get rid of callback nonce
authorEvan Prodromou <evan@prodromou.name>
Mon, 2 Jun 2008 20:17:07 +0000 (16:17 -0400)
committerEvan Prodromou <evan@prodromou.name>
Mon, 2 Jun 2008 20:17:07 +0000 (16:17 -0400)
darcs-hash:20080602201707-84dde-400855b57fcf01e597494143cc78092351043b91.gz

actions/finishremotesubscribe.php
actions/remotesubscribe.php

index b5093263e101eef123e8ff96792b53fb0a055348..41bc91afd8fbd5414f6dc048f74a51455b216124 100644 (file)
@@ -33,14 +33,7 @@ class FinishremotesubscribeAction extends Action {
                    return;
                }
                
-               $nonce = $this->trimmed('nonce');
-               
-               if (!$omb) {
-                       common_user_error(_t('No nonce returned!'));
-                       return;
-               }
-               
-               $omb = $_SESSION[$nonce];
+               $omb = $_SESSION['oauth_authorization_request'];
                
                if (!$omb) {
                        common_user_error(_t('Not expecting this response!'));
@@ -173,7 +166,7 @@ class FinishremotesubscribeAction extends Action {
                }
 
                # Clear the data
-               unset($_SESSION[$nonce]);
+               unset($_SESSION['oauth_authorization_request']);
                
                # If we show subscriptions in reverse chron order, this should
                # show up close to the top of the page
@@ -187,7 +180,7 @@ class FinishremotesubscribeAction extends Action {
                $con = omb_oauth_consumer();
                $tok = new OAuthToken($omb['token'], $omb['secret']);
 
-               $url = $omb[OAUTH_ENDPOINT_ACCESS][0];
+               $url = omb_service_uri($omb[OAUTH_ENDPOINT_ACCESS]);
                
                # XXX: Is this the right thing to do? Strip off GET params and make them
                # POST params? Seems wrong to me.
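Review bot: In the first hunk, `$omb = $_SESSION['oauth_authorization_request'];` reads the fixed key without checking that it exists, so a callback that arrives with no pending request emits an undefined-index notice before the `!$omb` check runs; `$omb = isset($_SESSION['oauth_authorization_request']) ? $_SESSION['oauth_authorization_request'] : null;` keeps the existing error path working cleanly. With the per-request nonce gone, that single session slot is now the only thing tying the provider's response to the request this user started, and nothing in these hunks shows the returned `oauth_token` being compared with the stored `$omb['token']` before the access-token exchange on the lines following `$tok = new OAuthToken(...)` in the third hunk. If that comparison is not done elsewhere in the action (the method body continues outside these hunks), a stale or unrelated callback would be completed against whatever request is currently in the session; rejecting a mismatch with `common_user_error(_t('Not expecting this response!'))` would restore the request binding the nonce used to provide. The same fixed key is written in actions/remotesubscribe.php, so a second remote-subscribe started in the same session silently replaces the first one's token and secret.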
index 3dea07f16d9909b99645752f97c8e776247f3ab6..fa784388076c1021e0fc5b869dfd9009900e92bc 100644 (file)
@@ -336,10 +336,9 @@ class RemotesubscribeAction extends Action {
                        $req->set_parameter('omb_listenee_avatar', $avatar->url);
                }
 
-               $nonce = $this->make_nonce();
-
-               $req->set_parameter('oauth_callback', common_local_url('finishremotesubscribe',
-                                                                                                                          array('nonce' => $nonce)));
+               # XXX: add a nonce to prevent replay attacks
+               
+               $req->set_parameter('oauth_callback', common_local_url('finishremotesubscribe'));
 
                # XXX: test to see if endpoint accepts this signature method
 
@@ -351,7 +350,7 @@ class RemotesubscribeAction extends Action {
                $omb['token'] = $token;
                $omb['secret'] = $secret;
 
-               $_SESSION[$nonce] = $omb;
+               $_SESSION['oauth_authorization_request'] = $omb;
 
                # Redirect to authorization service