Diffstat (limited to 'mediagoblin/federation')
-rw-r--r--mediagoblin/federation/oauth.py9
-rw-r--r--mediagoblin/federation/views.py10
2 files changed, 16 insertions, 3 deletions
diff --git a/mediagoblin/federation/oauth.py b/mediagoblin/federation/oauth.py
index 846b0794..ea0fea2c 100644
--- a/mediagoblin/federation/oauth.py
+++ b/mediagoblin/federation/oauth.py
@@ -18,7 +18,7 @@ from oauthlib.common import Request
from oauthlib.oauth1 import (AuthorizationEndpoint, RequestValidator,
RequestTokenEndpoint, AccessTokenEndpoint)
-from mediagoblin.db.models import Client, RequestToken, AccessToken
+from mediagoblin.db.models import NonceTimestamp, Client, RequestToken, AccessToken
@@ -65,7 +65,12 @@ class GMGRequestValidator(RequestValidator):
def validate_timestamp_and_nonce(self, client_key, timestamp,
nonce, request, request_token=None,
access_token=None):
- return True # TODO!!! - SECURITY RISK IF NOT DONE
+ nc = NonceTimestamp.query.filter_by(timestamp=timestamp, nonce=nonce)
+ nc = nc.first()
+ if nc is None:
+ return True
+
+ return False
def validate_client_key(self, client_key, request):
""" Verifies client exists with id of client_key """
diff --git a/mediagoblin/federation/views.py b/mediagoblin/federation/views.py
index c538f4cb..aae9d55a 100644
--- a/mediagoblin/federation/views.py
+++ b/mediagoblin/federation/views.py
@@ -32,7 +32,7 @@ from mediagoblin.federation.forms import AuthorizeForm
from mediagoblin.federation.exceptions import ValidationException
from mediagoblin.federation.oauth import GMGRequestValidator, GMGRequest
from mediagoblin.federation.tools.request import decode_authorization_header
-from mediagoblin.db.models import Client, RequestToken, AccessToken
+from mediagoblin.db.models import NonceTimestamp, Client, RequestToken, AccessToken
# possible client types
client_types = ["web", "native"] # currently what pump supports
@@ -215,6 +215,14 @@ def request_token(request):
rv = RequestTokenEndpoint(request_validator)
tokens = rv.create_request_token(request, authorization)
+ # store the nonce & timestamp before we return back
+ nonce = authorization[u"oauth_nonce"]
+ timestamp = authorization[u"oauth_timestamp"]
+ timestamp = datetime.datetime.fromtimestamp(int(timestamp))
+
+ nc = NonceTimestamp(nonce=nonce, timestamp=timestamp)
+ nc.save()
+
return form_response(tokens)
class WTFormData(dict):
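Review bot: The NonceTimestamp row is written only after `rv.create_request_token(request, authorization)` has already succeeded, so two concurrent requests carrying the same nonce and timestamp can both pass `validate_timestamp_and_nonce` before either `nc.save()` runs; a uniqueness constraint on (nonce, timestamp) in the model, with a failed save treated as a replay, would close that window (the model is outside this diff). `datetime.datetime.fromtimestamp(int(timestamp))` converts in the server's local timezone; `datetime.datetime.utcfromtimestamp(int(timestamp))` keeps the stored value independent of server settings, which matters once the validator compares against it. The record is stored only on this request-token path, so, judging from the diffstat touching no other view, the validator has nothing to match for access-token or signed resource requests unless those paths persist the pair too. request_token begins above the hunk and the `datetime` import is not visible here.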