author | Christopher Allan Webber <cwebber@dustycloud.org> | 2015-12-20 09:05:00 -0600 |
committer | Christopher Allan Webber <cwebber@dustycloud.org> | 2015-12-20 09:05:00 -0600 |
commit | 76a8e720e5076fedfadf5582af85e3426cef04d1 (patch) | |
tree | 6ea5bc36092c5e32dd1153383f76221b30de5d39 /mediagoblin/oauth | |
parent | 86d01f0816d3ccfb481a0e4218aa68d8e780c4f1 (diff) | |
parent | 86ee2d1a0e9057e26add65807191fc28b0eec568 (diff) | |
Merge branch 'stable'
Diffstat (limited to 'mediagoblin/oauth')
-rw-r--r-- | mediagoblin/oauth/oauth.py | 11 | ||||
-rw-r--r-- | mediagoblin/oauth/views.py | 10 |
2 files changed, 21 insertions, 0 deletions
diff --git a/mediagoblin/oauth/oauth.py b/mediagoblin/oauth/oauth.py
index f6a1bf4b..cdd8c842 100644
--- a/mediagoblin/oauth/oauth.py
+++ b/mediagoblin/oauth/oauth.py
@@ -102,6 +102,17 @@ class GMGRequestValidator(RequestValidator):
 return True
+ def validate_verifier(self, token, verifier):
+ """ Verifies the verifier token is correct. """
+ request_token = RequestToken.query.filter_by(token=token).first()
+ if request_token is None:
+ return False
+
+ if request_token.verifier != verifier:
+ return False
+
+ return True
+
 def validate_access_token(self, client_key, token, request):
 """ Verifies token exists for client with id of client_key """
 # Get the client for the request
diff --git a/mediagoblin/oauth/views.py b/mediagoblin/oauth/views.py
index 9d7a877b..ef91eb91 100644
--- a/mediagoblin/oauth/views.py
+++ b/mediagoblin/oauth/views.py
@@ -337,6 +337,16 @@ def access_token(request):
 request.resource_owner_key = parsed_tokens["oauth_consumer_key"]
 request.oauth_token = parsed_tokens["oauth_token"]
 request_validator = GMGRequestValidator(data)
+
+ # Check that the verifier is valid
+ verifier_valid = request_validator.validate_verifier(
+ token=request.oauth_token,
+ verifier=parsed_tokens["oauth_verifier"]
+ )
+ if not verifier_valid:
+ error = "Verifier code or token incorrect"
+ return json_response({"error": error}, status=401)
+
 av = AccessTokenEndpoint(request_validator)
 tokens = av.create_access_token(request, {})
 return form_response(tokens) |
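Review bot: The comparison `if request_token.verifier != verifier:` in the new validate_verifier is a plain string compare, so its running time depends on how many leading characters match; for a secret the client has to present, a constant-time compare is the usual choice: `if request_token.verifier is None or not hmac.compare_digest(request_token.verifier, verifier): return False` (with `import hmac` at the top of the file; both operands must be str of the same kind, or both encoded to bytes first). The added `is None` guard also keeps a request token whose verifier has not been stored yet from matching a caller-supplied None, which the `!=` form would accept. The lookup is by token alone, so this method does not confirm that the request token belongs to the client making the exchange; if that is meant to be covered by the validator's client checks elsewhere, a docstring line stating so would help the next reader. If RequestValidator here is oauthlib's, its own validate_verifier hook is invoked as (client_key, token, verifier, request), so an override with this two-argument signature would not be callable from AccessTokenEndpoint — worth confirming which call path is relied on. The validate_access_token method that follows continues outside the hunk.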
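Review bot: `verifier=parsed_tokens["oauth_verifier"]` in the new block raises KeyError when a client omits oauth_verifier, which surfaces as an unhandled exception instead of the 401 the block intends; read it with `.get()` and reject an empty value before calling the validator: `verifier = parsed_tokens.get("oauth_verifier")` followed by `if not verifier or not request_validator.validate_verifier(token=request.oauth_token, verifier=verifier):`. The explicit emptiness check matters because validate_verifier compares the stored value with `!=`, so passing None through could match a request token whose verifier was never set. Returning one message for both a wrong token and a wrong verifier is the right shape, since it does not tell the caller which half failed. How parsed_tokens is built is outside the hunk, as is the rest of access_token, so whether the key is guaranteed earlier is not visible here.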