gnu-social/actions/apioauthrequesttoken.php

<?php
/**
 * StatusNet, the distributed open-source microblogging tool
 *
 * Issue temporary OAuth credentials (a request token)
 *
 * PHP version 5
 *
 * LICENCE: This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * @category  API
 * @package   StatusNet
 * @author    Zach Copley <zach@status.net>
 * @copyright 2010 StatusNet, Inc.
 * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
 * @link      http://status.net/
 */

if (!defined('STATUSNET')) {
    exit(1);
}

require_once INSTALLDIR . '/lib/apioauth.php';

/**
 * Issue temporary OAuth credentials (a request token)
 *
 * @category API
 * @package  StatusNet
 * @author   Zach Copley <zach@status.net>
 * @license  http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
 * @link     http://status.net/
 */
class ApiOauthRequestTokenAction extends ApiOauthAction
{
    /**
     * Take arguments for running
     *
     * @param array $args $_REQUEST args
     *
     * @return boolean success flag
     */
    function prepare($args)
    {
        parent::prepare($args);

        // XXX: support "force_login" parameter like Twitter? (Forces the user to enter
        // their credentials to ensure the correct users account is authorized.)

        return true;
    }

    /**
     * Handle a request for temporary OAuth credentials
     *
     * Make sure the request is kosher, then emit a set of temporary
     * credentials -- AKA an unauthorized request token.
     *
     * @param array $args array of arguments
     *
     * @return void
     */
    function handle($args)
    {
        parent::handle($args);

        $datastore   = new ApiStatusNetOAuthDataStore();
        $server      = new OAuthServer($datastore);
        $hmac_method = new OAuthSignatureMethod_HMAC_SHA1();

        $server->add_signature_method($hmac_method);

        try {

            $req = OAuthRequest::from_request();

            // verify callback
            if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) {
                throw new OAuthException(
                    "You must provide a valid URL or 'oob' in oauth_callback.",
                    400
                );
            }

            // check signature and issue a new request token
            $token = $server->fetch_request_token($req);

            common_log(
                LOG_INFO,
                sprintf(
                    "API OAuth - Issued request token %s for consumer %s with oauth_callback %s",
                    $token->key,
                    $req->get_parameter('oauth_consumer_key'),
                    "'" . $req->get_parameter('oauth_callback') ."'"
                )
            );

            // return token to the client
            $this->showRequestToken($token);

        } catch (OAuthException $e) {
            common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());

            // Return 401 for for bad credentials or signature problems,
            // and 400 for missing or unsupported parameters

            $code = $e->getCode();
            $this->clientError($e->getMessage(), empty($code) ? 401 : $code, 'text');
        }
    }

    /*
     * Display temporary OAuth credentials
     */
    function showRequestToken($token)
    {
        header('Content-Type: application/x-www-form-urlencoded');
        print $token;
        print '&oauth_callback_confirmed=true';
    }

    /* Make sure the callback parameter contains either a real URL
     * or the string 'oob'.
     *
     * @todo Check for evil/banned URLs here
     *
     * @return boolean true or false
     */
    function verifyCallback($callback)
    {
        if ($callback == "oob") {
            common_debug("OAuth request token requested for out of band client.");

            // XXX: Should we throw an error if a client is registered as a
            // web application but requests the pin based workflow? For now I'm
            // allowing the workflow to proceed and issuing a pin. --Zach

            return true;
        } else {
            return Validate::uri($callback);
        }
    }
}
Stubs for API OAuth token exchange stuff 2010-01-07 13:19:21 -08:00			`<?php`
			`/**`
			`* StatusNet, the distributed open-source microblogging tool`
			`*`
Update ApiOauthRequestTokenAction to support OAuth 1.0a 2010-10-05 17:53:50 -07:00			`* Issue temporary OAuth credentials (a request token)`
Stubs for API OAuth token exchange stuff 2010-01-07 13:19:21 -08:00			`*`
			`* PHP version 5`
			`*`
			`* LICENCE: This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License as published by`
			`* the Free Software Foundation, either version 3 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License`
			`* along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*`
			`* @category API`
			`* @package StatusNet`
			`* @author Zach Copley <zach@status.net>`
			`* @copyright 2010 StatusNet, Inc.`
			`* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0`
			`* @link http://status.net/`
			`*/`

			`if (!defined('STATUSNET')) {`
			`exit(1);`
			`}`

OAuth 1.0 working now 2010-01-13 05:06:35 +00:00			`require_once INSTALLDIR . '/lib/apioauth.php';`
Stubs for API OAuth token exchange stuff 2010-01-07 13:19:21 -08:00
			`/**`
Update ApiOauthRequestTokenAction to support OAuth 1.0a 2010-10-05 17:53:50 -07:00			`* Issue temporary OAuth credentials (a request token)`
Stubs for API OAuth token exchange stuff 2010-01-07 13:19:21 -08:00			`*`
			`* @category API`
			`* @package StatusNet`
			`* @author Zach Copley <zach@status.net>`
			`* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0`
			`* @link http://status.net/`
			`*/`
OAuth 1.0 working now 2010-01-13 05:06:35 +00:00			`class ApiOauthRequestTokenAction extends ApiOauthAction`
Stubs for API OAuth token exchange stuff 2010-01-07 13:19:21 -08:00			`{`
Action for issuing a request token 2010-01-07 18:33:17 -08:00			`/**`
OAuth 1.0 working now 2010-01-13 05:06:35 +00:00			`* Take arguments for running`
			`*`
			`* @param array $args $_REQUEST args`
			`*`
			`* @return boolean success flag`
Action for issuing a request token 2010-01-07 18:33:17 -08:00			`*/`
OAuth 1.0 working now 2010-01-13 05:06:35 +00:00			`function prepare($args)`
Action for issuing a request token 2010-01-07 18:33:17 -08:00			`{`
OAuth 1.0 working now 2010-01-13 05:06:35 +00:00			`parent::prepare($args);`

Update ApiOauthRequestTokenAction to support OAuth 1.0a 2010-10-05 17:53:50 -07:00			`// XXX: support "force_login" parameter like Twitter? (Forces the user to enter`
			`// their credentials to ensure the correct users account is authorized.)`
OAuth 1.0 working now 2010-01-13 05:06:35 +00:00
			`return true;`
Action for issuing a request token 2010-01-07 18:33:17 -08:00			`}`

			`/**`
Update ApiOauthRequestTokenAction to support OAuth 1.0a 2010-10-05 17:53:50 -07:00			`* Handle a request for temporary OAuth credentials`
			`*`
			`* Make sure the request is kosher, then emit a set of temporary`
			`* credentials -- AKA an unauthorized request token.`
Action for issuing a request token 2010-01-07 18:33:17 -08:00			`*`
			`* @param array $args array of arguments`
			`*`
			`* @return void`
			`*/`
			`function handle($args)`
			`{`
			`parent::handle($args);`

			`$datastore = new ApiStatusNetOAuthDataStore();`
			`$server = new OAuthServer($datastore);`
			`$hmac_method = new OAuthSignatureMethod_HMAC_SHA1();`
Workflow for request tokens and authorizing request tokens 2010-01-10 21:35:46 -08:00
Action for issuing a request token 2010-01-07 18:33:17 -08:00			`$server->add_signature_method($hmac_method);`

			`try {`
Update ApiOauthRequestTokenAction to support OAuth 1.0a 2010-10-05 17:53:50 -07:00
Added a comment about an open question: Should we allow pin-based workflow for clients registered as web applications? 2010-10-07 14:17:56 -07:00			`$req = OAuthRequest::from_request();`
Update ApiOauthRequestTokenAction to support OAuth 1.0a 2010-10-05 17:53:50 -07:00
			`// verify callback`
			`if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) {`
			`throw new OAuthException(`
			`"You must provide a valid URL or 'oob' in oauth_callback.",`
			`400`
			`);`
			`}`

			`// check signature and issue a new request token`
Action for issuing a request token 2010-01-07 18:33:17 -08:00			`$token = $server->fetch_request_token($req);`
Update ApiOauthRequestTokenAction to support OAuth 1.0a 2010-10-05 17:53:50 -07:00
Output a log message when issuing a request token 2010-10-12 12:25:34 -07:00			`common_log(`
			`LOG_INFO,`
			`sprintf(`
			`"API OAuth - Issued request token %s for consumer %s with oauth_callback %s",`
			`$token->key,`
			`$req->get_parameter('oauth_consumer_key'),`
			`"'" . $req->get_parameter('oauth_callback') ."'"`
			`)`
			`);`

Update ApiOauthRequestTokenAction to support OAuth 1.0a 2010-10-05 17:53:50 -07:00			`// return token to the client`
			`$this->showRequestToken($token);`

Action for issuing a request token 2010-01-07 18:33:17 -08:00			`} catch (OAuthException $e) {`
s/LOG_WARN/LOG_WARNING/ 2010-01-27 08:45:56 +00:00			`common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());`
Update ApiOauthRequestTokenAction to support OAuth 1.0a 2010-10-05 17:53:50 -07:00
			`// Return 401 for for bad credentials or signature problems,`
			`// and 400 for missing or unsupported parameters`

			`$code = $e->getCode();`
			`$this->clientError($e->getMessage(), empty($code) ? 401 : $code, 'text');`
			`}`
			`}`

			`/*`
			`* Display temporary OAuth credentials`
			`*/`
			`function showRequestToken($token)`
			`{`
			`header('Content-Type: application/x-www-form-urlencoded');`
			`print $token;`
			`print '&oauth_callback_confirmed=true';`
			`}`

			`/* Make sure the callback parameter contains either a real URL`
			`* or the string 'oob'.`
			`*`
			`* @todo Check for evil/banned URLs here`
			`*`
			`* @return boolean true or false`
			`*/`
			`function verifyCallback($callback)`
			`{`
			`if ($callback == "oob") {`
OAuth - better log messages 2010-10-19 12:07:59 -07:00			`common_debug("OAuth request token requested for out of band client.");`
Added a comment about an open question: Should we allow pin-based workflow for clients registered as web applications? 2010-10-07 14:17:56 -07:00
			`// XXX: Should we throw an error if a client is registered as a`
			`// web application but requests the pin based workflow? For now I'm`
			`// allowing the workflow to proceed and issuing a pin. --Zach`

Update ApiOauthRequestTokenAction to support OAuth 1.0a 2010-10-05 17:53:50 -07:00			`return true;`
			`} else {`
Relax restrictions on URL validation for oauth_callback. We need to allow custom schemes like mustard:// etc. 2010-10-19 19:29:21 +00:00			`return Validate::uri($callback);`
Action for issuing a request token 2010-01-07 18:33:17 -08:00			`}`
			`}`
Stubs for API OAuth token exchange stuff 2010-01-07 13:19:21 -08:00			`}`