get rid of callback nonce

darcs-hash:20080602201707-84dde-400855b57fcf01e597494143cc78092351043b91.gz

actions/finishremotesubscribe.php

@@ -33,14 +33,7 @@ class FinishremotesubscribeAction extends Action {
 		    return;
 		}
 		
-		$nonce = $this->trimmed('nonce');
-		
-		if (!$omb) {
-			common_user_error(_t('No nonce returned!'));
-			return;
-		}
-		
-		$omb = $_SESSION[$nonce];
+		$omb = $_SESSION['oauth_authorization_request'];
 		
 		if (!$omb) {
 			common_user_error(_t('Not expecting this response!'));
@@ -173,7 +166,7 @@ class FinishremotesubscribeAction extends Action {
 		}
 
 		# Clear the data
-		unset($_SESSION[$nonce]);
+		unset($_SESSION['oauth_authorization_request']);
 		
 		# If we show subscriptions in reverse chron order, this should
 		# show up close to the top of the page
@@ -187,7 +180,7 @@ class FinishremotesubscribeAction extends Action {
 		$con = omb_oauth_consumer();
 		$tok = new OAuthToken($omb['token'], $omb['secret']);
 
-		$url = $omb[OAUTH_ENDPOINT_ACCESS][0];
+		$url = omb_service_uri($omb[OAUTH_ENDPOINT_ACCESS]);
 		
 		# XXX: Is this the right thing to do? Strip off GET params and make them
 		# POST params? Seems wrong to me.

actions/remotesubscribe.php

@@ -336,10 +336,9 @@ class RemotesubscribeAction extends Action {
 			$req->set_parameter('omb_listenee_avatar', $avatar->url);
 		}
 
-		$nonce = $this->make_nonce();
+		# XXX: add a nonce to prevent replay attacks
 		
-		$req->set_parameter('oauth_callback', common_local_url('finishremotesubscribe',
-															   array('nonce' => $nonce)));
+		$req->set_parameter('oauth_callback', common_local_url('finishremotesubscribe'));
 
 		# XXX: test to see if endpoint accepts this signature method
 
@@ -351,7 +350,7 @@ class RemotesubscribeAction extends Action {
 		$omb['token'] = $token;
 		$omb['secret'] = $secret;
 
-		$_SESSION[$nonce] = $omb;
+		$_SESSION['oauth_authorization_request'] = $omb;
 
 		# Redirect to authorization service