ciaranj / connect-auth

Authentication middleware for connect.
MIT License

Add validateNotReplayClient() method for OAuthDataProvider #100

Closed evanp closed 12 years ago

evanp commented 12 years ago

The validateNotReplay() method of the OAuthDataProvider interface takes an accessToken, a timestamp, and a nonce. Per http://tools.ietf.org/html/rfc5849#section-3.3, "The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations."

However, for 2-legged OAuth, an accessToken isn't provided, so the uniqueness can't be verified.

This patch adds another method, validateNotReplayClient() to the OAuthDataProvider interface. It's identical to validateNotReplay(), but it takes another parameter: the consumerKey. This is passed for 2- and 3-legged OAuth.

If the new method is not found, the old one will be used instead.
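The replay check the pull request describes, as an added illustration that is not connect-auth's code and not evanp's patch: an in-memory nonce store keyed on the full (consumerKey, token, timestamp, nonce) tuple from RFC 5849 section 3.3, plus the fallback dispatch to the older validateNotReplay() when a provider does not implement validateNotReplayClient(). The synchronous boolean return, the `createReplayGuard` / `checkNotReplay` names, the 300-second acceptance window and the injected clock are assumptions made for this example; connect-auth's real provider methods may use a different calling convention.

```javascript
// Added example (not connect-auth's own code). Assumptions: provider methods
// return a boolean synchronously, and the clock is injectable so the demo is
// deterministic.

function createReplayGuard(options) {
  const windowSeconds = (options && options.windowSeconds) || 300;
  const now = (options && options.now) || (() => Math.floor(Date.now() / 1000));
  // tuple key -> timestamp, so stale entries can be evicted
  const seen = new Map();

  function evictExpired() {
    const cutoff = now() - windowSeconds;
    for (const [key, ts] of seen) {
      if (ts < cutoff) seen.delete(key);
    }
  }

  // True when (consumerKey, token, timestamp, nonce) has not been seen and the
  // timestamp is inside the acceptance window; the tuple is then recorded.
  function validateNotReplayClient(consumerKey, accessToken, timestamp, nonce) {
    const ts = Number(timestamp);
    if (!Number.isInteger(ts) || typeof nonce !== 'string' || nonce.length === 0) {
      return false;
    }
    if (Math.abs(now() - ts) > windowSeconds) {
      return false; // outside the window: reject without recording
    }
    evictExpired();
    // Percent-encode each field so that joining them cannot produce collisions
    // such as ("a", "b:c") versus ("a:b", "c").
    const key = [consumerKey || '', accessToken || '']
      .map(encodeURIComponent)
      .concat([ts, encodeURIComponent(nonce)])
      .join(':');
    if (seen.has(key)) return false;
    seen.set(key, ts);
    return true;
  }

  // Legacy signature without the consumer key: for 2-legged requests the token
  // is empty, so two different clients collide on the same (timestamp, nonce).
  function validateNotReplay(accessToken, timestamp, nonce) {
    return validateNotReplayClient('', accessToken, timestamp, nonce);
  }

  return { validateNotReplayClient, validateNotReplay, size: () => seen.size };
}

// Dispatch as the pull request describes: prefer the client-aware method and
// fall back to the old one when the provider lacks it.
function checkNotReplay(provider, consumerKey, accessToken, timestamp, nonce) {
  if (typeof provider.validateNotReplayClient === 'function') {
    return provider.validateNotReplayClient(consumerKey, accessToken, timestamp, nonce);
  }
  return provider.validateNotReplay(accessToken, timestamp, nonce);
}

// Constructed scenario: 2-legged requests (no token) from several consumers.
function demo() {
  let clock = 1700000000; // constructed epoch seconds
  const guard = createReplayGuard({ windowSeconds: 300, now: () => clock });
  const results = [];
  results.push(checkNotReplay(guard, 'consumerA', null, clock, 'n1')); // true: first use
  results.push(checkNotReplay(guard, 'consumerB', null, clock, 'n1')); // true: other client
  results.push(checkNotReplay(guard, 'consumerA', null, clock, 'n1')); // false: replay
  // A provider with only the old method cannot tell the two clients apart.
  const legacy = { validateNotReplay: guard.validateNotReplay };
  results.push(checkNotReplay(legacy, 'consumerC', null, clock, 'n2')); // true
  results.push(checkNotReplay(legacy, 'consumerD', null, clock, 'n2')); // false: collision
  results.push(checkNotReplay(guard, 'consumerA', null, clock - 301, 'n3')); // false: stale
  // Once the window has passed, old tuples are evicted on the next check.
  clock += 301;
  checkNotReplay(guard, 'consumerA', null, clock, 'n4');
  return { results, sizeAfterEviction: guard.size() };
}

module.exports = { createReplayGuard, checkNotReplay, demo };
```

The legacy branch in `demo()` shows the gap the pull request closes: with an empty token and no consumer key in the tuple, a second consumer reusing a nonce and timestamp is refused as a replay even though it is a different client, while the client-aware method accepts it and still refuses the genuine replay from the same consumer.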

evanp commented 12 years ago

Argh. I hadn't actually tested the 2-legged apps, and they were showing an error (due to my copy-and-pasting). Should be fixed now; I tested both 3-legged and 2-legged.

evanp commented 12 years ago

@ciaranj I sure hope this makes it in for the next release!

ciaranj commented 12 years ago

it will, it will :)