pitbulk / oauth-php Goto Github PK

The codes does not seem to be compatible with OAuth Core 1.0 Revision A

A service provider should be able to set the accepted signature methods.
For example I would like to accept PLAINTEXT only for SSL encrypted requests.

proposal:
extend OAuthRequestVerifier with a method
OAuthRequestVerifier->setAcceptedSignatureMethod() taking an array of
strings (the signature methods), saving this in a class variable. if null
is passed all supported methods are accepted and there is no filtering.

OAuthRequestVerifier->verify should check this value and filter the request
signature method and throw an error (just like how it is node in
OAuthRequest for available methods).

alternatively the opposite could be done and a ->setDeniedSignatureMethod()
added and filtering upon that.

-ueli

I'm having a problem getting oAuth requests to work when the request URL
includes a querystring parameter.  Any idea what might be happening?

Thanks.

1.  Setup two requests - one with a querystring parameter and one with just
a URL.

2.  Run each of the requests.

3.  The request without the querystring parameter runs fine and returns the
expected output.  When a querystring parameter is included in the oAuth
request URL the error Verification of signature failed (signature base
string was ...) is returned.

The change is in OAuthUtil::get_headers()
...
 else if (strtolower($key) == "content_type")
      {
          $out["Content-Type"] = $value;
      }
...


With this change, the function is now:


public static function get_headers() {

    if (function_exists('apache_request_headers')) {
      // we need this to get the actual Authorization: header
      // because apache tends to tell us it doesn't exist
      return apache_request_headers();
    }
    // otherwise we don't have apache and are just going to have to hope
    // that $_SERVER actually contains what we need
    $out = array();
    foreach ($_SERVER as $key => $value) {
      if (substr($key, 0, 5) == "HTTP_") {
        // this is chaos, basically it is just there to capitalize the first
        // letter of every word that is not an initial HTTP and strip HTTP
        // code from przemek
        $key = str_replace(
          " ",
          "-",
          ucwords(strtolower(str_replace("_", " ", substr($key, 5))))
        );

        $out[$key] = $value;
      } else if (strtolower($key) == "content_type")
      {
          $out["Content-Type"] = $value;
      }
    }
    return $out;
  }

What steps will reproduce the problem?
1. move library files to server that supports PHP
2. fill in key, secret and url data into /example/client/twolegged.php

What is the expected output? What do you see instead?
Should get a successful response from foursquare's api.

What version of the product are you using? On what operating system?
revision 98

Please provide any additional information below.
Exceptionexception 'OAuthException2' with message 'Request failed with 
code 401: <?xml version="1.0" encoding="UTF-8"?>
<unauthorized>TOKEN_EXPIRED</unauthorized> 
/library/OAuthRequester.php:117

I created a new Store for mysqli. As far as I could test it is working
properly. Please add the new code to the next release.

Shinig seems to be attaching a trailing & to the uri with a signed request.
This casued RSA_SHA1 signatrue verification to not work. I implemented a
fix by not adding the paramater with an empty name in OAuthRequest,
parseUri but there is probably a better way.

[deleted issue]

Title says it all.

Nobody uses mysql_ these days. Mysqli_ or PDO should be supported, e.g. via a 
simple wrapper class.

What steps will reproduce the problem?
1. install OAuth from pecl
2. include this library

Result: Fatal error: Cannot redeclare class OAuthException, because it
clashes with http://php.net/manual/en/class.oauthexception.php

To fix this issue, extend line 147 in OAuthServer.php :


   $this->session->set('verify_oauth_callback', ($rs['callback_url'] ? $rs['callback_url'] : $this-
>getParam('oauth_callback', true)));

like this:

   $this->session->set('verify_oauth_callback', ($rs['callback_url'] && $rs['callback_url'] != 'oob' ? 
$rs['callback_url'] : $this->getParam('oauth_callback', true)));

Thanks! André

in OAuthStoreMySQL->getConsumer() function before the return statement
there is a user_id check:

http://code.google.com/p/oauth-php/source/browse/trunk/library/store/OAuthStoreM
ySQL.php#1122
if (!$user_is_admin && !empty($r['user_id']) && $r['user_id'] != $user_id)

the $r doesn't exist and i believe it's a typo for $c. 
It should be:
if (!$user_is_admin && !empty($c['user_id']) && $c['user_id'] != $user_id)

What version of the product are you using? On what operating system?
98

Please provide any additional information below.
Currently the doRequest() method allows for custom curl options, but this
is lacking inside requestRequestToken() and requestAccessToken()

Today foursquare was updating their service. Therefore their servers could
not be reached within the PHP max_execution_time (30 secs in this case).
This resulted in my entire application going down.
I looked but didn't find for a setting that allowed me to set a timeout for
the request. When a timeout occurs it should throw an exception which I can
catch and handle appropriately.
I would like to know if I misread the code. Otherwise this would be a
feature request.
Any feedback is welcome. Thank you in advance.

When using the MySQL store, I didn't find an easy way to specify all of the 
parameters (username, 
password, host, database name) in the code. Some parameters can be easily set 
as part of default 
config, but others cannot.

What version of the product are you using? On what operating system?
Revisions 96 and 120

Please provide any additional information below.
I have patched revision 120 with a means of doing this if you are interested in 
looking at it.  I don't 
claim that it is the best, but it works.

What steps will reproduce the problem?
1. Make HTTP request with query string as part of get e.g. 
http://dev.local/index?id=1
2. Signature verification fails

What is the expected output? What do you see instead?
Expect to see response, instead the signature verification fails.

What version of the product are you using? On what operating system?
Tested on revision 98 and 122 from SVN, running server on Ubuntu 10.04.

Please provide any additional information below.
If I change the request URL to http://dev.local/index/id/1 then everything 
works, but I have a 
large amount of code already using "standard" query strings.  I would like to 
be able to re-use 
that code instead of re-writing it.

This might be my misunderstanding of the OAuth specs and of the library,
but if I use 2-legged oauth to generate headers, the $token_type should be
FALSE.

In OAuthStoreSQL.php Line 119, if $token_type is FALSE, then it does not
return the ost_usa_id_ref as user_id, like it does for other $token_types.

If each user is given a unique consumer_key and consumer_secret, is there
reason I cannot identify the a user using 2-legged oauth? 

What steps will reproduce the problem?
1. Signup and make a call to the Google API
2. Add two different scopes, such as Analytics 
(https://www.google.com/analytics/feeds) and Youtube (http://gdata.youtube.com)
3. Get an error because it's the same consumer key but different server URIs

What is the expected output? What do you see instead?
- Expected to be allowed to make the calls regardless of the server, but it was 
not so.

What version of the product are you using? On what operating system?
- oauth-php-98.tar.gz, Mac OS X

Please provide any additional information below.
- Is there some way that I'm missing that can accomplish this?

Fatal error: Class 'OAuthException22' not found in
...\lib\oauth\store\OAuthStoreMySQL.php on line 774

It would be nice to not be reliant on $_SESSION. The "store" stuff could be 
used for it instead.

We are working on an application that supports both 2-legged oauth and
3-legged oauth. For the 2-legged, each consumer is associated with a user,
while with the 3-legged, each consumer will be associated with an
application. Since the users and applications table do not share an
auto-increment ID, I would like to prefix my usa_id_ref with 'u####' for
user consumers and 'a###' for application consumers.

Is there any reason why usa_id_ref is limited to integers? If so, is there
an alternative for supporting two types of consumers?

In example/server/www/services.xrds.php, it uses PHP short tags in several 
places, like:

<URI>http://<?=$server?>/oauth/request_token</URI>

For open source projects, it's best to use the typical php tags since many 
servers have short tags 
disabled.

<URI>http://<?php echo $server; ?>/oauth/request_token</URI>

If you'd like to make me a committer, I can submit small changes like these 
myself.

To fix this issue, replace Line 177 in OAuthServer.php :

    $verify_oauth_callback = $this->session->get('verify_oauth_token');

with this Line:

    $verify_oauth_callback = $this->session->get('verify_oauth_callback');

Thanks! ;o)

What steps will reproduce the problem?
1. Attempt to use OAuthStoreMySQL in such a way that an exception is thrown.

What is the expected output? What do you see instead?
The exception should be thrown, but PHP dies with an attempt to throw
OAuthException22, which does not exist.

What version of the product are you using? On what operating system?
This is revision 75 of SVN on debian linux.

Please provide any additional information below.
This problem was caused by revision 67, probably some runaway sed script. 
A patch is attached.

What steps will reproduce the problem?
1. Get a request Token, 
2. Authorize the token
3. Access (hello)

What is the expected output? What do you see instead?
"Hello, world!"

Sometimes i see 
"OAuth Verification Failed: Verification of signature failed (signature base 
string was 
"GET&http%3A%2F%2Foauth%2Fhello&oauth_consumer_key%3Db613c535385ba5d852e453c31cd
39a180497bdbf5%26oauth_nonce%3D3254DD7C-183F-4CB1-9D20-
580FE2BBDFAF%26oauth_signature_method%3DHMAC-
SHA1%26oauth_timestamp%3D1232855178%26oauth_token%3Df81508e5447e12e7c484b6c2d3
391e410497bdf1c%26oauth_version%3D1.0")."

What version of the product are you using? On what operating system?
oauth-php-r50.tar.gz

What steps will reproduce the problem?
1.use https://twitter.com/oauth/request_token/ for request_token_uri
2.try to use OAuthRequester::requestRequestToken
3.

What is the expected output? What do you see instead?
Fatal error: Uncaught exception 'OAuthException2' with message 'No answer 
from the server "https://twitter.com/oauth/request_token/" while requesting 
a request token' 

What version of the product are you using? On what operating system?


Please provide any additional information below.
Curl ssl options are not set , could be quick fixed by adding 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

The osr_callback_uri field is never used. One would expect it to be used as
the default oauth_callback parameter in authorizeVerify.

It seems that OAuthStoreMySQL::getConsumerAccessToken,
OAuthStoreMySQL::listConsumers and OAuthStoreMySQL::listConsumerTokens just
need to have "osr_callback_uri as callback_uri" added to the SELECTs.

With Facebook officially supporting OAuth2.0, it'd be nice if this library 
supported it as well, both 
client and server.

I don't know what all the changes are yet, but here's the spec:
http://github.com/theRazorBlade/draft-ietf-oauth/raw/master/draft-ietf-oauth.txt

Project admins should add availbility to download .zip file of this 
project, because now, it is impossible to unzip archive, coz i am in 
internet cafe with guest rights that does'nt have winRAR or other archiver 
installed :)

What steps will reproduce the problem?

1. Download the source at r130
$ svn checkout -r 130 http://oauth-php.googlecode.com/svn/trunk/ 
oauth-php-read-only

2. Run the test
$ php oauth-php-read-only/test/oauth_test.php

What is the expected output? What do you see instead?

Expected:
Performing OAuth module tests.

See also: http://wiki.oauth.net/TestCases

***** Parameter Encoding *****

***** Normalize Request Parameters *****

***** Base String *****

***** HMAC-SHA1 *****
Request signing
***** HMAC-SHA1 *****
Request verification

***** Yahoo! test case ******



Seen:
Performing OAuth module tests.

See also: http://wiki.oauth.net/TestCases

***** Parameter Encoding *****

***** Normalize Request Parameters *****


Assertion failed in 
/Users/simonreekie/Tmp/oauth-php-read-only/test/oauth_test.php:90
   $req->getNormalizedParams() == 'a=x%20y&b=x%21y'

***** Base String *****


Assertion failed in 
/Users/simonreekie/Tmp/oauth-php-read-only/test/oauth_test.php:106
   $req->signatureBaseString() == 'POST&https%3A%2F%2Fphotos.example.net%2Frequest_token&oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dhsu94j3884jdopsl%26oauth_signature_method%3DPLAINTEXT%26oauth_timestamp%3D1191242090%26oauth_version%3D1.0'

***** HMAC-SHA1 *****
Request signing
***** HMAC-SHA1 *****
Request verification

***** Yahoo! test case ******



What version of the product are you using? On what operating system?

Tests fail from r102 to r130, last working tests appears to be r101
PHP 5.3.1 on MacBook, Darwin Kernel Version 10.3.0

Please provide any additional information below.

I'm assuming the tests do not require updated schema to support oauth_verifier. 
All tests were run against a schema created from an r98 download.

It appears that OAuthStorePDO->sql_escape_string() should have says "return 
$s;" in the first 
conditional block.

From what I could see in the source files, this function only gets called
in parseUri()

Could this be made optional, based on whether the extension is loaded (or a
function_exists() even), since Unicode hostnames aren't that popular yet ;-)

What steps will reproduce the problem?
1. When the consumer try to request an access token. I try to pass the
verifier string in the options array:
$oauth_verifier = $_GET["oauth_verifier"];
$tokens = OAuthRequester::requestAccessToken($consumer_key, $oauth_token,
$usr_id, 'GET',array("oauth_verifier"=>$oauth_verifier));
2. The requestAccessToken function is not send this parameter.
3. Then the server is not able to exchange the request token.

What is the expected output? What do you see instead?
The Consumer must send the oauth_verifier to the server

What version of the product are you using? On what operating system?
At revision: 34167
Consumer : Windows XP (WampServer)
Server : LAMP 
Please provide any additional information below.
A posible solution :
In the requestAccessToken function add this code:
if (isset($options['oauth_verifier']))
        {
            $oauth->setParam('oauth_verifier', $options['oauth_verifier']);
        }

What steps will reproduce the problem?
1. Authenticate as specified at http://code.google.com/p/oauth-
php/wiki/ConsumerHowTo#Three-legged_OAuth
2. Authenticate as above to the same server + consumer_key combo, with a 
different user_id, but 
using the same credentials on the OAuth server. The server returns the same 
access token 
(Twitter does this)

What is the expected output? What do you see instead?
Exception: Received duplicate token "****" for the same consumer_key "***g"     

What version of the product are you using? On what operating system?
r98 Mac OS X

Please provide any additional information below.
The use-case of this is when OAuth is the primary method of authentication for 
the site. Because 
of this user_ids are not know before login, and so much be generated before 
each login.

What steps will reproduce the problem?
1. make a request for a server that's unavailable

What is the expected output? What do you see instead?
Expected: An exception with the curl error message
Actually: An empty string as the ['body'] of doRequest()

What version of the product are you using? On what operating system?
98

Please provide any additional information below.
The result from curl_exec() should be caught by comparing it to false.

How can I add additional information to a request token?

The first step of the protocol allows a SP to add additional parameters (I
would like to add required_access=someaccessright) to the request. This
value should be then associated with a request token. 

I see no way how I can get a token before calling $server->requestToken(),
which itself exits before returning. My solution is to overwrite
$server->requestToken() and save the additional data in my own table.

Is there a better way to do this? Any chance something like this will make
it into future releases?

Thanks

What steps will reproduce the problem?
1. Set up your test system using 8888 as Apache port.
2. Create an index.php containing:
    require_once('oauth-php/OAuthServer.php');
    $_OAS = new OAuthServer();
    $token = $_OAS->requestToken();
    echo $token;
    return;
3. Try to access the index.php with no parameters.

What is the expected output? What do you see instead?
Expected output would be "OAuth Verification Failed: Can't verify request, 
missing 
oauth_consumer_key or oauth_token". What I'm seeing in PHP's error-log is: "PHP 
Fatal error: 
Uncaught exception 'OAuthException' with message 'Unsupported characters in 
host name' in 
/Users/devilx/Documents/Dropbox/Projects/M3/backend/oauth-php/OAuthRequest.php:5
22".

What version of the product are you using? On what operating system?
r64. Mac OS X with MAMP.


Please provide any additional information below.
See the attachment, I've just patched the according Library-file. Would be 
nice, if you would 
include it in your next release. Thank you. :-)

When the mysql_connect fails the OAuthStoreMySQL initializer should abandon 
with an error 
message.

Now it silently fails, giving SQL errors when the database is accessed.

What steps will reproduce the problem?
1. Followed the INSTALL file and unpacked scripts and setup database ok
2. Hit 'logon' page and 'logged in successfully'
3. Hit 'register' and was not logged on

What is the expected output? What do you see instead?

I expected to have the $_SESSION['authorized'] set ok and move on to
registering the server, but it appears to have not stored the session.


What version of the product are you using? On what operating system?

oauth-php-r50 on PHP Version 5.2.4 running on Linux

What steps will reproduce the problem?
1. Make some stub implementations of the missing functions in
OAuthSignatureMethod_RSA_SHA1.php
2. Attempt an OAuth token request

What is the expected output? What do you see instead?
OAuth server should accept signature method.  However, the signature method
is rejected because the code has changed it to RSA_SHA1; the hyphen has
become an underscore.

What version of the product are you using? On what operating system?
This is revision 75 on debian linux.

Please provide any additional information below.
The code which converts the signature method into a class filename changes
all non-alphanumeric characters into underscores.  This remains the case
when the variable is passed to the server.  A patch is attached which
rectifies the problem by introducing a temporary variable.

What steps will reproduce the problem?
1. require_once('OAuthStoreAnyMeta.php')

What is the expected output? What do you see instead?
Success. Instead: PHP Fatal error:  require_once(): Failed opening required 
'<root>/includes/store/../../../../core/inc/any_database.inc.php'

What version of the product are you using? On what operating system?
r64. OS X.

Please provide any additional information below.
Removing the include works to _load_ the file, but I doubt the classes will 
work.

What steps will reproduce the problem?
> 1. refer to the code, http://docs.google.com/Doc?id=dcs6v3h8_20grb3k8gr

What is the expected output? What do you see instead?
> The page should redirect to authorization page, But I've got a 400 error
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=UTF-8
Date: Mon, 08 Sep 2008 06:14:30 GMT
Expires: Mon, 08 Sep 2008 06:14:30 GMT
Cache-Control: private, max-age=0
Content-Length: 48
Server: GFE/1.3

parameter_absent
oauth_parameters_absent:scope

What version of the product are you using? On what operating system?
>oauth-php-r17

Please provide any additional information below.

In examples/server/core/init.php, function assert_logged_in(), line 94, the
assertion returns without calling exit(). 

Because of this, it appears that when a user tries to begin the oauth
dance, he is never redirected to the login screen but directly on to the
callback url. 

This looks like a bug in the test server?

Hi there, my application functioned with one active user, but failed with
multiple users. I traced it back to line 324 in OAuthtStoreSQL.php.

$ocr_id = $this->query_one('
  SELECT ocr_id
  FROM oauth_consumer_registry
  WHERE ocr_consumer_key = \'%s\'
  ', $consumer_key);

I think a user ID is missing and it should be:

$ocr_id = $this->query_one('
  SELECT ocr_id
  FROM oauth_consumer_registry
  WHERE ocr_consumer_key = \'%s\' 
  AND ocr_usa_id_ref = \'%s\'
  ', $consumer_key, $user_id);

Please correct me if I'm wrong.

to set up consumer side, Mysql seems to be required. oauth requester should
not need mysql. 

can we setup consumer without having to use mysql at all or any other database

thank you very much

Implement a function to get the application ID or the consumer_key from
OAuthRequestVerifier

 $req = new OAuthRequestVerifier();
 $registeredClient = $req->verify();

 $user_id = $registeredClient['user_id'];
 $consumer_key = $registeredClient['consumer_key'];
 $app_id = $registeredClient['id'];

So that someone can get the client information when "Checking A Request For
Authorization" [http://code.google.com/p/oauth-php/wiki/ServerHowTo]

I'm trying to test a pretty basic server implementation of oauth-php by using a 
local copy of the 
OAuth Test Client like the one here:
http://term.ie/oauth/example/client.php

I am able to successfully register, request_token, and I believe authorize. 
When I authorize, I get 
redirected to a URL like:
http://local.example.com/api/2.0/oauth-test/example/client.php?
key=332c57147a4f05949f055f06688a719a04beaddd9&secret=3b3d266a2911029939c3485565c
60ab9&token=2e2e8a5020a21adb4b1b31a4bb580c1a04beade04&token_secret=a9223c7a7d3ac
3
26c9443178f704f220&endpoint=http%3A%2F%2Flocal.example.com%2Fapi%2F2.0%2Fauthori
ze&oa
uth_token=2e2e8a5020a21adb4b1b31a4bb580c1a04beade04&oauth_verifier=63de358f4b

When I then try to hit access_token I get:
OAuth Verification Failed: Can't exchange request token 
"2e2e8a5020a21adb4b1b31a4bb580c1a04beade04" for access token. No such token or 
not 
authorized

Digging further, it's because in 
OAuthStoreSql->exchangeConsumerRequestForAccessToken()...
UPDATE oauth_server_token SET ost_token  = 
'f8206fbd6f29de068589ad0f3891913304beae904', 
ost_token_secret    = '4af13cf0ab3e13594c7cf262243fb979', ost_token_type     = 
'access', 
ost_timestamp    = NOW(), ost_token_ttl = '9999-12-31' WHERE ost_token = 
'2e2e8a5020a21adb4b1b31a4bb580c1a04beade04' AND ost_token_type = 'request' AND 
ost_authorized = 1 AND ost_token_ttl >= NOW() AND ost_verifier = '0'

Does not return a row, because it's looking for ost_verifier = 0 but in the 
database the ost_verifier = 
'63de358f4b'.

Is this library is *expecting* 1.0a rather than allowing 1.0?

It appears that either the database should not have held the ost_verifier to be 
a non-zero value or 
that exchangeConsumerRequestForAccessToken() should not have ost_verifier in 
the WHERE clause 
if the input is empty.

From freeklijten in the wiki:

In the addServerToken function of OAuthStoreMySQL.php the server id is
aquired trough the following query:

$ocr_id = $this->query_one('
        SELECT ocr_id
        FROM oauth_consumer_registry
        WHERE ocr_consumer_key = \'%s\'
                ', $consumer_key);

Googles OAuth implementation supports non-registered applications to be
allowed to interact with its API's by using "anonymous" as consumer key and
consumer secret. In this case multiple users can be associated with the
same consumer key resulting in the first server found in above query being
used while inserting token.

I don't know if this is a bug or me using the wrong constructs but I hope
someone can clarify this for me.

Replace:

if (isset($_SERVER['HTTP_HOST']))
{
    $ps_pre = parse_url($_SERVER['HTTP_HOST']);
    $ps['host'] = $ps_pre['host'];
    if(isset($ps_pre['port'])) $ps['port'] = $ps_pre['port'];
}
else
{
    $ps['host'] = '';
}


With:

$ps_pre = array_merge(array('path' => '', 'query' => ''),
parse_url('OA://uth' . $_SERVER['REQUEST_URI']));
$ps['host'] = $ps_pre['host'];


Will fix this Problem. :o)

You use the function getallheaders() a couple of time in the OAuth library.
This only works in Apache. I've created a function which also works in
Lighttpd and Apache PHP FastCGI.

Here you can find it: http://pastie.org/855575


I've put it in the class OAuthRequest as static method. And replaced all
getallheaders() with OAuthRequest::getAllHeaders();