OAuth - better log messages
This commit is contained in:
parent
e04a6ef93e
commit
5866493cae
@ -67,7 +67,7 @@ class ApiOauthAccessTokenAction extends ApiOauthAction
|
|||||||
|
|
||||||
$server->add_signature_method($hmac_method);
|
$server->add_signature_method($hmac_method);
|
||||||
|
|
||||||
$atok = null;
|
$atok = $app = null;
|
||||||
|
|
||||||
// XXX: Insist that oauth_token and oauth_verifier be populated?
|
// XXX: Insist that oauth_token and oauth_verifier be populated?
|
||||||
// Spec doesn't say they MUST be.
|
// Spec doesn't say they MUST be.
|
||||||
@ -78,7 +78,7 @@ class ApiOauthAccessTokenAction extends ApiOauthAction
|
|||||||
|
|
||||||
$this->reqToken = $req->get_parameter('oauth_token');
|
$this->reqToken = $req->get_parameter('oauth_token');
|
||||||
$this->verifier = $req->get_parameter('oauth_verifier');
|
$this->verifier = $req->get_parameter('oauth_verifier');
|
||||||
|
$app = $datastore->getAppByRequestToken($this->reqToken);
|
||||||
$atok = $server->fetch_access_token($req);
|
$atok = $server->fetch_access_token($req);
|
||||||
|
|
||||||
} catch (OAuthException $e) {
|
} catch (OAuthException $e) {
|
||||||
@ -92,22 +92,26 @@ class ApiOauthAccessTokenAction extends ApiOauthAction
|
|||||||
|
|
||||||
// Token exchange failed -- log it
|
// Token exchange failed -- log it
|
||||||
|
|
||||||
list($proxy, $ip) = common_client_ip();
|
|
||||||
|
|
||||||
$msg = sprintf(
|
$msg = sprintf(
|
||||||
'API OAuth - Failure exchanging request token for access token, '
|
'API OAuth - Failure exchanging OAuth request token for access token, '
|
||||||
. 'request token = %s, verifier = %s, IP = %s, proxy = %s',
|
. 'request token = %s, verifier = %s',
|
||||||
$this->reqToken,
|
$this->reqToken,
|
||||||
$this->verifier,
|
$this->verifier
|
||||||
$ip,
|
|
||||||
$proxy
|
|
||||||
);
|
);
|
||||||
|
|
||||||
common_log(LOG_WARNING, $msg);
|
common_log(LOG_WARNIGN, $msg);
|
||||||
|
|
||||||
$this->clientError(_("Invalid request token or verifier.", 400, 'text'));
|
$this->clientError(_("Invalid request token or verifier.", 400, 'text'));
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
common_log(
|
||||||
|
LOG_INFO,
|
||||||
|
sprintf(
|
||||||
|
"Issued now access token '%s' for application %d (%s).",
|
||||||
|
$atok->key,
|
||||||
|
$app->id,
|
||||||
|
$app->name
|
||||||
|
)
|
||||||
|
);
|
||||||
$this->showAccessToken($atok);
|
$this->showAccessToken($atok);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
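Review bot: `common_log(LOG_WARNIGN, $msg);` on the new side misspells the level constant, so the failed-token-exchange warning goes out under an undefined constant (a notice and the literal string as level on PHP 5/7, a fatal `Error` on PHP 8) and the failure is effectively not logged at the intended level; it should read `common_log(LOG_WARNING, $msg);` as the removed line did. The same hunk also drops `list($proxy, $ip) = common_client_ip();` and the `IP = %s, proxy = %s` fields from that message, which is precisely the context an operator needs to spot someone cycling verifiers against a request token — keep them, or route this through a helper that records proxy and IP, such as the `logAuthFailure()` this commit adds to ApiAuthAction if it is reachable from here (I am reading the right-hand column as the new side). The new success log additionally writes the issued access token key (`$atok->key`) at LOG_INFO; a token key is half of a credential, so consider logging only the application id/name, or a truncated key.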
|
@ -113,14 +113,12 @@ class ApiOauthAuthorizeAction extends Action
|
|||||||
$this->reqToken = $this->store->getTokenByKey($this->oauthTokenParam);
|
$this->reqToken = $this->store->getTokenByKey($this->oauthTokenParam);
|
||||||
|
|
||||||
if (empty($this->reqToken)) {
|
if (empty($this->reqToken)) {
|
||||||
$this->serverError(
|
$this->clientError(_('Invalid request token.'));
|
||||||
_('Invalid request token.')
|
|
||||||
);
|
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
// Check to make sure we haven't already authorized the token
|
// Check to make sure we haven't already authorized the token
|
||||||
if ($this->reqToken->state != 0) {
|
if ($this->reqToken->state != 0) {
|
||||||
$this->clientError("Invalid request token.");
|
$this->clientError(_("Invalid request token."));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -240,15 +238,31 @@ class ApiOauthAuthorizeAction extends Action
|
|||||||
// Redirect the user to the provided OAuth callback
|
// Redirect the user to the provided OAuth callback
|
||||||
common_redirect($targetUrl, 303);
|
common_redirect($targetUrl, 303);
|
||||||
|
|
||||||
} else {
|
} elseif ($this->app->type == 2) {
|
||||||
|
|
||||||
|
// Strangely, a web application seems to want to do the OOB
|
||||||
|
// workflow. Because no callback was specified anywhere.
|
||||||
common_log(
|
common_log(
|
||||||
LOG_INFO,
|
LOG_WARNING,
|
||||||
"No oauth_callback parameter provided for application ID "
|
sprintf(
|
||||||
. $this->app->id
|
"API OAuth - No callback provided for OAuth web client ID %s (%s) "
|
||||||
. " when authorizing request token."
|
. "during authorization step. Falling back to OOB workflow.",
|
||||||
|
$this->app->id,
|
||||||
|
$this->app->name
|
||||||
|
)
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
common_log(
|
||||||
|
LOG_INFO,
|
||||||
|
sprintf(
|
||||||
|
"The request token '%s' for OAuth application %s (%s) has been authorized.",
|
||||||
|
$this->oauthTokenParam,
|
||||||
|
$this->app->id,
|
||||||
|
$this->app->name
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
// Otherwise, inform the user that the rt was authorized
|
// Otherwise, inform the user that the rt was authorized
|
||||||
$this->showAuthorized();
|
$this->showAuthorized();
|
||||||
|
|
||||||
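Review bot: `} elseif ($this->app->type == 2) {` compares against a bare magic number with a loose `==`; the application types are presumably defined as named constants on Oauth_application (not visible here), so this should use that constant with a strict `===`, and the `// Strangely, a web application ...` comment should say what type 2 denotes. The behaviour itself deserves a comment too: a registered web client that supplied no callback is silently dropped into the PIN/OOB flow with only a LOG_WARNING, while the `verifyCallback()` XXX in apioauthrequesttoken.php (also in this commit) asks whether that case should be rejected outright — a one-line `// TODO(review): consider rejecting web clients without a callback instead of falling back to OOB` would keep that open question visible at the point where the decision is made. The enclosing method begins before this hunk, so whether `$targetUrl` was checked against the registered callback is not visible here.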
|
@ -146,7 +146,7 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
|
|||||||
function verifyCallback($callback)
|
function verifyCallback($callback)
|
||||||
{
|
{
|
||||||
if ($callback == "oob") {
|
if ($callback == "oob") {
|
||||||
common_debug("OAuth request token requested for out of bounds client.");
|
common_debug("OAuth request token requested for out of band client.");
|
||||||
|
|
||||||
// XXX: Should we throw an error if a client is registered as a
|
// XXX: Should we throw an error if a client is registered as a
|
||||||
// web application but requests the pin based workflow? For now I'm
|
// web application but requests the pin based workflow? For now I'm
|
||||||
|
@ -168,9 +168,11 @@ class ApiAuthAction extends ApiAction
|
|||||||
$app = Oauth_application::getByConsumerKey($consumer);
|
$app = Oauth_application::getByConsumerKey($consumer);
|
||||||
|
|
||||||
if (empty($app)) {
|
if (empty($app)) {
|
||||||
common_log(LOG_WARNING,
|
common_log(
|
||||||
'Couldn\'t find the OAuth app for consumer key: ' .
|
LOG_WARNING,
|
||||||
$consumer);
|
'API OAuth - Couldn\'t find the OAuth app for consumer key: ' .
|
||||||
|
$consumer
|
||||||
|
);
|
||||||
// TRANS: OAuth exception thrown when no application is found for a given consumer key.
|
// TRANS: OAuth exception thrown when no application is found for a given consumer key.
|
||||||
throw new OAuthException(_('No application for that consumer key.'));
|
throw new OAuthException(_('No application for that consumer key.'));
|
||||||
}
|
}
|
||||||
@ -197,16 +199,19 @@ class ApiAuthAction extends ApiAction
|
|||||||
}
|
}
|
||||||
|
|
||||||
$msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
|
$msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
|
||||||
"application '%s' (id: %d) with %s access.";
|
"application '%s' (id: %d) with %s access.";
|
||||||
|
|
||||||
common_log(LOG_INFO, sprintf($msg,
|
common_log(
|
||||||
$this->auth_user->nickname,
|
LOG_INFO,
|
||||||
$this->auth_user->id,
|
sprintf(
|
||||||
$app->name,
|
$msg,
|
||||||
$app->id,
|
$this->auth_user->nickname,
|
||||||
($this->access = self::READ_WRITE) ?
|
$this->auth_user->id,
|
||||||
'read-write' : 'read-only'
|
$app->name,
|
||||||
));
|
$app->id,
|
||||||
|
($this->access = self::READ_WRITE) ? 'read-write' : 'read-only'
|
||||||
|
)
|
||||||
|
);
|
||||||
} else {
|
} else {
|
||||||
// TRANS: OAuth exception given when an incorrect access token was given for a user.
|
// TRANS: OAuth exception given when an incorrect access token was given for a user.
|
||||||
throw new OAuthException(_('Bad access token.'));
|
throw new OAuthException(_('Bad access token.'));
|
||||||
@ -218,6 +223,7 @@ class ApiAuthAction extends ApiAction
|
|||||||
}
|
}
|
||||||
|
|
||||||
} catch (OAuthException $e) {
|
} catch (OAuthException $e) {
|
||||||
|
$this->logAuthFailure($e->getMessage());
|
||||||
common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
|
common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
|
||||||
$this->clientError($e->getMessage(), 401, $this->format);
|
$this->clientError($e->getMessage(), 401, $this->format);
|
||||||
exit;
|
exit;
|
||||||
@ -276,16 +282,11 @@ class ApiAuthAction extends ApiAction
|
|||||||
$this->access = self::READ_WRITE;
|
$this->access = self::READ_WRITE;
|
||||||
|
|
||||||
if (empty($this->auth_user) && ($required || isset($_SERVER['PHP_AUTH_USER']))) {
|
if (empty($this->auth_user) && ($required || isset($_SERVER['PHP_AUTH_USER']))) {
|
||||||
|
$msg = sprintf(
|
||||||
// basic authentication failed
|
"basic auth nickname = %s",
|
||||||
list($proxy, $ip) = common_client_ip();
|
$this->auth_user_nickname
|
||||||
|
);
|
||||||
$msg = sprintf( 'Failed API auth attempt, nickname = %1$s, ' .
|
$this->logAuthFailure($msg);
|
||||||
'proxy = %2$s, ip = %3$s',
|
|
||||||
$this->auth_user_nickname,
|
|
||||||
$proxy,
|
|
||||||
$ip);
|
|
||||||
common_log(LOG_WARNING, $msg);
|
|
||||||
// TRANS: Client error thrown when authentication fails.
|
// TRANS: Client error thrown when authentication fails.
|
||||||
$this->clientError(_("Could not authenticate you."), 401, $this->format);
|
$this->clientError(_("Could not authenticate you."), 401, $this->format);
|
||||||
exit;
|
exit;
|
||||||
@ -332,4 +333,24 @@ class ApiAuthAction extends ApiAction
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Log an API authentication failer. Collect the proxy and IP
|
||||||
|
* and log them
|
||||||
|
*
|
||||||
|
* @param string $logMsg additional log message
|
||||||
|
*/
|
||||||
|
|
||||||
|
function logAuthFailure($logMsg)
|
||||||
|
{
|
||||||
|
list($proxy, $ip) = common_client_ip();
|
||||||
|
|
||||||
|
$msg = sprintf(
|
||||||
|
'API auth failure (proxy = %1$s, ip = %2$s) - ',
|
||||||
|
$proxy,
|
||||||
|
$ip
|
||||||
|
);
|
||||||
|
|
||||||
|
common_log(LOG_WARNING, $msg . $logMsg);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
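Review bot: `($this->access = self::READ_WRITE) ? 'read-write' : 'read-only'` on the new side is an assignment, not a comparison, so the log line always says "read-write" and — since `$this->access` is the same field the basic-auth path in this file sets to `self::READ_WRITE` — it overwrites whatever access level was established for the OAuth token earlier in this method (above the hunk, not visible here), which would silently upgrade every OAuth-authenticated request to read-write; it should be `($this->access == self::READ_WRITE) ? 'read-write' : 'read-only'`. The old side carried the same bug, but a reformat that re-emits the line is the moment to fix it, and a test asserting that a read-only token still reports read-only after authentication would pin it. Separately, in the `catch (OAuthException $e)` hunk the exception is now logged twice (the new `logAuthFailure()` call plus the retained `common_log(LOG_WARNING, 'API OAuthException - ' ...)`); fold the prefix into one call, `$this->logAuthFailure('API OAuthException - ' . $e->getMessage());`. In the new `logAuthFailure()` the docblock should read "failure" rather than "failer", and because `$logMsg` carries user-controlled text (the supplied nickname, exception messages) consider stripping CR/LF from it before writing, unless `common_log()` already does so.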
|
@ -74,8 +74,13 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore
|
|||||||
function new_access_token($token, $consumer, $verifier)
|
function new_access_token($token, $consumer, $verifier)
|
||||||
{
|
{
|
||||||
common_debug(
|
common_debug(
|
||||||
'new_access_token("' . $token->key . '","' . $consumer->key. '","' . $verifier . '")',
|
sprintf(
|
||||||
__FILE__
|
"%s - New access token from request token %s, consumer %s and verifier %s ",
|
||||||
|
__FILE__,
|
||||||
|
$token,
|
||||||
|
$consumer,
|
||||||
|
$verifier
|
||||||
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
$rt = new Token();
|
$rt = new Token();
|
||||||
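Review bot: the rewritten debug line passes `$token` and `$consumer` to `%s` where the removed line passed `$token->key` and `$consumer->key`; if these are the OAuth library's OAuthToken/OAuthConsumer objects, their `__toString()` (in the bundled OAuth.php, as far as I recall) serialises key and secret together, so the request-token secret and the consumer secret would land in the debug log — and if they have no `__toString()` the sprintf becomes a fatal object-to-string conversion instead. Either way, log only the identifiers: `$token->key, $consumer->key, $verifier`. Also consider whether the verifier belongs in a debug message at all, since it is the one-time value that completes the exchange; if it stays, a comment such as `// debug only: verifier is a one-time secret` would warn the next maintainer. `new_access_token()` continues past this hunk.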
|