From e8d32637c16aaba887a3c2c54eab68ab92da7f5b Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Wed, 27 Mar 2013 20:48:15 +0000 Subject: [PATCH 1/1] Add javascript OAuth support --- Vendorfile | 7 + app/assets/javascripts/application.js | 1 + app/assets/javascripts/oauth.js | 32 ++++ app/controllers/application_controller.rb | 4 + app/controllers/site_controller.rb | 1 + app/views/layouts/_head.html.erb | 17 +- config/example.application.yml | 2 + vendor/assets/ohauth/ohauth.js | 86 ++++++++++ vendor/assets/ohauth/sha.js | 191 ++++++++++++++++++++++ 9 files changed, 334 insertions(+), 7 deletions(-) create mode 100644 app/assets/javascripts/oauth.js create mode 100644 vendor/assets/ohauth/ohauth.js create mode 100644 vendor/assets/ohauth/sha.js diff --git a/Vendorfile b/Vendorfile index d11ca37fc..197bf575b 100644 --- a/Vendorfile +++ b/Vendorfile @@ -25,4 +25,11 @@ folder 'vendor/assets' do file 'leaflet.osm.js', 'leaflet-osm.js' end end + + folder 'ohauth' do + from 'git://github.com/tmcw/ohauth.git' do + file 'ohauth.js' + file 'sha.js' + end + end end diff --git a/app/assets/javascripts/application.js b/app/assets/javascripts/application.js index 8d6c13503..284ec77e6 100644 --- a/app/assets/javascripts/application.js +++ b/app/assets/javascripts/application.js @@ -10,6 +10,7 @@ //= require leaflet.pan //= require leaflet.zoom //= require i18n/translations +//= require oauth //= require osm //= require piwik //= require map diff --git a/app/assets/javascripts/oauth.js b/app/assets/javascripts/oauth.js new file mode 100644 index 000000000..73e1761f2 --- /dev/null +++ b/app/assets/javascripts/oauth.js @@ -0,0 +1,32 @@ +//= require sha +//= require ohauth + +$(document).ready(function () { + $.ajaxPrefilter(function(options, jqxhr) { + if (options.oauth) { + var ohauth = window.ohauth; + var url = options.url.replace(/\?$/, ""); + var params = { + oauth_consumer_key: OSM.oauth_consumer_key, + oauth_token: OSM.oauth_token, + oauth_signature_method: "HMAC-SHA1", + oauth_timestamp: ohauth.timestamp(), + oauth_nonce: ohauth.nonce() + }; + + for (var name in jqxhr.data) { + params[name] = jqxhr.data[name]; + } + + params.oauth_signature = ohauth.signature( + OSM.oauth_consumer_secret, + OSM.oauth_token_secret, + ohauth.baseString(options.type, url, params) + ); + + options.headers = { + Authorization: "OAuth " + ohauth.authHeader(params) + }; + } + }); +}); diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 4b2c70825..4ac3297c6 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -55,6 +55,10 @@ class ApplicationController < ActionController::Base end end + def require_oauth + @oauth = @user.access_token(OAUTH_KEY) if @user and defined? OAUTH_KEY + end + ## # requires the user to be logged in by the token or HTTP methods, or have an # OAuth token with the right capability. this method is a bit of a pain to call diff --git a/app/controllers/site_controller.rb b/app/controllers/site_controller.rb index 606143f4f..1ea3f7cb0 100644 --- a/app/controllers/site_controller.rb +++ b/app/controllers/site_controller.rb @@ -5,6 +5,7 @@ class SiteController < ApplicationController before_filter :authorize_web before_filter :set_locale before_filter :require_user, :only => [:edit] + before_filter :require_oauth, :only => [:index] def index unless STATUS == :database_readonly or STATUS == :database_offline diff --git a/app/views/layouts/_head.html.erb b/app/views/layouts/_head.html.erb index 19bed2bd3..84f566e81 100644 --- a/app/views/layouts/_head.html.erb +++ b/app/views/layouts/_head.html.erb @@ -25,16 +25,19 @@ I18n.defaultLocale = "<%= I18n.default_locale %>"; I18n.locale = "<%= I18n.locale %>"; I18n.fallbacks = true; - - <% if @user and !@user.home_lon.nil? and !@user.home_lat.nil? %> + <% if @user and !@user.home_lon.nil? and !@user.home_lat.nil? -%> OSM.home = <%= { :lat => @user.home_lat, :lon => @user.home_lon }.to_json.html_safe %>; - <% end %> - - <% if session[:location] %> + <% end -%> + <% if session[:location] -%> OSM.location = <%= session[:location].to_json.html_safe %>; - <% end %> - + <% end -%> OSM.preferred_editor = <%= preferred_editor.to_json.html_safe %>; + <% if @oauth -%> + OSM.oauth_token = "<%= @oauth.token %>"; + OSM.oauth_token_secret = "<%= @oauth.secret %>"; + OSM.oauth_consumer_key = "<%= @oauth.client_application.key %>"; + OSM.oauth_consumer_secret = "<%= @oauth.client_application.secret %>"; + <% end -%> <%= t 'layouts.project_name.title' %><%= ' | '+ @title if @title %> diff --git a/config/example.application.yml b/config/example.application.yml index b99e4a103..30f367f1c 100644 --- a/config/example.application.yml +++ b/config/example.application.yml @@ -76,6 +76,8 @@ defaults: &defaults default_editor: "potlatch2" # OAuth consumer key for Potlatch 2 #potlatch2_key: "" + # OAuth consumer key for the web site + #oauth_key: "" # Whether to require users to view the CTs before continuing to edit... require_terms_seen: false # Whether to require users to agree to the CTs before editing diff --git a/vendor/assets/ohauth/ohauth.js b/vendor/assets/ohauth/ohauth.js new file mode 100644 index 000000000..0497da87c --- /dev/null +++ b/vendor/assets/ohauth/ohauth.js @@ -0,0 +1,86 @@ +(function(context) { + +var ohauth = {}; + +ohauth.qsString = function(obj) { + return Object.keys(obj).sort().map(function(key) { + return encodeURIComponent(key) + '=' + + encodeURIComponent(obj[key]); + }).join('&'); +}; + +ohauth.sha = sha1(); + +ohauth.stringQs = function(str) { + return str.split('&').reduce(function(obj, pair){ + var parts = pair.split('='); + obj[parts[0]] = (null === parts[1]) ? + '' : decodeURIComponent(parts[1]); + return obj; + }, {}); +}; + +ohauth.rawxhr = function(method, url, data, headers, callback) { + var xhr = new XMLHttpRequest(), twoHundred = /^20\d$/; + xhr.onreadystatechange = function() { + if (4 == xhr.readyState && 0 !== xhr.status) { + if (twoHundred.test(xhr.status)) callback(null, xhr); + else return callback(xhr, null); + } + }; + xhr.onerror = function(e) { return callback(e, null); }; + xhr.open(method, url, true); + for (var h in headers) xhr.setRequestHeader(h, headers[h]); + xhr.send(data); +}; + +ohauth.xhr = function(method, url, auth, data, options, callback) { + var headers = (options && options.header) || { + 'Content-Type': 'application/x-www-form-urlencoded' + }; + headers.Authorization = 'OAuth ' + ohauth.authHeader(auth); + ohauth.rawxhr(method, url, auth, data, headers, callback); +}; + +ohauth.nonce = function() { + for (var o = ''; o.length < 6;) { + o += '0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz'[Math.floor(Math.random() * 61)]; + } + return o; +}; + +ohauth.authHeader = function(obj) { + return Object.keys(obj).sort().map(function(key) { + return encodeURIComponent(key) + '="' + encodeURIComponent(obj[key]) + '"'; + }).join(', '); +}; + +ohauth.timestamp = function() { return ~~((+new Date()) / 1000); }; + +ohauth.percentEncode = function(s) { + return encodeURIComponent(s) + .replace(/\!/g, '%21').replace(/\'/g, '%27') + .replace(/\*/g, '%2A').replace(/\(/g, '%28').replace(/\)/g, '%29'); +}; + +ohauth.baseString = function(method, url, params) { + if (params.oauth_signature) delete params.oauth_signature; + return [ + method, + ohauth.percentEncode(url), + ohauth.percentEncode(ohauth.qsString(params))].join('&'); +}; + +ohauth.signature = function(oauth_secret, token_secret, baseString) { + return ohauth.sha.b64_hmac_sha1( + ohauth.percentEncode(oauth_secret) + '&' + + ohauth.percentEncode(token_secret), + baseString); +}; + +context.ohauth = ohauth; + +// export for npm/browserify compatibility +if (typeof module !== 'undefined') module.exports = ohauth; + +})(this); diff --git a/vendor/assets/ohauth/sha.js b/vendor/assets/ohauth/sha.js new file mode 100644 index 000000000..5b6aa65ba --- /dev/null +++ b/vendor/assets/ohauth/sha.js @@ -0,0 +1,191 @@ +/* + * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined + * in FIPS PUB 180-1 + * Version 2.1a Copyright Paul Johnston 2000 - 2002. + * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet + * Distributed under the BSD License + * See http://pajhome.org.uk/crypt/md5 for details. + */ + +function sha1() { + + /* + * Configurable variables. You may need to tweak these to be compatible with + * the server-side, but the defaults work in most cases. + */ + var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */ + var b64pad = "="; /* base-64 pad character. "=" for strict RFC compliance */ + var chrsz = 8; /* bits per input character. 8 - ASCII; 16 - Unicode */ + + /* + * These are the functions you'll usually want to call + * They take string arguments and return either hex or base-64 encoded strings + */ + function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));} + function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));} + function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));} + function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));} + function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));} + function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));} + + /* + * Perform a simple self-test to see if the VM is working + */ + function sha1_vm_test() { + return hex_sha1("abc") == "a9993e364706816aba3e25717850c26c9cd0d89d"; + } + + /* + * Calculate the SHA-1 of an array of big-endian words, and a bit length + */ + function core_sha1(x, len) { + /* append padding */ + x[len >> 5] |= 0x80 << (24 - len % 32); + x[((len + 64 >> 9) << 4) + 15] = len; + + var w = Array(80); + var a = 1732584193; + var b = -271733879; + var c = -1732584194; + var d = 271733878; + var e = -1009589776; + + for(var i = 0; i < x.length; i += 16) { + var olda = a; + var oldb = b; + var oldc = c; + var oldd = d; + var olde = e; + + for(var j = 0; j < 80; j++) { + if(j < 16) w[j] = x[i + j]; + else w[j] = rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1); + var t = safe_add(safe_add(rol(a, 5), sha1_ft(j, b, c, d)), + safe_add(safe_add(e, w[j]), sha1_kt(j))); + e = d; + d = c; + c = rol(b, 30); + b = a; + a = t; + } + + a = safe_add(a, olda); + b = safe_add(b, oldb); + c = safe_add(c, oldc); + d = safe_add(d, oldd); + e = safe_add(e, olde); + } + return Array(a, b, c, d, e); + + } + + /* + * Perform the appropriate triplet combination function for the current + * iteration + */ + function sha1_ft(t, b, c, d) { + if(t < 20) return (b & c) | ((~b) & d); + if(t < 40) return b ^ c ^ d; + if(t < 60) return (b & c) | (b & d) | (c & d); + return b ^ c ^ d; + } + + /* + * Determine the appropriate additive constant for the current iteration + */ + function sha1_kt(t) { + return (t < 20) ? 1518500249 : (t < 40) ? 1859775393 : + (t < 60) ? -1894007588 : -899497514; + } + + /* + * Calculate the HMAC-SHA1 of a key and some data + */ + function core_hmac_sha1(key, data) { + var bkey = str2binb(key); + if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz); + + var ipad = Array(16), opad = Array(16); + for(var i = 0; i < 16; i++) { + ipad[i] = bkey[i] ^ 0x36363636; + opad[i] = bkey[i] ^ 0x5C5C5C5C; + } + + var hash = core_sha1(ipad.concat(str2binb(data)), 512 + data.length * chrsz); + return core_sha1(opad.concat(hash), 512 + 160); + } + + /* + * Add integers, wrapping at 2^32. This uses 16-bit operations internally + * to work around bugs in some JS interpreters. + */ + function safe_add(x, y) { + var lsw = (x & 0xFFFF) + (y & 0xFFFF); + var msw = (x >> 16) + (y >> 16) + (lsw >> 16); + return (msw << 16) | (lsw & 0xFFFF); + } + + /* + * Bitwise rotate a 32-bit number to the left. + */ + function rol(num, cnt) { + return (num << cnt) | (num >>> (32 - cnt)); + } + + /* + * Convert an 8-bit or 16-bit string to an array of big-endian words + * In 8-bit function, characters >255 have their hi-byte silently ignored. + */ + function str2binb(str) { + var bin = Array(); + var mask = (1 << chrsz) - 1; + for(var i = 0; i < str.length * chrsz; i += chrsz) + bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i%32); + return bin; + } + + /* + * Convert an array of big-endian words to a string + */ + function binb2str(bin) { + var str = ""; + var mask = (1 << chrsz) - 1; + for(var i = 0; i < bin.length * 32; i += chrsz) + str += String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i%32)) & mask); + return str; + } + + /* + * Convert an array of big-endian words to a hex string. + */ + function binb2hex(binarray) { + var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef"; + var str = ""; + for(var i = 0; i < binarray.length * 4; i++) { + str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) + + hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF); + } + return str; + } + + /* + * Convert an array of big-endian words to a base-64 string + */ + function binb2b64(binarray) { + var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; + var str = ""; + for(var i = 0; i < binarray.length * 4; i += 3) { + var triplet = (((binarray[i >> 2] >> 8 * (3 - i %4)) & 0xFF) << 16) + | (((binarray[i+1 >> 2] >> 8 * (3 - (i+1)%4)) & 0xFF) << 8 ) + | ((binarray[i+2 >> 2] >> 8 * (3 - (i+2)%4)) & 0xFF); + for(var j = 0; j < 4; j++) { + if(i * 8 + j * 6 > binarray.length * 32) str += b64pad; + else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F); + } + } + return str; + } + + return { b64_hmac_sha1: b64_hmac_sha1 }; +} + -- 2.43.2