3 * StatusNet, the distributed open-source microblogging tool
5 * Authorize an OAuth request token
9 * LICENCE: This program is free software: you can redistribute it and/or modify
10 * it under the terms of the GNU Affero General Public License as published by
11 * the Free Software Foundation, either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU Affero General Public License for more details.
19 * You should have received a copy of the GNU Affero General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * @author Zach Copley <zach@status.net>
25 * @copyright 2010 StatusNet, Inc.
26 * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
27 * @link http://status.net/
// Refuse to run unless the StatusNet bootstrap has defined STATUSNET
// (the guard's body is not visible here; presumably it exits).
30 if (!defined('STATUSNET')) {
// DB-backed OAuth token/consumer store (ApiStatusNetOAuthDataStore, instantiated in prepare()).
34 require_once INSTALLDIR . '/lib/apioauthstore.php';
37 * Authorize an OAuth request token
41 * @author Zach Copley <zach@status.net>
42 * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
43 * @link http://status.net/
46 class ApiOauthAuthorizeAction extends Action
56 * Is this a read-only action?
 *
 * No: handlePost() authorizes request tokens and writes
 * Oauth_application_user rows.
 *
 * @param array $args request arguments
 *
58 * @return boolean false
61 function isReadOnly($args)
// Read the request, resolve the request token and the consumer application
// that issued it. Sets $this->nickname, password, oauth_token, callback and
// store; the lines after the application lookup presumably set $this->app,
// which handlePost() and showContent() read. Unknown tokens end in a
// 'Bad request.' client error. Return statements are not visible here.
//
// @param array $args $_REQUEST data
66 function prepare($args)
68 parent::prepare($args);
// NOTE(review): this writes the entire request, including the 'password'
// argument read a few lines below, to the debug log. Credentials in logs are
// a leak; remove this line or redact the password field before logging.
70 common_debug(var_export($_REQUEST, true));
72 $this->nickname = $this->trimmed('nickname');
73 $this->password = $this->arg('password');
74 $this->oauth_token = $this->arg('oauth_token');
// The callback is taken verbatim from the request, not from a value stored
// with the request token or the consumer; handlePost() later redirects to it.
75 $this->callback = $this->arg('oauth_callback');
76 $this->store = new ApiStatusNetOAuthDataStore();
83 // Look up the full req token
// (the remaining lookup_token() arguments are not visible here)
85 $req_token = $this->store->lookup_token(null,
// Unknown request token: 'Bad request.' (clientError presumably ends the request)
89 if (empty($req_token)) {
91 common_debug("Couldn't find request token!");
93 $this->clientError(_('Bad request.'));
// Find the consumer application by the consumer key recorded on the token
99 $app = new Oauth_application();
100 $app->consumer_key = $req_token->consumer_key;
101 $result = $app->find(true);
// Success branch is not visible (presumably assigns $this->app); the
// failure branch logs and, presumably, fails the request.
103 if (!empty($result)) {
108 common_debug("couldn't find the app!");
114 * Handle input, produce output
116 * Switches on request method; either shows the form or handles its input.
 *
 * POST submissions go to handlePost(); otherwise the request token and the
 * application are validated before the form is rendered (the rendering call
 * and the branch boundaries are not visible here).
 *
118 * @param array $args $_REQUEST data
 *
 * @return void
123 function handle($args)
125 parent::handle($args);
127 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
133 // XXX: make better error messages
// Missing oauth_token: 'Bad request.'
135 if (empty($this->oauth_token)) {
137 common_debug("No request token found.");
139 $this->clientError(_('Bad request.'));
// getApp() presumably resolves/checks $this->app
143 if (!$this->getApp()) {
144 $this->clientError(_('Bad request.'));
// NOTE(review): $app is not assigned anywhere in the visible lines of this
// method; this looks like it should be $this->app->name -- confirm, as
// written it would be an undefined-variable notice.
148 common_debug("Requesting auth for app: $app->name.");
// Process the Allow/Deny form submission: verify the session (CSRF) token,
// authenticate the user (nickname/password when not logged in, otherwise the
// current user), then either authorize the request token and bind it to the
// user/application pair, or report a denial.
//
// @return void
//
// @throws ServerException when deleting or inserting the
//                         Oauth_application_user row fails
154 function handlePost()
156 // check session token for CSRF protection.
158 $token = $this->trimmed('token');
// NOTE(review): loose '!=' comparison of the session token; prefer a strict,
// constant-time comparison (hash_equals() on PHP >= 5.6). Whether the method
// returns after showForm() is not visible here.
160 if (!$token || $token != common_session_token()) {
161 $this->showForm(_('There was a problem with your session token. '.
162 'Try again, please.'));
166 if (!$this->getApp()) {
167 $this->clientError(_('Bad request.'));
// Anonymous submitter: authenticate with the nickname/password from the form
// (the failure condition around the showForm() call is not visible here).
175 if (!common_logged_in()) {
176 $user = common_check_user($this->nickname, $this->password);
178 $this->showForm(_("Invalid nickname / password!"));
182 $user = common_current_user();
185 if ($this->arg('allow')) {
187 // mark the req token as authorized
189 $this->store->authorize_token($this->oauth_token);
191 // Check to see if there was a previous token associated
192 // with this user/app and kill it. If you're doing this you
193 // probably don't want any old tokens anyway.
195 $appUser = Oauth_application_user::getByKeys($user, $this->app);
197 if (!empty($appUser)) {
198 $result = $appUser->delete();
// (the failure test guarding each DB-error branch is not visible here)
201 common_log_db_error($appUser, 'DELETE', __FILE__);
202 throw new ServerException(_('DB error deleting OAuth app user.'));
207 // associated the new req token with the user and the app
209 $appUser = new Oauth_application_user();
211 $appUser->profile_id = $user->id;
212 $appUser->application_id = $this->app->id;
213 $appUser->access_type = $this->app->access_type;
214 $appUser->token = $this->oauth_token;
215 $appUser->created = common_sql_now();
217 $result = $appUser->insert();
220 common_log_db_error($appUser, 'INSERT', __FILE__);
221 throw new ServerException(_('DB error inserting OAuth app user.'));
225 // if we have a callback redirect and provide the token
// NOTE(review): the callback is request-supplied (prepare() reads
// 'oauth_callback' and showContent() round-trips it in a hidden field), so
// the freshly authorized token is sent to whatever URL was posted back.
// Validate it against the callback registered for the consumer, or one
// stored with the request token, before redirecting. The URL is also built
// by bare concatenation: the token is not urlencoded and '?' is wrong when
// the callback already carries a query string. No oauth_verifier is issued
// (see the XXX below), which is the gap OAuth 1.0a closes.
227 if (!empty($this->callback)) {
229 // XXX: Need better way to build this redirect url.
231 $target_url = $this->callback . '?oauth_token=' . $this->oauth_token;
232 common_redirect($target_url, 303);
235 // otherwise inform the user that the rt was authorized
237 $this->elementStart('p');
239 // XXX: Do OAuth 1.0a verifier code?
// raw() output: the token is the request-supplied value; prepare() found it
// in the store, but escape it here unless raw() escapes (TODO confirm).
241 $this->raw(sprintf(_("The request token %s has been authorized. " .
242 'Please exchange it for an access token.'),
243 $this->oauth_token));
245 $this->elementEnd('p');
// Deny: only a message is shown; no revocation of the request token is
// visible in this branch.
247 } else if ($this->arg('deny')) {
249 $this->elementStart('p');
251 $this->raw(sprintf(_("The request token %s has been denied."),
252 $this->oauth_token));
254 $this->elementEnd('p');
// Neither 'allow' nor 'deny' was submitted
256 $this->clientError(_('Unexpected form submission.'));
// Re-render the page with an optional error message, which showPageNotice()
// displays. The page-rendering call that presumably follows is not visible here.
//
// @param string $error error message, or null for none
//
// @return void
261 function showForm($error=null)
263 $this->error = $error;
// Page scripts; additionally focuses the nickname field when the inline
// login fieldset is shown (i.e. nobody is logged in).
//
// @return void
267 function showScripts()
269 parent::showScripts();
270 if (!common_logged_in()) {
271 $this->autofocus('nickname');
278 * @return string title of the page
283 return _('An application would like to connect to your account');
289 * Display a notice for how to use the page, or the
290 * error if it exists.
 *
 * Renders $this->error in a <p class="error"> when set; otherwise the text
 * from getInstructions() converted to HTML (the condition and the final
 * output call are not visible here).
 *
 * @return void
295 function showPageNotice()
298 $this->element('p', 'error', $this->error);
300 $instr = $this->getInstructions();
301 $output = common_markup_to_html($instr);
308 * Shows the authorization form.
 *
 * Emits a POST form back to this action carrying the session token, the
 * request token and the callback as hidden fields, a description of the
 * requesting application, a nickname/password fieldset when nobody is
 * logged in, and Deny/Allow submit buttons.
 *
 * @return void
313 function showContent()
315 $this->elementStart('form', array('method' => 'post',
316 'id' => 'form_login',
317 'class' => 'form_settings',
318 'action' => common_local_url('apioauthauthorize')));
// Session token, checked by handlePost() as CSRF protection
320 $this->hidden('token', common_session_token());
321 $this->hidden('oauth_token', $this->oauth_token);
// NOTE(review): round-tripping the callback through the form means the URL
// handlePost() redirects to is whatever gets posted back, not a server-side
// record tied to the request token.
322 $this->hidden('oauth_callback', $this->callback);
324 $this->elementStart('fieldset');
326 $this->elementStart('ul');
327 $this->elementStart('li');
// Application icon, if one was registered (element() presumably escapes attributes)
328 if (!empty($this->app->icon)) {
329 $this->element('img', array('src' => $this->app->icon));
331 $this->elementEnd('li');
332 $this->elementStart('li');
// Wording depends on whether the application registered write access (bit test)
334 $access = ($this->app->access_type & Oauth_application::$writeAccess) ?
335 'access and update' : 'access';
337 $msg = _("The application <b>%s</b> by <b>%s</b> would like " .
338 "the ability to <b>%s</b> your account data.");
// NOTE(review): raw() keeps the <b> markup, but the substituted application
// name/organization are registration-supplied strings and are not escaped
// here; run them through htmlspecialchars() unless they are sanitized on
// registration. (Some sprintf() arguments are not visible here.)
340 $this->raw(sprintf($msg,
342 $this->app->organization,
345 $this->elementEnd('li');
346 $this->elementEnd('ul');
348 $this->elementEnd('fieldset');
// Anonymous visitor: collect nickname/password inline; handlePost() checks them
350 if (!common_logged_in()) {
352 $this->elementStart('fieldset');
353 $this->element('legend', null, _('Login'));
354 $this->elementStart('ul', 'form_data');
355 $this->elementStart('li');
356 $this->input('nickname', _('Nickname'));
357 $this->elementEnd('li');
358 $this->elementStart('li');
359 $this->password('password', _('Password'));
360 $this->elementEnd('li');
361 $this->elementEnd('ul');
363 $this->elementEnd('fieldset');
// Submit buttons; handlePost() dispatches on which of 'allow'/'deny' is set
// (the name/type attributes of the two inputs are not visible here)
367 $this->element('input', array('id' => 'deny_submit',
371 'value' => _('Deny')));
373 $this->element('input', array('id' => 'allow_submit',
377 'value' => _('Allow')));
379 $this->elementEnd('form');
383 * Instructions for using the form
 *
 * Returns the same generic sentence whether or not the user is logged in;
 * the inline login fieldset itself is added by showContent().
 *
 * @return string instruction text
391 function getInstructions()
393 return _('Allow or deny access to your account information.');
400 * Shows different login/register actions.
405 function showLocalNav()