	 *
-	 * @return bool
-	 */
-	public function validate_request( $request ) {
-		return wp_verify_nonce( $request->get_header( 'x_wp_nonce' ), 'wp_rest' );
-	}
+
 
 	/**
 	 * Set the UI state.
