diff options
Diffstat (limited to 'actions/apioauthauthorize.php')
-rw-r--r-- | actions/apioauthauthorize.php | 347 |
1 files changed, 253 insertions, 94 deletions
diff --git a/actions/apioauthauthorize.php b/actions/apioauthauthorize.php index ea5c30c2a..9929c36c0 100644 --- a/actions/apioauthauthorize.php +++ b/actions/apioauthauthorize.php @@ -35,7 +35,7 @@ require_once INSTALLDIR . '/lib/apioauth.php'; require_once INSTALLDIR . '/lib/info.php'; /** - * Authorize an OAuth request token + * Authorize an Oputh request token * * @category API * @package StatusNet @@ -43,7 +43,6 @@ require_once INSTALLDIR . '/lib/info.php'; * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @link http://status.net/ */ - class ApiOauthAuthorizeAction extends Action { var $oauthTokenParam; @@ -69,11 +68,11 @@ class ApiOauthAuthorizeAction extends Action { parent::prepare($args); - $this->nickname = $this->trimmed('nickname'); - $this->password = $this->arg('password'); - $this->oauthTokenParam = $this->arg('oauth_token'); - $this->callback = $this->arg('oauth_callback'); - $this->store = new ApiStatusNetOAuthDataStore(); + $this->nickname = $this->trimmed('nickname'); + $this->password = $this->arg('password'); + $this->oauthTokenParam = $this->arg('oauth_token'); + $this->mode = $this->arg('mode'); + $this->store = new ApiStatusNetOAuthDataStore(); try { $this->app = $this->store->getAppByRequestToken($this->oauthTokenParam); @@ -93,7 +92,6 @@ class ApiOauthAuthorizeAction extends Action * * @return void */ - function handle($args) { parent::handle($args); @@ -106,6 +104,7 @@ class ApiOauthAuthorizeAction extends Action // Make sure a oauth_token parameter was provided if (empty($this->oauthTokenParam)) { + // TRANS: Client error given when no oauth_token was passed to the OAuth API. $this->clientError(_('No oauth_token parameter provided.')); } else { @@ -113,20 +112,21 @@ class ApiOauthAuthorizeAction extends Action $this->reqToken = $this->store->getTokenByKey($this->oauthTokenParam); if (empty($this->reqToken)) { - $this->serverError( - _('Invalid request token.') - ); + // TRANS: Client error given when an invalid request token was passed to the OAuth API. + $this->clientError(_('Invalid request token.')); } else { // Check to make sure we haven't already authorized the token if ($this->reqToken->state != 0) { - $this->clientError("Invalid request token."); + // TRANS: Client error given when an invalid request token was passed to the OAuth API. + $this->clientError(_('Request token already authorized.')); } } } // make sure there's an app associated with this token if (empty($this->app)) { + // TRANS: Client error given when an invalid request token was passed to the OAuth API. $this->clientError(_('Invalid request token.')); } @@ -156,10 +156,15 @@ class ApiOauthAuthorizeAction extends Action // XXX Force credentials check? - // XXX OpenID + // @fixme this should probably use a unified login form handler + $user = null; + if (Event::handle('StartOAuthLoginCheck', array($this, &$user))) { + $user = common_check_user($this->nickname, $this->password); + } + Event::handle('EndOAuthLoginCheck', array($this, &$user)); - $user = common_check_user($this->nickname, $this->password); if (empty($user)) { + // TRANS: Form validation error given when an invalid username and/or password was passed to the OAuth API. $this->showForm(_("Invalid nickname / password!")); return; } @@ -167,10 +172,11 @@ class ApiOauthAuthorizeAction extends Action $user = common_current_user(); } - if ($this->arg('allow')) { + // fetch the token + $this->reqToken = $this->store->getTokenByKey($this->oauthTokenParam); + assert(!empty($this->reqToken)); - // fetch the token - $this->reqToken = $this->store->getTokenByKey($this->oauthTokenParam); + if ($this->arg('allow')) { // mark the req token as authorized try { @@ -179,73 +185,66 @@ class ApiOauthAuthorizeAction extends Action $this->serverError($e->getMessage()); } - // Check to see if there was a previous token associated - // with this user/app and kill it. If the user is doing this she - // probably doesn't want any old tokens anyway. - - $appUser = Oauth_application_user::getByKeys($user, $this->app); - - if (!empty($appUser)) { - $result = $appUser->delete(); - - if (!$result) { - common_log_db_error($appUser, 'DELETE', __FILE__); - $this->serverError(_('Database error deleting OAuth application user.')); - } - } - - // associated the authorized req token with the user and the app - - $appUser = new Oauth_application_user(); + common_log( + LOG_INFO, + sprintf( + "API OAuth - User %d (%s) has authorized request token %s for OAuth application %d (%s).", + $user->id, + $user->nickname, + $this->reqToken->tok, + $this->app->id, + $this->app->name + ) + ); - $appUser->profile_id = $user->id; - $appUser->application_id = $this->app->id; + // XXX: Make sure we have a oauth_token_association table. The table + // is now in the main schema, but because it is being added with + // a point release, it's unlikely to be there. This code can be + // removed as of 1.0. + $this->ensureOauthTokenAssociationTable(); - // Note: do not copy the access type from the application. - // The access type should always be 0 when the OAuth app - // user record has a request token associated with it. - // Access type gets assigned once an access token has been - // granted. The OAuth app user record then gets updated - // with the new access token and access type. + $tokenAssoc = new Oauth_token_association(); - $appUser->token = $this->oauthTokenParam; - $appUser->created = common_sql_now(); + $tokenAssoc->profile_id = $user->id; + $tokenAssoc->application_id = $this->app->id; + $tokenAssoc->token = $this->oauthTokenParam; + $tokenAssoc->created = common_sql_now(); - $result = $appUser->insert(); + $result = $tokenAssoc->insert(); if (!$result) { - common_log_db_error($appUser, 'INSERT', __FILE__); - $this->serverError(_('Database error inserting OAuth application user.')); + common_log_db_error($tokenAssoc, 'INSERT', __FILE__); + // TRANS: Server error displayed when a database action fails. + $this->serverError(_('Database error inserting oauth_token_association.')); } - // If we have a callback redirect and provide the token - - // Note: A callback specified in the app setup overrides whatever - // is passed in with the request. - - if (!empty($this->app->callback_url)) { - $this->callback = $this->app->callback_url; - } + $callback = $this->getCallback(); - if (!empty($this->callback)) { - - $targetUrl = $this->getCallback( - $this->callback, + if (!empty($callback) && $this->reqToken->verified_callback != 'oob') { + $targetUrl = $this->buildCallbackUrl( + $callback, array( 'oauth_token' => $this->oauthTokenParam, 'oauth_verifier' => $this->reqToken->verifier // 1.0a ) ); + common_log(LOG_INFO, "Redirecting to callback: $targetUrl"); + // Redirect the user to the provided OAuth callback common_redirect($targetUrl, 303); - } else { + } elseif ($this->app->type == 2) { + // Strangely, a web application seems to want to do the OOB + // workflow. Because no callback was specified anywhere. common_log( - LOG_INFO, - "No oauth_callback parameter provided for application ID " - . $this->app->id - . " when authorizing request token." + LOG_WARNING, + sprintf( + "API OAuth - No callback provided for OAuth web client ID %s (%s) " + . "during authorization step. Falling back to OOB workflow.", + $this->app->id, + $this->app->name + ) ); } @@ -254,18 +253,90 @@ class ApiOauthAuthorizeAction extends Action } else if ($this->arg('cancel')) { + common_log( + LOG_INFO, + sprintf( + "API OAuth - User %d (%s) refused to authorize request token %s for OAuth application %d (%s).", + $user->id, + $user->nickname, + $this->reqToken->tok, + $this->app->id, + $this->app->name + ) + ); + try { $this->store->revoke_token($this->oauthTokenParam, 0); - $this->showCanceled(); } catch (Exception $e) { $this->ServerError($e->getMessage()); } + $callback = $this->getCallback(); + + // If there's a callback available, inform the consumer the user + // has refused authorization + if (!empty($callback) && $this->reqToken->verified_callback != 'oob') { + $targetUrl = $this->buildCallbackUrl( + $callback, + array( + 'oauth_problem' => 'user_refused', + ) + ); + + common_log(LOG_INFO, "Redirecting to callback: $targetUrl"); + + // Redirect the user to the provided OAuth callback + common_redirect($targetUrl, 303); + } + + // otherwise inform the user that authorization for the rt was declined + $this->showCanceled(); + } else { + // TRANS: Client error given on when invalid data was passed through a form in the OAuth API. $this->clientError(_('Unexpected form submission.')); } } + // XXX Remove this function when we hit 1.0 + function ensureOauthTokenAssociationTable() + { + $schema = Schema::get(); + + $reqTokenCols = array( + new ColumnDef('profile_id', 'integer', null, true, 'PRI'), + new ColumnDef('application_id', 'integer', null, true, 'PRI'), + new ColumnDef('token', 'varchar', 255, true, 'PRI'), + new ColumnDef('created', 'datetime', null, false), + new ColumnDef( + 'modified', + 'timestamp', + null, + false, + null, + 'CURRENT_TIMESTAMP', + 'on update CURRENT_TIMESTAMP' + ) + ); + + $schema->ensureTable('oauth_token_association', $reqTokenCols); + } + + /** + * Override to add some special (more compact) styling when the page is + * being displayed in desktop mode. + * + * @return nothing + */ + function showStylesheets() + { + parent::showStyleSheets(); + + if ($this->desktopMode()) { + $this->style('#wrap {min-width: 500px; } #content {width: 480px; padding: 10px;} fieldset {margin-bottom: 10px !important;}</style>'); + } + } + function showForm($error=null) { $this->error = $error; @@ -285,9 +356,9 @@ class ApiOauthAuthorizeAction extends Action * * @return string title of the page */ - function title() { + // TRANS: Title for a page where a user can confirm/deny account access by an external application. return _('An application would like to connect to your account'); } @@ -296,7 +367,6 @@ class ApiOauthAuthorizeAction extends Action * * @return void */ - function showContent() { $this->elementStart('form', array('method' => 'post', @@ -305,9 +375,11 @@ class ApiOauthAuthorizeAction extends Action 'action' => common_local_url('ApiOauthAuthorize'))); $this->elementStart('fieldset'); $this->element('legend', array('id' => 'apioauthauthorize_allowdeny'), + // TRANS: Fieldset legend. _('Allow or deny access')); $this->hidden('token', common_session_token()); + $this->hidden('mode', $this->mode); $this->hidden('oauth_token', $this->oauthTokenParam); $this->hidden('oauth_callback', $this->callback); @@ -321,6 +393,9 @@ class ApiOauthAuthorizeAction extends Action $access = ($this->app->access_type & Oauth_application::$writeAccess) ? 'access and update' : 'access'; + // TRANS: User notification of external application requesting account access. + // TRANS: %1$s is the application name requesting access, %2$s is the organisation behind the application, + // TRANS: %3$s is the access type requested, %4$s is the StatusNet sitename. $msg = _('The application <strong>%1$s</strong> by ' . '<strong>%2$s</strong> would like the ability ' . 'to <strong>%3$s</strong> your %4$s account data. ' . @@ -336,34 +411,43 @@ class ApiOauthAuthorizeAction extends Action $this->elementEnd('li'); $this->elementEnd('ul'); + // quickie hack + $button = false; if (!common_logged_in()) { - - $this->elementStart('fieldset'); - $this->element('legend', null, _('Account')); - $this->elementStart('ul', 'form_data'); - $this->elementStart('li'); - $this->input('nickname', _('Nickname')); - $this->elementEnd('li'); - $this->elementStart('li'); - $this->password('password', _('Password')); - $this->elementEnd('li'); - $this->elementEnd('ul'); - - $this->elementEnd('fieldset'); - + if (Event::handle('StartOAuthLoginForm', array($this, &$button))) { + $this->elementStart('fieldset'); + // TRANS: Fieldset legend. + $this->element('legend', null, _m('LEGEND','Account')); + $this->elementStart('ul', 'form_data'); + $this->elementStart('li'); + // TRANS: Field label on OAuth API authorisation form. + $this->input('nickname', _('Nickname')); + $this->elementEnd('li'); + $this->elementStart('li'); + // TRANS: Field label on OAuth API authorisation form. + $this->password('password', _('Password')); + $this->elementEnd('li'); + $this->elementEnd('ul'); + + $this->elementEnd('fieldset'); + } + Event::handle('EndOAuthLoginForm', array($this, &$button)); } $this->element('input', array('id' => 'cancel_submit', 'class' => 'submit submit form_action-primary', 'name' => 'cancel', 'type' => 'submit', - 'value' => _('Cancel'))); + // TRANS: Button text that when clicked will cancel the process of allowing access to an account + // TRANS: by an external application. + 'value' => _m('BUTTON','Cancel'))); $this->element('input', array('id' => 'allow_submit', 'class' => 'submit submit form_action-secondary', 'name' => 'allow', 'type' => 'submit', - 'value' => _('Allow'))); + // TRANS: Button text that when clicked will allow access to an account by an external application. + 'value' => $button ? $button : _m('BUTTON','Allow'))); $this->elementEnd('fieldset'); $this->elementEnd('form'); @@ -377,9 +461,9 @@ class ApiOauthAuthorizeAction extends Action * * @return void */ - function getInstructions() { + // TRANS: Form instructions. return _('Authorize access to your account information.'); } @@ -390,18 +474,61 @@ class ApiOauthAuthorizeAction extends Action * * @return void */ - function showLocalNav() { // NOP } + /* + * Checks to see if a the "mode" parameter is present in the request + * and set to "desktop". If it is, the page is meant to be displayed in + * a small frame of another application, and we should suppress the + * header, aside, and footer. + */ + function desktopMode() + { + if (isset($this->mode) && $this->mode == 'desktop') { + return true; + } else { + return false; + } + } + + /* + * Override - suppress output in "desktop" mode + */ + function showHeader() + { + if ($this->desktopMode() == false) { + parent::showHeader(); + } + } + + /* + * Override - suppress output in "desktop" mode + */ + function showAside() + { + if ($this->desktopMode() == false) { + parent::showAside(); + } + } + + /* + * Override - suppress output in "desktop" mode + */ + function showFooter() + { + if ($this->desktopMode() == false) { + parent::showFooter(); + } + } + /** * Show site notice. * * @return nothing */ - function showSiteNotice() { // NOP @@ -414,7 +541,6 @@ class ApiOauthAuthorizeAction extends Action * * @return nothing */ - function showNoticeForm() { // NOP @@ -426,14 +552,16 @@ class ApiOauthAuthorizeAction extends Action * * @return nothing */ - function showCanceled() { $info = new InfoAction( + // TRANS: Header for user notification after revoking OAuth access to an application. _('Authorization canceled.'), sprintf( + // TRANS: User notification after revoking OAuth access to an application. + // TRANS: %s is an OAuth token. _('The request token %s has been revoked.'), - $this->oauthTokenParm + $this->oauthTokenParam ) ); @@ -446,15 +574,18 @@ class ApiOauthAuthorizeAction extends Action * * @return nothing */ - function showAuthorized() { $title = sprintf( + // TRANS: Header of user notification after authorising an application access to a profile. + // TRANS: %s is the authorised application name. _("You have successfully authorized %s."), $this->app->name ); $msg = sprintf( + // TRANS: Uer notification after authorising an application access to a profile. + // TRANS: %s is the authorised application name. _('Please return to %s and enter the following security code to complete the process.'), $this->app->name ); @@ -481,6 +612,36 @@ class ApiOauthAuthorizeAction extends Action } /* + * Figure out what the callback should be + */ + function getCallback() + { + $callback = null; + + // Return the verified callback if we have one + if ($this->reqToken->verified_callback != 'oob') { + + $callback = $this->reqToken->verified_callback; + + // Otherwise return the callback that was provided when + // registering the app + if (empty($callback)) { + + common_debug( + "No verified callback found for request token, using application callback: " + . $this->app->callback_url, + __FILE__ + ); + + $callback = $this->app->callback_url; + } + + } + + return $callback; + } + + /* * Properly format the callback URL and parameters so it's * suitable for a redirect in the OAuth dance * @@ -489,8 +650,7 @@ class ApiOauthAuthorizeAction extends Action * * @return string $url a URL to use for redirecting to */ - - function getCallback($url, $params) + function buildCallbackUrl($url, $params) { foreach ($params as $k => $v) { $url = $this->appendQueryVar( @@ -513,7 +673,6 @@ class ApiOauthAuthorizeAction extends Action * * @return string $url the new URL with added parameter */ - function appendQueryVar($url, $k, $v) { $url = preg_replace('/(.*)(\?|&)' . $k . '=[^&]+?(&)(.*)/i', '$1$2$4', $url . '&'); $url = substr($url, 0, -1); |