authorEvan Prodromou <evan@prodromou.name>2008-06-02 16:17:07 -0400
committerEvan Prodromou <evan@prodromou.name>2008-06-02 16:17:07 -0400
commite103c8b6ea2d06cc15e1f8571936b6a2971fe4fa (patch)
tree5bab20f9a50b83a52199ae497673fee0f324b994
parent7b24d101c07ba40b5c8b648bdca0cd6d16ad15f1 (diff)
get rid of callback nonce
darcs-hash:20080602201707-84dde-400855b57fcf01e597494143cc78092351043b91.gz
-rw-r--r--actions/finishremotesubscribe.php13
-rw-r--r--actions/remotesubscribe.php9
2 files changed, 7 insertions, 15 deletions
diff --git a/actions/finishremotesubscribe.php b/actions/finishremotesubscribe.php
index b5093263e..41bc91afd 100644
--- a/actions/finishremotesubscribe.php
+++ b/actions/finishremotesubscribe.php
@@ -33,14 +33,7 @@ class FinishremotesubscribeAction extends Action {
return;
}
- $nonce = $this->trimmed('nonce');
-
- if (!$omb) {
- common_user_error(_t('No nonce returned!'));
- return;
- }
-
- $omb = $_SESSION[$nonce];
+ $omb = $_SESSION['oauth_authorization_request'];
if (!$omb) {
common_user_error(_t('Not expecting this response!'));
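Review bot: The callback is no longer bound to a specific request: `$omb` is read from the fixed key at `$omb = $_SESSION['oauth_authorization_request'];` and nothing in the incoming request is compared against it, so any later hit on this action in the same session — a stale redirect, a replayed URL, or a second provider's callback — consumes whatever request is pending. Only presence is checked (`if (!$omb)`), which is weaker than the per-request session key the removed lines provided (buggy as they were: the removed guard tested `$omb` before it was assigned, so the "No nonce returned!" path could never fire). If the provider echoes the request token on the callback, reject a mismatch before the stored secret is used: `if (!$omb || $this->trimmed('oauth_token') !== $omb['token']) { common_user_error(_t('Not expecting this response!')); return; }`. Whether `oauth_token` is present on the callback is not visible here, and the enclosing method begins before this hunk.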
@@ -173,7 +166,7 @@ class FinishremotesubscribeAction extends Action {
}
# Clear the data
- unset($_SESSION[$nonce]);
+ unset($_SESSION['oauth_authorization_request']);
# If we show subscriptions in reverse chron order, this should
# show up close to the top of the page
@@ -187,7 +180,7 @@ class FinishremotesubscribeAction extends Action {
$con = omb_oauth_consumer();
$tok = new OAuthToken($omb['token'], $omb['secret']);
- $url = $omb[OAUTH_ENDPOINT_ACCESS][0];
+ $url = omb_service_uri($omb[OAUTH_ENDPOINT_ACCESS]);
# XXX: Is this the right thing to do? Strip off GET params and make them
# POST params? Seems wrong to me.
diff --git a/actions/remotesubscribe.php b/actions/remotesubscribe.php
index 3dea07f16..fa7843880 100644
--- a/actions/remotesubscribe.php
+++ b/actions/remotesubscribe.php
@@ -336,10 +336,9 @@ class RemotesubscribeAction extends Action {
$req->set_parameter('omb_listenee_avatar', $avatar->url);
}
- $nonce = $this->make_nonce();
-
- $req->set_parameter('oauth_callback', common_local_url('finishremotesubscribe',
- array('nonce' => $nonce)));
+ # XXX: add a nonce to prevent replay attacks
+
+ $req->set_parameter('oauth_callback', common_local_url('finishremotesubscribe'));
# XXX: test to see if endpoint accepts this signature method
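Review bot: Dropping the nonce makes the callback URL fully predictable, and the new `# XXX: add a nonce to prevent replay attacks` only records the gap; the nonce did not need to go away with the per-request session key — it can live inside the stored request and be verified on return. Keep `$nonce = $this->make_nonce();`, store it as `$omb['nonce'] = $nonce;` before the session write later in this method, and pass it in the callback with `common_local_url('finishremotesubscribe', array('nonce' => $nonce))` so the finish action can compare the returned value against the stored one. Note also that the fixed key written at `$_SESSION['oauth_authorization_request'] = $omb;` is overwritten by any second remote subscribe started in the same session (another tab), after which the first provider's callback would be completed using the second provider's token, secret and access endpoint. The enclosing method continues past the end of this hunk.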
@@ -351,7 +350,7 @@ class RemotesubscribeAction extends Action {
$omb['token'] = $token;
$omb['secret'] = $secret;
- $_SESSION[$nonce] = $omb;
+ $_SESSION['oauth_authorization_request'] = $omb;
# Redirect to authorization service