author | xray7224 <xray7224@googlemail.com> | 2013-07-14 16:24:04 +0100 |
---|---|---|
committer | xray7224 <xray7224@googlemail.com> | 2013-07-14 16:24:04 +0100 |
commit | cfe7054c13880657fdcb95068a734554ff847cea (patch) | |
tree | 88c6be2332cff83b929d0cb14611b66dffdfb9a0 /mediagoblin/federation/oauth.py | |
parent | e49263564b0ee8859c43e2716fcedab6e80bf164 (diff) | |
Using nonce now, preventing OAuth replay attacks
Diffstat (limited to 'mediagoblin/federation/oauth.py')
-rw-r--r-- | mediagoblin/federation/oauth.py | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/mediagoblin/federation/oauth.py b/mediagoblin/federation/oauth.py
index 846b0794..ea0fea2c 100644
--- a/mediagoblin/federation/oauth.py
+++ b/mediagoblin/federation/oauth.py
@@ -18,7 +18,7 @@ from oauthlib.common import Request
from oauthlib.oauth1 import (AuthorizationEndpoint, RequestValidator,
RequestTokenEndpoint, AccessTokenEndpoint)
-from mediagoblin.db.models import Client, RequestToken, AccessToken
+from mediagoblin.db.models import NonceTimestamp, Client, RequestToken, AccessToken
@@ -65,7 +65,12 @@ class GMGRequestValidator(RequestValidator):
def validate_timestamp_and_nonce(self, client_key, timestamp, nonce,
request, request_token=None, access_token=None):
- return True # TODO!!! - SECURITY RISK IF NOT DONE
+ nc = NonceTimestamp.query.filter_by(timestamp=timestamp, nonce=nonce)
+ nc = nc.first()
+ if nc is None:
+ return True
+
+ return False
def validate_client_key(self, client_key, request):
""" Verifies client exists with id of client_key """ |
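Review bot: The new body of validate_timestamp_and_nonce only looks up the (timestamp, nonce) pair and never records it, so unless another code path inserts NonceTimestamp rows (not visible in this hunk) a repeated request is never found and is still accepted, which is the replay the commit message says it prevents. The lookup is also not scoped to client_key, and nothing compares timestamp against the current time, which the oauthlib RequestValidator contract leaves to this method. Record the pair on the accept path and reject when it already exists, along the lines of the excerpt below; the persistence call depends on the models module, which this hunk does not show, and the timestamp window should be checked before the row is written so stale values do not accumulate. The two-step `nc = ...; nc = nc.first()` can also be a single expression.
```python
    def validate_timestamp_and_nonce(self, client_key, timestamp, nonce,
                                     request, request_token=None, access_token=None):
        # Reject a (timestamp, nonce) pair that has already been used.
        seen = NonceTimestamp.query.filter_by(timestamp=timestamp, nonce=nonce).first()
        if seen is not None:
            return False
        # Remember the pair so a second presentation is refused; persist it with
        # the models module's save mechanism (not visible in this hunk).
        NonceTimestamp(timestamp=timestamp, nonce=nonce)
        return True
```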