diff --git a/actions/finishremotesubscribe.php b/actions/finishremotesubscribe.php index b5093263e1..41bc91afd8 100644 --- a/actions/finishremotesubscribe.php +++ b/actions/finishremotesubscribe.php @@ -33,14 +33,7 @@ class FinishremotesubscribeAction extends Action { return; } - $nonce = $this->trimmed('nonce'); - - if (!$omb) { - common_user_error(_t('No nonce returned!')); - return; - } - - $omb = $_SESSION[$nonce]; + $omb = $_SESSION['oauth_authorization_request']; if (!$omb) { common_user_error(_t('Not expecting this response!')); @@ -173,7 +166,7 @@ class FinishremotesubscribeAction extends Action { } # Clear the data - unset($_SESSION[$nonce]); + unset($_SESSION['oauth_authorization_request']); # If we show subscriptions in reverse chron order, this should # show up close to the top of the page @@ -187,7 +180,7 @@ class FinishremotesubscribeAction extends Action { $con = omb_oauth_consumer(); $tok = new OAuthToken($omb['token'], $omb['secret']); - $url = $omb[OAUTH_ENDPOINT_ACCESS][0]; + $url = omb_service_uri($omb[OAUTH_ENDPOINT_ACCESS]); # XXX: Is this the right thing to do? Strip off GET params and make them # POST params? Seems wrong to me. diff --git a/actions/remotesubscribe.php b/actions/remotesubscribe.php index 3dea07f16d..fa78438807 100644 --- a/actions/remotesubscribe.php +++ b/actions/remotesubscribe.php @@ -336,10 +336,9 @@ class RemotesubscribeAction extends Action { $req->set_parameter('omb_listenee_avatar', $avatar->url); } - $nonce = $this->make_nonce(); - - $req->set_parameter('oauth_callback', common_local_url('finishremotesubscribe', - array('nonce' => $nonce))); + # XXX: add a nonce to prevent replay attacks + + $req->set_parameter('oauth_callback', common_local_url('finishremotesubscribe')); # XXX: test to see if endpoint accepts this signature method @@ -351,7 +350,7 @@ class RemotesubscribeAction extends Action { $omb['token'] = $token; $omb['secret'] = $secret; - $_SESSION[$nonce] = $omb; + $_SESSION['oauth_authorization_request'] = $omb; # Redirect to authorization service