X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Fapioauthrequesttoken.php;h=1279d5e092e63162a999f6774f75e4684a6e1374;hb=c285f80b1830cffd20a28c693d74c59f8c3c39f6;hp=c1ccd4b7d72d87bb422005892867952a07a6a190;hpb=6472331be51bc6d0e670603b2a89fb66022f6b51;p=quix0rs-gnu-social.git
diff --git a/actions/apioauthrequesttoken.php b/actions/apioauthrequesttoken.php
index c1ccd4b7d7..1279d5e092 100644
--- a/actions/apioauthrequesttoken.php
+++ b/actions/apioauthrequesttoken.php
@@ -2,7 +2,7 @@
 /**
  * StatusNet, the distributed open-source microblogging tool
  *
- * Get an OAuth request token
+ * Issue temporary OAuth credentials (a request token)
  *
  * PHP version 5
  *
@@ -31,10 +31,8 @@ if (!defined('STATUSNET')) {
     exit(1);
 }
-require_once INSTALLDIR . '/lib/api.php';
-
 /**
- * Get an OAuth request token
+ * Issue temporary OAuth credentials (a request token)
  *
  * @category API
  * @package StatusNet
@@ -42,8 +40,113 @@ require_once INSTALLDIR . '/lib/api.php';
  * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
  * @link http://status.net/
  */
-
-class ApiOauthRequestTokenAction extends ApiAction
+class ApiOAuthRequestTokenAction extends ApiOAuthAction
 {
+    /**
+     * Take arguments for running
+     *
+     * @param array $args $_REQUEST args
+     *
+     * @return boolean success flag
+     */
+    function prepare(array $args = array())
+    {
+        parent::prepare($args);
+
+        // XXX: support "force_login" parameter like Twitter? (Forces the user to enter
+        // their credentials to ensure the correct users account is authorized.)
+
+        return true;
+    }
+
+    /**
+     * Handle a request for temporary OAuth credentials
+     *
+     * Make sure the request is kosher, then emit a set of temporary
+     * credentials -- AKA an unauthorized request token.
+     *
+     * @param array $args array of arguments
+     *
+     * @return void
+     */
+    function handle()
+    {
+        parent::handle();
+
+        $datastore = new ApiGNUsocialOAuthDataStore();
+        $server = new OAuthServer($datastore);
+        $hmac_method = new OAuthSignatureMethod_HMAC_SHA1();
+
+        $server->add_signature_method($hmac_method);
+
+        try {
+
+            $req = OAuthRequest::from_request();
+
+            // verify callback
+            if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) {
+                throw new OAuthException(
+                    "You must provide a valid URL or 'oob' in oauth_callback.",
+                    400
+                );
+            }
+
+            // check signature and issue a new request token
+            $token = $server->fetch_request_token($req);
+
+            common_log(
+                LOG_INFO,
+                sprintf(
+                    "API OAuth - Issued request token %s for consumer %s with oauth_callback %s",
+                    $token->key,
+                    $req->get_parameter('oauth_consumer_key'),
+                    "'" . $req->get_parameter('oauth_callback') ."'"
+                )
+            );
+
+            // return token to the client
+            $this->showRequestToken($token);
+
+        } catch (OAuthException $e) {
+            common_log(LOG_WARNING, 'API OAuthException - ' . 
$e->getMessage());
+
+            // Return 401 for for bad credentials or signature problems,
+            // and 400 for missing or unsupported parameters
+
+            $code = $e->getCode();
+            $this->clientError($e->getMessage(), empty($code) ? 401 : $code, 'text');
+        }
+    }
+
+    /*
+     * Display temporary OAuth credentials
+     */
+    function showRequestToken($token)
+    {
+        header('Content-Type: application/x-www-form-urlencoded');
+        print $token;
+        print '&oauth_callback_confirmed=true';
+    }
+
+    /* Make sure the callback parameter contains either a real URL
+     * or the string 'oob'.
+     *
+     * @todo Check for evil/banned URLs here
+     *
+     * @return boolean true or false
+     */
+    function verifyCallback($callback)
+    {
+        if ($callback == "oob") {
+            common_debug("OAuth request token requested for out of band client.");
+
+            // XXX: Should we throw an error if a client is registered as a
+            // web application but requests the pin based workflow? For now I'm
+            // allowing the workflow to proceed and issuing a pin. --Zach
+            return true;
+        } else {
+            return filter_var($callback, FILTER_VALIDATE_URL);
+        }
+    }
 }
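Review bot: `verifyCallback` accepts any callback that passes `FILTER_VALIDATE_URL`, and that filter only checks URL syntax, not the scheme, so a syntactically valid callback with a non-http(s) scheme is issued a request token and stored as the redirect target for the later authorization step. Since the server will send the user agent to this value, the check should allow-list the scheme, e.g. `$scheme = parse_url($callback, PHP_URL_SCHEME);` followed by `return filter_var($callback, FILTER_VALIDATE_URL) !== false && in_array(strtolower((string) $scheme), array('http', 'https'), true);`, which also makes the method return the `boolean` its docblock promises instead of the filtered string or `false`. The existing `@todo Check for evil/banned URLs here` seems to anticipate exactly this, so the allow-list belongs there; a stricter `$callback === 'oob'` on the line above would match the rest of the comparison style. The enclosing class is fully within this hunk, so no other caller of `verifyCallback` is visible here.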