aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--mediagoblin/db/models.py14
-rw-r--r--mediagoblin/federation/oauth.py9
-rw-r--r--mediagoblin/federation/views.py10
3 files changed, 28 insertions, 5 deletions
diff --git a/mediagoblin/db/models.py b/mediagoblin/db/models.py
index b6ae533e..74dea44e 100644
--- a/mediagoblin/db/models.py
+++ b/mediagoblin/db/models.py
@@ -161,6 +161,16 @@ class AccessToken(Base):
updated = Column(DateTime, nullable=False, default=datetime.datetime.now)
+class NonceTimestamp(Base):
+ """
+ A place the timestamp and nonce can be stored - this is for OAuth1
+ """
+ __tablename__ = "core__nonce_timestamps"
+
+ nonce = Column(Unicode, nullable=False, primary_key=True)
+ timestamp = Column(DateTime, nullable=False, primary_key=True)
+
+
class MediaEntry(Base, MediaEntryMixin):
"""
TODO: Consider fetching the media_files using join
@@ -636,8 +646,8 @@ with_polymorphic(
[ProcessingNotification, CommentNotification])
MODELS = [
- User, Client, RequestToken, AccessToken, MediaEntry, Tag, MediaTag,
- MediaComment, Collection, CollectionItem, MediaFile, FileKeynames,
+ User, Client, RequestToken, AccessToken, NonceTimestamp, MediaEntry, Tag,
+ MediaTag, MediaComment, Collection, CollectionItem, MediaFile, FileKeynames,
MediaAttachmentFile, ProcessingMetaData, Notification, CommentNotification,
ProcessingNotification, CommentSubscription]
diff --git a/mediagoblin/federation/oauth.py b/mediagoblin/federation/oauth.py
index 846b0794..ea0fea2c 100644
--- a/mediagoblin/federation/oauth.py
+++ b/mediagoblin/federation/oauth.py
@@ -18,7 +18,7 @@ from oauthlib.common import Request
from oauthlib.oauth1 import (AuthorizationEndpoint, RequestValidator,
RequestTokenEndpoint, AccessTokenEndpoint)
-from mediagoblin.db.models import Client, RequestToken, AccessToken
+from mediagoblin.db.models import NonceTimestamp, Client, RequestToken, AccessToken
@@ -65,7 +65,12 @@ class GMGRequestValidator(RequestValidator):
def validate_timestamp_and_nonce(self, client_key, timestamp,
nonce, request, request_token=None,
access_token=None):
- return True # TODO!!! - SECURITY RISK IF NOT DONE
+ nc = NonceTimestamp.query.filter_by(timestamp=timestamp, nonce=nonce)
+ nc = nc.first()
+ if nc is None:
+ return True
+
+ return False
def validate_client_key(self, client_key, request):
""" Verifies client exists with id of client_key """
diff --git a/mediagoblin/federation/views.py b/mediagoblin/federation/views.py
index c538f4cb..aae9d55a 100644
--- a/mediagoblin/federation/views.py
+++ b/mediagoblin/federation/views.py
@@ -32,7 +32,7 @@ from mediagoblin.federation.forms import AuthorizeForm
from mediagoblin.federation.exceptions import ValidationException
from mediagoblin.federation.oauth import GMGRequestValidator, GMGRequest
from mediagoblin.federation.tools.request import decode_authorization_header
-from mediagoblin.db.models import Client, RequestToken, AccessToken
+from mediagoblin.db.models import NonceTimestamp, Client, RequestToken, AccessToken
# possible client types
client_types = ["web", "native"] # currently what pump supports
@@ -215,6 +215,14 @@ def request_token(request):
rv = RequestTokenEndpoint(request_validator)
tokens = rv.create_request_token(request, authorization)
+ # store the nonce & timestamp before we return back
+ nonce = authorization[u"oauth_nonce"]
+ timestamp = authorization[u"oauth_timestamp"]
+ timestamp = datetime.datetime.fromtimestamp(int(timestamp))
+
+ nc = NonceTimestamp(nonce=nonce, timestamp=timestamp)
+ nc.save()
+
return form_response(tokens)
class WTFormData(dict):