OAuth - better log messages

This commit is contained in:
Zach Copley 2010-10-19 12:07:59 -07:00
parent e04a6ef93e
commit 5866493cae
5 changed files with 89 additions and 45 deletions


@ -67,7 +67,7 @@ class ApiOauthAccessTokenAction extends ApiOauthAction
$server->add_signature_method($hmac_method); $server->add_signature_method($hmac_method);
$atok = null; $atok = $app = null;
// XXX: Insist that oauth_token and oauth_verifier be populated? // XXX: Insist that oauth_token and oauth_verifier be populated?
// Spec doesn't say they MUST be. // Spec doesn't say they MUST be.
@ -78,7 +78,7 @@ class ApiOauthAccessTokenAction extends ApiOauthAction
$this->reqToken = $req->get_parameter('oauth_token'); $this->reqToken = $req->get_parameter('oauth_token');
$this->verifier = $req->get_parameter('oauth_verifier'); $this->verifier = $req->get_parameter('oauth_verifier');
$app = $datastore->getAppByRequestToken($this->reqToken);
$atok = $server->fetch_access_token($req); $atok = $server->fetch_access_token($req);
} catch (OAuthException $e) { } catch (OAuthException $e) {
@ -92,22 +92,26 @@ class ApiOauthAccessTokenAction extends ApiOauthAction
// Token exchange failed -- log it // Token exchange failed -- log it
list($proxy, $ip) = common_client_ip();
$msg = sprintf( $msg = sprintf(
'API OAuth - Failure exchanging request token for access token, ' 'API OAuth - Failure exchanging OAuth request token for access token, '
. 'request token = %s, verifier = %s, IP = %s, proxy = %s', . 'request token = %s, verifier = %s',
$this->reqToken, $this->reqToken,
$this->verifier, $this->verifier
$ip,
$proxy
); );
common_log(LOG_WARNING, $msg); common_log(LOG_WARNIGN, $msg);
$this->clientError(_("Invalid request token or verifier.", 400, 'text')); $this->clientError(_("Invalid request token or verifier.", 400, 'text'));
} else { } else {
common_log(
LOG_INFO,
sprintf(
"Issued now access token '%s' for application %d (%s).",
$atok->key,
$app->id,
$app->name
)
);
$this->showAccessToken($atok); $this->showAccessToken($atok);
} }
} }
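Review bot: `common_log(LOG_WARNIGN, $msg);` on the failure path misspells the priority constant, so PHP raises an undefined-constant notice and hands the string `'LOG_WARNIGN'` to `common_log()` as the level — the one branch that records token-exchange failures is exactly the one that now logs at an unknown priority; it should be `common_log(LOG_WARNING, $msg);`. The same message writes the raw `oauth_verifier` alongside the request token, so a leaked log holds both halves of a pending exchange; consider logging only the request token, or a truncated verifier. Unchanged but sitting next to the new code: `$this->clientError(_("Invalid request token or verifier.", 400, 'text'))` passes `400` and `'text'` to `_()` rather than to `clientError()`, so the error is not sent with the intended status and format. The success-path log also assumes `getAppByRequestToken()` returned an object; if it can return null for a valid token, `$app->id` will emit a notice before `showAccessToken()` runs.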


@ -113,14 +113,12 @@ class ApiOauthAuthorizeAction extends Action
$this->reqToken = $this->store->getTokenByKey($this->oauthTokenParam); $this->reqToken = $this->store->getTokenByKey($this->oauthTokenParam);
if (empty($this->reqToken)) { if (empty($this->reqToken)) {
$this->serverError( $this->clientError(_('Invalid request token.'));
_('Invalid request token.')
);
} else { } else {
// Check to make sure we haven't already authorized the token // Check to make sure we haven't already authorized the token
if ($this->reqToken->state != 0) { if ($this->reqToken->state != 0) {
$this->clientError("Invalid request token."); $this->clientError(_("Invalid request token."));
} }
} }
} }
@ -240,15 +238,31 @@ class ApiOauthAuthorizeAction extends Action
// Redirect the user to the provided OAuth callback // Redirect the user to the provided OAuth callback
common_redirect($targetUrl, 303); common_redirect($targetUrl, 303);
} else { } elseif ($this->app->type == 2) {
// Strangely, a web application seems to want to do the OOB
// workflow. Because no callback was specified anywhere.
common_log( common_log(
LOG_INFO, LOG_WARNING,
"No oauth_callback parameter provided for application ID " sprintf(
. $this->app->id "API OAuth - No callback provided for OAuth web client ID %s (%s) "
. " when authorizing request token." . "during authorization step. Falling back to OOB workflow.",
$this->app->id,
$this->app->name
)
); );
} }
common_log(
LOG_INFO,
sprintf(
"The request token '%s' for OAuth application %s (%s) has been authorized.",
$this->oauthTokenParam,
$this->app->id,
$this->app->name
)
);
// Otherwise, inform the user that the rt was authorized // Otherwise, inform the user that the rt was authorized
$this->showAuthorized(); $this->showAuthorized();
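Review bot: The new "has been authorized" log entry at the end of the hunk records `$this->oauthTokenParam`, the raw request parameter, rather than the token that was looked up and validated; a client can place CR/LF or other log-spoofing text in `oauth_token` and have it written verbatim into the warning/info stream. If `$this->reqToken` is still populated at this point (it is assigned from `getTokenByKey()` earlier in the class), logging `$this->reqToken->key,` in place of `$this->oauthTokenParam,` ties the line to the stored token instead of untrusted input. The `elseif ($this->app->type == 2)` branch compares against a bare literal with a loose `==`; a short comment such as `// type 2 == web application, which should have supplied a callback` would document the assumption until a named constant is available. The enclosing method begins before this hunk.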


@ -146,7 +146,7 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
function verifyCallback($callback) function verifyCallback($callback)
{ {
if ($callback == "oob") { if ($callback == "oob") {
common_debug("OAuth request token requested for out of bounds client."); common_debug("OAuth request token requested for out of band client.");
// XXX: Should we throw an error if a client is registered as a // XXX: Should we throw an error if a client is registered as a
// web application but requests the pin based workflow? For now I'm // web application but requests the pin based workflow? For now I'm


@ -168,9 +168,11 @@ class ApiAuthAction extends ApiAction
$app = Oauth_application::getByConsumerKey($consumer); $app = Oauth_application::getByConsumerKey($consumer);
if (empty($app)) { if (empty($app)) {
common_log(LOG_WARNING, common_log(
'Couldn\'t find the OAuth app for consumer key: ' . LOG_WARNING,
$consumer); 'API OAuth - Couldn\'t find the OAuth app for consumer key: ' .
$consumer
);
// TRANS: OAuth exception thrown when no application is found for a given consumer key. // TRANS: OAuth exception thrown when no application is found for a given consumer key.
throw new OAuthException(_('No application for that consumer key.')); throw new OAuthException(_('No application for that consumer key.'));
} }
@ -197,16 +199,19 @@ class ApiAuthAction extends ApiAction
} }
$msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " . $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
"application '%s' (id: %d) with %s access."; "application '%s' (id: %d) with %s access.";
common_log(LOG_INFO, sprintf($msg, common_log(
$this->auth_user->nickname, LOG_INFO,
$this->auth_user->id, sprintf(
$app->name, $msg,
$app->id, $this->auth_user->nickname,
($this->access = self::READ_WRITE) ? $this->auth_user->id,
'read-write' : 'read-only' $app->name,
)); $app->id,
($this->access = self::READ_WRITE) ? 'read-write' : 'read-only'
)
);
} else { } else {
// TRANS: OAuth exception given when an incorrect access token was given for a user. // TRANS: OAuth exception given when an incorrect access token was given for a user.
throw new OAuthException(_('Bad access token.')); throw new OAuthException(_('Bad access token.'));
@ -218,6 +223,7 @@ class ApiAuthAction extends ApiAction
} }
} catch (OAuthException $e) { } catch (OAuthException $e) {
$this->logAuthFailure($e->getMessage());
common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage()); common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
$this->clientError($e->getMessage(), 401, $this->format); $this->clientError($e->getMessage(), 401, $this->format);
exit; exit;
@ -276,16 +282,11 @@ class ApiAuthAction extends ApiAction
$this->access = self::READ_WRITE; $this->access = self::READ_WRITE;
if (empty($this->auth_user) && ($required || isset($_SERVER['PHP_AUTH_USER']))) { if (empty($this->auth_user) && ($required || isset($_SERVER['PHP_AUTH_USER']))) {
$msg = sprintf(
// basic authentication failed "basic auth nickname = %s",
list($proxy, $ip) = common_client_ip(); $this->auth_user_nickname
);
$msg = sprintf( 'Failed API auth attempt, nickname = %1$s, ' . $this->logAuthFailure($msg);
'proxy = %2$s, ip = %3$s',
$this->auth_user_nickname,
$proxy,
$ip);
common_log(LOG_WARNING, $msg);
// TRANS: Client error thrown when authentication fails. // TRANS: Client error thrown when authentication fails.
$this->clientError(_("Could not authenticate you."), 401, $this->format); $this->clientError(_("Could not authenticate you."), 401, $this->format);
exit; exit;
@ -332,4 +333,24 @@ class ApiAuthAction extends ApiAction
} }
} }
} }
/**
* Log an API authentication failer. Collect the proxy and IP
* and log them
*
* @param string $logMsg additional log message
*/
function logAuthFailure($logMsg)
{
list($proxy, $ip) = common_client_ip();
$msg = sprintf(
'API auth failure (proxy = %1$s, ip = %2$s) - ',
$proxy,
$ip
);
common_log(LOG_WARNING, $msg . $logMsg);
}
} }
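Review bot: The reformatted access-level log line still reads `($this->access = self::READ_WRITE) ? 'read-write' : 'read-only'` with a single `=`, so every OAuth-authenticated request is logged as read-write and, more importantly, `$this->access` is overwritten with `READ_WRITE` as a side effect of logging; `$this->access` is clearly meaningful state (the basic-auth path below assigns it explicitly), so if it is what later gates write operations a read-only token is promoted here — worth confirming, and the fix is `($this->access == self::READ_WRITE) ? 'read-write' : 'read-only'`. The `catch (OAuthException $e)` block now calls `logAuthFailure()` and then the pre-existing `common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());`, so each failure emits two warning lines; fold the second message into the argument of the first. In `logAuthFailure()` the docblock should read `Log an API authentication failure.` rather than `failer`, and since `$logMsg` carries a client-supplied nickname on the basic-auth path, the docblock should state that the message may contain untrusted text and must not be interpreted by log consumers as trusted. The conditional containing the access-level log starts before this hunk.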


@ -74,8 +74,13 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore
function new_access_token($token, $consumer, $verifier) function new_access_token($token, $consumer, $verifier)
{ {
common_debug( common_debug(
'new_access_token("' . $token->key . '","' . $consumer->key. '","' . $verifier . '")', sprintf(
__FILE__ "%s - New access token from request token %s, consumer %s and verifier %s ",
__FILE__,
$token,
$consumer,
$verifier
)
); );
$rt = new Token(); $rt = new Token();
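Review bot: The rewritten debug call passes the `$token` and `$consumer` objects directly to `%s` placeholders where the old message used `$token->key` and `$consumer->key`; unless those classes define `__toString()`, `sprintf()` raises a recoverable fatal "could not be converted to string" error and the access-token exchange aborts on the logging line itself. Restore the key properties: `$token->key,` and `$consumer->key,` in place of `$token,` and `$consumer,`. The message also records the raw `$verifier` next to the request-token key; if debug output is ever enabled outside development, both halves of the exchange land in the log, so consider omitting or truncating the verifier. `new_access_token()` continues past the end of this hunk.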