if (!wp_verify_nonce($nonce, 'wp_rest')) {
return new WP_Error('rest_invalid_nonce', __('Invalid nonce'), array('status' => 403));
}
This gives a 403, so the nonce does not seem to be valid when a user is logged in.
I can’t wrap my head around it.
I am thinking along the lines of:
- Logged in user calls JavaScript that generates nonce
- The REST API does not know the user is logged in and generates a nonce accordingly
- The nonce comes back to the user
- The nonce is used to call the other endpoint
- The nonce is not valid because it was generated for a logged out user
I may be off, but that is the only thing that comes to mind. No idea how to handle that though…
And of course just navigating to the endpoint through the browser as a logged in user works without problems.
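To make the user-binding concrete, here is an added example (not code from the post above, and not WordPress's own code) that models how core derives and checks a nonce: `wp_create_nonce()` HMAC-hashes `tick|action|user_id|session_token` with the nonce salt and keeps 10 characters of the digest, and `wp_verify_nonce()` accepts the current tick (returns 1) or the previous one (returns 2). The salt, user ID and session token are constructed values; real installs take the salt from `NONCE_KEY`/`NONCE_SALT` in wp-config.php. The `scenario()` function reproduces the symptom in the post: a nonce minted in a request where no user is recognised (user ID 0, empty session token) never verifies once the next request runs under the cookie-authenticated user.

```python
import hashlib
import hmac
import math
import time

# Constructed secret standing in for wp_salt('nonce'); never a real NONCE_KEY/NONCE_SALT.
NONCE_SALT = b"constructed-example-salt-not-a-real-secret"
DAY_IN_SECONDS = 24 * 60 * 60


def wp_nonce_tick(now=None, nonce_life=DAY_IN_SECONDS):
    """Model of wp_nonce_tick(): the tick advances every half nonce lifetime (12 h by default)."""
    now = time.time() if now is None else now
    return math.ceil(now / (nonce_life / 2))


def wp_hash(data):
    """Model of wp_hash($data, 'nonce'): HMAC-MD5 keyed with the nonce salt."""
    return hmac.new(NONCE_SALT, data.encode(), hashlib.md5).hexdigest()


def wp_create_nonce(action, uid, session_token, now=None):
    """Model of wp_create_nonce(): the nonce is bound to tick, action, user ID and session token.
    substr($hash, -12, 10) in PHP is hash[-12:-2] in Python."""
    tick = wp_nonce_tick(now)
    return wp_hash(f"{tick}|{action}|{uid}|{session_token}")[-12:-2]


def wp_verify_nonce(nonce, action, uid, session_token, now=None):
    """Model of wp_verify_nonce(): 1 for the current tick, 2 for the previous tick, else False."""
    tick = wp_nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = wp_hash(f"{t}|{action}|{uid}|{session_token}")[-12:-2]
        if hmac.compare_digest(expected, nonce):
            return age
    return False


def scenario():
    """Reproduce the symptom: nonce minted with no recognised user, then verified as a logged-in user."""
    logged_in_uid, token = 5, "session-token-of-user-5"  # constructed values
    # Request 1: the nonce-issuing endpoint sees no authenticated user, so uid is 0 and no session token.
    minted_logged_out = wp_create_nonce("wp_rest", 0, "")
    # Request 2: the protected endpoint verifies under the cookie-authenticated user (uid 5).
    cross_context = wp_verify_nonce(minted_logged_out, "wp_rest", logged_in_uid, token)
    # Control: a nonce minted in the same user context verifies fine.
    same_context = wp_verify_nonce(
        wp_create_nonce("wp_rest", logged_in_uid, token), "wp_rest", logged_in_uid, token
    )
    return {"logged_out_nonce_for_logged_in_user": cross_context, "same_context_nonce": same_context}


if __name__ == "__main__":
    print(scenario())
```

The practical check this suggests: confirm that the request which mints the nonce actually runs with the user recognised (cookie sent and a valid `X-WP-Nonce` or `_wpnonce` present, since REST cookie authentication sets the current user to 0 when the nonce check fails) and that the minting and verifying requests share the same user ID and session token; if either differs, the computed nonce will differ and `wp_verify_nonce` returns false regardless of how fresh the nonce is.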