Fixes #827: Laconica expects full OAuth message for user auth request.
When a user subscribes to a remote profile, he is redirected to his own service to confirm the request. This authorization request is specified in http://oauth.net/core/1.0#auth_step2. According to the standard, it does not have to pass consumer_key, nonce, timestamp or signature. The only specified parameters are oauth_token and oauth_callback, both optional.
This commit is contained in:
Adrian Lang
@@ -216,10 +216,8 @@ class UserauthorizationAction extends Action
|
|||||||
|
|
||||||
function authorizeToken(&$req)
|
function authorizeToken(&$req)
|
||||||
{
|
{
|
||||||
$consumer_key = $req->get_parameter('oauth_consumer_key');
|
|
||||||
$token_field = $req->get_parameter('oauth_token');
|
$token_field = $req->get_parameter('oauth_token');
|
||||||
$rt = new Token();
|
$rt = new Token();
|
||||||
$rt->consumer_key = $consumer_key;
|
|
||||||
$rt->tok = $token_field;
|
$rt->tok = $token_field;
|
||||||
$rt->type = 0;
|
$rt->type = 0;
|
||||||
$rt->state = 0;
|
$rt->state = 0;
|
||||||
@@ -390,15 +388,14 @@ class UserauthorizationAction extends Action
|
|||||||
|
|
||||||
function validateRequest(&$req)
|
function validateRequest(&$req)
|
||||||
{
|
{
|
||||||
# OAuth stuff -- have to copy from OAuth.php since they're
|
/* Find token. */
|
||||||
# all private methods, and there's no user-authentication method
|
$t = new Token();
|
||||||
$this->checkVersion($req);
|
$t->tok = $req->get_parameter('oauth_token');
|
||||||
$datastore = omb_oauth_datastore();
|
$t->type = 0;
|
||||||
$consumer = $this->getConsumer($datastore, $req);
|
if (!$t->find(true)) {
|
||||||
$token = $this->getToken($datastore, $req, $consumer);
|
throw new OAuthException("Invalid request token: " . $req->get_parameter('oauth_token'));
|
||||||
$this->checkTimestamp($req);
|
}
|
||||||
$this->checkNonce($datastore, $req, $consumer, $token);
|
|
||||||
$this->checkSignature($req, $consumer, $token);
|
|
||||||
$this->validateOmb($req);
|
$this->validateOmb($req);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@@ -515,92 +512,4 @@ class UserauthorizationAction extends Action
|
|||||||
throw new OAuthException("Callback URL '$callback' is for local site.");
|
throw new OAuthException("Callback URL '$callback' is for local site.");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Snagged from OAuthServer
|
|
||||||
|
|
||||||
function checkVersion(&$req)
|
|
||||||
{
|
|
||||||
$version = $req->get_parameter("oauth_version");
|
|
||||||
if (!$version) {
|
|
||||||
$version = 1.0;
|
|
||||||
}
|
|
||||||
if ($version != 1.0) {
|
|
||||||
throw new OAuthException("OAuth version '$version' not supported");
|
|
||||||
}
|
|
||||||
return $version;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Snagged from OAuthServer
|
|
||||||
|
|
||||||
function getConsumer($datastore, $req)
|
|
||||||
{
|
|
||||||
$consumer_key = @$req->get_parameter("oauth_consumer_key");
|
|
||||||
if (!$consumer_key) {
|
|
||||||
throw new OAuthException("Invalid consumer key");
|
|
||||||
}
|
|
||||||
|
|
||||||
$consumer = $datastore->lookup_consumer($consumer_key);
|
|
||||||
if (!$consumer) {
|
|
||||||
throw new OAuthException("Invalid consumer");
|
|
||||||
}
|
|
||||||
return $consumer;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Mostly cadged from OAuthServer
|
|
||||||
|
|
||||||
function getToken($datastore, &$req, $consumer)
|
|
||||||
{/*{{{*/
|
|
||||||
$token_field = @$req->get_parameter('oauth_token');
|
|
||||||
$token = $datastore->lookup_token($consumer, 'request', $token_field);
|
|
||||||
if (!$token) {
|
|
||||||
throw new OAuthException("Invalid $token_type token: $token_field");
|
|
||||||
}
|
|
||||||
return $token;
|
|
||||||
}
|
|
||||||
|
|
||||||
function checkTimestamp(&$req)
|
|
||||||
{
|
|
||||||
$timestamp = @$req->get_parameter('oauth_timestamp');
|
|
||||||
$now = time();
|
|
||||||
if ($now - $timestamp > TIMESTAMP_THRESHOLD) {
|
|
||||||
throw new OAuthException("Expired timestamp, yours $timestamp, ours $now");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# NOTE: don't call twice on the same request; will fail!
|
|
||||||
function checkNonce(&$datastore, &$req, $consumer, $token)
|
|
||||||
{
|
|
||||||
$timestamp = @$req->get_parameter('oauth_timestamp');
|
|
||||||
$nonce = @$req->get_parameter('oauth_nonce');
|
|
||||||
$found = $datastore->lookup_nonce($consumer, $token, $nonce, $timestamp);
|
|
||||||
if ($found) {
|
|
||||||
throw new OAuthException("Nonce already used");
|
|
||||||
}
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
function checkSignature(&$req, $consumer, $token)
|
|
||||||
{
|
|
||||||
$signature_method = $this->getSignatureMethod($req);
|
|
||||||
$signature = $req->get_parameter('oauth_signature');
|
|
||||||
$valid_sig = $signature_method->check_signature($req,
|
|
||||||
$consumer,
|
|
||||||
$token,
|
|
||||||
$signature);
|
|
||||||
if (!$valid_sig) {
|
|
||||||
throw new OAuthException("Invalid signature");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
function getSignatureMethod(&$req)
|
|
||||||
{
|
|
||||||
$signature_method = @$req->get_parameter("oauth_signature_method");
|
|
||||||
if (!$signature_method) {
|
|
||||||
$signature_method = "PLAINTEXT";
|
|
||||||
}
|
|
||||||
if ($signature_method != 'HMAC-SHA1') {
|
|
||||||
throw new OAuthException("Signature method '$signature_method' not supported.");
|
|
||||||
}
|
|
||||||
return omb_hmac_sha1();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user