From 1c3a9ee62b7d1a0dc97d52b1a498be1339d49ebf Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Fri, 10 Sep 2010 10:31:44 +0100
Subject: [PATCH] Update oauth models and controllers for OAuth 1.0a support

---
 app/controllers/oauth_controller.rb           | 12 +++++++--
 app/models/client_application.rb              | 23 +++++++++++++---
 app/models/request_token.rb                   | 27 +++++++++++++++++--
 config/example.application.yml                |  2 ++
 ...0910084426_add_callback_to_oauth_tokens.rb | 11 ++++++++
 5 files changed, 67 insertions(+), 8 deletions(-)
 create mode 100644 db/migrate/20100910084426_add_callback_to_oauth_tokens.rb

diff --git a/app/controllers/oauth_controller.rb b/app/controllers/oauth_controller.rb
index 4b539b1fd..260f9ecfe 100644
--- a/app/controllers/oauth_controller.rb
+++ b/app/controllers/oauth_controller.rb
@@ -52,9 +52,17 @@ class OauthController < ApplicationController
 
         if any_auth
           @token.authorize!(@user)
-          redirect_url = params[:oauth_callback] || @token.client_application.callback_url
+          if @token.oauth10?
+            redirect_url = params[:oauth_callback] || @token.client_application.callback_url
+          else
+            redirect_url = @token.oob? ? @token.client_application.callback_url : @token.callback_url
+          end
           if redirect_url
-            redirect_to "#{redirect_url}?oauth_token=#{@token.token}"
+            if @token.oauth10?
+              redirect_to "#{redirect_url}?oauth_token=#{@token.token}"
+            else
+              redirect_to "#{redirect_url}?oauth_token=#{@token.token}&oauth_verifier=#{@token.verifier}"
+            end
           else
             render :action => "authorize_success"
           end
diff --git a/app/models/client_application.rb b/app/models/client_application.rb
index d3799abe0..9474a0137 100644
--- a/app/models/client_application.rb
+++ b/app/models/client_application.rb
@@ -6,6 +6,21 @@ class ClientApplication < ActiveRecord::Base
   validates_uniqueness_of :key
   before_validation_on_create :generate_keys
   
+  validates_format_of :url, :with => /\Ahttp(s?):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i
+  validates_format_of :support_url, :with => /\Ahttp(s?):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true
+  validates_format_of :callback_url, :with => /\Ahttp(s?):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true
+
+  attr_accessor :token_callback_url
+  
+  def self.find_token(token_key)
+    token = OauthToken.find_by_token(token_key, :include => :client_application)
+    if token && token.authorized?
+      token
+    else
+      nil
+    end
+  end
+
   def self.verify_request(request, options = {}, &block)
     begin
       signature = OAuth::Signature.build(request, options, &block)
@@ -35,7 +50,7 @@ class ClientApplication < ActiveRecord::Base
   end
     
   def create_request_token
-    RequestToken.create :client_application => self
+    RequestToken.create :client_application => self, :callback_url => self.token_callback_url
   end
 
   # the permissions that this client would like from the user
@@ -52,8 +67,8 @@ protected
                  :allow_write_api, :allow_read_gpx, :allow_write_gpx ]
 
   def generate_keys
-    @oauth_client = oauth_server.generate_consumer_credentials
-    self.key = @oauth_client.key
-    self.secret = @oauth_client.secret
+    oauth_client = oauth_server.generate_consumer_credentials
+    self.key = oauth_client.key
+    self.secret = oauth_client.secret
   end
 end
diff --git a/app/models/request_token.rb b/app/models/request_token.rb
index d66fe6ce1..0044dde26 100644
--- a/app/models/request_token.rb
+++ b/app/models/request_token.rb
@@ -1,17 +1,23 @@
 class RequestToken < OauthToken
+
+  attr_accessor :provided_oauth_verifier
+
   def authorize!(user)
     return false if authorized?
     self.user = user
     self.authorized_at = Time.now
+    self.verifier = OAuth::Helper.generate_key(16)[0,20] unless oauth10?
     self.save
   end
-  
+
   def exchange!
     return false unless authorized?
+    return false unless oauth10? || verifier == provided_oauth_verifier
+
     RequestToken.transaction do
       params = { :user => user, :client_application => client_application }
       # copy the permissions from the authorised request token to the access token
-      client_application.permissions.each { |p| 
+      client_application.permissions.each { |p|
         params[p] = read_attribute(p)
       }
 
@@ -20,4 +26,21 @@ class RequestToken < OauthToken
       access_token
     end
   end
+
+  def to_query
+    if oauth10?
+      super
+    else
+      "#{super}&oauth_callback_confirmed=true"
+    end
+  end
+
+  def oob?
+    self.callback_url=='oob'
+  end
+
+  def oauth10?
+    (defined? OAUTH_10_SUPPORT) && OAUTH_10_SUPPORT && self.callback_url.blank?
+  end
+
 end
diff --git a/config/example.application.yml b/config/example.application.yml
index 25df99d26..9b00beb58 100644
--- a/config/example.application.yml
+++ b/config/example.application.yml
@@ -53,6 +53,8 @@ standard_settings: &standard_settings
   gpx_image_dir: "/home/osm/images"
   # Location of data for file columns
   #file_column_root: ""
+  # Enable legacy OAuth 1.0 support
+  oauth_10_support: true
 
 development:
   <<: *standard_settings
diff --git a/db/migrate/20100910084426_add_callback_to_oauth_tokens.rb b/db/migrate/20100910084426_add_callback_to_oauth_tokens.rb
new file mode 100644
index 000000000..179b80fab
--- /dev/null
+++ b/db/migrate/20100910084426_add_callback_to_oauth_tokens.rb
@@ -0,0 +1,11 @@
+class AddCallbackToOauthTokens < ActiveRecord::Migration
+  def self.up
+    add_column :oauth_tokens, :callback_url, :string
+    add_column :oauth_tokens, :verifier, :string, :limit => 20
+  end
+
+  def self.down
+    remove_column :oauth_tokens, :callback_url
+    remove_column :oauth_tokens, :verifier
+  end
+end
-- 
2.43.2