Here’s an interesting experiment: Go to the WordPress plugins listing page and notice that the activate and deactivate links all have a nonce part in the request.
In a second tab, log out of the site, and go back to plugin listing page.
After a while, the page realizes it’s not logged in, and pops up a login screen. Log in, and click an “activate” or “deactivate” button.
Notice it gives the nonce-failure message, “Are you sure you want to do this?”, because the previous session’s nonces don’t work. Why does WordPress not know to refresh these nonces? I thought new nonces would be sent back as a heartbeat-ajax, but it looks like there isn’t an ajax request with the login screen.
Update: It seems this is called when the user logs in, but I guess not too many scripts are smart about acting on this trigger?
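    // schedule(), show(), hide() and wrap are defined elsewhere in the same script.
    $( document ).on( 'heartbeat-tick.wp-auth-check', function( e, data ) {
        if ( 'wp-auth-check' in data ) {
            schedule();
            if ( ! data['wp-auth-check'] && wrap.hasClass('hidden') ) {
                // Session is no longer valid: show the login overlay.
                show();
            } else if ( data['wp-auth-check'] && ! wrap.hasClass('hidden') ) {
                // Logged in again: hide the overlay.
                hide();
            }
        }
    });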
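
One way a page script could act on that heartbeat tick and swap stale nonces into the activate/deactivate links, as an added example that is not part of the original post or of WordPress core. It assumes a server-side heartbeat filter (not shown) returns fresh nonces under the hypothetical response key `example-fresh-nonces`, keyed by the nonce action (`activate-plugin_<file>` / `deactivate-plugin_<file>`); the event namespace and function names are also made up for the example.

```javascript
// Added example. RESPONSE_KEY and the payload shape are assumptions:
// { "deactivate-plugin_hello.php": "<fresh nonce>", ... }
const RESPONSE_KEY = 'example-fresh-nonces';
const NONCE_FORMAT = /^[0-9a-f]{10}$/; // wp_create_nonce() returns 10 hex characters

// Derive the nonce action for a plugin row link from its query string.
function nonceKey(href) {
  const query = href.split('#')[0].split('?')[1] || '';
  const params = new URLSearchParams(query);
  const action = params.get('action');
  const plugin = params.get('plugin');
  return action && plugin ? `${action}-plugin_${plugin}` : null;
}

// Swap only the _wpnonce value, leaving every other byte of the link as is.
// Values that do not look like a nonce are ignored rather than written into href.
function replaceNonce(href, freshNonce) {
  if (!NONCE_FORMAT.test(String(freshNonce))) return href;
  return href.replace(/([?&]_wpnonce=)[^&#]*/, (m, prefix) => prefix + freshNonce);
}

// Pure helper: returns the updated hrefs for a list of links.
function refreshLinks(hrefs, fresh) {
  return hrefs.map((href) => {
    const key = nonceKey(href);
    const known = key && Object.prototype.hasOwnProperty.call(fresh, key);
    return known ? replaceNonce(href, fresh[key]) : href;
  });
}

// Browser wiring: only runs where jQuery and the heartbeat script are loaded.
if (typeof jQuery !== 'undefined') {
  jQuery(document).on('heartbeat-tick.example-nonces', function (e, data) {
    const fresh = data && data[RESPONSE_KEY];
    if (!fresh) return; // server sent nothing new on this tick
    jQuery('a[href*="_wpnonce="]').each(function () {
      const updated = refreshLinks([this.getAttribute('href')], fresh)[0];
      this.setAttribute('href', updated);
    });
  });
}
```

The server side still has to verify each nonce on the activate/deactivate request; this only keeps the links in an already open tab in step with the new session.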