
oauth echo hacking

1 parent ecd7e68 commit de1ed88d9a9cad28ca5a9f2167406db0d3cdff78 @stevenhaddox committed Jul 28, 2010
Showing with 20 additions and 15 deletions.
  1. +0 −15 app/controllers/photos_controller.rb
  2. +20 −0 app/controllers/sessions_controller.rb
@@ -109,21 +109,6 @@ def format_is_xml?(format=nil)
end
def check_login
- require 'httparty'
- # header auth only for now; also lock down the auth provider endpoint so we can't spoof
- if(request.env["HTTP_X_AUTH_SERVICE_PROVIDER"] != 'https://api.twitter.com/1/account/verify_credentials.json' || request.env["HTTP_X_AUTH_SERVICE_PROVIDER"].blank?)
- current_user = nil
- else
- auth_service_provider = request.env["HTTP_X_AUTH_SERVICE_PROVIDER"]
- verify_credentials_authorization = request.env["HTTP_X_VERIFY_CREDENTIALS_AUTHORIZATION"]
- end
-
- auth_response = HTTParty.get(auth_service_provider, :format => :json, :headers => {'Authorization' => verify_credentials_authorization}) rescue nil
- if !auth_response['screen_name'].blank?
- current_user = User.find(:first, :conditions => {:login => auth_response['screen_name']})
- end
- logger.info(auth_response)
-
return true unless current_user.blank?
redirect_to login_path #redirect to a non SSL page to ensure we don't throw an error
end
@@ -45,5 +45,25 @@ def finalize
def oauth
@oauth ||= Twitter::OAuth.new(TWITTER['token'], TWITTER['secret'], :sign_in => true)
end
+
+ def _authenticate_oauth_echo
+ require 'httparty'
+ # header auth only for now; also lock down the auth provider endpoint so we can't spoof
+ if(request.env["HTTP_X_AUTH_SERVICE_PROVIDER"] != 'https://api.twitter.com/1/account/verify_credentials.json' || request.env["HTTP_X_AUTH_SERVICE_PROVIDER"].blank?)
+ return false
+ else
+ auth_service_provider = request.env["HTTP_X_AUTH_SERVICE_PROVIDER"]
+ verify_credentials_authorization = request.env["HTTP_X_VERIFY_CREDENTIALS_AUTHORIZATION"]
+ end
+
+ auth_response = HTTParty.get(auth_service_provider, :format => :json, :headers => {'Authorization' => verify_credentials_authorization}) rescue nil
+ if !auth_response['screen_name'].blank?
+ current_user = User.find(:first, :conditions => {:login => auth_response['screen_name']})
+ return current_user
+ end
+ logger.info(auth_response)
+ return false
+ end
+
end
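Review bot: The `rescue nil` on the HTTParty.get line turns any upstream failure (timeout, DNS error, connection refused) into `nil`, and the very next line indexes it with `['screen_name']`, so a Twitter outage surfaces as a NoMethodError in the login path instead of a clean `false`; add a guard between them, `return false unless auth_response && auth_response.code == 200`, which also stops a non-200 body from being treated as a credential answer. The modifier `rescue` additionally hides programming errors in the same expression; narrow it to the network error classes and give the call a bound, e.g. `:timeout => 5` in the HTTParty.get options, since an unauthenticated client decides when this outbound request is made. `User.find(:first, ...)` can return `nil`, so the success branch returns `nil` where every other path returns `false`; presumably the caller only checks truthiness, but if it compares against `false` the two should agree (e.g. `return current_user || false`). The hard-coded provider comparison is the right control here and is worth keeping as-is; the `require 'httparty'` inside the method is better moved to file level so the dependency is visible.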
