开发者

Rails oauth-plugin: multiple strategies causes duplicate nonce error

开发者 https://www.devze.com 2023-03-01 08:19 出处:网络
I have a controller action that may be hit by the client with a oauth client token (no authenticated user), or may be hit by an authorized client with an access

I have a controller action that may be hit by the client with a oauth client token (no authenticated user), or may be hit by an authorized client with an access token (for a specific user). I want to set up a nice little before filter to accomodate this. I tried:

oauthenticate :strategies => [:oauth10_request_token, :oauth10_access_token], 
              :interactive => false, 
              :only => [:wonky_action] 

If I try to hit this action with an access-token request, then it complains because it tries to remember the OauthNonce twice. Here's what my ClientApplication.verify_request method looks like:

def self.verify_request(request, options = {}, &block) 
    begin 
        signature = OAuth::Signature.build(request, options, &block) 
        nonce = OauthNonce.remember(signature.request.nonce, signature.request.timestamp) 
        unless nonce 
            Rails.logger.warn "Oauth request failing because of invalid nonce." 
            return false 
        end 
        value = signature.verify 
        unless value 
            Rails.logger.warn "Signature verification failed." 
        end 
        value 
    rescue OAuth::Signature::UnknownSignatureMethod => e 
        false 
    end 
end

Looking at this, the behavior is no surprise. It runs through the oauth10_request_token method, and remembers the nonce without a problem, but the token is not a request tok开发者_JAVA技巧en, so it fails. Then, it tries to run through oauth10_access_token, and when it calls verify_request the second time, it tries to remember a nonce that we've already remembered.

The best solution I can come up with is to separate the Nonce-remembering from the rest of the request verification. In other words, the server would verify the nonce first, and then do the signature verification (or whatever else verify_request wants to do) as many times as it pleases.

I don't see a clear way to do this without forking Pelle's application_controller_methods file, but I'm hoping I'm just missing the obvious fix that one of you will suggest! Thanks for your help! In case you're interested, I'm using rails3 with pelle's oauth-plugin and his fork of oauth:

gem 'oauth', :git => "http://github.com/pelle/oauth.git", :require => 'oauth/server' 
gem "oauth-plugin", :git => 'https://github.com/pelle/oauth-plugin.git', :branch => 'rails3'
0

精彩评论

暂无评论...
验证码 换一张
取 消