3 * StatusNet, the distributed open-source microblogging tool
5 * Issue temporary OAuth credentials (a request token)
9 * LICENCE: This program is free software: you can redistribute it and/or modify
10 * it under the terms of the GNU Affero General Public License as published by
11 * the Free Software Foundation, either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU Affero General Public License for more details.
19 * You should have received a copy of the GNU Affero General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * @author Zach Copley <zach@status.net>
25 * @copyright 2010 StatusNet, Inc.
26 * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
27 * @link http://status.net/
30 if (!defined('STATUSNET')) {
35 * Issue temporary OAuth credentials (a request token)
39 * @author Zach Copley <zach@status.net>
40 * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
41 * @link http://status.net/
43 class ApiOAuthRequestTokenAction extends ApiOAuthAction
46 * Take arguments for running
48 * @param array $args $_REQUEST args
50 * @return boolean success flag
52 function prepare($args)
54 parent::prepare($args);
56 // XXX: support "force_login" parameter like Twitter? (Forces the user to enter
57 // their credentials to ensure the correct users account is authorized.)
63 * Handle a request for temporary OAuth credentials
65 * Verify that the request is well-formed -- an acceptable oauth_callback (a URL or 'oob')
66 * and a consumer signature that checks out -- then issue an unauthorized request token.
 * Any OAuthException raised along the way is logged and turned into a client error:
 * 401 for bad credentials or signature problems, 400 for missing or unsupported parameters.
68 * @param array $args array of arguments
72 function handle($args)
74 parent::handle($args);
76 $datastore = new ApiGNUsocialOAuthDataStore();
77 $server = new OAuthServer($datastore);
78 $hmac_method = new OAuthSignatureMethod_HMAC_SHA1();
80 $server->add_signature_method($hmac_method);
84 $req = OAuthRequest::from_request();
87 if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) {
88 throw new OAuthException(
89 "You must provide a valid URL or 'oob' in oauth_callback.",
94 // check signature and issue a new request token
95 $token = $server->fetch_request_token($req);
100 "API OAuth - Issued request token %s for consumer %s with oauth_callback %s",
102 $req->get_parameter('oauth_consumer_key'),
103 "'" . $req->get_parameter('oauth_callback') ."'"
107 // return token to the client
108 $this->showRequestToken($token);
110 } catch (OAuthException $e) {
111 common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
113 // Return 401 for for bad credentials or signature problems,
114 // and 400 for missing or unsupported parameters
116 $code = $e->getCode();
117 $this->clientError($e->getMessage(), empty($code) ? 401 : $code, 'text');
122 * Emit the temporary credentials as an application/x-www-form-urlencoded body. The token is
 * printed first (presumably via $token's string form -- confirm), followed by the
 * oauth_callback_confirmed=true field that OAuth 1.0a requires in the request-token response.
124 function showRequestToken($token)
126 header('Content-Type: application/x-www-form-urlencoded');
128 print '&oauth_callback_confirmed=true';
/* Make sure the callback parameter contains either a real URL
 * or the string 'oob'.
 *
 * @todo Restrict accepted callbacks. FILTER_VALIDATE_URL only checks URI syntax: it accepts
 *       non-HTTP schemes such as javascript:, data: and file:, and any host, including
 *       internal addresses. If the callback is later used as a redirect target after the
 *       user authorizes (as in the standard OAuth 1.0a flow), a malicious consumer can turn
 *       that into an open redirect or scheme injection. Limit the scheme to http/https and
 *       compare the URL against the consumer's registered callback and/or a banned-host list.
 *
 * @return mixed For 'oob' the out-of-band branch is taken (its return value is not shown
 *               here -- presumably true); otherwise the result of filter_var() with
 *               FILTER_VALIDATE_URL, i.e. the URL string on success or false on failure.
 *               Callers should treat it as truthy/falsy rather than a strict boolean.
138 function verifyCallback($callback)
140 if ($callback == "oob") {
141 common_debug("OAuth request token requested for out of band client.");
143 // XXX: Should we throw an error if a client is registered as a
144 // web application but requests the pin based workflow? For now I'm
145 // allowing the workflow to proceed and issuing a pin. --Zach
149 return filter_var($callback, FILTER_VALIDATE_URL);