. * * @category API * @package StatusNet * @author Zach Copley * @copyright 2010 StatusNet, Inc. * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @link http://status.net/ */ if (!defined('STATUSNET')) { exit(1); } /** * Issue temporary OAuth credentials (a request token) * * @category API * @package StatusNet * @author Zach Copley * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @link http://status.net/ */ class ApiOAuthRequestTokenAction extends ApiOAuthAction { /** * Take arguments for running * * @param array $args $_REQUEST args * * @return boolean success flag */ function prepare($args) { parent::prepare($args); // XXX: support "force_login" parameter like Twitter? (Forces the user to enter // their credentials to ensure the correct users account is authorized.) return true; } /** * Handle a request for temporary OAuth credentials * * Make sure the request is kosher, then emit a set of temporary * credentials -- AKA an unauthorized request token. * * @param array $args array of arguments * * @return void */ function handle() { parent::handle(); $datastore = new ApiGNUsocialOAuthDataStore(); $server = new OAuthServer($datastore); $hmac_method = new OAuthSignatureMethod_HMAC_SHA1(); $server->add_signature_method($hmac_method); try { $req = OAuthRequest::from_request(); // verify callback if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) { throw new OAuthException( "You must provide a valid URL or 'oob' in oauth_callback.", 400 ); } // check signature and issue a new request token $token = $server->fetch_request_token($req); common_log( LOG_INFO, sprintf( "API OAuth - Issued request token %s for consumer %s with oauth_callback %s", $token->key, $req->get_parameter('oauth_consumer_key'), "'" . $req->get_parameter('oauth_callback') ."'" ) ); // return token to the client $this->showRequestToken($token); } catch (OAuthException $e) { common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage()); // Return 401 for for bad credentials or signature problems, // and 400 for missing or unsupported parameters $code = $e->getCode(); $this->clientError($e->getMessage(), empty($code) ? 401 : $code, 'text'); } } /* * Display temporary OAuth credentials */ function showRequestToken($token) { header('Content-Type: application/x-www-form-urlencoded'); print $token; print '&oauth_callback_confirmed=true'; } /* Make sure the callback parameter contains either a real URL * or the string 'oob'. * * @todo Check for evil/banned URLs here * * @return boolean true or false */ function verifyCallback($callback) { if ($callback == "oob") { common_debug("OAuth request token requested for out of band client."); // XXX: Should we throw an error if a client is registered as a // web application but requests the pin based workflow? For now I'm // allowing the workflow to proceed and issuing a pin. --Zach return true; } else { return filter_var($callback, FILTER_VALIDATE_URL); } } }