wp_validate_user_request_key() WordPress Function

The wp_validate_user_request_key() function checks whether a given user request key is valid. If the key is valid, the function returns the user ID associated with the key. If the key is invalid, the function returns false. This function is useful for verifying the authenticity of user request keys used in password reset and email verification processes. By checking that the user ID associated with a key matches the ID of the user making the request, you can be sure that the request is coming from the actual user and not from an attacker.

wp_validate_user_request_key( string $request_id, string $key ) #

Validates a user request by comparing the key with the request’s key.

Contents

Parameters

$request_id

(string)(Required)ID of the request being confirmed.

$key

(string)(Required)Provided key to validate.

Top ↑

Return

(true|WP_Error) True on success, WP_Error on failure.

Top ↑

Source

File: wp-includes/user.php

function wp_validate_user_request_key( $request_id, $key ) {
	global $wp_hasher;

	$request_id       = absint( $request_id );
	$request          = wp_get_user_request( $request_id );
	$saved_key        = $request->confirm_key;
	$key_request_time = $request->modified_timestamp;

	if ( ! $request || ! $saved_key || ! $key_request_time ) {
		return new WP_Error( 'invalid_request', __( 'Invalid personal data request.' ) );
	}

	if ( ! in_array( $request->status, array( 'request-pending', 'request-failed' ), true ) ) {
		return new WP_Error( 'expired_request', __( 'This personal data request has expired.' ) );
	}

	if ( empty( $key ) ) {
		return new WP_Error( 'missing_key', __( 'The confirmation key is missing from this personal data request.' ) );
	}

	if ( empty( $wp_hasher ) ) {
		require_once ABSPATH . WPINC . '/class-phpass.php';
		$wp_hasher = new PasswordHash( 8, true );
	}

	/**
	 * Filters the expiration time of confirm keys.
	 *
	 * @since 4.9.6
	 *
	 * @param int $expiration The expiration time in seconds.
	 */
	$expiration_duration = (int) apply_filters( 'user_request_key_expiration', DAY_IN_SECONDS );
	$expiration_time     = $key_request_time + $expiration_duration;

	if ( ! $wp_hasher->CheckPassword( $key, $saved_key ) ) {
		return new WP_Error( 'invalid_key', __( 'The confirmation key is invalid for this personal data request.' ) );
	}

	if ( ! $expiration_time || time() > $expiration_time ) {
		return new WP_Error( 'expired_key', __( 'The confirmation key has expired for this personal data request.' ) );
	}

	return true;
}

Expand full source codeCollapse full source codeView on TracView on GitHub

Top ↑

Top ↑

Uses

Uses
UsesDescription
wp-includes/user.php:wp_get_user_request()

Returns the user request object for the specified request ID.

wp-includes/user.php:user_request_key_expiration

Filters the expiration time of confirm keys.

wp-includes/l10n.php:__()

Retrieve the translation of $text.

wp-includes/functions.php:absint()

Convert a value to non-negative integer.

wp-includes/plugin.php:apply_filters()

Calls the callback functions that have been added to a filter hook.

wp-includes/class-wp-error.php:WP_Error::__construct()

Initializes the error.

Show 1 more useHide more uses

Top ↑

Changelog

Changelog
VersionDescription
4.9.6Introduced.
Download the latest version of WordPress from https://wordpress.org/

The content displayed on this page has been created in part by processing WordPress source code files which are made available under the GPLv2 (or a later version) license by theĀ Free Software Foundation. In addition to this, the content includes user-written examples and information. All material is subject to review and curation by the WPPaste.com community.

Show More