get rid of callback nonce

darcs-hash:20080602201707-84dde-400855b57fcf01e597494143cc78092351043b91.gz
This commit is contained in:
Evan Prodromou 2008-06-02 16:17:07 -04:00
parent 7b24d101c0
commit e103c8b6ea
2 changed files with 7 additions and 15 deletions

View File

@ -33,14 +33,7 @@ class FinishremotesubscribeAction extends Action {
return;
}
$nonce = $this->trimmed('nonce');
if (!$omb) {
common_user_error(_t('No nonce returned!'));
return;
}
$omb = $_SESSION[$nonce];
$omb = $_SESSION['oauth_authorization_request'];
if (!$omb) {
common_user_error(_t('Not expecting this response!'));
@ -173,7 +166,7 @@ class FinishremotesubscribeAction extends Action {
}
# Clear the data
unset($_SESSION[$nonce]);
unset($_SESSION['oauth_authorization_request']);
# If we show subscriptions in reverse chron order, this should
# show up close to the top of the page
@ -187,7 +180,7 @@ class FinishremotesubscribeAction extends Action {
$con = omb_oauth_consumer();
$tok = new OAuthToken($omb['token'], $omb['secret']);
$url = $omb[OAUTH_ENDPOINT_ACCESS][0];
$url = omb_service_uri($omb[OAUTH_ENDPOINT_ACCESS]);
# XXX: Is this the right thing to do? Strip off GET params and make them
# POST params? Seems wrong to me.

View File

@ -336,10 +336,9 @@ class RemotesubscribeAction extends Action {
$req->set_parameter('omb_listenee_avatar', $avatar->url);
}
$nonce = $this->make_nonce();
$req->set_parameter('oauth_callback', common_local_url('finishremotesubscribe',
array('nonce' => $nonce)));
# XXX: add a nonce to prevent replay attacks
$req->set_parameter('oauth_callback', common_local_url('finishremotesubscribe'));
# XXX: test to see if endpoint accepts this signature method
@ -351,7 +350,7 @@ class RemotesubscribeAction extends Action {
$omb['token'] = $token;
$omb['secret'] = $secret;
$_SESSION[$nonce] = $omb;
$_SESSION['oauth_authorization_request'] = $omb;
# Redirect to authorization service