Added a comment about an open question: Should we allow pin-based

workflow for clients registered as web applications?

diff --git a/actions/apioauthauthorize.php b/actions/apioauthauthorize.php
index d0b6211400b4bc0228c9c38917d13f79fea14f43..ea5c30c2accab53730d8d236ed893e0eaa2aa162 100644 (file)
--- a/actions/apioauthauthorize.php
+++ b/actions/apioauthauthorize.php
@@ -464,7 +464,10 @@ class ApiOauthAuthorizeAction extends Action
             $pin->showPage();
         } else {
 
-            // NOTE: This should probably never happen; trhow an error instead?
+            // NOTE: This would only happen if an application registered as
+            // a web application but sent in 'oob' for the oauth_callback
+            // parameter. Usually web apps will send in a callback and
+            // not use the pin-based workflow.
 
             $info = new InfoAction(
                 $title,

diff --git a/actions/apioauthrequesttoken.php b/actions/apioauthrequesttoken.php
index 4f4c2c8fb272bb5fa02410c0fe864b20ae5fff8b..825460f93c72fbcc2acb82c253eaea4645cdea3f 100644 (file)
--- a/actions/apioauthrequesttoken.php
+++ b/actions/apioauthrequesttoken.php
@@ -87,7 +87,7 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
 
         try {
 
-            $req   = OAuthRequest::from_request();
+            $req = OAuthRequest::from_request();
 
             // verify callback
             if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) {
@@ -137,6 +137,11 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
     {
         if ($callback == "oob") {
             common_debug("OAuth request token requested for out of bounds client.");
+
+            // XXX: Should we throw an error if a client is registered as a
+            // web application but requests the pin based workflow? For now I'm
+            // allowing the workflow to proceed and issuing a pin. --Zach
+
             return true;
         } else {
             return Validate::uri(