hotsh / rstat.us

Simple microblogging network based on the ostatus protocol.
http://rstat.us/

OAuth Provider #692

Closed carols10cents closed 11 years ago

carols10cents commented 11 years ago

This makes rstat.us an OAuth provider and uses OAuth for all the Twitter API endpoints that exist so far.

Tomorrow I'm going to set this up on rstatus-staging and put up some sample code on using it in a client situation, but I wanted to get the PR in before this code withers on a branch all by its lonesome any longer.

This uses the doorkeeper gem: https://github.com/applicake/doorkeeper. And the RailsCast on doorkeeper was extremely helpful: http://railscasts.com/episodes/353-oauth-with-doorkeeper?view=asciicast

Please, anyone and everyone, review this, as it involves security and would benefit from as many eyes as possible! If you see something, say something!! ;) :heart:

carols10cents commented 11 years ago

Oh and this is to be committed to the twitter-api branch, just wanted to make that super clear.

steveklabnik commented 11 years ago

:D

carols10cents commented 11 years ago

Ok this code is now up at https://rstatus-staging.herokuapp.com

I added a link in the footer to a "Developers" page: https://rstatus-staging.herokuapp.com/developers

It's very minimal right now, basically just a way to get to the page to create an application and get oauth tokens with a tiny bit of explanation :)

I also added a link to users' profile edit pages to get to the page that lists applications you've authorized -- I thought about putting this inline in edit profile, but I feel kind of like that page is getting cluttered anyway and... a link was easier and I'm lazy :)

steveklabnik commented 11 years ago

One neat thing that we might want to think about in the future is echoing GitHub's authorization API: you can use basic auth to request an oauth token, so you don't have to go through the full oauth dance. :)

wilkie commented 11 years ago

You can use basic auth to acquire an application token. However, the reason this is secure is that the random handshaking oauth uses to ensure no replay attacks can occur is superseded by ssl. So, if you do this, ensure that you check that the credentials are correct AND that the request was made over ssl. This cannot be used on any nodes that elect not to have an ssl cert. :)
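
An added example, not code from the rstat.us repository, this PR or doorkeeper, of what the two checks wilkie names look like in a Rack-style token endpoint: decode the Basic credentials, verify them in constant time against a salted PBKDF2 hash, require that the request arrived over TLS (directly, or via a trusted proxy's X-Forwarded-Proto header, since Heroku terminates TLS at its router), and only then mint a random token. The user store, usernames, passwords and Rack env hashes are constructed for the demo, and it uses only the Ruby standard library.

```ruby
# Added example (not rstat.us or doorkeeper code): GitHub-style "Basic credentials in,
# API token out", accepted only when the credentials verify AND the request came over TLS.
# Users, passwords and the Rack env hashes are constructed for the demo.
require 'base64'
require 'openssl'
require 'securerandom'

PBKDF2_ITERATIONS = 20_000

# Password record: random salt plus PBKDF2-HMAC-SHA256; the password itself is never stored.
def make_user_record(password)
  salt = SecureRandom.hex(16)
  hash = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                                  length: 32, hash: 'sha256')
  { salt: salt, hash: hash }
end

# Constant-time comparison for equal-length digests, so a byte-by-byte mismatch timing
# oracle cannot be used to recover the stored hash.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Constructed demo store (username => record). A real app reads this from its users table.
DEMO_USERS = { 'alice' => make_user_record('correct horse battery staple') }.freeze
# Unknown usernames are checked against this dummy so they cost one KDF run like real ones,
# which keeps response timing from revealing which usernames exist.
DUMMY_RECORD = make_user_record(SecureRandom.hex(16)).freeze

# Did this request arrive over TLS? With TLS terminated at the app, rack.url_scheme is
# "https". Behind a TLS-terminating proxy (Heroku's router sets X-Forwarded-Proto) the app
# sees "http" and must consult the forwarded header, but only when a trusted proxy is known
# to be in front; otherwise any client can send the header itself and defeat the check.
def over_ssl?(env, trust_proxy: false)
  return true if env['rack.url_scheme'] == 'https'
  return false unless trust_proxy
  env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
end

# Parse "Authorization: Basic base64(user:pass)"; nil for anything malformed.
def parse_basic_auth(header)
  return nil unless header.is_a?(String) && header.start_with?('Basic ')
  decoded = Base64.decode64(header.sub(/\ABasic\s+/, '')).force_encoding(Encoding::UTF_8)
  return nil unless decoded.valid_encoding?
  user, pass = decoded.split(':', 2)
  user && pass ? [user, pass] : nil
end

def credentials_valid?(users, user, pass)
  record = users[user] || DUMMY_RECORD
  candidate = OpenSSL::KDF.pbkdf2_hmac(pass, salt: record[:salt], iterations: PBKDF2_ITERATIONS,
                                       length: 32, hash: 'sha256')
  match = secure_compare(candidate, record[:hash])
  users.key?(user) && match
end

# Token endpoint handler: returns [status, body]. TLS is checked before the credentials:
# a Basic credential sent over plaintext HTTP is already exposed, but at least nobody
# listening gets a long-lived token minted for them as well.
def issue_token(env, users = DEMO_USERS, trust_proxy: false)
  return [403, 'token issuance requires TLS'] unless over_ssl?(env, trust_proxy: trust_proxy)
  creds = parse_basic_auth(env['HTTP_AUTHORIZATION'])
  return [401, 'bad credentials'] unless creds && credentials_valid?(users, *creds)
  # 256 bits from the CSPRNG; a real app stores only a digest of this and returns it once.
  [200, SecureRandom.urlsafe_base64(32)]
end
```

In a real Rack app `Rack::Request#ssl?` performs the scheme and forwarded-header check; it is inlined here as `over_ssl?` so that both conditions, and the trust-the-proxy caveat, are visible in one place.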

steveklabnik commented 11 years ago

Link for the uninformed: http://developer.github.com/v3/oauth/#non-web-application-flow

OAuth would also require ssl, and therefore shouldn't be on any nodes that elect not to have it.

wilkie commented 11 years ago

OAuth is equivalent basically to basic auth + ssl in terms of attack area. You attack the initial handshake for OAuth, or you attack the initial handshake for ssl, and you could see the information passed on subsequent requests. shrug If people elect not to have SSL, OAuth is severely better than nothing, and due to using a random number and an HMAC can be used without SSL. Pessimistically speaking, both approaches are rather broken on a security level, but do obscure passwords in the common case. Also, the government probably has every SSL private key. :) :) :C

steveklabnik commented 11 years ago

I'm pretty sure that the spec says to reject requests that aren't over SSL, and so it won't even work, not 'it's not secure.'

I should really double-check that, though.

wilkie commented 11 years ago

Yeah, totally. It will be insecure if the eavesdropper witnesses the handshake. SSL is broken if the eavesdropper can inject a cert or knows the private key. shrug :) But SSL would solve the problem of witnessing the key exchange at the OAuth layer by pushing the problem down a layer. It is theoretically impossible to solve the key exchange problem, so OAuth placed it out-of-scope and gives responsibility to SSL, which solves it poorly. :D :D :D

OAuth says that SSL MUST be used to get the token secret, which makes sense, so you'd be correct that it should reject requests not over SSL regardless. Hmm, in that case, is OAuth nothing more than a glorified redirect? I now have newfound lulz over that spec.
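
An added example (not code from rstat.us, this PR or doorkeeper) of the mechanism the two comments above are comparing against TLS: OAuth 1.0a request signing per RFC 5849, where every request carries a nonce and timestamp bound into an HMAC-SHA1 over the method, URL and parameters, so a captured request can be neither replayed nor altered even on plaintext HTTP. Two caveats the example reflects: doorkeeper implements OAuth 2, whose bearer tokens carry no signature and depend entirely on TLS, so this is not what the PR ships; and the token secret used as signing key is handed to the client once, during the token exchange, which is the step the 1.0a spec requires to run over TLS. After that only signatures derived from it travel. The consumer key/secret, token/secret, endpoint URL and `status` parameter are constructed for the demo.

```ruby
# Added example (not rstat.us or doorkeeper code): OAuth 1.0a HMAC-SHA1 signing (RFC 5849)
# on the client side, and verification with nonce/timestamp replay rejection on the server.
# Keys, secrets, URL and parameters are hypothetical.
require 'base64'
require 'openssl'
require 'securerandom'

# RFC 3986 percent-encoding as OAuth 1.0a specifies: only unreserved characters
# (A-Z a-z 0-9 - . _ ~) stay literal; every other byte becomes %XX.
def oauth_escape(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| '%%%02X' % c.ord }
end

# Signature base string (RFC 5849 §3.4.1): METHOD & encoded base URL & encoded normalized
# parameters. `pairs` is any enumerable of [name, value] with raw (decoded) values;
# duplicate names are allowed and sorted by encoded name, then encoded value.
def signature_base_string(method, base_url, pairs)
  normalized = pairs.to_a
                    .reject { |k, _| k == 'oauth_signature' || k == 'realm' }
                    .map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                    .sort
                    .map { |k, v| "#{k}=#{v}" }
                    .join('&')
  [method.to_s.upcase, oauth_escape(base_url), oauth_escape(normalized)].join('&')
end

# HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret" (both encoded).
def oauth_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', key, base_string))
end

# Client side: add the oauth_* protocol parameters (fresh nonce, current timestamp), sign.
def sign_request(method, url, params, consumer_key:, consumer_secret:, token:, token_secret:,
                 nonce: SecureRandom.hex(8), timestamp: Time.now.to_i)
  oauth = { 'oauth_consumer_key' => consumer_key, 'oauth_token' => token,
            'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => timestamp.to_s,
            'oauth_nonce' => nonce, 'oauth_version' => '1.0' }
  signed = params.merge(oauth)
  signed.merge('oauth_signature' => oauth_signature(signature_base_string(method, url, signed),
                                                   consumer_secret, token_secret))
end

# Server side. `params` is the decoded request parameter Hash (query, body and oauth_*).
# Every failure returns a reason symbol rather than raising.
class OAuth1Verifier
  CLOCK_SKEW = 300 # seconds; also bounds how long a nonce has to be remembered

  def initialize(consumers:, tokens:)
    @consumers = consumers # consumer_key => consumer_secret
    @tokens = tokens       # oauth_token  => token_secret
    @seen = {}             # [consumer_key, token, timestamp, nonce] => true; a real store expires entries
  end

  def verify(method, url, params, now: Time.now.to_i)
    consumer_secret = @consumers[params['oauth_consumer_key']]
    token_secret = @tokens[params['oauth_token']]
    return :unknown_client unless consumer_secret && token_secret
    return :stale if (now - params['oauth_timestamp'].to_i).abs > CLOCK_SKEW
    expected = oauth_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
    return :bad_signature unless constant_time_equal?(expected, params['oauth_signature'].to_s)
    key = params.values_at('oauth_consumer_key', 'oauth_token', 'oauth_timestamp', 'oauth_nonce')
    return :replay if @seen[key] # a validly signed request seen before: someone resent a capture
    @seen[key] = true
    :ok
  end

  private

  def constant_time_equal?(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |d, (x, y)| d | (x ^ y) }.zero?
  end
end
```

Because the method, URL and every parameter are in the base string, an eavesdropper who changes the `status` text, the verb or the endpoint gets `:bad_signature`, and one who resends the capture unchanged gets `:replay`; the timestamp window is what lets the server forget old nonces. What signing does not hide is the parameters themselves, which is why the thread's point about TLS for confidentiality, and for the one-time delivery of the token secret, still stands.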

carols10cents commented 11 years ago

I've moved the discussion of using basic auth to get an oauth token to a new issue: #694

What do yinz think about this pull req? ;)

Here's a gist of a tiny client app that proves doing the oauth dance and posting through the json api with an auth token works: https://gist.github.com/3928840

Nakort commented 11 years ago

:+1:

wilkie commented 11 years ago

Go ahead and merge manually, @carols10cents. Just make a note that we should audit the security of the OAuth stuff at the end especially with respect to correct SSL encapsulation (and override of requiring it).