Diffstat (limited to 'mediagoblin/oauth/oauth.py')
-rw-r--r-- | mediagoblin/oauth/oauth.py | 55 |
1 files changed, 42 insertions, 13 deletions
diff --git a/mediagoblin/oauth/oauth.py b/mediagoblin/oauth/oauth.py
index c7951734..f6a1bf4b 100644
--- a/mediagoblin/oauth/oauth.py
+++ b/mediagoblin/oauth/oauth.py
@@ -18,6 +18,7 @@
 import datetime
 from oauthlib.common import Request
 from oauthlib.oauth1 import RequestValidator
+from mediagoblin import oauth
 from mediagoblin.db.models import NonceTimestamp, Client, RequestToken, AccessToken
 class GMGRequestValidator(RequestValidator):
@@ -45,9 +46,9 @@ class GMGRequestValidator(RequestValidator):
 client_id = self.POST[u"oauth_consumer_key"]
 request_token = RequestToken(
- token=token["oauth_token"],
- secret=token["oauth_token_secret"],
- )
+ token=token["oauth_token"],
+ secret=token["oauth_token_secret"],
+ )
 request_token.client = client_id
 if u"oauth_callback" in self.POST:
 request_token.callback = self.POST[u"oauth_callback"]
@@ -62,12 +63,12 @@ class GMGRequestValidator(RequestValidator):
 def save_access_token(self, token, request):
 """ Saves access token in db """
 access_token = AccessToken(
- token=token["oauth_token"],
- secret=token["oauth_token_secret"],
+ token=token["oauth_token"],
+ secret=token["oauth_token_secret"],
 )
 access_token.request_token = request.oauth_token
 request_token = RequestToken.query.filter_by(token=request.oauth_token).first()
- access_token.user = request_token.user
+ access_token.actor = request_token.actor
 access_token.save()
 def get_realms(*args, **kwargs):
@@ -94,7 +95,8 @@ class GMGRequestValidator(RequestValidator):
 def validate_client_key(self, client_key, request):
 """ Verifies client exists with id of client_key """
- client = Client.query.filter_by(id=client_key).first()
+ client_query = Client.query.filter(Client.id != oauth.DUMMY_CLIENT_ID)
+ client = client_query.filter_by(id=client_key).first()
 if client is None:
 return False
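Review bot: The docstring of `validate_client_key` still reads `""" Verifies client exists with id of client_key """` although the new `Client.id != oauth.DUMMY_CLIENT_ID` filter means the dummy client is now deliberately rejected; `""" Verifies a real (non-dummy) client exists with id of client_key """` states the new contract. The same exclude-the-dummy-then-`filter_by` pattern is repeated in `validate_access_token` in the next hunk, so a small private helper returning `Client.query.filter(Client.id != oauth.DUMMY_CLIENT_ID)` would keep the two lookups from drifting apart. The body of `validate_client_key` continues past the end of this hunk.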
@@ -102,15 +104,30 @@ class GMGRequestValidator(RequestValidator):
 def validate_access_token(self, client_key, token, request):
 """ Verifies token exists for client with id of client_key """
- client = Client.query.filter_by(id=client_key).first()
- token = AccessToken.query.filter_by(token=token)
- token = token.first()
+ # Get the client for the request
+ client_query = Client.query.filter(Client.id != oauth.DUMMY_CLIENT_ID)
+ client = client_query.filter_by(id=client_key).first()
+
+ # If the client is invalid then it's invalid
+ if client is None:
+ return False
- if token is None:
+ # Look up the AccessToken
+ access_token_query = AccessToken.query.filter(
+ AccessToken.token != oauth.DUMMY_ACCESS_TOKEN
+ )
+ access_token = access_token_query.filter_by(token=token).first()
+
+ # If there isn't one - we can't validate.
+ if access_token is None:
 return False
- request_token = RequestToken.query.filter_by(token=token.request_token)
- request_token = request_token.first()
+ # Check that the client matches the on
+ request_token_query = RequestToken.query.filter(
+ RequestToken.token != oauth.DUMMY_REQUEST_TOKEN,
+ RequestToken.token == access_token.request_token
+ )
+ request_token = request_token_query.first()
 if client.id != request_token.client:
 return False
@@ -131,6 +148,18 @@ class GMGRequestValidator(RequestValidator):
 access_token = AccessToken.query.filter_by(token=token).first()
 return access_token.secret
+ @property
+ def dummy_client(self):
+ return oauth.DUMMY_CLIENT_ID
+
+ @property
+ def dummy_request_token(self):
+ return oauth.DUMMY_REQUEST_TOKEN
+
+ @property
+ def dummy_access_token(self):
+ return oauth.DUMMY_ACCESS_TOKEN
+
 class GMGRequest(Request):
 """ Fills in data to produce a oauth.common.Request object from a |
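Review bot: `request_token = request_token_query.first()` can return None — the request token that minted this access token may have been deleted, or it is excluded by the new `RequestToken.token != oauth.DUMMY_REQUEST_TOKEN` filter — and the unchanged line `if client.id != request_token.client:` then raises AttributeError, turning a failed token check into a server error instead of a clean rejection; add `if request_token is None: return False` before that comparison. The comment `# Check that the client matches the on` is cut off; `# Check that the request token behind this access token belongs to the client` reads complete. The body of `validate_access_token` continues past the end of this hunk.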
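Review bot: The three new `dummy_*` properties have no docstring explaining their role: oauthlib's RequestValidator substitutes these values whenever `validate_client_key` / `validate_access_token` returns False and then still calls the secret getters with them, so each dummy id must either exist as a row or be handled by those getters. The context lines just above (`access_token = AccessToken.query.filter_by(token=token).first()` followed by `return access_token.secret`) would raise AttributeError if no row exists for `oauth.DUMMY_ACCESS_TOKEN`; this diff does not show whether the dummy rows are created elsewhere, so that is worth confirming. A one-line docstring on each property, e.g. `"""Sentinel client id oauthlib uses for unknown clients; never accepted by validate_client_key."""`, would make the contract visible to the next maintainer.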