/**
* Throw an exception if the nonce has been validated previously.
*
* @return the earliest point in time at which a call to releaseGarbage will actually release some
* garbage, or null to indicate there's nothing currently stored that will become garbage in
* future.
*/
protected Date validateNonce(OAuthMessage message, long timestamp, long currentTimeMsec)
throws IOException, OAuthProblemException {
UsedNonce nonce =
new UsedNonce(
timestamp,
message.getParameter(OAuth.OAUTH_NONCE),
message.getConsumerKey(),
message.getToken());
/*
* The OAuth standard requires the token to be omitted from the stored
* nonce. But I include it, to harmonize with a Consumer that generates
* nonces using several independent computers, each with its own token.
*/
boolean valid = false;
synchronized (usedNonces) {
valid = usedNonces.add(nonce);
}
if (!valid) {
throw new OAuthProblemException(OAuth.Problems.NONCE_USED);
}
return removeOldNonces(currentTimeMsec);
}
private OAuthEntry getValidatedEntry(OAuthMessage requestMessage)
throws IOException, ServletException, OAuthException, URISyntaxException {
OAuthEntry entry = dataStore.getEntry(requestMessage.getToken());
if (entry == null) throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
if (entry.type != OAuthEntry.Type.REQUEST)
throw new OAuthProblemException(OAuth.Problems.TOKEN_USED);
if (entry.isExpired()) throw new OAuthProblemException(OAuth.Problems.TOKEN_EXPIRED);
// find consumer key, compare with supplied value, if present.
if (requestMessage.getConsumerKey() == null) {
OAuthProblemException e = new OAuthProblemException(OAuth.Problems.PARAMETER_ABSENT);
e.setParameter(OAuth.Problems.OAUTH_PARAMETERS_ABSENT, OAuth.OAUTH_CONSUMER_KEY);
throw e;
}
String consumerKey = entry.consumerKey;
if (!consumerKey.equals(requestMessage.getConsumerKey()))
throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_REFUSED);
OAuthConsumer consumer = dataStore.getConsumer(consumerKey);
if (consumer == null) throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
OAuthAccessor accessor = new OAuthAccessor(consumer);
accessor.requestToken = entry.token;
accessor.tokenSecret = entry.tokenSecret;
VALIDATOR.validateMessage(requestMessage, accessor);
return entry;
}
/////////////////////
// deal with authorization request
private void authorizeRequestToken(
HttpServletRequest servletRequest, HttpServletResponse servletResponse)
throws ServletException, IOException, OAuthException, URISyntaxException {
OAuthMessage requestMessage = OAuthServlet.getMessage(servletRequest, null);
if (requestMessage.getToken() == null) {
// MALFORMED REQUEST
servletResponse.sendError(
HttpServletResponse.SC_BAD_REQUEST, "Authentication token not found");
return;
}
OAuthEntry entry = dataStore.getEntry(requestMessage.getToken());
if (entry == null) {
servletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, "OAuth Entry not found");
return;
}
OAuthConsumer consumer = dataStore.getConsumer(entry.consumerKey);
// Extremely rare case where consumer dissappears
if (consumer == null) {
servletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, "consumer for entry not found");
return;
}
// A flag to deal with protocol flaws in OAuth/1.0
Boolean securityThreat_2009_1 = !entry.callbackUrlSigned;
// Check for a callback in the oauth entry
String callback = entry.callbackUrl;
if (callback == null) {
// see if there's a callback in the url params
callback = requestMessage.getParameter(OAuth.OAUTH_CALLBACK);
}
if (callback == null) {
// see if the consumer has a callback
callback = consumer.callbackURL;
}
// The token is disabled if you try to convert to an access token prior to authorization
if (entry.type == OAuthEntry.Type.DISABLED) {
servletResponse.sendError(
HttpServletResponse.SC_FORBIDDEN, "This token is disabled, please reinitate login");
return;
}
// Redirect to a UI flow if the token is not authorized
if (!entry.authorized) {
// TBD -- need to decode encrypted payload somehow..
if (this.oauthAuthorizeAction.startsWith("http")) {
// Redirect to authorization page with params
// Supply standard set of params
// TBD
} else {
// Use internal forward to a jsp page
servletRequest.setAttribute("OAUTH_DATASTORE", dataStore);
servletRequest.setAttribute("OAUTH_ENTRY", entry);
servletRequest.setAttribute("CALLBACK", callback);
servletRequest.setAttribute("TOKEN", entry.token);
servletRequest.setAttribute("CONSUMER", consumer);
servletRequest.setAttribute("SECURITY_THREAT_2009_1", securityThreat_2009_1);
servletRequest
.getRequestDispatcher(oauthAuthorizeAction)
.forward(servletRequest, servletResponse);
}
return;
}
// If we're here then the entry has been authorized
// redirect to callback
if (callback == null || "oob".equals(callback)) {
// consumer did not specify a callback
servletResponse.setContentType("text/plain");
PrintWriter out = servletResponse.getWriter();
out.write("Token successfully authorized.\n");
if (entry.callbackToken != null) {
// Usability fail.
out.write("Please enter code " + entry.callbackToken + " at the consumer.");
}
} else {
callback = OAuth.addParameters(callback, OAuth.OAUTH_TOKEN, entry.token);
// Add user_id to the callback
callback = OAuth.addParameters(callback, "user_id", entry.userId);
if (entry.callbackToken != null) {
callback =
OAuth.addParameters(callback, OAuthConstants.OAUTH_VERIFIER, entry.callbackToken);
}
servletResponse.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
servletResponse.setHeader("Location", callback);
}
}