<?xml version="1.0" encoding="UTF-8"?>
<commit>
  <added type="array"/>
  <modified type="array">
    <modified>
      <diff>@@ -1 +1,7 @@
-I am a sample OAuth provider built against a vanilla Rails 2.0.x app that does not use acts_as_authenticated.  It merely shows how your application could be OAuth-enabled and does not validate tokens or do anything particularly fancy with them.
+I am a sample OAuth provider built against a vanilla Rails 2.0.x app that does
+not use acts_as_authenticated. It merely shows how your application could be
+OAuth-enabled and does not validate tokens or do anything particularly fancy
+with them.
+
+Note: this is effectively pseudo-code, so don't expect it to work out of the
+box.</diff>
      <filename>README</filename>
    </modified>
    <modified>
      <diff>@@ -21,14 +21,19 @@ protected
     @oauth_consumer
   end
 
+  def oauth_request_proxy
+    @oauth_request_proxy
+  end
+
   def oauth_token
     @oauth_token
   end
 
   # verifies a request token request
   def verify_oauth_consumer_signature
-    valid = OAuth::Signature.verify(request) do |token, consumer_key|
-      @oauth_consumer = OauthConsumer.find_by_key(consumer_key)
+    valid = OAuth::Signature.verify(request) do |request_proxy|
+      @request_proxy = request_proxy
+      @oauth_consumer = OauthConsumer.find_by_key(request_proxy.oauth_consumer_key)
 
       # return the token secret and the consumer secret
       [nil, oauth_consumer.secret]
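Review bot: The new accessor `oauth_request_proxy` reads `@oauth_request_proxy`, but the block in `verify_oauth_consumer_signature` assigns `@request_proxy`, so the accessor returns nil after verification. The block in `verify_oauth_signature` in the second hunk makes the same assignment. Callers that dereference the accessor, such as `oauth_request_proxy.oauth_verifier` and `oauth_request_proxy.oauth_callback` in the controller, would raise NoMethodError instead of checking anything. The assignment should be `@oauth_request_proxy = request_proxy` in both blocks. The body of `verify_oauth_consumer_signature` continues outside the hunk.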
@@ -52,8 +57,9 @@ private
 
   # Implement this for your own application using app-specific models
   def verify_oauth_signature
-    valid = OAuth::Signature.verify(request) do |token|
-      @oauth_token = OauthToken.find_by_token(token, :include =&gt; :consumer)
+    valid = OAuth::Signature.verify(request) do |request_proxy|
+      @request_proxy = request_proxy
+      @oauth_token = OauthToken.find_by_token(request_proxy.oauth_token, :include =&gt; :consumer)
       @oauth_consumer = @oauth_token.consumer
 
       # return the token secret and the consumer secret</diff>
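Review bot: `OauthToken.find_by_token` returns nil for a token value that is not in the table, and the next line calls `@oauth_token.consumer` on the result. An unknown or already-destroyed token would therefore surface as a NoMethodError rather than a rejected request, unless a rescue outside the hunk handles it. A guard before the dereference would make the failure explicit, for example `return render(:text => "invalid token", :status => 401) unless @oauth_token`. The rest of `verify_oauth_signature` is outside the hunk, so the exact rejection path should match what follows there.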
      <filename>app/controllers/application.rb</filename>
    </modified>
    <modified>
      <diff>@@ -1,32 +1,49 @@
 class OauthController &lt; ApplicationController
   before_filter :verify_oauth_consumer_signature, :only =&gt; :request_token
   before_filter :verify_oauth_request_token,      :only =&gt; :access_token
-  
+
   def access_token
     # TODO this does a straight token exchange
     # in a real application, you'd want to ensure that the request token has been authorized
-    
+
     consumer = oauth_token.consumer
-    
+
+    # check the verifier
+    raise Exception if oauth_token.verifier != oauth_request_proxy.oauth_verifier
+
     # destroy the existing request token
     oauth_token.destroy
-    
+
     # create a new access token
     # this is where an existing access token for an app would be loaded in order to share it between devices
     token = consumer.access_tokens.create!
-      
+
     render :text =&gt; &quot;oauth_token=#{token.token}&amp;oauth_token_secret=#{token.secret}&quot;
   end
-  
+
   def authorize
     # TODO implement me
+
+    token = OauthRequestToken.find_by_token(params[:oauth_token])
+
+    return unless request.post?
+
+    # generate a random 16-character string
+    chars = (&quot;0&quot;..&quot;9&quot;).to_a + (&quot;a&quot;..&quot;z&quot;).to_a
+    s = &quot;&quot;
+    16.times { s &lt;&lt; chars[rand(36)] }
+
+    token.update_attributes(:validated =&gt; true, :verifier =&gt; s)
+
+    # Note: this doesn't work for callbacks that already contain ?'s
+    redirect_to token.callback_url + &quot;?oauth_verifier=#{s}&quot;
   end
-  
+
   def request_token
     consumer = OauthConsumer.find(:first)
-    
-    token = consumer.request_tokens.create!
-    
-    render :text =&gt; &quot;oauth_token=#{token.token}&amp;oauth_token_secret=#{token.secret}&quot;
+
+    token = consumer.request_tokens.create!(:callback_url =&gt; oauth_request_proxy.oauth_callback)
+
+    render :text =&gt; &quot;oauth_token=#{token.token}&amp;oauth_token_secret=#{token.secret}&amp;oauth_callback_confirmed=true&quot;
   end
 end</diff>
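Review bot: The verifier check in `access_token` passes when both sides are nil: a request token that never went through `authorize` has no stored verifier, and a request that omits `oauth_verifier` presumably yields nil from the proxy, so an unapproved token could still be exchanged. The `validated` flag written in `authorize` is never read, and `raise Exception` is not a StandardError, so a mismatch would presumably surface as a server error rather than a 401. In `authorize`, the verifier is built with `rand(36)`, which is not a cryptographically secure generator; `SecureRandom` from the standard library (`securerandom`, if the target Ruby ships it) is the appropriate source. `authorize` also calls `update_attributes` on the result of `find_by_token` without a nil check.

```ruby
def access_token
  # … unchanged: TODO comment, consumer lookup …

  # reject tokens that were never authorized, and a missing or wrong verifier
  unless oauth_token.validated && !oauth_token.verifier.blank? &&
         oauth_token.verifier == oauth_request_proxy.oauth_verifier
    render :text => "invalid oauth_verifier", :status => 401
    return
  end
  # … unchanged: destroy request token, create access token, render …

def authorize
  # … unchanged: token lookup, POST guard …
  s = SecureRandom.hex(8) # 16 hex characters from a CSPRNG
  # … unchanged: update_attributes, redirect …
```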
      <filename>app/controllers/oauth_controller.rb</filename>
    </modified>
    <modified>
      <diff>@@ -6,6 +6,9 @@ class CreateOauthTokens &lt; ActiveRecord::Migration
       t.string  :token
       t.string  :secret
       t.string  :type
+      t.boolean :validated, :null =&gt; false, :default =&gt; false
+      t.string  :callback_url
+      t.string  :verifier
       t.timestamps
     end
   end</diff>
      <filename>db/migrate/001_create_oauth_tokens.rb</filename>
    </modified>
  </modified>
  <removed type="array"/>
  <parents type="array">
    <parent>
      <id>6d3d7d1edccb780db672bd1d16a33aad7cfb2b2b</id>
    </parent>
  </parents>
  <author>
    <name>Seth Fitzsimmons</name>
    <email>seth@mojodna.net</email>
  </author>
  <url>http://github.com/mojodna/sample-oauth-provider/commit/c66208aeafec4034f953d5fac68f0c1b618d79c1</url>
  <id>c66208aeafec4034f953d5fac68f0c1b618d79c1</id>
  <committed-date>2009-05-26T22:10:03-07:00</committed-date>
  <authored-date>2009-05-26T22:08:53-07:00</authored-date>
  <message>support for OAuth 1.0a</message>
  <tree>7d8400ee7afa47545d7ea74000d2dab45fe38e82</tree>
  <committer>
    <name>Seth Fitzsimmons</name>
    <email>seth@mojodna.net</email>
  </committer>
</commit>
