summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAdrian Lang <mail@adrianlang.de>2009-03-07 12:38:47 +0100
committerAdrian Lang <mail@adrianlang.de>2009-03-11 10:30:30 +0100
commit24713499a9686b6c2f1e765bb29d7e93e7256cd0 (patch)
tree1ecdfe9fafb3e2c6f4d2a81926fdb94bcaf1a57d
parent04a05ca236e0c61da2ddc4c8f93e2ba153466342 (diff)
Fixes #827: Laconica expects full OAuth message for user auth request.
When a user subscribes to a remote profile, he is redirected to his own service to confirm the request. This authorization request is specified in http://oauth.net/core/1.0#auth_step2. According to the standard, it does not have to pass consumer_key, nonce, timestamp or signature. The only specified parameters are oauth_token and oauth_callback, both optional.
-rw-r--r--actions/userauthorization.php107
1 files changed, 8 insertions, 99 deletions
diff --git a/actions/userauthorization.php b/actions/userauthorization.php
index 6a76e3a4c..d0041ca5a 100644
--- a/actions/userauthorization.php
+++ b/actions/userauthorization.php
@@ -216,10 +216,8 @@ class UserauthorizationAction extends Action
function authorizeToken(&$req)
{
- $consumer_key = $req->get_parameter('oauth_consumer_key');
$token_field = $req->get_parameter('oauth_token');
$rt = new Token();
- $rt->consumer_key = $consumer_key;
$rt->tok = $token_field;
$rt->type = 0;
$rt->state = 0;
@@ -390,15 +388,14 @@ class UserauthorizationAction extends Action
function validateRequest(&$req)
{
- # OAuth stuff -- have to copy from OAuth.php since they're
- # all private methods, and there's no user-authentication method
- $this->checkVersion($req);
- $datastore = omb_oauth_datastore();
- $consumer = $this->getConsumer($datastore, $req);
- $token = $this->getToken($datastore, $req, $consumer);
- $this->checkTimestamp($req);
- $this->checkNonce($datastore, $req, $consumer, $token);
- $this->checkSignature($req, $consumer, $token);
+ /* Find token. */
+ $t = new Token();
+ $t->tok = $req->get_parameter('oauth_token');
+ $t->type = 0;
+ if (!$t->find(true)) {
+ throw new OAuthException("Invalid request token: " . $req->get_parameter('oauth_token'));
+ }
+
$this->validateOmb($req);
return true;
}
@@ -515,92 +512,4 @@ class UserauthorizationAction extends Action
throw new OAuthException("Callback URL '$callback' is for local site.");
}
}
-
- # Snagged from OAuthServer
-
- function checkVersion(&$req)
- {
- $version = $req->get_parameter("oauth_version");
- if (!$version) {
- $version = 1.0;
- }
- if ($version != 1.0) {
- throw new OAuthException("OAuth version '$version' not supported");
- }
- return $version;
- }
-
- # Snagged from OAuthServer
-
- function getConsumer($datastore, $req)
- {
- $consumer_key = @$req->get_parameter("oauth_consumer_key");
- if (!$consumer_key) {
- throw new OAuthException("Invalid consumer key");
- }
-
- $consumer = $datastore->lookup_consumer($consumer_key);
- if (!$consumer) {
- throw new OAuthException("Invalid consumer");
- }
- return $consumer;
- }
-
- # Mostly cadged from OAuthServer
-
- function getToken($datastore, &$req, $consumer)
- {/*{{{*/
- $token_field = @$req->get_parameter('oauth_token');
- $token = $datastore->lookup_token($consumer, 'request', $token_field);
- if (!$token) {
- throw new OAuthException("Invalid $token_type token: $token_field");
- }
- return $token;
- }
-
- function checkTimestamp(&$req)
- {
- $timestamp = @$req->get_parameter('oauth_timestamp');
- $now = time();
- if ($now - $timestamp > TIMESTAMP_THRESHOLD) {
- throw new OAuthException("Expired timestamp, yours $timestamp, ours $now");
- }
- }
-
- # NOTE: don't call twice on the same request; will fail!
- function checkNonce(&$datastore, &$req, $consumer, $token)
- {
- $timestamp = @$req->get_parameter('oauth_timestamp');
- $nonce = @$req->get_parameter('oauth_nonce');
- $found = $datastore->lookup_nonce($consumer, $token, $nonce, $timestamp);
- if ($found) {
- throw new OAuthException("Nonce already used");
- }
- return true;
- }
-
- function checkSignature(&$req, $consumer, $token)
- {
- $signature_method = $this->getSignatureMethod($req);
- $signature = $req->get_parameter('oauth_signature');
- $valid_sig = $signature_method->check_signature($req,
- $consumer,
- $token,
- $signature);
- if (!$valid_sig) {
- throw new OAuthException("Invalid signature");
- }
- }
-
- function getSignatureMethod(&$req)
- {
- $signature_method = @$req->get_parameter("oauth_signature_method");
- if (!$signature_method) {
- $signature_method = "PLAINTEXT";
- }
- if ($signature_method != 'HMAC-SHA1') {
- throw new OAuthException("Signature method '$signature_method' not supported.");
- }
- return omb_hmac_sha1();
- }
}