-rw-r--r-- | mediagoblin/db/models.py | 14 | ||||
-rw-r--r-- | mediagoblin/federation/oauth.py | 9 | ||||
-rw-r--r-- | mediagoblin/federation/views.py | 10 |
3 files changed, 28 insertions, 5 deletions
diff --git a/mediagoblin/db/models.py b/mediagoblin/db/models.py
index b6ae533e..74dea44e 100644
--- a/mediagoblin/db/models.py
+++ b/mediagoblin/db/models.py
@@ -161,6 +161,16 @@ class AccessToken(Base):
     updated = Column(DateTime, nullable=False, default=datetime.datetime.now)
+class NonceTimestamp(Base):
+    """
+    A place the timestamp and nonce can be stored - this is for OAuth1
+    """
+    __tablename__ = "core__nonce_timestamps"
+
+    nonce = Column(Unicode, nullable=False, primary_key=True)
+    timestamp = Column(DateTime, nullable=False, primary_key=True)
+
+
 class MediaEntry(Base, MediaEntryMixin):
     """
     TODO: Consider fetching the media_files using join
@@ -636,8 +646,8 @@ with_polymorphic(
     [ProcessingNotification, CommentNotification])
 MODELS = [
-    User, Client, RequestToken, AccessToken, MediaEntry, Tag, MediaTag,
-    MediaComment, Collection, CollectionItem, MediaFile, FileKeynames,
+    User, Client, RequestToken, AccessToken, NonceTimestamp, MediaEntry, Tag,
+    MediaTag, MediaComment, Collection, CollectionItem, MediaFile, FileKeynames,
     MediaAttachmentFile, ProcessingMetaData, Notification, CommentNotification,
     ProcessingNotification, CommentSubscription]
diff --git a/mediagoblin/federation/oauth.py b/mediagoblin/federation/oauth.py
index 846b0794..ea0fea2c 100644
--- a/mediagoblin/federation/oauth.py
+++ b/mediagoblin/federation/oauth.py
@@ -18,7 +18,7 @@ from oauthlib.common import Request
 from oauthlib.oauth1 import (AuthorizationEndpoint, RequestValidator, RequestTokenEndpoint, AccessTokenEndpoint)
-from mediagoblin.db.models import Client, RequestToken, AccessToken
+from mediagoblin.db.models import NonceTimestamp, Client, RequestToken, AccessToken
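Review bot: NonceTimestamp's docstring only says where values are stored; it should state the contract the rest of this commit relies on, namely that a row exists for every (nonce, timestamp) pair already accepted so validate_timestamp_and_nonce can refuse a repeat, and that the DateTime column is expected to hold the converted value request_token writes, `datetime.datetime.fromtimestamp(int(oauth_timestamp))`, so both sides query and store the same representation. With the pair as composite primary key and no creation column, nothing in the model supports pruning old rows, so a sentence saying how long rows are meant to be kept would help whoever adds that later. A comment such as `# replay-detection record: one row per accepted (nonce, timestamp) pair; store and query with the same timestamp conversion` captures it.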
@@ -65,7 +65,12 @@ class GMGRequestValidator(RequestValidator):
     def validate_timestamp_and_nonce(self, client_key, timestamp, nonce, request, request_token=None, access_token=None):
-        return True # TODO!!! - SECURITY RISK IF NOT DONE
+        nc = NonceTimestamp.query.filter_by(timestamp=timestamp, nonce=nonce)
+        nc = nc.first()
+        if nc is None:
+            return True
+
+        return False
     def validate_client_key(self, client_key, request):
         """ Verifies client exists with id of client_key """
diff --git a/mediagoblin/federation/views.py b/mediagoblin/federation/views.py
index c538f4cb..aae9d55a 100644
--- a/mediagoblin/federation/views.py
+++ b/mediagoblin/federation/views.py
@@ -32,7 +32,7 @@ from mediagoblin.federation.forms import AuthorizeForm
 from mediagoblin.federation.exceptions import ValidationException
 from mediagoblin.federation.oauth import GMGRequestValidator, GMGRequest
 from mediagoblin.federation.tools.request import decode_authorization_header
-from mediagoblin.db.models import Client, RequestToken, AccessToken
+from mediagoblin.db.models import NonceTimestamp, Client, RequestToken, AccessToken
 # possible client types
 client_types = ["web", "native"] # currently what pump supports
@@ -215,6 +215,14 @@ def request_token(request):
     rv = RequestTokenEndpoint(request_validator)
     tokens = rv.create_request_token(request, authorization)
+    # store the nonce & timestamp before we return back
+    nonce = authorization[u"oauth_nonce"]
+    timestamp = authorization[u"oauth_timestamp"]
+    timestamp = datetime.datetime.fromtimestamp(int(timestamp))
+
+    nc = NonceTimestamp(nonce=nonce, timestamp=timestamp)
+    nc.save()
+
     return form_response(tokens)
 class WTFormData(dict):
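Review bot: The new validate_timestamp_and_nonce body filters the DateTime column on the `timestamp` argument exactly as received, while request_token in views.py stores `datetime.datetime.fromtimestamp(int(timestamp))`; oauthlib passes the validator the raw oauth_timestamp string, so unless both sides normalise the value the same way the query should never match and a replayed nonce is still accepted, which is the risk the removed TODO was warning about. The method also never checks that the timestamp is recent, so an unseen nonce is accepted at any age and the table only grows. I would convert before filtering, `ts = datetime.datetime.fromtimestamp(int(timestamp))` then `nc = NonceTimestamp.query.filter_by(timestamp=ts, nonce=nonce).first()` (importing datetime if oauth.py does not already), and return False when `ts` falls outside an agreed freshness window. GMGRequestValidator continues outside the hunk.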
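Review bot: The NonceTimestamp row added at the end of request_token is saved unconditionally after `create_request_token` has already produced its response, so the nonce is recorded even when oauthlib rejected the request, and a missing or non-numeric oauth_timestamp raises KeyError or ValueError from `authorization[u"oauth_timestamp"]` / `int(timestamp)` instead of yielding an OAuth error. If the endpoint returns an error response rather than raising for a bad request, as I believe oauthlib does, the store should be gated on a successful status, and a duplicate (nonce, timestamp) pair, which the composite primary key turns into an IntegrityError, handled explicitly rather than left to surface as a server error. This is also the only place in the diff that persists a nonce; other endpoints that call the same validator will, as far as this diff shows, never have theirs recorded. request_token begins above the hunk.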