diff options
Diffstat (limited to 'mediagoblin/oauth/oauth.py')
| -rw-r--r-- | mediagoblin/oauth/oauth.py | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/mediagoblin/oauth/oauth.py b/mediagoblin/oauth/oauth.py index 8a60392c..c7951734 100644 --- a/mediagoblin/oauth/oauth.py +++ b/mediagoblin/oauth/oauth.py @@ -13,6 +13,7 @@ # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +import datetime from oauthlib.common import Request from oauthlib.oauth1 import RequestValidator @@ -27,6 +28,18 @@ class GMGRequestValidator(RequestValidator): self.POST = data super(GMGRequestValidator, self).__init__(*args, **kwargs) + def check_nonce(self, nonce): + """ + This checks that the nonce given is a valid nonce + + RequestValidator.check_nonce checks that it's between a maximum and + minimum length which, not only does pump.io not do this from what + I can see but there is nothing in rfc5849 which suggests a maximum or + minium length should be required so I'm removing that check + """ + # Check the nonce only contains a subset of the safe characters. + return set(nonce) <= self.safe_characters + def save_request_token(self, token, request): """ Saves request token in db """ client_id = self.POST[u"oauth_consumer_key"] @@ -64,6 +77,14 @@ class GMGRequestValidator(RequestValidator): def validate_timestamp_and_nonce(self, client_key, timestamp, nonce, request, request_token=None, access_token=None): + # RFC5849 (OAuth 1.0) section 3.3 says the timestamp is going + # to be seconds after the epoch, we need to convert for postgres + try: + timestamp = datetime.datetime.fromtimestamp(float(timestamp)) + except ValueError: + # Well, the client must have passed up something ridiculous + return False + nc = NonceTimestamp.query.filter_by(timestamp=timestamp, nonce=nonce) nc = nc.first() if nc is None: |