
Added whitelist to OAuth consumer callback URLs to allow custom URL scheme #3774

Merged
merged 1 commit into from Feb 8, 2024

Conversation

kiatng
Collaborator

@kiatng kiatng commented Jan 31, 2024

…eme.

Description (*)

I need to do something similar to this stackoverflow: I need to provide OAuth to a mobile app, in which the callback URL looks like this: myapp://call-back. It doesn't work without the fix in the stackoverflow, or this PR.

This PR does 2 things:

  1. Remove the URL validation on Callback URL and Rejected Callback URL when saving OAuth Consumer in backend:
    [image]
  2. Use the Callback URL as a whitelist for custom scheme. This code ensures that the callback URL is either whitelisted or is a valid URL, so security is not compromised for custom URL schemes.

@github-actions github-actions bot added the Component: Oauth Relates to Mage_Oauth label Jan 31, 2024
@fballiano
Contributor

where is the whitelist stored? is it intended like a list of protocols/urls that bypass the validate?

@kiatng
Collaborator Author

kiatng commented Feb 1, 2024

where is the whitelist stored? is it intended like a list of protocols/urls that bypass the validate?

In the column callback_url in the table oauth_consumer.

Explanation

(I just learned this stuff, so this explanation is really for myself to digest the stuff.)

The callback URL is an optional param from the OAuth consumer (the client) to the OAuth host. When it is not provided, OM as the host will get it from the column callback_url in the table oauth_consumer. See

$callbackUrl = $this->_consumer->getCallbackUrl();

Original code before this PR:
[image]

Lines 399 - 406: If the OAuth consumer (client) doesn't provide the callback URL, it uses the URL from table oauth_consumer; otherwise, it uses the request param from the OAuth consumer (client). The URL is then saved in the table oauth_token. (Another possibility is oob, which is not affected by this PR. See this and this for more info.)

That's the behavior.

Now we need a way for a mobile app with a custom scheme to use OAuth. Currently, a custom scheme such as myapp://call-back throws an exception; only the schemes http:// and https:// are allowed. The suggested solution from this stackoverflow is to add the custom scheme to Zend_Uri, which works but it won't fly. Another idea is to disable URL validation in OAuth, but it may compromise security. A colleague suggested a whitelist of the custom scheme. For the whitelist to work, the callback URL is a required param from the OAuth consumer, and the prefix must match what is stored in the column callback_url in the table oauth_consumer. Note that this value is set in the backend and requires the Current Admin Password. So it is perfect to be used as a whitelist. More importantly, using it as a whitelist is BC; it doesn't affect URLs with standard schemes.
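The two-branch rule described in the PR description ("either whitelisted or a valid URL") and spelled out in the explanation above, as an added example that is not the PR's own code and not OpenMage's Mage_Oauth implementation. The function and helper names, the use of filter_var instead of Zend_Uri, and the sample inputs are all assumptions made for illustration:

```php
<?php
// Added example (not the PR's code): a standalone sketch of the callback URL
// rule the comment above describes. Names and helpers here are assumptions.

declare(strict_types=1);

/**
 * Decide which callback URL may be stored on the token.
 *
 * @param string|null $requested  callback URL sent by the consumer, null if absent
 * @param string      $stored     callback_url column from oauth_consumer (set in the backend)
 * @return string                 the callback URL to persist
 * @throws InvalidArgumentException when neither branch accepts the URL
 */
function resolveCallbackUrl(?string $requested, string $stored): string
{
    // No callback from the consumer: fall back to the backend-configured value,
    // mirroring the behaviour described for the original code.
    if ($requested === null || $requested === '') {
        return $stored;
    }

    // "oob" (out-of-band) is passed through unchanged; the PR does not touch it.
    if ($requested === 'oob') {
        return $requested;
    }

    // Branch 1: whitelist. The backend-configured callback_url acts as an
    // allowed prefix, so a custom-scheme URL such as myapp://call-back is
    // accepted only when the stored value is a byte-for-byte prefix of it.
    if ($stored !== '' && strncmp($requested, $stored, strlen($stored)) === 0) {
        return $requested;
    }

    // Branch 2: ordinary URL validation, limited to http and https.
    if (isStandardHttpUrl($requested)) {
        return $requested;
    }

    throw new InvalidArgumentException('Invalid callback URL');
}

/** True for a syntactically valid absolute http:// or https:// URL. */
function isStandardHttpUrl(string $url): bool
{
    // FILTER_VALIDATE_URL accepts any scheme with a host, so the scheme is
    // checked separately to keep the standard branch to http/https only.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return $scheme === 'http' || $scheme === 'https';
}

// Constructed sample inputs.
$stored = 'myapp://call-back';
var_dump(resolveCallbackUrl('myapp://call-back?state=1', $stored)); // accepted via whitelist
var_dump(resolveCallbackUrl('https://example.com/cb', $stored));     // accepted as standard URL
try {
    resolveCallbackUrl('otherapp://call-back', $stored);              // neither branch: rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two properties worth checking when reviewing logic of this shape: the whitelist branch is skipped entirely when callback_url is empty, so a consumer without a configured value still gets only the http/https check, and the prefix comparison is exact (case and trailing characters included), so the backend value should be written with the full path the app actually uses rather than just the scheme.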

@fballiano fballiano changed the title Add whitelist to OAuth consumer callback URLs to allow custom URL sch… Added whitelist to OAuth consumer callback URLs to allow custom URL scheme Feb 8, 2024
@fballiano fballiano merged commit bc8f9ec into OpenMage:main Feb 8, 2024
17 checks passed