def access_token(request):
oauth_request = get_oauth_request(request)
if oauth_request is None:
return INVALID_PARAMS_RESPONSE
missing_params = require_params(oauth_request, ("oauth_token", "oauth_verifier"))
if missing_params is not None:
return missing_params
try:
request_token = store.get_request_token(request, oauth_request, oauth_request["oauth_token"])
except InvalidTokenError:
return HttpResponseBadRequest("Invalid request token.")
try:
consumer = store.get_consumer(request, oauth_request, oauth_request["oauth_consumer_key"])
except InvalidConsumerError:
return HttpResponseBadRequest("Invalid consumer.")
if not verify_oauth_request(request, oauth_request, consumer, request_token):
return HttpResponseBadRequest("Could not verify OAuth request.")
if oauth_request.get("oauth_verifier", None) != request_token.verifier:
return HttpResponseBadRequest("Invalid OAuth verifier.")
if not request_token.is_approved:
return HttpResponseBadRequest("Request Token not approved by the user.")
access_token = store.create_access_token(request, oauth_request, consumer, request_token)
ret = urlencode({"oauth_token": access_token.key, "oauth_token_secret": access_token.secret})
return HttpResponse(ret, content_type="application/x-www-form-urlencoded")
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
if 'oauth_token' not in request.REQUEST:
return HttpResponseBadRequest('No request token specified.')
oauth_request = get_oauth_request(request)
try:
request_token = store.get_request_token(request, oauth_request,
request.REQUEST['oauth_token'])
except InvalidTokenError:
logging.info('Oauth error: could not authorize user %s with token %s' %
(request.user, request.REQUEST['oauth_token']))
return HttpResponseBadRequest('Invalid request token.')
consumer = store.get_consumer_for_request_token(request, oauth_request,
request_token)
if request.method == 'POST':
form = form_class(request.POST)
if request.session.get('oauth',
'') == request_token.key and form.is_valid():
request.session['oauth'] = ''
if form.cleaned_data['authorize_access']:
request_token = store.authorize_request_token(
request, oauth_request, request_token)
args = {'oauth_token': request_token.key}
else:
args = {'error': _('Access not granted by user.')}
if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
response = HttpResponseRedirect(
'%s&%s' %
(request_token.get_callback_url(), urlencode(args)))
else:
# try to get custom callback view
callback_view_str = getattr(
settings, OAUTH_CALLBACK_VIEW,
'oauth_provider.views.fake_callback_view')
try:
callback_view = get_callable(callback_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % callback_view_str
response = callback_view(request, **args)
else:
response = send_oauth_error(oauth.Error(_('Action not allowed.')))
else:
# try to get custom authorize view
authorize_view_str = getattr(
settings, OAUTH_AUTHORIZE_VIEW,
'oauth_provider.views.default_authorize_view')
try:
authorize_view = get_callable(authorize_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % authorize_view_str
params = oauth_request.get_normalized_parameters()
# set the oauth flag
request.session['oauth'] = request_token.key
response = authorize_view(request, request_token,
request_token.get_callback_url(), params)
return response
def access_token(request):
oauth_request = get_oauth_request(request)
if oauth_request is None:
return INVALID_PARAMS_RESPONSE
missing_params = require_params(oauth_request, ('oauth_token', 'oauth_verifier'))
if missing_params is not None:
return missing_params
try:
request_token = store.get_request_token(request, oauth_request, oauth_request['oauth_token'])
except InvalidTokenError:
return HttpResponseBadRequest('Invalid request token.')
try:
consumer = store.get_consumer(request, oauth_request, oauth_request['oauth_consumer_key'])
except InvalidConsumerError:
return HttpResponseBadRequest('Invalid consumer.')
if not verify_oauth_request(request, oauth_request, consumer, request_token):
return HttpResponseBadRequest('Could not verify OAuth request.')
if oauth_request.get('oauth_verifier', None) != request_token.verifier:
return HttpResponseBadRequest('Invalid OAuth verifier.')
if not request_token.is_approved:
return HttpResponseBadRequest('Request Token not approved by the user.')
access_token = store.create_access_token(request, oauth_request, consumer, request_token)
ret = urlencode({
'oauth_token': access_token.key,
'oauth_token_secret': access_token.secret
})
return HttpResponse(ret, content_type='application/x-www-form-urlencoded')
def access_token(request):
oauth_request = get_oauth_request(request)
missing_params = require_params(oauth_request, ('oauth_token', 'oauth_verifier'))
if missing_params is not None:
return missing_params
try:
request_token = store.get_request_token(request, oauth_request, oauth_request['oauth_token'])
except InvalidTokenError:
return HttpResponseBadRequest('Invalid request token.')
try:
consumer = store.get_consumer(request, oauth_request, oauth_request['oauth_consumer_key'])
except InvalidConsumerError:
return HttpResponseBadRequest('Invalid consumer.')
if not verify_oauth_request(request, oauth_request, consumer, request_token):
return HttpResponseBadRequest('Could not verify OAuth request.')
if oauth_request.get('oauth_verifier', None) != request_token.verifier:
return HttpResponseBadRequest('Invalid OAuth verifier.')
if not request_token.is_approved:
return HttpResponseBadRequest('Request Token not approved by the user.')
access_token = store.create_access_token(request, oauth_request, consumer, request_token)
ret = urlencode({
'oauth_token': access_token.key,
'oauth_token_secret': access_token.secret
})
return HttpResponse(ret, content_type='application/x-www-form-urlencoded')
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
if 'oauth_token' not in request.REQUEST:
return oauth_error_response('No request token specified.', status_code=httplib.BAD_REQUEST)
oauth_request = get_oauth_request(request)
try:
request_token = store.get_request_token(request, oauth_request, request.REQUEST['oauth_token'])
except InvalidTokenError:
return oauth_error_response('Invalid request token.', status_code=httplib.BAD_REQUEST)
consumer = store.get_consumer_for_request_token(request, oauth_request, request_token)
if request.method == 'POST':
form = form_class(request.POST)
if request.session.get('oauth', '') == request_token.key and form.is_valid():
request.session['oauth'] = ''
if form.cleaned_data['authorize_access']:
request_token.name = form.cleaned_data.get("client_name", getattr(settings, "OAUTH_PROVIDER_TOKEN_DEFAULT_NAME", "Unnamed"))
request_token = store.authorize_request_token(request, oauth_request, request_token)
args = { 'oauth_token': request_token.key }
else:
args = { 'error': _('Access not granted by user.') }
if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
response = HttpResponseRedirect('%s&%s' % (request_token.get_callback_url(), urlencode(args)))
else:
# try to get custom callback view
if request_token.callback == OUT_OF_BAND:
callback_view_str = getattr(settings, OAUTH_PROVIDER_OUT_OF_BAND_CALLBACK_VIEW,
'oauth_provider.views.fake_out_of_band_callback_view')
else:
# try to get custom callback view
callback_view_str = getattr(settings, OAUTH_PROVIDER_CALLBACK_VIEW,
'oauth_provider.views.fake_callback_view')
try:
callback_view = get_callable(callback_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % callback_view_str
response = callback_view(request, request_token, **args)
else:
response = oauth_error_response(oauth.Error(_('Action not allowed.')))
else:
# try to get custom authorize view
authorize_view_str = getattr(settings, OAUTH_PROVIDER_AUTHORIZE_VIEW,
'oauth_provider.views.default_authorize_view')
try:
authorize_view = get_callable(authorize_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % authorize_view_str
params = oauth_request.get_normalized_parameters()
# set the oauth flag
request.session['oauth'] = request_token.key
response = authorize_view(request, request_token, request_token.get_callback_url(), params)
return response
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
if 'oauth_token' not in request.REQUEST:
return HttpResponseBadRequest('No request token specified.')
oauth_request = get_oauth_request(request)
try:
request_token = store.get_request_token(request, oauth_request, request.REQUEST['oauth_token'])
except InvalidTokenError:
return HttpResponseBadRequest('Invalid request token.')
consumer = store.get_consumer_for_request_token(request, oauth_request, request_token)
if request.method == 'POST':
form = form_class(request.POST)
if request.session.get('oauth', '') == request_token.key and form.is_valid():
request.session['oauth'] = ''
if form.cleaned_data['authorize_access']:
request_token = store.authorize_request_token(request, oauth_request, request_token)
args = { 'oauth_token': request_token }
else:
args = { 'error': _('Access not granted by user.') }
if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
response = HttpResponseRedirect(request_token.get_callback_url(args))
else:
# try to get custom callback view
callback_view_str = getattr(settings, OAUTH_CALLBACK_VIEW,
'oauth_provider.views.fake_callback_view')
try:
callback_view = get_callable(callback_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % callback_view_str
response = callback_view(request, **args)
else:
response = send_oauth_error(oauth.Error(_('Action not allowed.')))
else:
# try to get custom authorize view
authorize_view_str = getattr(settings, OAUTH_AUTHORIZE_VIEW,
'oauth_provider.views.fake_authorize_view')
try:
authorize_view = get_callable(authorize_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % authorize_view_str
params = oauth_request.get_normalized_parameters()
# set the oauth flag
request.session['oauth'] = request_token.key
response = authorize_view(request, request_token, request_token.get_callback_url(), params)
return response
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
if "oauth_token" not in request.REQUEST:
return HttpResponseBadRequest("No request token specified.")
oauth_request = get_oauth_request(request)
try:
request_token = store.get_request_token(request, oauth_request, request.REQUEST["oauth_token"])
except InvalidTokenError:
return HttpResponseBadRequest("Invalid request token.")
consumer = store.get_consumer_for_request_token(request, oauth_request, request_token)
if request.method == "POST":
form = form_class(request.POST)
if request.session.get("oauth", "") == request_token.key and form.is_valid():
request.session["oauth"] = ""
if form.cleaned_data["authorize_access"]:
request_token = store.authorize_request_token(request, oauth_request, request_token)
args = {"oauth_token": request_token.key}
else:
args = {"error": _("Access not granted by user.")}
if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
response = HttpResponseRedirect("%s&%s" % (request_token.get_callback_url(), urlencode(args)))
else:
# try to get custom callback view
callback_view_str = getattr(settings, OAUTH_CALLBACK_VIEW, "oauth_provider.views.fake_callback_view")
try:
callback_view = get_callable(callback_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % callback_view_str
response = callback_view(request, **args)
else:
response = send_oauth_error(oauth.Error(_("Action not allowed.")))
else:
# try to get custom authorize view
authorize_view_str = getattr(settings, OAUTH_AUTHORIZE_VIEW, "oauth_provider.views.fake_authorize_view")
try:
authorize_view = get_callable(authorize_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % authorize_view_str
params = oauth_request.get_normalized_parameters()
# set the oauth flag
request.session["oauth"] = request_token.key
response = authorize_view(request, request_token, request_token.get_callback_url(), params)
return response
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
if 'oauth_token' not in request.REQUEST:
return HttpResponseBadRequest('No request token specified.')
oauth_request = get_oauth_request(request)
try:
request_token = store.get_request_token(request, oauth_request,
request.REQUEST['oauth_token'])
except InvalidTokenError:
return HttpResponse('Invalid request token: %s' %
request.REQUEST['oauth_token'],
status=401)
consumer = store.get_consumer_for_request_token(request, oauth_request,
request_token)
# LRS CHANGE - MAKE SURE LOGGED IN USER OWNS THIS CONSUMER
if request.user != consumer.user:
return HttpResponseForbidden('Invalid user for this client.')
if request.method == 'POST':
form = form_class(request.POST)
if request.session.get('oauth',
'') == request_token.key and form.is_valid():
request.session['oauth'] = ''
if form.cleaned_data['authorize_access']:
request_token = store.authorize_request_token(
request, oauth_request, request_token)
args = {'oauth_token': request_token.key}
else:
args = {'error': _('Access not granted by user.')}
if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
callback_url = request_token.get_callback_url(args)
if UNSAFE_REDIRECTS:
response = UnsafeRedirect(callback_url)
else:
response = HttpResponseRedirect(callback_url)
else:
# try to get custom callback view
callback_view_str = getattr(
settings, OAUTH_CALLBACK_VIEW,
'oauth_provider.views.fake_callback_view')
try:
view_callable = get_callable(callback_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % callback_view_str
# try to treat it as Class Based View (CBV)
try:
callback_view = view_callable.as_view()
except AttributeError:
# if it appears not to be CBV treat it like FBV
callback_view = view_callable
response = callback_view(request, **args)
else:
response = send_oauth_error(oauth.Error(_('Action not allowed.')))
else:
# try to get custom authorize view
authorize_view_str = getattr(
settings, OAUTH_AUTHORIZE_VIEW,
'oauth_provider.views.fake_authorize_view')
try:
view_callable = get_callable(authorize_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % authorize_view_str
# try to treat it as Class Based View (CBV)
try:
authorize_view = view_callable.as_view()
except AttributeError:
# if it appears not to be CBV treat it like FBV
authorize_view = view_callable
params = oauth_request.get_normalized_parameters()
# set the oauth flag
request.session['oauth'] = request_token.key
response = authorize_view(request, request_token,
request_token.get_callback_url(), params)
return response
def access_token(request):
oauth_request = get_oauth_request(request)
if oauth_request is None:
return HttpResponseBadRequest('Invalid request parameters.')
# Consumer
try:
consumer = store.get_consumer(request, oauth_request,
oauth_request['oauth_consumer_key'])
except InvalidConsumerError:
return HttpResponseBadRequest('Invalid consumer.')
is_xauth = is_xauth_request(oauth_request)
if not is_xauth:
# Check Parameters
missing_params = require_params(oauth_request,
('oauth_token', 'oauth_verifier'))
if missing_params is not None:
return missing_params
# Check Request Token
try:
request_token = store.get_request_token(
request, oauth_request, oauth_request['oauth_token'])
except InvalidTokenError:
return HttpResponse('Invalid request token: %s' %
oauth_request['oauth_token'],
status=401)
if not request_token.is_approved:
return HttpResponse('Request Token not approved by the user.',
status=401)
# Verify Signature
if not verify_oauth_request(request, oauth_request, consumer,
request_token):
return HttpResponseBadRequest('Could not verify OAuth request.')
# Check Verifier
if oauth_request.get('oauth_verifier', None) != request_token.verifier:
return HttpResponseBadRequest('Invalid OAuth verifier.')
else: # xAuth
# Check Parameters
missing_params = require_params(
oauth_request,
('x_auth_username', 'x_auth_password', 'x_auth_mode'))
if missing_params is not None:
return missing_params
# Check if Consumer allows xAuth
if not consumer.xauth_allowed:
return HttpResponseBadRequest('xAuth not allowed for this method')
# Check Signature
if not verify_oauth_request(request, oauth_request, consumer):
return HttpResponseBadRequest('Could not verify xAuth request.')
user = authenticate(
x_auth_username=oauth_request.get_parameter('x_auth_username'),
x_auth_password=oauth_request.get_parameter('x_auth_password'),
x_auth_mode=oauth_request.get_parameter('x_auth_mode'))
if not user:
return HttpResponseBadRequest(
'xAuth username or password is not valid')
else:
request.user = user
# Handle Request Token
try:
#request_token = store.create_request_token(request, oauth_request, consumer, oauth_request.get('oauth_callback'))
request_token = store.create_request_token(request, oauth_request,
consumer, OUT_OF_BAND)
request_token = store.authorize_request_token(
request, oauth_request, request_token)
except oauth.Error, err:
return send_oauth_error(err)
def access_token(request):
oauth_request = get_oauth_request(request)
if oauth_request is None:
return INVALID_PARAMS_RESPONSE
# Consumer
try:
consumer = store.get_consumer(request, oauth_request, oauth_request['oauth_consumer_key'])
except InvalidConsumerError:
return HttpResponseBadRequest('Invalid consumer.')
is_xauth = is_xauth_request(oauth_request)
if not is_xauth:
# Check Parameters
missing_params = require_params(oauth_request, ('oauth_token', 'oauth_verifier'))
if missing_params is not None:
return missing_params
# Check Request Token
try:
request_token = store.get_request_token(request, oauth_request, oauth_request['oauth_token'])
except InvalidTokenError:
return HttpResponseBadRequest('Invalid request token.')
if not request_token.is_approved:
return HttpResponseBadRequest('Request Token not approved by the user.')
# Verify Signature
if not verify_oauth_request(request, oauth_request, consumer, request_token):
return HttpResponseBadRequest('Could not verify OAuth request.')
# Check Verifier
if oauth_request.get('oauth_verifier', None) != request_token.verifier:
return HttpResponseBadRequest('Invalid OAuth verifier.')
else: # xAuth
# Check Parameters
missing_params = require_params(oauth_request, ('x_auth_username', 'x_auth_password', 'x_auth_mode'))
if missing_params is not None:
return missing_params
# Check if Consumer allows xAuth
if not consumer.xauth_allowed:
return HttpResponseBadRequest('xAuth not allowed for this method')
# Check Signature
if not verify_oauth_request(request, oauth_request, consumer):
return HttpResponseBadRequest('Could not verify xAuth request.')
# Check Username/Password
if is_xauth and not verify_xauth_request(request, oauth_request):
return HttpResponseBadRequest('xAuth username or password is not valid')
# Handle Request Token
try:
#request_token = store.create_request_token(request, oauth_request, consumer, oauth_request.get('oauth_callback'))
request_token = store.create_request_token(request, oauth_request, consumer, OUT_OF_BAND)
request_token = store.authorize_request_token(request, oauth_request, request_token)
except oauth.Error, err:
return send_oauth_error(err)
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
if 'oauth_token' not in request.REQUEST:
return oauth_error_response('No request token specified.',
status_code=httplib.BAD_REQUEST)
oauth_request = get_oauth_request(request)
try:
request_token = store.get_request_token(request, oauth_request,
request.REQUEST['oauth_token'])
except InvalidTokenError:
return oauth_error_response('Invalid request token.',
status_code=httplib.BAD_REQUEST)
consumer = store.get_consumer_for_request_token(request, oauth_request,
request_token)
if request.method == 'POST':
form = form_class(request.POST)
if request.session.get('oauth',
'') == request_token.key and form.is_valid():
request.session['oauth'] = ''
if form.cleaned_data['authorize_access']:
request_token.name = form.cleaned_data.get(
"client_name",
getattr(settings, "OAUTH_PROVIDER_TOKEN_DEFAULT_NAME",
"Unnamed"))
request_token = store.authorize_request_token(
request, oauth_request, request_token)
args = {'oauth_token': request_token.key}
else:
args = {'error': _('Access not granted by user.')}
if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
response = HttpResponseRedirect(
'%s&%s' %
(request_token.get_callback_url(), urlencode(args)))
else:
# try to get custom callback view
if request_token.callback == OUT_OF_BAND:
callback_view_str = getattr(
settings, OAUTH_PROVIDER_OUT_OF_BAND_CALLBACK_VIEW,
'oauth_provider.views.fake_out_of_band_callback_view')
else:
# try to get custom callback view
callback_view_str = getattr(
settings, OAUTH_PROVIDER_CALLBACK_VIEW,
'oauth_provider.views.fake_callback_view')
try:
callback_view = get_callable(callback_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % callback_view_str
response = callback_view(request, request_token, **args)
else:
response = oauth_error_response(
oauth.Error(_('Action not allowed.')))
else:
# try to get custom authorize view
authorize_view_str = getattr(
settings, OAUTH_PROVIDER_AUTHORIZE_VIEW,
'oauth_provider.views.default_authorize_view')
try:
authorize_view = get_callable(authorize_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % authorize_view_str
params = oauth_request.get_normalized_parameters()
# set the oauth flag
request.session['oauth'] = request_token.key
response = authorize_view(request, request_token,
request_token.get_callback_url(), params)
return response
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
if request.method.lower() == "get":
if "oauth_token" not in request.GET:
return HttpResponseBadRequest("No request token specified.")
incoming_token = request.GET["oauth_token"]
elif request.method.lower() == "post":
if "oauth_token" not in request.POST:
return HttpResponseBadRequest("No request token specified.")
incoming_token = request.POST["oauth_token"]
oauth_request = get_oauth_request(request)
try:
request_token = store.get_request_token(request, oauth_request, incoming_token)
except InvalidTokenError:
return HttpResponse("Invalid request token: %s" % incoming_token, status=401)
consumer = store.get_consumer_for_request_token(request, oauth_request, request_token)
# LRS CHANGE - MAKE SURE LOGGED IN USER OWNS THIS CONSUMER
if request.user != consumer.user:
return HttpResponseForbidden("Invalid user for this client.")
if request.method == "POST":
form = form_class(request.POST)
if request.session.get("oauth", "") == request_token.key and form.is_valid():
request.session["oauth"] = ""
if form.cleaned_data["authorize_access"]:
request_token = store.authorize_request_token(request, oauth_request, request_token)
args = {"oauth_token": request_token.key}
else:
args = {"error": _("Access not granted by user.")}
if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
callback_url = request_token.get_callback_url(args)
if UNSAFE_REDIRECTS:
response = UnsafeRedirect(callback_url)
else:
response = HttpResponseRedirect(callback_url)
else:
# try to get custom callback view
callback_view_str = getattr(settings, OAUTH_CALLBACK_VIEW, "oauth_provider.views.fake_callback_view")
try:
view_callable = get_callable(callback_view_str)
except AttributeError:
raise Exception("%s view doesn't exist." % callback_view_str)
# try to treat it as Class Based View (CBV)
try:
callback_view = view_callable.as_view()
except AttributeError:
# if it appears not to be CBV treat it like FBV
callback_view = view_callable
response = callback_view(request, **args)
else:
response = send_oauth_error(
"https" if request.is_secure() else "http",
get_current_site(request).domain,
oauth.Error(_("Action not allowed.")),
)
else:
# try to get custom authorize view
authorize_view_str = getattr(settings, OAUTH_AUTHORIZE_VIEW, "oauth_provider.views.fake_authorize_view")
try:
view_callable = get_callable(authorize_view_str)
except AttributeError:
raise Exception("%s view doesn't exist." % authorize_view_str)
# try to treat it as Class Based View (CBV)
try:
authorize_view = view_callable.as_view()
except AttributeError:
# if it appears not to be CBV treat it like FBV
authorize_view = view_callable
params = oauth_request.get_normalized_parameters()
# set the oauth flag
request.session["oauth"] = request_token.key
response = authorize_view(request, request_token, request_token.get_callback_url(), params)
return response
def access_token(request):
oauth_request = get_oauth_request(request)
if oauth_request is None:
return HttpResponseBadRequest("Invalid request parameters.")
# Consumer
try:
consumer = store.get_consumer(request, oauth_request, oauth_request["oauth_consumer_key"])
except InvalidConsumerError:
return HttpResponseBadRequest("Invalid consumer.")
is_xauth = is_xauth_request(oauth_request)
if not is_xauth:
# Check Parameters
missing_params = require_params(oauth_request, ("oauth_token", "oauth_verifier"))
if missing_params is not None:
return missing_params
# Check Request Token
try:
request_token = store.get_request_token(request, oauth_request, oauth_request["oauth_token"])
except InvalidTokenError:
return HttpResponse("Invalid request token: %s" % oauth_request["oauth_token"], status=401)
if not request_token.is_approved:
return HttpResponse("Request Token not approved by the user.", status=401)
# Verify Signature
if not verify_oauth_request(request, oauth_request, consumer, request_token):
return HttpResponseBadRequest("Could not verify OAuth request.")
# Check Verifier
if oauth_request.get("oauth_verifier", None) != request_token.verifier:
return HttpResponseBadRequest("Invalid OAuth verifier.")
else: # xAuth
# Check Parameters
missing_params = require_params(oauth_request, ("x_auth_username", "x_auth_password", "x_auth_mode"))
if missing_params is not None:
return missing_params
# Check if Consumer allows xAuth
if not consumer.xauth_allowed:
return HttpResponseBadRequest("xAuth not allowed for this method")
# Check Signature
if not verify_oauth_request(request, oauth_request, consumer):
return HttpResponseBadRequest("Could not verify xAuth request.")
user = authenticate(
x_auth_username=oauth_request.get_parameter("x_auth_username"),
x_auth_password=oauth_request.get_parameter("x_auth_password"),
x_auth_mode=oauth_request.get_parameter("x_auth_mode"),
)
if not user:
return HttpResponseBadRequest("xAuth username or password is not valid")
else:
request.user = user
# Handle Request Token
try:
# request_token = store.create_request_token(request, oauth_request, consumer, oauth_request.get('oauth_callback'))
request_token = store.create_request_token(request, oauth_request, consumer, OUT_OF_BAND)
request_token = store.authorize_request_token(request, oauth_request, request_token)
except oauth.Error as err:
return send_oauth_error("https" if request.is_secure() else "http", get_current_site(request).domain, err)
access_token = store.create_access_token(request, oauth_request, consumer, request_token)
ret = urlencode({"oauth_token": access_token.key, "oauth_token_secret": access_token.secret})
return HttpResponse(ret, content_type="application/x-www-form-urlencoded")
def user_authorization(request, form_class=AuthClientForm):
if 'oauth_token' not in request.REQUEST:
return HttpResponseBadRequest('No request token specified.')
oauth_request = get_oauth_request(request)
try:
request_token = store.get_request_token(request, oauth_request, request.REQUEST['oauth_token'])
except InvalidTokenError:
return HttpResponse('Invalid request token: %s' % request.REQUEST['oauth_token'], status=401)
consumer = store.get_consumer_for_request_token(request, oauth_request, request_token)
# LRS CHANGE - MAKE SURE LOGGED IN USER OWNS THIS CONSUMER
if request.user != consumer.user:
return HttpResponseForbidden('Invalid user for this client.')
if request.method == 'POST':
form = form_class(request.POST)
if request.session.get('oauth', '') == request_token.key and form.is_valid():
request.session['oauth'] = ''
if form.cleaned_data['authorize_access']:
request_token = store.authorize_request_token(request, oauth_request, request_token)
args = { 'oauth_token': request_token.key }
else:
args = { 'error': _('Access not granted by user.') }
if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
callback_url = request_token.get_callback_url(args)
if UNSAFE_REDIRECTS:
response = UnsafeRedirect(callback_url)
else:
response = HttpResponseRedirect(callback_url)
else:
# try to get custom callback view
callback_view_str = getattr(settings, OAUTH_CALLBACK_VIEW,
'oauth_provider.views.fake_callback_view')
try:
view_callable = get_callable(callback_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % callback_view_str
# try to treat it as Class Based View (CBV)
try:
callback_view = view_callable.as_view()
except AttributeError:
# if it appears not to be CBV treat it like FBV
callback_view = view_callable
response = callback_view(request, **args)
else:
response = send_oauth_error(oauth.Error(_('Action not allowed.')))
else:
# try to get custom authorize view
authorize_view_str = getattr(settings, OAUTH_AUTHORIZE_VIEW,
'oauth_provider.views.fake_authorize_view')
try:
view_callable = get_callable(authorize_view_str)
except AttributeError:
raise Exception, "%s view doesn't exist." % authorize_view_str
# try to treat it as Class Based View (CBV)
try:
authorize_view = view_callable.as_view()
except AttributeError:
# if it appears not to be CBV treat it like FBV
authorize_view = view_callable
params = oauth_request.get_normalized_parameters()
# set the oauth flag
request.session['oauth'] = request_token.key
response = authorize_view(request, request_token, request_token.get_callback_url(), params)
return response
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
if request.method.lower() == 'get':
if 'oauth_token' not in request.GET:
return HttpResponseBadRequest('No request token specified.')
incoming_token = request.GET['oauth_token']
elif request.method.lower() == 'post':
if 'oauth_token' not in request.POST:
return HttpResponseBadRequest('No request token specified.')
incoming_token = request.POST['oauth_token']
oauth_request = get_oauth_request(request)
try:
request_token = store.get_request_token(request, oauth_request,
incoming_token)
except InvalidTokenError:
return HttpResponse('Invalid request token: %s' % incoming_token,
status=401)
consumer = store.get_consumer_for_request_token(request, oauth_request,
request_token)
# LRS CHANGE - MAKE SURE LOGGED IN USER OWNS THIS CONSUMER
# CLATOOLKIT CHANGE - MULTIPLE USERS CAN HAVE MULTIPLE CONSUMERS
if not consumer.attached_to_user(request.user):
return HttpResponseForbidden('Invalid user for this client.')
if request.method == 'POST':
form = form_class(request.POST)
print 'request.session.oauth == request_token.key? %s' % (
request.session.get('oauth', '') == request_token.key)
print 'session: %s and request_token: %s' % (request.session.get(
'oauth', ''), request_token.key)
print 'form valid? %s' % form.is_valid()
if not form.is_valid():
print 'form errors: %s' % form.errors
if request.session.get('oauth',
'') == request_token.key and form.is_valid():
request.session['oauth'] = ''
if form.cleaned_data['authorize_access']:
request_token = store.authorize_request_token(
request, oauth_request, request_token)
args = {
'oauth_token': request_token.key,
'user': request.GET.get('clau', None)
}
else:
args = {'error': _('Access not granted by user.')}
print 'callback url: %s' % (request_token.callback)
# print 'new callback url: %s' % (request_token.callback)
if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
callback_url = request_token.get_callback_url(args)
#cla-user = request.GET.get('clau', None)
#print 'got CLA user: %s' % (cla-user)
if UNSAFE_REDIRECTS:
response = UnsafeRedirect(
callback_url) #+'?user=%s' % cla-user)
else:
response = HttpResponseRedirect(
callback_url) #+'?user=%s' % cla-user)
else:
print "We're in here..."
# try to get custom callback view
callback_view_str = getattr(
settings, OAUTH_CALLBACK_VIEW,
'oauth_provider.views.fake_callback_view')
try:
view_callable = get_callable(callback_view_str)
except AttributeError:
raise Exception("%s view doesn't exist." %
callback_view_str)
# try to treat it as Class Based View (CBV)
try:
callback_view = view_callable.as_view()
except AttributeError:
# if it appears not to be CBV treat it like FBV
callback_view = view_callable
response = callback_view(request, **args)
else:
response = send_oauth_error(
'https' if request.is_secure() else 'http',
get_current_site(request).domain,
oauth.Error(_('Action not allowed.')))
else:
# try to get custom authorize view
authorize_view_str = getattr(
settings, OAUTH_AUTHORIZE_VIEW,
'oauth_provider.views.fake_authorize_view')
try:
view_callable = get_callable(authorize_view_str)
except AttributeError:
raise Exception("%s view doesn't exist." % authorize_view_str)
# try to treat it as Class Based View (CBV)
try:
authorize_view = view_callable.as_view()
except AttributeError:
# if it appears not to be CBV treat it like FBV
authorize_view = view_callable
params = oauth_request.get_normalized_parameters()
# set the oauth flag
request.session['oauth'] = request_token.key
response = authorize_view(request, request_token,
request_token.get_callback_url(), params)
return response