Update ApiOauthRequestTokenAction to support OAuth 1.0a

This commit is contained in:
Zach Copley 2010-10-05 17:53:50 -07:00
parent f4f56eea3a
commit f97b863fd7
2 changed files with 67 additions and 12 deletions

View File

@ -2,7 +2,7 @@
/** /**
* StatusNet, the distributed open-source microblogging tool * StatusNet, the distributed open-source microblogging tool
* *
* Get an OAuth request token * Issue temporary OAuth credentials (a request token)
* *
* PHP version 5 * PHP version 5
* *
@ -34,7 +34,7 @@ if (!defined('STATUSNET')) {
require_once INSTALLDIR . '/lib/apioauth.php'; require_once INSTALLDIR . '/lib/apioauth.php';
/** /**
* Get an OAuth request token * Issue temporary OAuth credentials (a request token)
* *
* @category API * @category API
* @package StatusNet * @package StatusNet
@ -58,22 +58,23 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
{ {
parent::prepare($args); parent::prepare($args);
$this->callback = $this->arg('oauth_callback'); // XXX: support "force_login" parameter like Twitter? (Forces the user to enter
// their credentials to ensure the correct users account is authorized.)
if (!empty($this->callback)) {
common_debug("callback: $this->callback");
}
return true; return true;
} }
/** /**
* Class handler. * Handle a request for temporary OAuth credentials
*
* Make sure the request is kosher, then emit a set of temporary
* credentials -- AKA an unauthorized request token.
* *
* @param array $args array of arguments * @param array $args array of arguments
* *
* @return void * @return void
*/ */
function handle($args) function handle($args)
{ {
parent::handle($args); parent::handle($args);
@ -85,14 +86,63 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
$server->add_signature_method($hmac_method); $server->add_signature_method($hmac_method);
try { try {
$req = OAuthRequest::from_request(); $req = OAuthRequest::from_request();
// verify callback
if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) {
throw new OAuthException(
"You must provide a valid URL or 'oob' in oauth_callback.",
400
);
}
// check signature and issue a new request token
$token = $server->fetch_request_token($req); $token = $server->fetch_request_token($req);
print $token;
// return token to the client
$this->showRequestToken($token);
} catch (OAuthException $e) { } catch (OAuthException $e) {
common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage()); common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
header('HTTP/1.1 401 Unauthorized');
header('Content-Type: text/html; charset=utf-8'); // Return 401 for for bad credentials or signature problems,
print $e->getMessage() . "\n"; // and 400 for missing or unsupported parameters
$code = $e->getCode();
$this->clientError($e->getMessage(), empty($code) ? 401 : $code, 'text');
}
}
/*
* Display temporary OAuth credentials
*/
function showRequestToken($token)
{
header('Content-Type: application/x-www-form-urlencoded');
print $token;
print '&oauth_callback_confirmed=true';
}
/* Make sure the callback parameter contains either a real URL
* or the string 'oob'.
*
* @todo Check for evil/banned URLs here
*
* @return boolean true or false
*/
function verifyCallback($callback)
{
if ($callback == "oob") {
common_debug("OAuth request token requested for out of bounds client.");
return true;
} else {
return Validate::uri(
$callback,
array('allowed_schemes' => array('http', 'https'))
);
} }
} }

View File

@ -77,6 +77,11 @@ class ApiOauthAction extends ApiAction
self::cleanRequest(); self::cleanRequest();
} }
/*
* Clean up the request so the OAuth library doesn't find
* any extra parameters or anything else it's not expecting.
* I'm looking at you, p parameter.
*/
static function cleanRequest() static function cleanRequest()
{ {
// kill evil effects of magical slashing // kill evil effects of magical slashing