
Add to cart fails when downloads are dynamically loaded due to AJAX nonce verification using incorrect verification function

Open arraypress opened this issue 4 years ago • 4 comments

Bug Report

Expected behavior

When EDD posts are loaded dynamically via a "Load More" AJAX call (or some other method employed by a plugin or theme), the add to cart functionality breaks on the posts loaded dynamically due to the nonce verification failing in the AJAX callback function. This results in the "loader" constantly spinning and the item is never added to the cart. This happens due to the incorrect usage of the wp_verify_nonce function.

This can be fixed by replacing the line:

$nonce_verified = wp_verify_nonce( $nonce, 'edd-add-to-cart-' . $download_id );

With:

$nonce_verified = check_ajax_referer( 'edd-add-to-cart-' . $download_id, 'nonce', false );

Actual behavior

Add to cart fails on the newly loaded/queried posts because nonce verification fails.

Steps to reproduce the behavior

If you use FacetWP or another plugin on Themedd (or Vendd), you will see that once the new posts are loaded the add to cart no longer works on the newly queried items.

arraypress avatar Jan 08 '21 16:01 arraypress

As a side note (for anyone else who experiences this issue), once the FacetWP process is finished, you need to trigger this code again to make sure all the correct classes are added to the new posts.

  var $ = jQuery;

  // Hide unneeded elements. These are things that are required in case JS breaks or isn't present
  $( '.edd-no-js' ).hide();
  $( 'a.edd-add-to-cart' ).addClass( 'edd-has-js' );

arraypress avatar Jan 08 '21 16:01 arraypress

This may no longer be an issue with the tokenization work done in #8715. We did this specifically to avoid nonces and caching add to cart links, but it might solve this issue as well.

cklosowski avatar Aug 24 '22 10:08 cklosowski

September 2022. I've wracked my brains making sure my templates and functions etc are all up-to-snuff with v3.0, and this spinny spin madness has been upsetting my customers for months now. I have to clear caches for them to make a purchase. 💸 I'm confused because I find what seems to be core add-to-cart AJAX function deep inside a gateway/stripe folder (I'm running Stripe). In the includes/payment-methods/buy-now/ajax.php file there is a line which reads:

$valid_nonce = wp_verify_nonce( $nonce, 'edd-add-to-cart-' . $download_id );

Which reads exactly like the line in the original post by @davidsherlock above. Twilight Zone. I do not have anything other than EDD plugins running on my sales pages, no dynamic content or 3rd party AJAX. What's even more strange is I am still seeing "missing nonce" errors occasionally even though I have checked and double-checked and my template overrides DO include the nonce and the most current escaping, etc. It's a pretty simple setup, so I can't be the only one.

Can this be revisited?

littlepackage avatar Sep 01 '22 22:09 littlepackage

@sagehenstudio We've actually got a Stripe release that we've been testing that moves away from using the nonces (as they don't play well with caching) and uses this core tokenizer.

cklosowski avatar Sep 06 '22 07:09 cklosowski

@cklosowski Could you update me where this stripe release is, pretty please? I've had to run my site without caching, after several months of failed purchases and confused emails from customers, and am waiting for Easy Digital Downloads to work with Litespeed caching again. It's very frustrating to see EDD coming out with all these various feature releases when I can't even run basic sales. Thank you.

littlepackage avatar Oct 16 '22 16:10 littlepackage

We've introduced the tokenizer into not just the add to cart but also the Stripe releases. I'm going to close this now that we've updated all our internal references of nonces to rely on our internal tokenizer which is not nonce based, including the checkout process.

cklosowski avatar Dec 06 '22 06:12 cklosowski
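An added illustration (not EDD or WordPress code) of the caching problem described in the comments above: a stand-alone PHP model of WordPress's nonce tick scheme, showing how a nonce baked into a cached add-to-cart link for the `edd-add-to-cart-{download_id}` action stops verifying once the cached page outlives the nonce. The salt, download id and timestamps are constructed sample values; the tick and hash layout follow WordPress's wp_nonce_tick()/wp_create_nonce()/wp_verify_nonce().

```php
<?php
// Added illustration, not EDD or WordPress code. Models how WordPress nonces age so
// that the failure of cached add-to-cart links is visible on a timeline.

const NONCE_LIFE = 86400;                    // WordPress default: one day
const SALT       = 'constructed-sample-salt'; // stands in for wp_salt('nonce')

// WordPress advances the nonce "tick" every half lifetime (12h by default).
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// wp_hash() is an HMAC-MD5; WordPress keeps 10 chars from near the end.
function nonce_hash(int $tick, string $action, int $uid, string $token): string {
    return substr(hash_hmac('md5', "$tick|$action|$uid|$token", SALT), -12, 10);
}

// The nonce as it is rendered into the page (and therefore into any page cache).
function create_nonce(string $action, int $uid, string $token, int $now): string {
    return nonce_hash(nonce_tick($now), $action, $uid, $token);
}

// 1 = minted this tick, 2 = minted last tick, 0 = stale or wrong action/user.
// A nonce therefore lives between 12 and 24 hours depending on when it was minted.
function verify_nonce(string $nonce, string $action, int $uid, string $token, int $now): int {
    $tick = nonce_tick($now);
    if (hash_equals(nonce_hash($tick, $action, $uid, $token), $nonce)) { return 1; }
    if (hash_equals(nonce_hash($tick - 1, $action, $uid, $token), $nonce)) { return 2; }
    return 0;
}

// Scenario: the product grid is rendered once and served from cache afterwards.
$downloadId = 42;                           // constructed sample download id
$action     = 'edd-add-to-cart-' . $downloadId;
$uid        = 0;                            // logged-out shopper
$token      = '';                           // no session token when logged out
$rendered   = 1700000000;                   // constructed render timestamp
$nonce      = create_nonce($action, $uid, $token, $rendered);

// Requests arrive from the cached page 1h, 10h and 30h after it was rendered.
foreach ([1, 10, 30] as $hours) {
    $result = verify_nonce($nonce, $action, $uid, $token, $rendered + $hours * 3600);
    printf("%2dh after render: verify=%d (%s)\n", $hours, $result,
        $result ? 'add to cart accepted' : 'nonce rejected, AJAX call fails');
}

// The download id is part of the action string, so a nonce for one product
// never verifies for another, even within the same tick.
printf("other download: verify=%d\n",
    verify_nonce($nonce, 'edd-add-to-cart-43', $uid, $token, $rendered));
```

Because the tick is time-based and not tied to the response, a full-page cache that serves the same HTML for longer than the nonce's remaining window reproduces exactly the "spinner never stops" symptom, which is why a token that does not depend on wall-clock ticks is the safer design for cacheable links.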

FWIW stalling on the add to cart button resumed when (I thought this issue was resolved and) I turned LiteSpeed caching back on after turning it off months ago to pause this issue. There's nothing in the error logs this time, though.

littlepackage avatar Dec 11 '22 12:12 littlepackage