Merge branch 'oauth-1.0a' into 0.9.x

author: Zach Copley <zach@status.net> 2010-10-12 17:52:04 -0700
committer: Zach Copley <zach@status.net> 2010-10-12 17:52:04 -0700
commit: 04f3f57e2eed2a7757b3dd2bf5afc4926dd0961b (patch)
tree: 1cc2f2ac91ef73e1025442ce8ac5ae4322d9073b /actions/apioauthrequesttoken.php
parent: 112b6c40793a18262425ca039e4fe4a6eb68bce4 (diff)
parent: 5270e931311af0f644ebd4302833ad3bb89b81d4 (diff)
1 files changed, 78 insertions, 13 deletions
diff --git a/actions/apioauthrequesttoken.php b/actions/apioauthrequesttoken.php
index 4fa626d86..478d2dbfc 100644
--- a/actions/apioauthrequesttoken.php
+++ b/actions/apioauthrequesttoken.php
@@ -2,7 +2,7 @@
 /**
  * StatusNet, the distributed open-source microblogging tool
  *
- * Get an OAuth request token
+ * Issue temporary OAuth credentials (a request token)
  *
  * PHP version 5
  *
@@ -34,7 +34,7 @@ if (!defined('STATUSNET')) {
 require_once INSTALLDIR . '/lib/apioauth.php';
 
 /**
- * Get an OAuth request token
+ * Issue temporary OAuth credentials (a request token)
  *
  * @category API
  * @package  StatusNet
@@ -58,22 +58,23 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
     {
         parent::prepare($args);
 
-        $this->callback  = $this->arg('oauth_callback');
-
-        if (!empty($this->callback)) {
-            common_debug("callback: $this->callback");
-        }
+        // XXX: support "force_login" parameter like Twitter? (Forces the user to enter
+        // their credentials to ensure the correct users account is authorized.)
 
         return true;
     }
 
     /**
-     * Class handler.
+     * Handle a request for temporary OAuth credentials
+     *
+     * Make sure the request is kosher, then emit a set of temporary
+     * credentials -- AKA an unauthorized request token.
      *
      * @param array $args array of arguments
      *
      * @return void
      */
+
     function handle($args)
     {
         parent::handle($args);
@@ -85,14 +86,78 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
         $server->add_signature_method($hmac_method);
 
         try {
-            $req   = OAuthRequest::from_request();
+
+            $req = OAuthRequest::from_request();
+
+            // verify callback
+            if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) {
+                throw new OAuthException(
+                    "You must provide a valid URL or 'oob' in oauth_callback.",
+                    400
+                );
+            }
+
+            // check signature and issue a new request token
             $token = $server->fetch_request_token($req);
-            print $token;
+
+            common_log(
+                LOG_INFO,
+                sprintf(
+                    "API OAuth - Issued request token %s for consumer %s with oauth_callback %s",
+                    $token->key,
+                    $req->get_parameter('oauth_consumer_key'),
+                    "'" . $req->get_parameter('oauth_callback') ."'"
+                )
+            );
+
+            // return token to the client
+            $this->showRequestToken($token);
+
         } catch (OAuthException $e) {
             common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
-            header('HTTP/1.1 401 Unauthorized');
-            header('Content-Type: text/html; charset=utf-8');
-            print $e->getMessage() . "\n";
+
+            // Return 401 for for bad credentials or signature problems,
+            // and 400 for missing or unsupported parameters
+
+            $code = $e->getCode();
+            $this->clientError($e->getMessage(), empty($code) ? 401 : $code, 'text');
+        }
+    }
+
+    /*
+     * Display temporary OAuth credentials
+     */
+
+    function showRequestToken($token)
+    {
+        header('Content-Type: application/x-www-form-urlencoded');
+        print $token;
+        print '&oauth_callback_confirmed=true';
+    }
+
+    /* Make sure the callback parameter contains either a real URL
+     * or the string 'oob'.
+     *
+     * @todo Check for evil/banned URLs here
+     *
+     * @return boolean true or false
+     */
+
+    function verifyCallback($callback)
+    {
+        if ($callback == "oob") {
+            common_debug("OAuth request token requested for out of bounds client.");
+
+            // XXX: Should we throw an error if a client is registered as a
+            // web application but requests the pin based workflow? For now I'm
+            // allowing the workflow to proceed and issuing a pin. --Zach
+
+            return true;
+        } else {
+            return Validate::uri(
+                $callback,
+                array('allowed_schemes' => array('http', 'https'))
+            );
         }
     }
author	Zach Copley <zach@status.net>	2010-10-12 17:52:04 -0700
committer	Zach Copley <zach@status.net>	2010-10-12 17:52:04 -0700
commit	04f3f57e2eed2a7757b3dd2bf5afc4926dd0961b (patch)
tree	1cc2f2ac91ef73e1025442ce8ac5ae4322d9073b /actions/apioauthrequesttoken.php
parent	112b6c40793a18262425ca039e4fe4a6eb68bce4 (diff)
parent	5270e931311af0f644ebd4302833ad3bb89b81d4 (diff)