Clarification Request: Issues and Inefficiencies
Hi,

I am looking at the code and any inefficiencies on my website, be it from my plugins or themes installed. I like this plugin; however, I have some questions.

Instead of embedding nonces directly into forms or hidden fields, the plugin stores them in the session (e.g., `$_SESSION['cfturnstile_checkout_checked']` and `$_SESSION['cfturnstile_login_checked']`). Although the nonces are verified with `wp_verify_nonce()`, this pattern is nonstandard in WordPress and couples security to session integrity. Why use nonstandard WordPress calls, and why rely on session integrity? Is this specific to Cloudflare's Turnstile?

In the API-related checkout block check (`cfturnstile_woo_checkout_block_check`), the plugin throws exceptions when the check fails. If these exceptions aren't caught and handled by WooCommerce properly, they could expose error details or disrupt the normal flow of order processing.

The plugin uses functions like `esc_attr( get_option('cfturnstile_guest_only') )` to retrieve configuration options. Although this escapes the value for safe HTML output, using it directly for logic checks is nonstandard. It would be clearer to sanitize or cast the option to a boolean (or the appropriate type) when used in conditional logic.

Similar Functions for Different Forms:
The functions for rendering Turnstile fields on WooCommerce login, registration, reset, and checkout pages all follow the same pattern:
- Generating a unique ID with `wp_rand()`.
- Calling `cfturnstile_field_show()` with similar parameters.
This pattern could be abstracted into a single helper function that accepts parameters (e.g., form type or CSS selectors) to reduce repeated code.

Multiple callbacks (for checkout and login checks) include nearly identical code for:
- Starting a session if one isn't already active.
- Checking for a session-stored nonce and verifying it.
- Creating a new nonce and storing it in the session if needed.
Centralizing this functionality in a utility function would reduce code duplication and make maintenance easier.

Multiple Conditional Checks for Similar Contexts:
The plugin repeatedly checks for contexts such as XML-RPC, REST API, and user authentication (e.g., in login and registration checks). While these checks are necessary, they are scattered in different functions. Consolidating or centralizing these checks might simplify the logic.

Addressing these issues would help tighten security and improve maintainability by reducing duplicated code and following more standard WordPress practices.
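As an added illustration of the points raised above (this is example code written for this thread, not code from the plugin or from the poster): a form-bound nonce using `wp_nonce_field()` / `wp_verify_nonce()` instead of a session-stored one, a typed getter for on/off options instead of passing `esc_attr()` output into a conditional, one shared field-rendering helper for all WooCommerce forms, and one central "should this request skip the check" function. Every `cfts_example_*` name is hypothetical, the `cfturnstile_field_show()` signature is assumed to be `(unique_id, css_selector)`, and the WooCommerce hook names at the bottom are assumptions to be swapped for whatever hooks the plugin actually uses.

```php
<?php
// Added example for this thread, not the plugin's code. All cfts_example_*
// names are hypothetical; cfturnstile_field_show() is the plugin's function
// named in the post and is ASSUMED here to take (unique_id, css_selector).

// One nonce action per form type, so a checkout nonce is not accepted by the
// login check and vice versa.
function cfts_example_nonce_action( $form_type ) {
    return 'cfts_example_turnstile_' . sanitize_key( $form_type );
}

// Single helper replacing the near-identical login/register/reset/checkout
// renderers: unique widget ID, the plugin's field, and a hidden nonce field.
function cfts_example_render_field( $form_type, $css_selector ) {
    $unique_id = 'cf-turnstile-' . sanitize_key( $form_type ) . '-' . wp_rand( 1000, 999999 );
    cfturnstile_field_show( $unique_id, $css_selector ); // assumed signature
    // The nonce travels inside the form, so verification does not depend on
    // PHP session integrity.
    wp_nonce_field( cfts_example_nonce_action( $form_type ), 'cfts_example_nonce' );
}

// Verify the nonce submitted with the form. Returns bool; the caller decides
// how to report failure (WP_Error, WooCommerce notice), so nothing is thrown.
function cfts_example_verify_submission( $form_type ) {
    if ( ! isset( $_POST['cfts_example_nonce'] ) ) {
        return false;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['cfts_example_nonce'] ) );
    return (bool) wp_verify_nonce( $nonce, cfts_example_nonce_action( $form_type ) );
}

// Read an on/off option as a real boolean rather than comparing escaped HTML.
// Accepts the common "1"/"yes"/"on"/"true" spellings; anything else is false.
function cfts_example_option_bool( $option_name, $default = false ) {
    $raw = get_option( $option_name, $default );
    if ( is_bool( $raw ) ) {
        return $raw;
    }
    $normalized = strtolower( trim( (string) $raw ) );
    return in_array( $normalized, array( '1', 'yes', 'on', 'true' ), true );
}

// One place for the context checks the post says are scattered across
// callbacks: XML-RPC, REST, and the "guest only" logged-in case.
function cfts_example_should_skip_check() {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        return true;
    }
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        return true;
    }
    if ( is_user_logged_in() && cfts_example_option_bool( 'cfturnstile_guest_only' ) ) {
        return true;
    }
    return false;
}

// Example wiring for the login form (hook names assumed; adapt as needed).
add_action( 'woocommerce_login_form', function () {
    cfts_example_render_field( 'login', '#customer_login form.login' );
} );

add_filter( 'woocommerce_process_login_errors', function ( $errors ) {
    if ( cfts_example_should_skip_check() || cfts_example_verify_submission( 'login' ) ) {
        return $errors;
    }
    // Fail closed with a user-facing notice instead of an uncaught exception.
    $errors->add( 'cfts_example_failed', __( 'Turnstile verification failed. Please try again.' ) );
    return $errors;
} );
```

The same `cfts_example_render_field()` / `cfts_example_verify_submission()` pair would be reused for `'register'`, `'reset'` and `'checkout'` by changing only the form type and selector; the nonce is tied to the logged-in user's session token by WordPress itself, so no `session_start()` bookkeeping is needed in any callback.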