From cfe7054c13880657fdcb95068a734554ff847cea Mon Sep 17 00:00:00 2001
From: xray7224
Date: Sun, 14 Jul 2013 16:24:04 +0100
Subject: Using nonce now, preventing OAuth replay attacks

---
 mediagoblin/federation/oauth.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'mediagoblin/federation/oauth.py')

diff --git a/mediagoblin/federation/oauth.py b/mediagoblin/federation/oauth.py
index 846b0794..ea0fea2c 100644
--- a/mediagoblin/federation/oauth.py
+++ b/mediagoblin/federation/oauth.py
@@ -18,7 +18,7 @@ from oauthlib.common import Request
 from oauthlib.oauth1 import (AuthorizationEndpoint, RequestValidator, RequestTokenEndpoint, AccessTokenEndpoint)
-from mediagoblin.db.models import Client, RequestToken, AccessToken
+from mediagoblin.db.models import NonceTimestamp, Client, RequestToken, AccessToken
@@ -65,7 +65,12 @@ class GMGRequestValidator(RequestValidator):
     def validate_timestamp_and_nonce(self, client_key, timestamp, nonce, request, request_token=None, access_token=None):
-        return True # TODO!!! - SECURITY RISK IF NOT DONE
+        nc = NonceTimestamp.query.filter_by(timestamp=timestamp, nonce=nonce)
+        nc = nc.first()
+        if nc is None:
+            return True
+
+        return False
     def validate_client_key(self, client_key, request):
         """ Verifies client exists with id of client_key """
-- 
cgit v1.2.3
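Review bot: The new validate_timestamp_and_nonce body only reads from NonceTimestamp and never writes to it, so unless some caller outside this hunk persists the (timestamp, nonce) pair after a successful check, every nonce is found absent and the replay protection the commit title promises is not actually in effect. The `if nc is None: return True` branch is where the pair should be recorded before returning, for example `NonceTimestamp(nonce=nonce, timestamp=timestamp).save()` (or whatever persistence idiom the models in this file use), and inverting the condition to `if nc is not None: return False` first keeps the write on the success path only. The lookup also ignores client_key, so two clients that happen to reuse the same nonce/timestamp pair will collide; the OAuth 1.0 uniqueness requirement is per client (and token), and including `client_key` in the stored row and the filter would avoid spurious rejections. Finally, nothing here bounds timestamp age, which means the nonce table can grow without limit and stale entries can never be pruned; oauthlib's endpoints appear to enforce a timestamp window via the validator's `timestamp_lifetime` before this hook is called, but that is worth confirming, and a comment stating that assumption would help. The method's signature line continues outside the visible hunk.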