4 files changed, 122 insertions, 47 deletions

diff --git a/mediagoblin/oauth/__init__.py b/mediagoblin/oauth/__init__.py
index 719b56e7..6dfafea2 100644
--- a/mediagoblin/oauth/__init__.py
+++ b/mediagoblin/oauth/__init__.py
@@ -14,3 +14,9 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+# This represents a dummy ID for the Client, RequestToken and AccessToken
+# WARNING: Do not change these without providing a data migration to migrate
+#          existing dummy clients already in the database.
+DUMMY_CLIENT_ID = "dummy-client"
+DUMMY_ACCESS_TOKEN = "dummy-access-token"
+DUMMY_REQUEST_TOKEN = "dummy-request-token"
diff --git a/mediagoblin/oauth/oauth.py b/mediagoblin/oauth/oauth.py
index 8229c47d..cdd8c842 100644
--- a/mediagoblin/oauth/oauth.py
+++ b/mediagoblin/oauth/oauth.py
@@ -13,14 +13,14 @@
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import datetime
 
 from oauthlib.common import Request
-from oauthlib.oauth1 import RequestValidator 
+from oauthlib.oauth1 import RequestValidator
 
+from mediagoblin import oauth
 from mediagoblin.db.models import NonceTimestamp, Client, RequestToken, AccessToken
 
-
-
 class GMGRequestValidator(RequestValidator):
 
     enforce_ssl = False
@@ -29,14 +29,26 @@ class GMGRequestValidator(RequestValidator):
         self.POST = data
         super(GMGRequestValidator, self).__init__(*args, **kwargs)
 
+    def check_nonce(self, nonce):
+        """
+        This checks that the nonce given is a valid nonce
+
+        RequestValidator.check_nonce checks that it's between a maximum and
+        minimum length which, not only does pump.io not do this from what
+        I can see but there is nothing in rfc5849 which suggests a maximum or
+        minium length should be required so I'm removing that check
+        """
+        # Check the nonce only contains a subset of the safe characters.
+        return set(nonce) <= self.safe_characters
+
     def save_request_token(self, token, request):
         """ Saves request token in db """
         client_id = self.POST[u"oauth_consumer_key"]
 
         request_token = RequestToken(
-                token=token["oauth_token"],
-                secret=token["oauth_token_secret"],
-                )
+            token=token["oauth_token"],
+            secret=token["oauth_token_secret"],
+        )
         request_token.client = client_id
         if u"oauth_callback" in self.POST:
             request_token.callback = self.POST[u"oauth_callback"]
@@ -51,47 +63,82 @@ class GMGRequestValidator(RequestValidator):
     def save_access_token(self, token, request):
         """ Saves access token in db """
         access_token = AccessToken(
-                token=token["oauth_token"],
-                secret=token["oauth_token_secret"],
+            token=token["oauth_token"],
+            secret=token["oauth_token_secret"],
         )
         access_token.request_token = request.oauth_token
         request_token = RequestToken.query.filter_by(token=request.oauth_token).first()
-        access_token.user = request_token.user
+        access_token.actor = request_token.actor
         access_token.save()
 
     def get_realms(*args, **kwargs):
         """ Currently a stub - called when making AccessTokens """
         return list()
 
-    def validate_timestamp_and_nonce(self, client_key, timestamp, 
-                                     nonce, request, request_token=None, 
+    def validate_timestamp_and_nonce(self, client_key, timestamp,
+                                     nonce, request, request_token=None,
                                      access_token=None):
+        # RFC5849 (OAuth 1.0) section 3.3 says the timestamp is going
+        # to be seconds after the epoch, we need to convert for postgres
+        try:
+            timestamp = datetime.datetime.fromtimestamp(float(timestamp))
+        except ValueError:
+            # Well, the client must have passed up something ridiculous
+            return False
+
         nc = NonceTimestamp.query.filter_by(timestamp=timestamp, nonce=nonce)
         nc = nc.first()
         if nc is None:
             return True
-        
+
         return False
 
     def validate_client_key(self, client_key, request):
         """ Verifies client exists with id of client_key """
-        client = Client.query.filter_by(id=client_key).first()
+        client_query = Client.query.filter(Client.id != oauth.DUMMY_CLIENT_ID)
+        client = client_query.filter_by(id=client_key).first()
         if client is None:
             return False
-        
+
+        return True
+
+    def validate_verifier(self, token, verifier):
+        """ Verifies the verifier token is correct. """
+        request_token = RequestToken.query.filter_by(token=token).first()
+        if request_token is None:
+            return False
+
+        if request_token.verifier != verifier:
+            return False
+
         return True
 
     def validate_access_token(self, client_key, token, request):
         """ Verifies token exists for client with id of client_key """
-        client = Client.query.filter_by(id=client_key).first()
-        token = AccessToken.query.filter_by(token=token)
-        token = token.first()
+        # Get the client for the request
+        client_query = Client.query.filter(Client.id != oauth.DUMMY_CLIENT_ID)
+        client = client_query.filter_by(id=client_key).first()
 
-        if token is None:
+        # If the client is invalid then it's invalid
+        if client is None:
             return False
 
-        request_token = RequestToken.query.filter_by(token=token.request_token)
-        request_token = request_token.first()
+        # Look up the AccessToken
+        access_token_query = AccessToken.query.filter(
+            AccessToken.token != oauth.DUMMY_ACCESS_TOKEN
+        )
+        access_token = access_token_query.filter_by(token=token).first()
+
+        # If there isn't one - we can't validate.
+        if access_token is None:
+            return False
+
+        # Check that the client matches the on
+        request_token_query = RequestToken.query.filter(
+            RequestToken.token != oauth.DUMMY_REQUEST_TOKEN,
+            RequestToken.token == access_token.request_token
+        )
+        request_token = request_token_query.first()
 
         if client.id != request_token.client:
             return False
@@ -112,6 +159,18 @@ class GMGRequestValidator(RequestValidator):
         access_token = AccessToken.query.filter_by(token=token).first()
         return access_token.secret
 
+    @property
+    def dummy_client(self):
+        return oauth.DUMMY_CLIENT_ID
+
+    @property
+    def dummy_request_token(self):
+        return oauth.DUMMY_REQUEST_TOKEN
+
+    @property
+    def dummy_access_token(self):
+        return oauth.DUMMY_ACCESS_TOKEN
+
 class GMGRequest(Request):
     """
         Fills in data to produce a oauth.common.Request object from a
@@ -119,14 +178,14 @@ class GMGRequest(Request):
     """
 
     def __init__(self, request, *args, **kwargs):
-        """ 
+        """
             :param request: werkzeug request object
-            
+
             any extra params are passed to oauthlib.common.Request object
         """
         kwargs["uri"] = kwargs.get("uri", request.url)
         kwargs["http_method"] = kwargs.get("http_method", request.method)
-        kwargs["body"] = kwargs.get("body", request.get_data())
+        kwargs["body"] = kwargs.get("body", request.data)
         kwargs["headers"] = kwargs.get("headers", dict(request.headers))
 
         super(GMGRequest, self).__init__(*args, **kwargs)
diff --git a/mediagoblin/oauth/routing.py b/mediagoblin/oauth/routing.py
index e45077bb..7f2aa11d 100644
--- a/mediagoblin/oauth/routing.py
+++ b/mediagoblin/oauth/routing.py
@@ -18,25 +18,25 @@ from mediagoblin.tools.routing import add_route
 
 # client registration & oauth
 add_route(
-        "mediagoblin.oauth",
+        "mediagoblin.oauth.client_register",
         "/api/client/register",
         "mediagoblin.oauth.views:client_register"
         )
 
 add_route(
-        "mediagoblin.oauth",
+        "mediagoblin.oauth.request_token",
         "/oauth/request_token",
         "mediagoblin.oauth.views:request_token"
         )
 
 add_route(
-        "mediagoblin.oauth",
+        "mediagoblin.oauth.authorize",
         "/oauth/authorize",
         "mediagoblin.oauth.views:authorize",
         )
 
 add_route(
-        "mediagoblin.oauth",
+        "mediagoblin.oauth.access_token",
         "/oauth/access_token",
         "mediagoblin.oauth.views:access_token"
         )
diff --git a/mediagoblin/oauth/views.py b/mediagoblin/oauth/views.py
index f424576b..ef91eb91 100644
--- a/mediagoblin/oauth/views.py
+++ b/mediagoblin/oauth/views.py
@@ -15,8 +15,11 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import datetime
-import string
+import urllib
 
+import six
+
+from oauthlib.oauth1.rfc5849.utils import UNICODE_ASCII_CHARACTER_SET
 from oauthlib.oauth1 import (RequestTokenEndpoint, AuthorizationEndpoint,
                              AccessTokenEndpoint)
 
@@ -37,8 +40,6 @@ from mediagoblin.db.models import NonceTimestamp, Client, RequestToken
 
 # possible client types
 CLIENT_TYPES = ["web", "native"] # currently what pump supports
-OAUTH_ALPHABET = (string.ascii_letters.decode('ascii') +
-    string.digits.decode('ascii'))
 
 @csrf_exempt
 def client_register(request):
@@ -107,8 +108,8 @@ def client_register(request):
             return json_response({"error": error}, status=400)
 
         # generate the client_id and client_secret
-        client_id = random_string(22, OAUTH_ALPHABET)
-        client_secret = random_string(43, OAUTH_ALPHABET)
+        client_id = random_string(22, UNICODE_ASCII_CHARACTER_SET)
+        client_secret = random_string(43, UNICODE_ASCII_CHARACTER_SET)
         expirey = 0 # for now, lets not have it expire
         expirey_db = None if expirey == 0 else expirey
         application_type = data["application_type"]
@@ -125,21 +126,21 @@ def client_register(request):
         error = "Invalid registration type"
         return json_response({"error": error}, status=400)
 
-    logo_url = data.get("logo_url", client.logo_url)
-    if logo_url is not None and not validate_url(logo_url):
-        error = "Logo URL {0} is not a valid URL.".format(logo_url)
+    logo_uri = data.get("logo_uri", client.logo_url)
+    if logo_uri is not None and not validate_url(logo_uri):
+        error = "Logo URI {0} is not a valid URI.".format(logo_uri)
         return json_response(
                 {"error": error},
                 status=400
                 )
     else:
-        client.logo_url = logo_url
+        client.logo_url = logo_uri
 
     client.application_name = data.get("application_name", None)
 
     contacts = data.get("contacts", None)
     if contacts is not None:
-        if type(contacts) is not unicode:
+        if not isinstance(contacts, six.text_type):
             error = "Contacts must be a string of space-seporated email addresses."
             return json_response({"error": error}, status=400)
 
@@ -155,7 +156,7 @@ def client_register(request):
 
     redirect_uris = data.get("redirect_uris", None)
     if redirect_uris is not None:
-        if type(redirect_uris) is not unicode:
+        if not isinstance(redirect_uris, six.text_type):
             error = "redirect_uris must be space-seporated URLs."
             return json_response({"error": error}, status=400)
 
@@ -190,10 +191,6 @@ def request_token(request):
         error = "Could not decode data."
         return json_response({"error": error}, status=400)
 
-    if data == "":
-        error = "Unknown Content-Type"
-        return json_response({"error": error}, status=400)
-
     if not data and request.headers:
         data = request.headers
 
@@ -214,7 +211,7 @@ def request_token(request):
         error = "Invalid client_id"
         return json_response({"error": error}, status=400)
 
-   # make request token and return to client
+    # make request token and return to client
     request_validator = GMGRequestValidator(authorization)
     rv = RequestTokenEndpoint(request_validator)
     tokens = rv.create_request_token(request, authorization)
@@ -252,12 +249,13 @@ def authorize(request):
 
     if oauth_request.verifier is None:
         orequest = GMGRequest(request)
+        orequest.resource_owner_key = token
         request_validator = GMGRequestValidator()
         auth_endpoint = AuthorizationEndpoint(request_validator)
         verifier = auth_endpoint.create_verifier(orequest, {})
         oauth_request.verifier = verifier["oauth_verifier"]
 
-    oauth_request.user = request.user.id
+    oauth_request.actor = request.user.id
     oauth_request.save()
 
     # find client & build context
@@ -316,10 +314,13 @@ def authorize_finish(request):
             oauth_request.verifier
             )
 
+    # It's come from the OAuth headers so it'll be encoded.
+    redirect_url = urllib.unquote(oauth_request.callback)
+
     return redirect(
             request,
             querystring=querystring,
-            location=oauth_request.callback
+            location=redirect_url
             )
 
 @csrf_exempt
@@ -333,10 +334,19 @@ def access_token(request):
         error = "Missing required parameter."
         return json_response({"error": error}, status=400)
 
-
+    request.resource_owner_key = parsed_tokens["oauth_consumer_key"]
     request.oauth_token = parsed_tokens["oauth_token"]
     request_validator = GMGRequestValidator(data)
+
+    # Check that the verifier is valid
+    verifier_valid = request_validator.validate_verifier(
+        token=request.oauth_token,
+        verifier=parsed_tokens["oauth_verifier"]
+    )
+    if not verifier_valid:
+        error = "Verifier code or token incorrect"
+        return json_response({"error": error}, status=401)
+
     av = AccessTokenEndpoint(request_validator)
     tokens = av.create_access_token(request, {})
     return form_response(tokens)
-