Diffstat (limited to 'mediagoblin/oauth')
-rw-r--r--mediagoblin/oauth/oauth.py21
-rw-r--r--mediagoblin/oauth/views.py25
2 files changed, 34 insertions, 12 deletions
diff --git a/mediagoblin/oauth/oauth.py b/mediagoblin/oauth/oauth.py
index 8a60392c..c7951734 100644
--- a/mediagoblin/oauth/oauth.py
+++ b/mediagoblin/oauth/oauth.py
@@ -13,6 +13,7 @@
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import datetime
from oauthlib.common import Request
from oauthlib.oauth1 import RequestValidator
@@ -27,6 +28,18 @@ class GMGRequestValidator(RequestValidator):
self.POST = data
super(GMGRequestValidator, self).__init__(*args, **kwargs)
+ def check_nonce(self, nonce):
+ """
+ This checks that the nonce given is a valid nonce
+
+ RequestValidator.check_nonce checks that it's between a maximum and
+ minimum length which, not only does pump.io not do this from what
+ I can see but there is nothing in rfc5849 which suggests a maximum or
+ minium length should be required so I'm removing that check
+ """
+ # Check the nonce only contains a subset of the safe characters.
+ return set(nonce) <= self.safe_characters
+
def save_request_token(self, token, request):
""" Saves request token in db """
client_id = self.POST[u"oauth_consumer_key"]
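Review bot: `set(nonce) <= self.safe_characters` on the last added line accepts an empty nonce, because the empty set is a subset of any set, and dropping the base class's length check leaves nothing else in this method rejecting it. RFC 5849 section 3.3 defines the nonce as a unique random string per timestamp, so with an empty nonce the replay protection built on the (timestamp, nonce) pair in validate_timestamp_and_nonce degrades to the timestamp alone. Keeping the character-set check while requiring at least one character, `return bool(nonce) and set(nonce) <= self.safe_characters`, preserves the stated intent of not imposing a maximum. The docstring could also be tightened ("minium" → "minimum") since it documents a security decision.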
@@ -64,6 +77,14 @@ class GMGRequestValidator(RequestValidator):
def validate_timestamp_and_nonce(self, client_key, timestamp,
nonce, request, request_token=None,
access_token=None):
+ # RFC5849 (OAuth 1.0) section 3.3 says the timestamp is going
+ # to be seconds after the epoch, we need to convert for postgres
+ try:
+ timestamp = datetime.datetime.fromtimestamp(float(timestamp))
+ except ValueError:
+ # Well, the client must have passed up something ridiculous
+ return False
+
nc = NonceTimestamp.query.filter_by(timestamp=timestamp, nonce=nonce)
nc = nc.first()
if nc is None:
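Review bot: `except ValueError` around the added conversion is too narrow: `datetime.datetime.fromtimestamp(float(timestamp))` raises OverflowError for inputs like `"inf"` or `"1e300"` and, on some platforms, OSError for finite but out-of-range values, so a client-supplied timestamp can still surface as an unhandled exception instead of the intended `return False`; `except (ValueError, OverflowError, OSError):` covers these. `fromtimestamp` also yields a naive local-time datetime, so the value compared and stored depends on the server's timezone — if the NonceTimestamp column is meant to be UTC, `datetime.datetime.utcfromtimestamp` would be the consistent choice (confirm against the model). Nothing in this hunk rejects stale timestamps, which RFC 5849 section 3.3 lets the server do; the rest of the function is outside the hunk, so that may already be handled below.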
diff --git a/mediagoblin/oauth/views.py b/mediagoblin/oauth/views.py
index 90ad5bbf..1b4787d6 100644
--- a/mediagoblin/oauth/views.py
+++ b/mediagoblin/oauth/views.py
@@ -15,7 +15,9 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import datetime
-import string
+import urllib
+
+import six
from oauthlib.oauth1.rfc5849.utils import UNICODE_ASCII_CHARACTER_SET
from oauthlib.oauth1 import (RequestTokenEndpoint, AuthorizationEndpoint,
@@ -124,21 +126,21 @@ def client_register(request):
error = "Invalid registration type"
return json_response({"error": error}, status=400)
- logo_url = data.get("logo_url", client.logo_url)
- if logo_url is not None and not validate_url(logo_url):
- error = "Logo URL {0} is not a valid URL.".format(logo_url)
+ logo_uri = data.get("logo_uri", client.logo_url)
+ if logo_uri is not None and not validate_url(logo_uri):
+ error = "Logo URI {0} is not a valid URI.".format(logo_uri)
return json_response(
{"error": error},
status=400
)
else:
- client.logo_url = logo_url
+ client.logo_url = logo_uri
client.application_name = data.get("application_name", None)
contacts = data.get("contacts", None)
if contacts is not None:
- if type(contacts) is not unicode:
+ if not isinstance(contacts, six.text_type):
error = "Contacts must be a string of space-seporated email addresses."
return json_response({"error": error}, status=400)
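Review bot: Switching the accepted key from `logo_url` to `logo_uri` at the first changed line silently drops support for clients still sending `logo_url` — their value is ignored and the existing `client.logo_url` is kept with no error returned. If the rename follows an external spec (presumably pump.io's registration format), accepting the old key as a fallback keeps already-registered clients working: `logo_uri = data.get("logo_uri", data.get("logo_url", client.logo_url))`. The same `isinstance(..., six.text_type)` replacement is applied in the next hunk of this file and needs no further change.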
@@ -154,7 +156,7 @@ def client_register(request):
redirect_uris = data.get("redirect_uris", None)
if redirect_uris is not None:
- if type(redirect_uris) is not unicode:
+ if not isinstance(redirect_uris, six.text_type):
error = "redirect_uris must be space-seporated URLs."
return json_response({"error": error}, status=400)
@@ -189,10 +191,6 @@ def request_token(request):
error = "Could not decode data."
return json_response({"error": error}, status=400)
- if data == "":
- error = "Unknown Content-Type"
- return json_response({"error": error}, status=400)
-
if not data and request.headers:
data = request.headers
@@ -316,10 +314,13 @@ def authorize_finish(request):
oauth_request.verifier
)
+ # It's come from the OAuth headers so it'll be encoded.
+ redirect_url = urllib.unquote(oauth_request.callback)
+
return redirect(
request,
querystring=querystring,
- location=oauth_request.callback
+ location=redirect_url
)
@csrf_exempt
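Review bot: `urllib.unquote(oauth_request.callback)` on the added line is Python-2-only — `urllib.unquote` does not exist on Python 3, so there the branch raises AttributeError, which is at odds with the `six` import this same commit adds to views.py; `six.moves.urllib.parse.unquote` gives the same call on both interpreters. If oauthlib already percent-decodes Authorization-header parameters when it builds `oauth_request`, this is a second decode that would corrupt a callback whose own query string carries percent-encoded values, so the comment's assumption is worth confirming against oauthlib's header parsing. The decoded value is then passed straight to `redirect()` as `location`; presumably the callback was checked against the client's registered redirect_uris when the request token was issued (not visible here) — if not, that check belongs before the redirect, since an unchecked callback is an open redirect. The enclosing authorize_finish starts outside the hunk.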