Added a comment about an open question: Should we allow pin-based

workflow for clients registered as web applications?
2010-10-07 14:17:56 -07:00 · 2010-10-07 14:17:56 -07:00 · f8808b0761
parent b8f2cc4e6f
commit f8808b0761
2 changed files with 10 additions and 2 deletions
--- a/actions/apioauthauthorize.php
+++ b/actions/apioauthauthorize.php
@ -464,7 +464,10 @@ class ApiOauthAuthorizeAction extends Action
            $pin->showPage();
        } else {

-            // NOTE: This should probably never happen; trhow an error instead?
+            // NOTE: This would only happen if an application registered as
+            // a web application but sent in 'oob' for the oauth_callback
+            // parameter. Usually web apps will send in a callback and
+            // not use the pin-based workflow.

            $info = new InfoAction(
                $title,
--- a/actions/apioauthrequesttoken.php
+++ b/actions/apioauthrequesttoken.php
@ -87,7 +87,7 @@ class ApiOauthRequestTokenAction extends ApiOauthAction

        try {

-            $req   = OAuthRequest::from_request();
+            $req = OAuthRequest::from_request();

            // verify callback
            if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) {
@ -137,6 +137,11 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
    {
        if ($callback == "oob") {
            common_debug("OAuth request token requested for out of bounds client.");
+
+            // XXX: Should we throw an error if a client is registered as a
+            // web application but requests the pin based workflow? For now I'm
+            // allowing the workflow to proceed and issuing a pin. --Zach
+
            return true;
        } else {
            return Validate::uri(