summaryrefslogtreecommitdiff
path: root/actions
diff options
context:
space:
mode:
authorZach Copley <zach@status.net>2010-10-05 17:53:50 -0700
committerZach Copley <zach@status.net>2010-10-06 13:40:03 -0700
commitf97b863fd709135fb9f7bf7c756a1c6721e3e988 (patch)
tree824780da2d32d83c6dd108512c667cc2f3dac2ed /actions
parentf4f56eea3ae349ed7d47ae7385036107510bf5e5 (diff)
Update ApiOauthRequestTokenAction to support OAuth 1.0a
Diffstat (limited to 'actions')
-rw-r--r--actions/apioauthrequesttoken.php74
1 files changed, 62 insertions, 12 deletions
diff --git a/actions/apioauthrequesttoken.php b/actions/apioauthrequesttoken.php
index 4fa626d86..4f4c2c8fb 100644
--- a/actions/apioauthrequesttoken.php
+++ b/actions/apioauthrequesttoken.php
@@ -2,7 +2,7 @@
/**
* StatusNet, the distributed open-source microblogging tool
*
- * Get an OAuth request token
+ * Issue temporary OAuth credentials (a request token)
*
* PHP version 5
*
@@ -34,7 +34,7 @@ if (!defined('STATUSNET')) {
require_once INSTALLDIR . '/lib/apioauth.php';
/**
- * Get an OAuth request token
+ * Issue temporary OAuth credentials (a request token)
*
* @category API
* @package StatusNet
@@ -58,22 +58,23 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
{
parent::prepare($args);
- $this->callback = $this->arg('oauth_callback');
-
- if (!empty($this->callback)) {
- common_debug("callback: $this->callback");
- }
+ // XXX: support "force_login" parameter like Twitter? (Forces the user to enter
+ // their credentials to ensure the correct users account is authorized.)
return true;
}
/**
- * Class handler.
+ * Handle a request for temporary OAuth credentials
+ *
+ * Make sure the request is kosher, then emit a set of temporary
+ * credentials -- AKA an unauthorized request token.
*
* @param array $args array of arguments
*
* @return void
*/
+
function handle($args)
{
parent::handle($args);
@@ -85,14 +86,63 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
$server->add_signature_method($hmac_method);
try {
+
$req = OAuthRequest::from_request();
+
+ // verify callback
+ if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) {
+ throw new OAuthException(
+ "You must provide a valid URL or 'oob' in oauth_callback.",
+ 400
+ );
+ }
+
+ // check signature and issue a new request token
$token = $server->fetch_request_token($req);
- print $token;
+
+ // return token to the client
+ $this->showRequestToken($token);
+
} catch (OAuthException $e) {
common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
- header('HTTP/1.1 401 Unauthorized');
- header('Content-Type: text/html; charset=utf-8');
- print $e->getMessage() . "\n";
+
+ // Return 401 for for bad credentials or signature problems,
+ // and 400 for missing or unsupported parameters
+
+ $code = $e->getCode();
+ $this->clientError($e->getMessage(), empty($code) ? 401 : $code, 'text');
+ }
+ }
+
+ /*
+ * Display temporary OAuth credentials
+ */
+
+ function showRequestToken($token)
+ {
+ header('Content-Type: application/x-www-form-urlencoded');
+ print $token;
+ print '&oauth_callback_confirmed=true';
+ }
+
+ /* Make sure the callback parameter contains either a real URL
+ * or the string 'oob'.
+ *
+ * @todo Check for evil/banned URLs here
+ *
+ * @return boolean true or false
+ */
+
+ function verifyCallback($callback)
+ {
+ if ($callback == "oob") {
+ common_debug("OAuth request token requested for out of bounds client.");
+ return true;
+ } else {
+ return Validate::uri(
+ $callback,
+ array('allowed_schemes' => array('http', 'https'))
+ );
}
}