3 * StatusNet, the distributed open-source microblogging tool
5 * Issue temporary OAuth credentials (a request token)
9 * LICENCE: This program is free software: you can redistribute it and/or modify
10 * it under the terms of the GNU Affero General Public License as published by
11 * the Free Software Foundation, either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU Affero General Public License for more details.
19 * You should have received a copy of the GNU Affero General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * @author Zach Copley <zach@status.net>
25 * @copyright 2010 StatusNet, Inc.
26 * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
27 * @link http://status.net/
30 if (!defined('STATUSNET')) {
34 require_once INSTALLDIR . '/lib/apioauth.php';
37 * Issue temporary OAuth credentials (a request token)
41 * @author Zach Copley <zach@status.net>
42 * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
43 * @link http://status.net/
46 class ApiOauthRequestTokenAction extends ApiOauthAction
49 * Take arguments for running
51 * @param array $args $_REQUEST args
53 * @return boolean success flag
57 function prepare($args)
59 parent::prepare($args);
61 // XXX: support "force_login" parameter like Twitter? (Forces the user to enter
62 // their credentials to ensure the correct users account is authorized.)
68 * Handle a request for temporary OAuth credentials
70 * Make sure the request is kosher, then emit a set of temporary
71 * credentials -- AKA an unauthorized request token.
73 * @param array $args array of arguments
78 function handle($args)
80 parent::handle($args);
82 $datastore = new ApiStatusNetOAuthDataStore();
83 $server = new OAuthServer($datastore);
84 $hmac_method = new OAuthSignatureMethod_HMAC_SHA1();
86 $server->add_signature_method($hmac_method);
90 $req = OAuthRequest::from_request();
93 if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) {
94 throw new OAuthException(
95 "You must provide a valid URL or 'oob' in oauth_callback.",
100 // check signature and issue a new request token
101 $token = $server->fetch_request_token($req);
106 "API OAuth - Issued request token %s for consumer %s with oauth_callback %s",
108 $req->get_parameter('oauth_consumer_key'),
109 "'" . $req->get_parameter('oauth_callback') ."'"
113 // return token to the client
114 $this->showRequestToken($token);
116 } catch (OAuthException $e) {
117 common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
119 // Return 401 for for bad credentials or signature problems,
120 // and 400 for missing or unsupported parameters
122 $code = $e->getCode();
123 $this->clientError($e->getMessage(), empty($code) ? 401 : $code, 'text');
128 * Display temporary OAuth credentials
131 function showRequestToken($token)
133 header('Content-Type: application/x-www-form-urlencoded');
135 print '&oauth_callback_confirmed=true';
138 /* Make sure the callback parameter contains either a real URL
139 * or the string 'oob'.
141 * @todo Check for evil/banned URLs here
143 * @return boolean true or false
146 function verifyCallback($callback)
148 if ($callback == "oob") {
149 common_debug("OAuth request token requested for out of band client.");
151 // XXX: Should we throw an error if a client is registered as a
152 // web application but requests the pin based workflow? For now I'm
153 // allowing the workflow to proceed and issuing a pin. --Zach
157 return Validate::uri($callback);