authorZach Copley <zach@status.net>2010-01-10 23:03:30 -0800
committerZach Copley <zach@status.net>2010-01-24 16:36:02 -0800
commitc473a39a7da07fbe5b80fec4c08111a554691c3a (patch)
treeb52bc4ff6e7f3d611516346fd2323bd8410ca052
parente9e448bcee69b0c39badf353faedb4c29af3f502 (diff)
Associate request tokens with OAuth apps and app users
-rw-r--r--actions/apioauthauthorize.php64
-rw-r--r--classes/Oauth_application_user.php24
-rw-r--r--classes/statusnet.ini4
-rw-r--r--db/statusnet.sql5
4 files changed, 81 insertions, 16 deletions
diff --git a/actions/apioauthauthorize.php b/actions/apioauthauthorize.php
index 895a0c6e5..48d5087ef 100644
--- a/actions/apioauthauthorize.php
+++ b/actions/apioauthauthorize.php
@@ -125,19 +125,12 @@ class ApiOauthAuthorizeAction extends Action
parent::handle($args);
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
- /* Use a session token for CSRF protection. */
- $token = $this->trimmed('token');
- if (!$token || $token != common_session_token()) {
- $this->showForm(_('There was a problem with your session token. '.
- 'Try again, please.'));
- return;
- }
$this->handlePost();
} else {
- common_debug('ApiOauthAuthorize::handle()');
+ // XXX: make better error messages
if (empty($this->oauth_token)) {
@@ -160,7 +153,7 @@ class ApiOauthAuthorizeAction extends Action
function handlePost()
{
- /* Use a session token for CSRF protection. */
+ // check session token for CSRF protection.
$token = $this->trimmed('token');
@@ -175,25 +168,66 @@ class ApiOauthAuthorizeAction extends Action
return;
}
- // is the user already logged in?
-
// check creds
+ $user = null;
+
if (!common_logged_in()) {
$user = common_check_user($this->nickname, $this->password);
if (empty($user)) {
$this->showForm(_("Invalid nickname / password!"));
return;
}
- }
+ } else {
+ $user = common_current_user();
+ }
if ($this->arg('allow')) {
+ // mark the req token as authorized
+
$this->store->authorize_token($this->oauth_token);
+ // Check to see if there was a previous token associated
+ // with this user/app and kill it. If you're doing this you
+ // probably don't want any old tokens anyway.
+
+ $appUser = Oauth_application_user::getByKeys($user, $this->app);
+
+ if (!empty($appUser)) {
+ $result = $appUser->delete();
+
+ if (!$result) {
+ common_log_db_error($appUser, 'DELETE', __FILE__);
+ throw new ServerException(_('DB error deleting OAuth app user.'));
+ return;
+ }
+ }
+
+ // associated the new req token with the user and the app
+
+ $appUser = new Oauth_application_user();
+
+ $appUser->profile_id = $user->id;
+ $appUser->application_id = $this->app->id;
+ $appUser->access_type = $this->app->access_type;
+ $appUser->token = $this->oauth_token;
+ $appUser->created = common_sql_now();
+
+ $result = $appUser->insert();
+
+ if (!$result) {
+ common_log_db_error($appUser, 'INSERT', __FILE__);
+ throw new ServerException(_('DB error inserting OAuth app user.'));
+ return;
+ }
+
// if we have a callback redirect and provide the token
if (!empty($this->callback)) {
+
+ // XXX: Need better way to build this redirect url.
+
$target_url = $this->callback . '?oauth_token=' . $this->oauth_token;
common_redirect($target_url, 303);
}
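Review bot: The new `Oauth_application_user` row built after the `associated the new req token` comment never assigns `verifier`, while the db/statusnet.sql hunk in this same commit declares `verifier varchar(255) not null` with no default; if the data object omits unset columns from the INSERT, the `insert()` call would fail under a strict `sql_mode` and every authorization would end in the `ServerException` path, so either make the column nullable like `token`/`secret` or set it here. The request token is marked authorized via `authorize_token()` before the app-user row is written, so a failed `delete()` or `insert()` leaves an authorized token with no owning record; persisting the association first, or running the three writes in one transaction, keeps the two stores consistent. The `return;` statements after each `throw new ServerException(...)` are unreachable and can be dropped. The redirect concatenation (already marked XXX) neither URL-encodes the token nor copes with a callback that already has a query string; `$target_url = $this->callback . (strpos($this->callback, '?') === false ? '?' : '&') . 'oauth_token=' . urlencode($this->oauth_token);` covers both. `handlePost()` continues past the end of this hunk.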
@@ -202,7 +236,7 @@ class ApiOauthAuthorizeAction extends Action
$this->elementStart('p');
- // XXX: Do verifier code?
+ // XXX: Do OAuth 1.0a verifier code?
$this->raw(sprintf(_("The request token %s has been authorized. " .
'Please exchange it for an access token.'),
@@ -233,7 +267,9 @@ class ApiOauthAuthorizeAction extends Action
function showScripts()
{
parent::showScripts();
- // $this->autofocus('nickname');
+ if (!common_logged_in()) {
+ $this->autofocus('nickname');
+ }
}
/**
diff --git a/classes/Oauth_application_user.php b/classes/Oauth_application_user.php
index 9e45ece25..e4c018f21 100644
--- a/classes/Oauth_application_user.php
+++ b/classes/Oauth_application_user.php
@@ -13,12 +13,34 @@ class Oauth_application_user extends Memcached_DataObject
public $profile_id; // int(4) primary_key not_null
public $application_id; // int(4) primary_key not_null
public $access_type; // tinyint(1)
+ public $token; // varchar(255)
+ public $secret; // varchar(255)
+ public $verifier; // varchar(255)
public $created; // datetime not_null
+ public $modified; // timestamp not_null default_CURRENT_TIMESTAMP
/* Static get */
function staticGet($k,$v=NULL) {
- return Memcached_DataObject::staticGet('Oauth_application_user',$k,$v);
+ return Memcached_DataObject::staticGet('Oauth_application_user',$k,$v);
}
/* the code above is auto generated do not remove the tag below */
###END_AUTOCODE
+
+ static function getByKeys($user, $app)
+ {
+ if (empty($user) || empty($app)) {
+ return null;
+ }
+
+ $oau = new Oauth_application_user();
+
+ $oau->profile_id = $user->id;
+ $oau->application_id = $app->id;
+ $oau->limit(1);
+
+ $result = $oau->find(true);
+
+ return empty($result) ? null : $oau;
+ }
+
}
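Review bot: `getByKeys()` is the only hand-written method in this class and has no docblock, so a caller cannot tell that it returns `null` both when an argument is empty and when no row matches, nor that `$user->id` is what is stored as `profile_id`. A docblock naming the two parameter types (`User`/`Oauth_application` presumably — confirm against the callers), stating the `Oauth_application_user|null` return and the two null conditions would make the contract explicit. The `$oau->limit(1)` is redundant given the `(profile_id, application_id)` primary key declared in db/statusnet.sql, but harmless; a short comment such as `// primary key lookup; at most one row` would say why `find(true)` is enough.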
diff --git a/classes/statusnet.ini b/classes/statusnet.ini
index 0cbe60a5a..43f6c4466 100644
--- a/classes/statusnet.ini
+++ b/classes/statusnet.ini
@@ -372,7 +372,11 @@ id = N
profile_id = 129
application_id = 129
access_type = 17
+token = 2
+secret = 2
+verifier = 2
created = 142
+modified = 384
[oauth_application_user__keys]
profile_id = K
diff --git a/db/statusnet.sql b/db/statusnet.sql
index a2740b60c..eb4706067 100644
--- a/db/statusnet.sql
+++ b/db/statusnet.sql
@@ -229,8 +229,11 @@ create table oauth_application_user (
profile_id integer not null comment 'user of the application' references profile (id),
application_id integer not null comment 'id of the application' references oauth_application (id),
access_type tinyint default 0 comment 'access type, bit 1 = read, bit 2 = write, bit 3 = revoked',
+ token varchar(255) comment 'authorization token',
+ secret varchar(255) comment 'token secret',
+ verifier varchar(255) not null comment 'verification code',
created datetime not null comment 'date this record was created',
-
+ modified timestamp comment 'date this record was modified',
constraint primary key (profile_id, application_id)
) ENGINE=InnoDB CHARACTER SET utf8 COLLATE utf8_bin;
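Review bot: The new `modified timestamp comment ...` column carries no explicit default or on-update clause, whereas the matching property comment in classes/Oauth_application_user.php documents it as `timestamp not_null default_CURRENT_TIMESTAMP` and the ini maps it as type 384; whether a bare first TIMESTAMP column gets those semantics implicitly depends on the MySQL version and `explicit_defaults_for_timestamp`, so the DDL should state it: `modified timestamp not null default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP comment 'date this record was modified',`. That keeps the schema, the ini and the class comment in agreement regardless of server configuration.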