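/**
 * Verifies the OAuth request signature, sets the auth user
 * and access type (read-only or read-write).
 *
 * On any OAuthException the failure is logged, a 401 is returned through
 * clientError() and the script exits, so a normal return guarantees that
 * both $this->auth_user and $this->access have been set.
 *
 * @param OAuthRequest $request the OAuth Request
 *
 * @return void
 */
function checkOAuthRequest($request)
{
    $datastore = new ApiStatusNetOAuthDataStore();
    $server    = new OAuthServer($datastore);

    // Only HMAC-SHA1 is registered, so requests signed any other way fail verification.
    $hmacMethod = new OAuthSignatureMethod_HMAC_SHA1();
    $server->add_signature_method($hmacMethod);

    try {
        // Signature, nonce and timestamp checks; throws OAuthException on failure.
        $server->verify_request($request);

        $consumer    = $request->get_parameter('oauth_consumer_key');
        $accessToken = $request->get_parameter('oauth_token');

        $app = Oauth_application::getByConsumerKey($consumer);

        if (empty($app)) {
            common_log(LOG_WARNING, 'Couldn\'t find the OAuth app for consumer key: ' . $consumer);
            throw new OAuthException('No application for that consumer key.');
        }

        // set the source attr
        $this->source = $app->name;

        $appUser = Oauth_application_user::staticGet('token', $accessToken);

        if (empty($appUser)) {
            // Also should not happen
            throw new OAuthException('No user for that token.');
        }

        // If access_type == 0 we have either a request token
        // or a bad / revoked access token
        if ($appUser->access_type == 0) {
            throw new OAuthException('Bad access token.');
        }

        // Set the access level for the api call from the grant stored with
        // the token, never from anything the client sent in the request.
        $this->access = ($appUser->access_type & Oauth_application::$writeAccess)
            ? self::READ_WRITE
            : self::READ_ONLY;

        // Set the auth user. $user is passed by reference so a plugin
        // handling StartSetApiUser may supply it and return false.
        $user = null;
        if (Event::handle('StartSetApiUser', array(&$user))) {
            $user = User::staticGet('id', $appUser->profile_id);
            if (empty($user)) {
                throw new OAuthException('No user for that token.');
            }
            $this->auth_user = $user;
            Event::handle('EndSetApiUser', array($user));
        }

        // Guard the log line below against an unset auth_user (e.g. a plugin
        // aborted StartSetApiUser without supplying a user).
        if (empty($this->auth_user)) {
            throw new OAuthException('No user for that token.');
        }

        $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
               "application '%s' (id: %d) with %s access.";

        // Compare, do not assign: the original `=` here silently upgraded every
        // token to read-write after the access level had been computed above.
        common_log(LOG_INFO, sprintf($msg,
            $this->auth_user->nickname,
            $this->auth_user->id,
            $app->name,
            $app->id,
            ($this->access === self::READ_WRITE) ? 'read-write' : 'read-only'));
    } catch (OAuthException $e) {
        common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
        $this->clientError($e->getMessage(), 401, $this->format);
        exit;
    }
}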
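/**
 * Verifies the OAuth request signature, sets the auth user
 * and access type (read-only or read-write).
 *
 * On any OAuthException the failure is logged, a 401 is returned through
 * clientError() and the script exits, so a normal return guarantees that
 * both $this->auth_user and $this->access have been set. An
 * AuthorizationException (user lacks Right::API) is NOT caught here and
 * propagates to the caller.
 *
 * @param OAuthRequest $request the OAuth Request
 *
 * @return void
 *
 * @throws AuthorizationException when the token's user may not use the API
 */
function checkOAuthRequest($request)
{
    $datastore = new ApiStatusNetOAuthDataStore();
    $server    = new OAuthServer($datastore);

    // Only HMAC-SHA1 is registered, so requests signed any other way fail verification.
    $hmacMethod = new OAuthSignatureMethod_HMAC_SHA1();
    $server->add_signature_method($hmacMethod);

    try {
        // Signature, nonce and timestamp checks; throws OAuthException on failure.
        $server->verify_request($request);

        $consumer    = $request->get_parameter('oauth_consumer_key');
        $accessToken = $request->get_parameter('oauth_token');

        $app = Oauth_application::getByConsumerKey($consumer);

        if (empty($app)) {
            common_log(LOG_WARNING, 'API OAuth - Couldn\'t find the OAuth app for consumer key: ' . $consumer);
            // TRANS: OAuth exception thrown when no application is found for a given consumer key.
            throw new OAuthException(_('No application for that consumer key.'));
        }

        // set the source attr
        if ($app->name != 'anonymous') {
            $this->source = $app->name;
        }

        $appUser = Oauth_application_user::staticGet('token', $accessToken);

        if (empty($appUser)) {
            // Also should not happen.
            // TRANS: OAuth exception given when no user was found for a given token (no token was found).
            throw new OAuthException(_('No user for that token.'));
        }

        // If access_type == 0 we have either a request token
        // or a bad / revoked access token
        if ($appUser->access_type == 0) {
            // TRANS: OAuth exception given when an incorrect access token was given for a user.
            throw new OAuthException(_('Bad access token.'));
        }

        // Set the access level for the api call from the grant stored with
        // the token, never from anything the client sent in the request.
        $this->access = ($appUser->access_type & Oauth_application::$writeAccess)
            ? self::READ_WRITE
            : self::READ_ONLY;

        // Set the auth user. $user is passed by reference so a plugin
        // handling StartSetApiUser may supply it and return false.
        $user = null;
        if (Event::handle('StartSetApiUser', array(&$user))) {
            $user = User::staticGet('id', $appUser->profile_id);

            if (empty($user)) {
                // TRANS: OAuth exception given when no user was found for a given token (no token was found).
                throw new OAuthException(_('No user for that token.'));
            }

            if (!$user->hasRight(Right::API)) {
                // TRANS: Authorization exception thrown when a user without API access tries to access the API.
                throw new AuthorizationException(_('Not allowed to use API.'));
            }

            $this->auth_user = $user;

            // FIXME: setting the value returned by common_current_user()
            // There should probably be a better method for this. common_set_user()
            // does lots of session stuff.
            global $_cur;
            $_cur = $this->auth_user;

            Event::handle('EndSetApiUser', array($user));
        }

        // Guard the log line below against an unset auth_user (e.g. a plugin
        // aborted StartSetApiUser without supplying a user).
        if (empty($this->auth_user)) {
            // TRANS: OAuth exception given when no user was found for a given token (no token was found).
            throw new OAuthException(_('No user for that token.'));
        }

        $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
               "application '%s' (id: %d) with %s access.";

        // Compare, do not assign: the original `=` here silently upgraded every
        // token to read-write after the access level had been computed above.
        common_log(LOG_INFO, sprintf($msg,
            $this->auth_user->nickname,
            $this->auth_user->id,
            $app->name,
            $app->id,
            ($this->access === self::READ_WRITE) ? 'read-write' : 'read-only'));
    } catch (OAuthException $e) {
        $this->logAuthFailure($e->getMessage());
        common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
        $this->clientError($e->getMessage(), 401, $this->format);
        exit;
    }
}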