3 * StatusNet, the distributed open-source microblogging tool
5 * Issue temporary OAuth credentials (a request token)
9 * LICENCE: This program is free software: you can redistribute it and/or modify
10 * it under the terms of the GNU Affero General Public License as published by
11 * the Free Software Foundation, either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU Affero General Public License for more details.
19 * You should have received a copy of the GNU Affero General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * @author Zach Copley <zach@status.net>
25 * @copyright 2010 StatusNet, Inc.
26 * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
27 * @link http://status.net/
30 if (!defined('STATUSNET')) {
34 require_once INSTALLDIR . '/lib/apioauth.php';
37 * Issue temporary OAuth credentials (a request token)
41 * @author Zach Copley <zach@status.net>
42 * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
43 * @link http://status.net/
46 class ApiOauthRequestTokenAction extends ApiOauthAction
49 * Take arguments for running
51 * @param array $args $_REQUEST args
53 * @return boolean success flag
57 function prepare($args)
59 parent::prepare($args);
61 // XXX: support "force_login" parameter like Twitter? (Forces the user to enter
62 // their credentials to ensure the correct users account is authorized.)
68 * Handle a request for temporary OAuth credentials
70 * Make sure the request is kosher, then emit a set of temporary
71 * credentials -- AKA an unauthorized request token.
73 * @param array $args array of arguments
78 function handle($args)
80 parent::handle($args);
82 $datastore = new ApiStatusNetOAuthDataStore();
83 $server = new OAuthServer($datastore);
84 $hmac_method = new OAuthSignatureMethod_HMAC_SHA1();
86 $server->add_signature_method($hmac_method);
90 $req = OAuthRequest::from_request();
93 if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) {
94 throw new OAuthException(
95 "You must provide a valid URL or 'oob' in oauth_callback.",
100 // check signature and issue a new request token
101 $token = $server->fetch_request_token($req);
103 // return token to the client
104 $this->showRequestToken($token);
106 } catch (OAuthException $e) {
107 common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
109 // Return 401 for for bad credentials or signature problems,
110 // and 400 for missing or unsupported parameters
112 $code = $e->getCode();
113 $this->clientError($e->getMessage(), empty($code) ? 401 : $code, 'text');
118 * Display temporary OAuth credentials
121 function showRequestToken($token)
123 header('Content-Type: application/x-www-form-urlencoded');
125 print '&oauth_callback_confirmed=true';
128 /* Make sure the callback parameter contains either a real URL
129 * or the string 'oob'.
131 * @todo Check for evil/banned URLs here
133 * @return boolean true or false
136 function verifyCallback($callback)
138 if ($callback == "oob") {
139 common_debug("OAuth request token requested for out of bounds client.");
141 // XXX: Should we throw an error if a client is registered as a
142 // web application but requests the pin based workflow? For now I'm
143 // allowing the workflow to proceed and issuing a pin. --Zach
147 return Validate::uri(
149 array('allowed_schemes' => array('http', 'https'))