OAuth - better log messages

Zach Copley 2010-10-19 12:07:59 -07:00
parent e04a6ef93e
commit 5866493cae
5 changed files with 89 additions and 45 deletions


@ -67,7 +67,7 @@ class ApiOauthAccessTokenAction extends ApiOauthAction
$server->add_signature_method($hmac_method);
$atok = null;
$atok = $app = null;
// XXX: Insist that oauth_token and oauth_verifier be populated?
// Spec doesn't say they MUST be.
@ -78,7 +78,7 @@ class ApiOauthAccessTokenAction extends ApiOauthAction
$this->reqToken = $req->get_parameter('oauth_token');
$this->verifier = $req->get_parameter('oauth_verifier');
$app = $datastore->getAppByRequestToken($this->reqToken);
$atok = $server->fetch_access_token($req);
} catch (OAuthException $e) {
@ -92,22 +92,26 @@ class ApiOauthAccessTokenAction extends ApiOauthAction
// Token exchange failed -- log it
list($proxy, $ip) = common_client_ip();
$msg = sprintf(
'API OAuth - Failure exchanging request token for access token, '
. 'request token = %s, verifier = %s, IP = %s, proxy = %s',
'API OAuth - Failure exchanging OAuth request token for access token, '
. 'request token = %s, verifier = %s',
$this->reqToken,
$this->verifier,
$ip,
$proxy
$this->verifier
);
common_log(LOG_WARNING, $msg);
common_log(LOG_WARNIGN, $msg);
$this->clientError(_("Invalid request token or verifier.", 400, 'text'));
} else {
common_log(
LOG_INFO,
sprintf(
"Issued now access token '%s' for application %d (%s).",
$atok->key,
$app->id,
$app->name
)
);
$this->showAccessToken($atok);
}
}
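Review bot: The new-side `common_log(LOG_WARNIGN, $msg);` misspells the constant; PHP 5/7 resolve an undefined constant to the bare string 'LOG_WARNIGN' (with a notice) and PHP 8 throws an Error, so the failed token exchange is no longer recorded at warning level — it should read `common_log(LOG_WARNING, $msg);`. The rewritten message also drops the `%s` slots for `$ip` and `$proxy` while `list($proxy, $ip) = common_client_ip();` two lines above is kept, leaving both variables dead and removing the client address from the one log line a responder would use to trace a failed exchange; this commit adds `logAuthFailure()` to ApiAuthAction for exactly that purpose, so if ApiOauthAction inherits from it, `$this->logAuthFailure($msg)` would restore the context. Unrelated to this commit but on the adjacent context line, `_("Invalid request token or verifier.", 400, 'text')` hands the status and format to the translation function instead of to `clientError()`. The enclosing method's body starts before this hunk.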


@ -113,14 +113,12 @@ class ApiOauthAuthorizeAction extends Action
$this->reqToken = $this->store->getTokenByKey($this->oauthTokenParam);
if (empty($this->reqToken)) {
$this->serverError(
_('Invalid request token.')
);
$this->clientError(_('Invalid request token.'));
} else {
// Check to make sure we haven't already authorized the token
if ($this->reqToken->state != 0) {
$this->clientError("Invalid request token.");
$this->clientError(_("Invalid request token."));
}
}
}
@ -240,15 +238,31 @@ class ApiOauthAuthorizeAction extends Action
// Redirect the user to the provided OAuth callback
common_redirect($targetUrl, 303);
} else {
} elseif ($this->app->type == 2) {
// Strangely, a web application seems to want to do the OOB
// workflow. Because no callback was specified anywhere.
common_log(
LOG_INFO,
"No oauth_callback parameter provided for application ID "
. $this->app->id
. " when authorizing request token."
LOG_WARNING,
sprintf(
"API OAuth - No callback provided for OAuth web client ID %s (%s) "
. "during authorization step. Falling back to OOB workflow.",
$this->app->id,
$this->app->name
)
);
}
common_log(
LOG_INFO,
sprintf(
"The request token '%s' for OAuth application %s (%s) has been authorized.",
$this->oauthTokenParam,
$this->app->id,
$this->app->name
)
);
// Otherwise, inform the user that the rt was authorized
$this->showAuthorized();
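Review bot: The new branch condition `} elseif ($this->app->type == 2) {` tests a bare magic number with loose equality; a class constant on Oauth_application for the web-application type, or at least a comment such as `// type 2 = web application: no callback means it wants the OOB flow`, would make the fallback readable, and `===` against an int would avoid loose-comparison surprises if `type` comes back from the database as a string. The "has been authorized" LOG_INFO entry now runs after the `elseif`, which is only correct for the redirect case if `common_redirect()` does not return; a one-line comment stating that assumption would save the next reader a check. The enclosing method continues outside the hunk.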


@ -146,7 +146,7 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
function verifyCallback($callback)
{
if ($callback == "oob") {
common_debug("OAuth request token requested for out of bounds client.");
common_debug("OAuth request token requested for out of band client.");
// XXX: Should we throw an error if a client is registered as a
// web application but requests the pin based workflow? For now I'm


@ -168,9 +168,11 @@ class ApiAuthAction extends ApiAction
$app = Oauth_application::getByConsumerKey($consumer);
if (empty($app)) {
common_log(LOG_WARNING,
'Couldn\'t find the OAuth app for consumer key: ' .
$consumer);
common_log(
LOG_WARNING,
'API OAuth - Couldn\'t find the OAuth app for consumer key: ' .
$consumer
);
// TRANS: OAuth exception thrown when no application is found for a given consumer key.
throw new OAuthException(_('No application for that consumer key.'));
}
@ -199,14 +201,17 @@ class ApiAuthAction extends ApiAction
$msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
"application '%s' (id: %d) with %s access.";
common_log(LOG_INFO, sprintf($msg,
common_log(
LOG_INFO,
sprintf(
$msg,
$this->auth_user->nickname,
$this->auth_user->id,
$app->name,
$app->id,
($this->access = self::READ_WRITE) ?
'read-write' : 'read-only'
));
($this->access = self::READ_WRITE) ? 'read-write' : 'read-only'
)
);
} else {
// TRANS: OAuth exception given when an incorrect access token was given for a user.
throw new OAuthException(_('Bad access token.'));
@ -218,6 +223,7 @@ class ApiAuthAction extends ApiAction
}
} catch (OAuthException $e) {
$this->logAuthFailure($e->getMessage());
common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
$this->clientError($e->getMessage(), 401, $this->format);
exit;
@ -276,16 +282,11 @@ class ApiAuthAction extends ApiAction
$this->access = self::READ_WRITE;
if (empty($this->auth_user) && ($required || isset($_SERVER['PHP_AUTH_USER']))) {
// basic authentication failed
list($proxy, $ip) = common_client_ip();
$msg = sprintf( 'Failed API auth attempt, nickname = %1$s, ' .
'proxy = %2$s, ip = %3$s',
$this->auth_user_nickname,
$proxy,
$ip);
common_log(LOG_WARNING, $msg);
$msg = sprintf(
"basic auth nickname = %s",
$this->auth_user_nickname
);
$this->logAuthFailure($msg);
// TRANS: Client error thrown when authentication fails.
$this->clientError(_("Could not authenticate you."), 401, $this->format);
exit;
@ -332,4 +333,24 @@ class ApiAuthAction extends ApiAction
}
}
}
/**
* Log an API authentication failer. Collect the proxy and IP
* and log them
*
* @param string $logMsg additional log message
*/
function logAuthFailure($logMsg)
{
list($proxy, $ip) = common_client_ip();
$msg = sprintf(
'API auth failure (proxy = %1$s, ip = %2$s) - ',
$proxy,
$ip
);
common_log(LOG_WARNING, $msg . $logMsg);
}
}
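Review bot: In the rewritten log call, `($this->access = self::READ_WRITE) ? 'read-write' : 'read-only'` assigns instead of comparing, so every OAuth-authenticated request has its access level overwritten with READ_WRITE while the log line is built and the message always says 'read-write'; if `$this->access` gates writes downstream (the @-276 hunk sets it to READ_WRITE for basic auth, so it appears to), a read-only token would be upgraded here. The line was already wrong before this commit, but it is rewritten on the new side, so it should become `($this->access == self::READ_WRITE) ? 'read-write' : 'read-only'`; the enclosing method starts outside that hunk. Separately, the new `logAuthFailure()` docblock reads "Log an API authentication failer" — "failure".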


@ -74,8 +74,13 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore
function new_access_token($token, $consumer, $verifier)
{
common_debug(
'new_access_token("' . $token->key . '","' . $consumer->key. '","' . $verifier . '")',
__FILE__
sprintf(
"%s - New access token from request token %s, consumer %s and verifier %s ",
__FILE__,
$token,
$consumer,
$verifier
)
);
$rt = new Token();
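Review bot: The new debug line passes `$token` and `$consumer` straight to `sprintf('%s')`, where the removed line used `$token->key` and `$consumer->key`; an object without `__toString()` makes this a fatal string-conversion error, and if these are the OAuth library's OAuthToken/OAuthConsumer objects, whose `__toString()` serialises the secret alongside the key, the request-token secret and consumer secret end up in the log. Keep the key fields explicit, `$token->key, $consumer->key, $verifier`, so the message stays informative without writing secrets. new_access_token continues past the end of the hunk.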