search

BluesZhang / gdata-objectivec-client

Automatically exported from code.google.com/p/gdata-objectivec-client
Other
0 stars 0 forks source link

Reusing GDataOAuthAuthentication with GDataOAuthSignIn fails due to stale token secret #48

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. Instantiate a GDataOAuthAuthentication object.
2. Perform a sign in: -[GDataOAuthSignIn startSigningIn], e.g. via 
GDataOAuthViewControllerTouch.
3. Later on, repeat step 2.

What is the expected output? What do you see instead?
A fresh sign-in sequence should happen, starting with obtaining a new OAuth 
request token.  Instead, the 
request token GET request gets signed by the request (or access) token secret 
previously obtained in step 2, 
leading to an incorrect signature.  This results in the server rejecting the 
new token request.

The fix is very simple, as shown below:

--- a/Libraries/gdata-objectivec-client/OAuth/GDataOAuthSignIn.m
+++ b/Libraries/gdata-objectivec-client/OAuth/GDataOAuthSignIn.m
@@ -156,8 +156,11 @@ const NSTimeInterval kDefaultNetworkLossTimeoutInterval = 
30.0;
 - (BOOL)startSigningIn {
   // the authentication object won't have an access token until the access
   // fetcher successfully finishes; any auth token held before then is a request
-  // token
+  // token.  We need to clear the token and secret so that the initial request
+  // doesn't get signed with an old token secret.
   [auth_ setHasAccessToken:NO];
+  [auth_ setToken:nil];
+  [auth_ setTokenSecret:nil];

   // start fetching a request token
   NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:requestURL_];

Original issue reported on code.google.com by danieldickison@gmail.com on 8 May 2010 at 7:12

GoogleCodeExporter commented 9 years ago 
I can't reproduce this. Nor do I understand it, since the token request isn't 
signed with the token or the token 
secret (the -tokenRequestKeys method lists what parameters the request request 
is signed with), and if the 
request succeeds, then the response (to requestFetcher:finishedWithData:) 
includes both a token and token 
secret, which immediately get saved together into the auth object.

Original comment by gregrobbins on 11 May 2010 at 2:04

GoogleCodeExporter commented 9 years ago 
-tokenRequestKeys includes kOAuthSignatureKey, which causes 
-paramsForKeys:request: to call -signatureForParams:request:, which then 
creates a signature using 
the private key _and_ the currently stored token secret (line 281 of 
GDataOAuthAuthentication.m).  Here's the relevant backtrace.

#4  +[GDataOAuthAuthentication HMACSHA1HashForConsumerSecret:tokenSecret:body:] 
(self=0x5bd74, _cmd=0x4d9d6, consumerSecret=0x595c8, 
tokenSecret=0x0, body=0x727b2f0) at /Users/ddickison/src/iPhone 
Apps/Etsy/Libraries/gdata-objectivec-client/OAuth/GDataOAuthAuthentication.m:897
#5  0x0003e9dd in -[GDataOAuthAuthentication signatureForParams:request:] 
(self=0x7254120, _cmd=0x4dea1, params=0x727a2f0, request=0x727a250) at 
/Users/ddickison/src/iPhone 
Apps/Etsy/Libraries/gdata-objectivec-client/OAuth/GDataOAuthAuthentication.m:283
#6  0x0003e379 in -[GDataOAuthAuthentication paramsForKeys:request:] 
(self=0x7254120, _cmd=0x4debd, keys=0x727a2c0, request=0x727a250) at 
/Users/ddickison/src/iPhone 
Apps/Etsy/Libraries/gdata-objectivec-client/OAuth/GDataOAuthAuthentication.m:179
#7  0x0003f9ba in -[GDataOAuthAuthentication 
addAuthorizationHeaderToRequest:forKeys:] (self=0x7254120, _cmd=0x4dd05, 
request=0x727a250, 
keys=0x727a2c0) at /Users/ddickison/src/iPhone 
Apps/Etsy/Libraries/gdata-objectivec-client/OAuth/GDataOAuthAuthentication.m:558
#8  0x0003f3a9 in -[GDataOAuthAuthentication addRequestTokenHeaderToRequest:] 
(self=0x7254120, _cmd=0x4de23, request=0x727a250) at 
/Users/ddickison/src/iPhone 
Apps/Etsy/Libraries/gdata-objectivec-client/OAuth/GDataOAuthAuthentication.m:472
#9  0x0003c81f in -[GDataOAuthSignIn startSigningIn] (self=0x7270ce0, 
_cmd=0x4d30a) at /Users/ddickison/src/iPhone 
Apps/Etsy/Libraries/gdata-objectivec-
client/OAuth/GDataOAuthSignIn.m:167

Original comment by danieldickison@gmail.com on 11 May 2010 at 3:06

GoogleCodeExporter commented 9 years ago 
Thank you for the elaboration, and for reporting the issue. I can reproduce the 
problem now.

Change submitted: 
http://code.google.com/p/gdata-objectivec-client/source/detail?r=527

Original comment by gregrobbins on 11 May 2010 at 7:57