X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/7b384f03ab1d34fd3ebcc5ae3add25b3b5591e2e..fb4ea1a02ac5dc1b0ef444e0d63fafa8f756fa8d:/app/models/request_token.rb

diff --git a/app/models/request_token.rb b/app/models/request_token.rb
index d66fe6ce1..c0f019486 100644
--- a/app/models/request_token.rb
+++ b/app/models/request_token.rb
@@ -1,23 +1,44 @@
 class RequestToken < OauthToken
+  attr_accessor :provided_oauth_verifier
+
   def authorize!(user)
     return false if authorized?
     self.user = user
     self.authorized_at = Time.now
-    self.save
+    self.verifier = OAuth::Helper.generate_key(20)[0, 20] unless oauth10?
+    save
   end
-  
+
   def exchange!
     return false unless authorized?
+    return false unless oauth10? || verifier == provided_oauth_verifier
+
     RequestToken.transaction do
       params = { :user => user, :client_application => client_application }
       # copy the permissions from the authorised request token to the access token
-      client_application.permissions.each { |p| 
-        params[p] = read_attribute(p)
-      }
+      client_application.permissions.each do |p|
+        params[p] = self[p]
+      end
 
       access_token = AccessToken.create(params)
       invalidate!
       access_token
     end
   end
+
+  def to_query
+    if oauth10?
+      super
+    else
+      "#{super}&oauth_callback_confirmed=true"
+    end
+  end
+
+  def oob?
+    callback_url.nil? || callback_url.casecmp("oob").zero?
+  end
+
+  def oauth10?
+    (defined? OAUTH_10_SUPPORT) && OAUTH_10_SUPPORT && callback_url.blank?
+  end
 end