asimkumar2222 / oauth-php Goto Github PK

in OAuthStoreMySQL->getConsumer() function before the return statement
there is a user_id check:

http://code.google.com/p/oauth-php/source/browse/trunk/library/store/OAuthStoreM
ySQL.php#1122
if (!$user_is_admin && !empty($r['user_id']) && $r['user_id'] != $user_id)

the $r doesn't exist and i believe it's a typo for $c. 
It should be:
if (!$user_is_admin && !empty($c['user_id']) && $c['user_id'] != $user_id)

What steps will reproduce the problem?
1. Make some stub implementations of the missing functions in
OAuthSignatureMethod_RSA_SHA1.php
2. Attempt an OAuth token request

What is the expected output? What do you see instead?
OAuth server should accept signature method.  However, the signature method
is rejected because the code has changed it to RSA_SHA1; the hyphen has
become an underscore.

What version of the product are you using? On what operating system?
This is revision 75 on debian linux.

Please provide any additional information below.
The code which converts the signature method into a class filename changes
all non-alphanumeric characters into underscores.  This remains the case
when the variable is passed to the server.  A patch is attached which
rectifies the problem by introducing a temporary variable.

The change is in OAuthUtil::get_headers()
...
 else if (strtolower($key) == "content_type")
      {
          $out["Content-Type"] = $value;
      }
...


With this change, the function is now:


public static function get_headers() {

    if (function_exists('apache_request_headers')) {
      // we need this to get the actual Authorization: header
      // because apache tends to tell us it doesn't exist
      return apache_request_headers();
    }
    // otherwise we don't have apache and are just going to have to hope
    // that $_SERVER actually contains what we need
    $out = array();
    foreach ($_SERVER as $key => $value) {
      if (substr($key, 0, 5) == "HTTP_") {
        // this is chaos, basically it is just there to capitalize the first
        // letter of every word that is not an initial HTTP and strip HTTP
        // code from przemek
        $key = str_replace(
          " ",
          "-",
          ucwords(strtolower(str_replace("_", " ", substr($key, 5))))
        );

        $out[$key] = $value;
      } else if (strtolower($key) == "content_type")
      {
          $out["Content-Type"] = $value;
      }
    }
    return $out;
  }

It would be nice to not be reliant on $_SESSION. The "store" stuff could be 
used for it instead.

What steps will reproduce the problem?
1. Attempt to use OAuthStoreMySQL in such a way that an exception is thrown.

What is the expected output? What do you see instead?
The exception should be thrown, but PHP dies with an attempt to throw
OAuthException22, which does not exist.

What version of the product are you using? On what operating system?
This is revision 75 of SVN on debian linux.

Please provide any additional information below.
This problem was caused by revision 67, probably some runaway sed script. 
A patch is attached.

The codes does not seem to be compatible with OAuth Core 1.0 Revision A

A service provider should be able to set the accepted signature methods.
For example I would like to accept PLAINTEXT only for SSL encrypted requests.

proposal:
extend OAuthRequestVerifier with a method
OAuthRequestVerifier->setAcceptedSignatureMethod() taking an array of
strings (the signature methods), saving this in a class variable. if null
is passed all supported methods are accepted and there is no filtering.

OAuthRequestVerifier->verify should check this value and filter the request
signature method and throw an error (just like how it is node in
OAuthRequest for available methods).

alternatively the opposite could be done and a ->setDeniedSignatureMethod()
added and filtering upon that.

-ueli

What steps will reproduce the problem?
1. Get a request Token, 
2. Authorize the token
3. Access (hello)

What is the expected output? What do you see instead?
"Hello, world!"

Sometimes i see 
"OAuth Verification Failed: Verification of signature failed (signature base 
string was 
"GET&http%3A%2F%2Foauth%2Fhello&oauth_consumer_key%3Db613c535385ba5d852e453c31cd
39a180497bdbf5%26oauth_nonce%3D3254DD7C-183F-4CB1-9D20-
580FE2BBDFAF%26oauth_signature_method%3DHMAC-
SHA1%26oauth_timestamp%3D1232855178%26oauth_token%3Df81508e5447e12e7c484b6c2d3
391e410497bdf1c%26oauth_version%3D1.0")."

What version of the product are you using? On what operating system?
oauth-php-r50.tar.gz

What steps will reproduce the problem?
1. Set up your test system using 8888 as Apache port.
2. Create an index.php containing:
    require_once('oauth-php/OAuthServer.php');
    $_OAS = new OAuthServer();
    $token = $_OAS->requestToken();
    echo $token;
    return;
3. Try to access the index.php with no parameters.

What is the expected output? What do you see instead?
Expected output would be "OAuth Verification Failed: Can't verify request, 
missing 
oauth_consumer_key or oauth_token". What I'm seeing in PHP's error-log is: "PHP 
Fatal error: 
Uncaught exception 'OAuthException' with message 'Unsupported characters in 
host name' in 
/Users/devilx/Documents/Dropbox/Projects/M3/backend/oauth-php/OAuthRequest.php:5
22".

What version of the product are you using? On what operating system?
r64. Mac OS X with MAMP.


Please provide any additional information below.
See the attachment, I've just patched the according Library-file. Would be 
nice, if you would 
include it in your next release. Thank you. :-)

How can I add additional information to a request token?

The first step of the protocol allows a SP to add additional parameters (I
would like to add required_access=someaccessright) to the request. This
value should be then associated with a request token. 

I see no way how I can get a token before calling $server->requestToken(),
which itself exits before returning. My solution is to overwrite
$server->requestToken() and save the additional data in my own table.

Is there a better way to do this? Any chance something like this will make
it into future releases?

Thanks

Shinig seems to be attaching a trailing & to the uri with a signed request.
This casued RSA_SHA1 signatrue verification to not work. I implemented a
fix by not adding the paramater with an empty name in OAuthRequest,
parseUri but there is probably a better way.

Title says it all.

Nobody uses mysql_ these days. Mysqli_ or PDO should be supported, e.g. via a 
simple wrapper class.

to set up consumer side, Mysql seems to be required. oauth requester should
not need mysql. 

can we setup consumer without having to use mysql at all or any other database

thank you very much

When the mysql_connect fails the OAuthStoreMySQL initializer should abandon 
with an error 
message.

Now it silently fails, giving SQL errors when the database is accessed.

Implement a function to get the application ID or the consumer_key from
OAuthRequestVerifier

 $req = new OAuthRequestVerifier();
 $registeredClient = $req->verify();

 $user_id = $registeredClient['user_id'];
 $consumer_key = $registeredClient['consumer_key'];
 $app_id = $registeredClient['id'];

So that someone can get the client information when "Checking A Request For
Authorization" [http://code.google.com/p/oauth-php/wiki/ServerHowTo]

From freeklijten in the wiki:

In the addServerToken function of OAuthStoreMySQL.php the server id is
aquired trough the following query:

$ocr_id = $this->query_one('
        SELECT ocr_id
        FROM oauth_consumer_registry
        WHERE ocr_consumer_key = \'%s\'
                ', $consumer_key);

Googles OAuth implementation supports non-registered applications to be
allowed to interact with its API's by using "anonymous" as consumer key and
consumer secret. In this case multiple users can be associated with the
same consumer key resulting in the first server found in above query being
used while inserting token.

I don't know if this is a bug or me using the wrong constructs but I hope
someone can clarify this for me.

What steps will reproduce the problem?
1. Followed the INSTALL file and unpacked scripts and setup database ok
2. Hit 'logon' page and 'logged in successfully'
3. Hit 'register' and was not logged on

What is the expected output? What do you see instead?

I expected to have the $_SESSION['authorized'] set ok and move on to
registering the server, but it appears to have not stored the session.


What version of the product are you using? On what operating system?

oauth-php-r50 on PHP Version 5.2.4 running on Linux

I created a new Store for mysqli. As far as I could test it is working
properly. Please add the new code to the next release.

What steps will reproduce the problem?
> 1. refer to the code, http://docs.google.com/Doc?id=dcs6v3h8_20grb3k8gr

What is the expected output? What do you see instead?
> The page should redirect to authorization page, But I've got a 400 error
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=UTF-8
Date: Mon, 08 Sep 2008 06:14:30 GMT
Expires: Mon, 08 Sep 2008 06:14:30 GMT
Cache-Control: private, max-age=0
Content-Length: 48
Server: GFE/1.3

parameter_absent
oauth_parameters_absent:scope

What version of the product are you using? On what operating system?
>oauth-php-r17

Please provide any additional information below.

Project admins should add availbility to download .zip file of this 
project, because now, it is impossible to unzip archive, coz i am in 
internet cafe with guest rights that does'nt have winRAR or other archiver 
installed :)

Fatal error: Class 'OAuthException22' not found in
...\lib\oauth\store\OAuthStoreMySQL.php on line 774

What steps will reproduce the problem?
1. require_once('OAuthStoreAnyMeta.php')

What is the expected output? What do you see instead?
Success. Instead: PHP Fatal error:  require_once(): Failed opening required 
'<root>/includes/store/../../../../core/inc/any_database.inc.php'

What version of the product are you using? On what operating system?
r64. OS X.

Please provide any additional information below.
Removing the include works to _load_ the file, but I doubt the classes will 
work.

Replace:

if (isset($_SERVER['HTTP_HOST']))
{
    $ps_pre = parse_url($_SERVER['HTTP_HOST']);
    $ps['host'] = $ps_pre['host'];
    if(isset($ps_pre['port'])) $ps['port'] = $ps_pre['port'];
}
else
{
    $ps['host'] = '';
}


With:

$ps_pre = array_merge(array('path' => '', 'query' => ''),
parse_url('OA://uth' . $_SERVER['REQUEST_URI']));
$ps['host'] = $ps_pre['host'];


Will fix this Problem. :o)

What steps will reproduce the problem?
1. install OAuth from pecl
2. include this library

Result: Fatal error: Cannot redeclare class OAuthException, because it
clashes with http://php.net/manual/en/class.oauthexception.php

[deleted issue]

The osr_callback_uri field is never used. One would expect it to be used as
the default oauth_callback parameter in authorizeVerify.

It seems that OAuthStoreMySQL::getConsumerAccessToken,
OAuthStoreMySQL::listConsumers and OAuthStoreMySQL::listConsumerTokens just
need to have "osr_callback_uri as callback_uri" added to the SELECTs.

I'm having a problem getting oAuth requests to work when the request URL
includes a querystring parameter.  Any idea what might be happening?

Thanks.

1.  Setup two requests - one with a querystring parameter and one with just
a URL.

2.  Run each of the requests.

3.  The request without the querystring parameter runs fine and returns the
expected output.  When a querystring parameter is included in the oAuth
request URL the error Verification of signature failed (signature base
string was ...) is returned.