marig345 / oauth-php

Automatically exported from code.google.com/p/oauth-php
MIT License

Can't exchange request token for access token using 1.0 spec #41

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I'm trying to test a pretty basic server implementation of oauth-php by using a local copy of the OAuth Test Client like the one here:
http://term.ie/oauth/example/client.php

I am able to successfully register, request_token, and I believe authorize. When I authorize, I get redirected to a URL like:
http://local.example.com/api/2.0/oauth-test/example/client.php?key=332c57147a4f05949f055f06688a719a04beaddd9&secret=3b3d266a2911029939c3485565c60ab9&token=2e2e8a5020a21adb4b1b31a4bb580c1a04beade04&token_secret=a9223c7a7d3ac326c9443178f704f220&endpoint=http%3A%2F%2Flocal.example.com%2Fapi%2F2.0%2Fauthorize&oauth_token=2e2e8a5020a21adb4b1b31a4bb580c1a04beade04&oauth_verifier=63de358f4b

When I then try to hit access_token I get:
OAuth Verification Failed: Can't exchange request token "2e2e8a5020a21adb4b1b31a4bb580c1a04beade04" for access token. No such token or not authorized

Digging further, it's because in OAuthStoreSql->exchangeConsumerRequestForAccessToken()...
UPDATE oauth_server_token
SET ost_token = 'f8206fbd6f29de068589ad0f3891913304beae904',
    ost_token_secret = '4af13cf0ab3e13594c7cf262243fb979',
    ost_token_type = 'access',
    ost_timestamp = NOW(),
    ost_token_ttl = '9999-12-31'
WHERE ost_token = '2e2e8a5020a21adb4b1b31a4bb580c1a04beade04'
  AND ost_token_type = 'request'
  AND ost_authorized = 1
  AND ost_token_ttl >= NOW()
  AND ost_verifier = '0'

Does not return a row, because it's looking for ost_verifier = 0 but in the database the ost_verifier = '63de358f4b'.

Is this library *expecting* 1.0a rather than allowing 1.0?

It appears that either the database should not have held the ost_verifier to be a non-zero value or that exchangeConsumerRequestForAccessToken() should not have ost_verifier in the WHERE clause if the input is empty.

Original issue reported on code.google.com by philfreo on 17 May 2010 at 6:22

GoogleCodeExporter commented 9 years ago
Seems to be the same issue as I mentioned here: ConsumerHowTo - Comment by fiedler.andre, May 08, 2010

Would really be great if someone fixes this (and puts a sample test server/client combination into the repository).

Original comment by fiedler....@gmail.com on 17 May 2010 at 8:01

GoogleCodeExporter commented 9 years ago
I'm checking this right now.

Original comment by brunobg%...@gtempaccount.com on 18 May 2010 at 1:31

GoogleCodeExporter commented 9 years ago
Can confirm that the bugfix from philfreo is working! Just replace line 1350 (and following) in OAuthStoreSQL.php with these:

[code]
if (isset($options['verifier'])) {
    $verifier = $options['verifier'];

    // 1.0a compatibility: check token against oauth_verifier
    $this->query('
                UPDATE oauth_server_token
                SET ost_token           = \'%s\',
                    ost_token_secret    = \'%s\',
                    ost_token_type      = \'access\',
                    ost_timestamp       = NOW(),
                    ost_token_ttl       = '.$ttl_sql.'
                WHERE ost_token      = \'%s\'
                  AND ost_token_type = \'request\'
                  AND ost_authorized = 1
                  AND ost_token_ttl  >= NOW()
                  AND ost_verifier = \'%s\'
                ', $new_token, $new_secret, $token, $verifier);
} else {
    // 1.0: no oauth_verifier supplied, so ost_verifier is not checked
    $this->query('
                UPDATE oauth_server_token
                SET ost_token           = \'%s\',
                    ost_token_secret    = \'%s\',
                    ost_token_type      = \'access\',
                    ost_timestamp       = NOW(),
                    ost_token_ttl       = '.$ttl_sql.'
                WHERE ost_token      = \'%s\'
                  AND ost_token_type = \'request\'
                  AND ost_authorized = 1
                  AND ost_token_ttl  >= NOW()
                ', $new_token, $new_secret, $token);
}
[/code]

Original comment by fiedler....@gmail.com on 25 May 2010 at 12:09
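
Added example (not part of the thread and not oauth-php code): a Python sketch that runs the WHERE-clause variants discussed above against a constructed, cut-down oauth_server_token table in SQLite, comparing the original predicate, the patch in the comment above, and an assumed stricter variant that follows the reporter's other suggestion of storing no verifier for 1.0 flows. The function names, the req-token/acc-token values and the NULL-verifier convention are assumptions made for the illustration.

```python
import sqlite3

# Constructed, cut-down stand-in for oauth_server_token (SQLite, not the
# library's MySQL schema); TTL and secret columns are left out.
SCHEMA = """CREATE TABLE oauth_server_token (
    ost_token TEXT PRIMARY KEY, ost_token_type TEXT,
    ost_authorized INTEGER, ost_verifier TEXT)"""

BASE = ("UPDATE oauth_server_token SET ost_token = ?, ost_token_type = 'access' "
        "WHERE ost_token = ? AND ost_token_type = 'request' AND ost_authorized = 1")

def make_db(stored_verifier):
    """One authorized request token; None models a row with no verifier (assumed 1.0 flow)."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO oauth_server_token VALUES ('req-token', 'request', 1, ?)",
               (stored_verifier,))
    return db

def _run(db, extra_where, *extra_args):
    cur = db.execute(BASE + extra_where, ("acc-token", "req-token", *extra_args))
    return cur.rowcount == 1  # True when the request token was exchanged

def exchange_original(db, verifier=None):
    # Reported behaviour: an absent verifier ends up compared as '0'.
    return _run(db, " AND ost_verifier = ?", verifier or "0")

def exchange_patched(db, verifier=None):
    # Patch from the thread: no verifier supplied -> predicate dropped entirely.
    if verifier is None:
        return _run(db, "")
    return _run(db, " AND ost_verifier = ?", verifier)

def exchange_strict(db, verifier=None):
    # Assumed hardening: the 1.0 path only matches rows that never got a verifier.
    if verifier is None:
        return _run(db, " AND ost_verifier IS NULL")
    return _run(db, " AND ost_verifier = ?", verifier)

def outcomes(stored_verifier, supplied):
    """Result of each variant for one (stored, supplied) verifier pair."""
    return {f.__name__: f(make_db(stored_verifier), supplied)
            for f in (exchange_original, exchange_patched, exchange_strict)}

if __name__ == "__main__":
    for stored, supplied in [("63de358f4b", None), ("63de358f4b", "63de358f4b"),
                             ("63de358f4b", "wrong"), (None, None)]:
        print(stored, supplied, outcomes(stored, supplied))
```

With a stored verifier and none supplied, the patched variant exchanges the token without any verifier comparison; the strict variant keeps 1.0 clients working only for rows where no verifier was ever stored.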

GoogleCodeExporter commented 9 years ago
Um, I have to correct myself. It's working better, but now I have to authorize the consumer for every request! There should be one more bug.

Original comment by fiedler....@gmail.com on 25 May 2010 at 6:15

GoogleCodeExporter commented 9 years ago
@philfreo

I've checked and fixed the bug you mentioned. Can you test this again? It seems there's one more bug... but I didn't get it by now. :(

Original comment by fiedler....@gmail.com on 9 Jun 2010 at 8:53

GoogleCodeExporter commented 9 years ago
Ok, I tested again. I think this works now! closed :o)

Original comment by fiedler....@gmail.com on 10 Jun 2010 at 8:58