From 459727bd610df5e579311a1627ee9b0e93ac44b0 Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Thu, 7 Oct 2010 18:32:27 -0700 Subject: [PATCH] Update ApiOauthAccessTokenAction to OAuth 1.0a --- actions/apioauthaccesstoken.php | 56 ++++++++++++++++++++++++++------- lib/apioauthstore.php | 34 ++++++++++++-------- 2 files changed, 65 insertions(+), 25 deletions(-) diff --git a/actions/apioauthaccesstoken.php b/actions/apioauthaccesstoken.php index 887df4c20d..b8b188b1dc 100644 --- a/actions/apioauthaccesstoken.php +++ b/actions/apioauthaccesstoken.php @@ -2,7 +2,8 @@ /** * StatusNet, the distributed open-source microblogging tool * - * Exchange an authorized OAuth request token for an access token + * Action for getting OAuth token credentials (exchange an authorized + * request token for an access token) * * PHP version 5 * @@ -34,7 +35,8 @@ if (!defined('STATUSNET')) { require_once INSTALLDIR . '/lib/apioauth.php'; /** - * Exchange an authorized OAuth request token for an access token + * Action for getting OAuth token credentials (exchange an authorized + * request token for an access token) * * @category API * @package StatusNet @@ -45,6 +47,8 @@ require_once INSTALLDIR . '/lib/apioauth.php'; class ApiOauthAccessTokenAction extends ApiOauthAction { + protected $reqToken = null; + protected $verifier = null; /** * Class handler. @@ -65,30 +69,58 @@ class ApiOauthAccessTokenAction extends ApiOauthAction $atok = null; + // XXX: Insist that oauth_token and oauth_verifier be populated? + // Spec doesn't say they MUST be. + try { + $req = OAuthRequest::from_request(); + + $this->reqToken = $req->get_parameter('oauth_token'); + $this->verifier = $req->get_parameter('oauth_verifier'); + $atok = $server->fetch_access_token($req); } catch (OAuthException $e) { common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage()); common_debug(var_export($req, true)); - $this->outputError($e->getMessage()); - return; + $code = $e->getCode(); + $this->clientError($e->getMessage(), empty($code) ? 401 : $code, 'text'); } if (empty($atok)) { - common_debug('couldn\'t get access token.'); - print "Token exchange failed. Has the request token been authorized?\n"; + + // Token exchange failed -- log it + + list($proxy, $ip) = common_client_ip(); + + $msg = sprintf( + 'API OAuth - Failure exchanging request token for access token, ' + . 'request token = %s, verifier = %s, IP = %s, proxy = %s', + $this->reqToken, + $this->verifier, + $ip, + $proxy + ); + + common_log(LOG_WARNING, $msg); + + print "Invalid request token or verifier."; + } else { - print $atok; + $this->showAccessToken($atok); } } - function outputError($msg) + /* + * Display OAuth token credentials + * + * @param OAuthToken token the access token + */ + + function showAccessToken($token) { - header('HTTP/1.1 401 Unauthorized'); - header('Content-Type: text/html; charset=utf-8'); - print $msg . "\n"; + header('Content-Type: application/x-www-form-urlencoded'); + print $token; } } - diff --git a/lib/apioauthstore.php b/lib/apioauthstore.php index 7a4fe8db52..4b52ba1ba9 100644 --- a/lib/apioauthstore.php +++ b/lib/apioauthstore.php @@ -71,29 +71,33 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore } } - function new_access_token($token, $consumer) + function new_access_token($token, $consumer, $verifier) { - common_debug('new_access_token("'.$token->key.'","'.$consumer->key.'")', __FILE__); + common_debug( + 'new_access_token("' . $token->key . '","' . $consumer->key. '","' . $verifier . '")', + __FILE__ + ); $rt = new Token(); + $rt->consumer_key = $consumer->key; - $rt->tok = $token->key; - $rt->type = 0; // request + $rt->tok = $token->key; + $rt->type = 0; // request $app = Oauth_application::getByConsumerKey($consumer->key); + assert(!empty($app)); - if (empty($app)) { - common_debug("empty app!"); - } + if ($rt->find(true) && $rt->state == 1 && $rt->verifier == $verifier) { // authorized - if ($rt->find(true) && $rt->state == 1) { // authorized common_debug('request token found.', __FILE__); // find the associated user of the app $appUser = new Oauth_application_user(); + $appUser->application_id = $app->id; - $appUser->token = $rt->tok; + $appUser->token = $rt->tok; + $result = $appUser->find(true); if (!empty($result)) { @@ -106,10 +110,12 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore // go ahead and make the access token $at = new Token(); - $at->consumer_key = $consumer->key; - $at->tok = common_good_rand(16); - $at->secret = common_good_rand(16); - $at->type = 1; // access + $at->consumer_key = $consumer->key; + $at->tok = common_good_rand(16); + $at->secret = common_good_rand(16); + $at->type = 1; // access + $at->verifier = $verifier; + $at->verified_callback = $rt->verified_callback; // 1.0a $at->created = DB_DataObject_Cast::dateTime(); if (!$at->insert()) { @@ -217,4 +223,6 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore return new OAuthToken($t->tok, $t->secret); } } + + } -- 2.39.5