dcorking / google-wave-resources

Automatically exported from code.google.com/p/google-wave-resources

Bug: Robot application id is not checked in Oauth verification #791

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
There's no check that the robot app id corresponds to the registered OAuth 
consumer secret/key in the verification process. 
To reproduce: register the appdomain1 robot with Active API, 
then deploy and do the verification in the constructor.
Create a new wave with this robot; observe that the new wave is created and 
the appdomain1@appspot.com robot is the creator and participant (still OK).
Then take the same Eclipse project and deploy it to appdomain2, without changing 
the consumer key/secret or registering the robot for appdomain2.
Do the verification in the constructor with the key/secret of appdomain1.
Observe that the wave is created by appdomain1@appspot.com, even though the actual 
robot that created it resides on appdomain2 (and is not registered).
It actually means that if you somehow managed to get some other user's Active 
API stuff, you can fake this robot; anything done by the faking robot will look 
like it was done by the original robot. The events sent by Wave arrive at the faking robot.

Original issue reported on code.google.com by vega113 on 13 Jun 2010 at 4:16
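The gap the report describes, as an added illustration that is not Wave's code and not part of the original thread: a simplified OAuth-style verifier that checks only the consumer key/secret, beside one that also binds the consumer key to the app domain it was registered for. The registry contents, key/secret strings and domain names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed registry, not Wave's: consumer key -> (consumer secret, registered app domain).
REGISTRY = {
    "appdomain1-key": ("appdomain1-secret", "appdomain1.appspot.com"),
}


def sign(secret: str, message: str) -> str:
    """HMAC-SHA1 over the request, base64-encoded (OAuth 1.0 HMAC-SHA1, simplified)."""
    mac = hmac.new(secret.encode(), message.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_signature_only(consumer_key: str, message: str, signature: str) -> bool:
    """Behaviour the report describes: only the key/secret pair is checked.
    Anyone holding the pair passes, whatever domain they deploy from."""
    entry = REGISTRY.get(consumer_key)
    if entry is None:
        return False
    secret, _registered_domain = entry
    return hmac.compare_digest(sign(secret, message), signature)


def verify_with_app_id(consumer_key: str, message: str, signature: str,
                       requesting_domain: str) -> bool:
    """Hardened form: the consumer key must also belong to the app domain that is
    making the request. requesting_domain must come from a source the server
    authenticates itself, not from a field the caller can set freely."""
    entry = REGISTRY.get(consumer_key)
    if entry is None:
        return False
    secret, registered_domain = entry
    if requesting_domain != registered_domain:
        return False  # right key/secret, wrong app id: reject
    return hmac.compare_digest(sign(secret, message), signature)


def demo() -> dict:
    """Replays the reproduction steps: appdomain1's key/secret deployed on appdomain2."""
    msg = "POST /robot/rpc constructed-request-body"
    sig = sign("appdomain1-secret", msg)
    return {
        "signature_only_from_appdomain2": verify_signature_only("appdomain1-key", msg, sig),
        "with_app_id_from_appdomain2": verify_with_app_id("appdomain1-key", msg, sig, "appdomain2.appspot.com"),
        "with_app_id_from_appdomain1": verify_with_app_id("appdomain1-key", msg, sig, "appdomain1.appspot.com"),
    }
```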

GoogleCodeExporter commented 8 years ago
Once someone has the OAuth token/secret they can make requests as that robot, 
which is why it is important to keep the token/secret secured.

Original comment by joe.gregorio@gmail.com on 17 Jun 2010 at 12:43

GoogleCodeExporter commented 8 years ago
So, what you say is that it's actually a feature? Then why is it important to register 
the robot from the domain appdomain1? 

Original comment by vega113 on 18 Jun 2010 at 2:00

GoogleCodeExporter commented 8 years ago
Yes, it is a feature. It's how OAuth works.

I'm not sure what your second question means.

Please post in the forum for further clarification:
http://code.google.com/apis/wave/forum.html

Original comment by pamela.fox on 20 Jun 2010 at 2:23