Ejemplo n.º 1
0
def access_token(request):
    oauth_request = get_oauth_request(request)

    if oauth_request is None:
        return INVALID_PARAMS_RESPONSE

    missing_params = require_params(oauth_request, ("oauth_token", "oauth_verifier"))
    if missing_params is not None:
        return missing_params

    try:
        request_token = store.get_request_token(request, oauth_request, oauth_request["oauth_token"])
    except InvalidTokenError:
        return HttpResponseBadRequest("Invalid request token.")
    try:
        consumer = store.get_consumer(request, oauth_request, oauth_request["oauth_consumer_key"])
    except InvalidConsumerError:
        return HttpResponseBadRequest("Invalid consumer.")

    if not verify_oauth_request(request, oauth_request, consumer, request_token):
        return HttpResponseBadRequest("Could not verify OAuth request.")

    if oauth_request.get("oauth_verifier", None) != request_token.verifier:
        return HttpResponseBadRequest("Invalid OAuth verifier.")

    if not request_token.is_approved:
        return HttpResponseBadRequest("Request Token not approved by the user.")

    access_token = store.create_access_token(request, oauth_request, consumer, request_token)

    ret = urlencode({"oauth_token": access_token.key, "oauth_token_secret": access_token.secret})
    return HttpResponse(ret, content_type="application/x-www-form-urlencoded")
Ejemplo n.º 2
0
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
    if 'oauth_token' not in request.REQUEST:
        return HttpResponseBadRequest('No request token specified.')

    oauth_request = get_oauth_request(request)

    try:
        request_token = store.get_request_token(request, oauth_request,
                                                request.REQUEST['oauth_token'])
    except InvalidTokenError:
        logging.info('Oauth error: could not authorize user %s with token %s' %
                     (request.user, request.REQUEST['oauth_token']))
        return HttpResponseBadRequest('Invalid request token.')

    consumer = store.get_consumer_for_request_token(request, oauth_request,
                                                    request_token)

    if request.method == 'POST':
        form = form_class(request.POST)
        if request.session.get('oauth',
                               '') == request_token.key and form.is_valid():
            request.session['oauth'] = ''
            if form.cleaned_data['authorize_access']:
                request_token = store.authorize_request_token(
                    request, oauth_request, request_token)
                args = {'oauth_token': request_token.key}
            else:
                args = {'error': _('Access not granted by user.')}
            if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
                response = HttpResponseRedirect(
                    '%s&%s' %
                    (request_token.get_callback_url(), urlencode(args)))
            else:
                # try to get custom callback view
                callback_view_str = getattr(
                    settings, OAUTH_CALLBACK_VIEW,
                    'oauth_provider.views.fake_callback_view')
                try:
                    callback_view = get_callable(callback_view_str)
                except AttributeError:
                    raise Exception, "%s view doesn't exist." % callback_view_str
                response = callback_view(request, **args)
        else:
            response = send_oauth_error(oauth.Error(_('Action not allowed.')))
    else:
        # try to get custom authorize view
        authorize_view_str = getattr(
            settings, OAUTH_AUTHORIZE_VIEW,
            'oauth_provider.views.default_authorize_view')
        try:
            authorize_view = get_callable(authorize_view_str)
        except AttributeError:
            raise Exception, "%s view doesn't exist." % authorize_view_str
        params = oauth_request.get_normalized_parameters()
        # set the oauth flag
        request.session['oauth'] = request_token.key
        response = authorize_view(request, request_token,
                                  request_token.get_callback_url(), params)

    return response
Ejemplo n.º 3
0
def access_token(request):
    oauth_request = get_oauth_request(request)
    if oauth_request is None:
        return INVALID_PARAMS_RESPONSE

    missing_params = require_params(oauth_request, ('oauth_token', 'oauth_verifier'))
    if missing_params is not None:
        return missing_params

    try:
        request_token = store.get_request_token(request, oauth_request, oauth_request['oauth_token'])
    except InvalidTokenError:
        return HttpResponseBadRequest('Invalid request token.')
    try:
        consumer = store.get_consumer(request, oauth_request, oauth_request['oauth_consumer_key'])
    except InvalidConsumerError:
        return HttpResponseBadRequest('Invalid consumer.')

    if not verify_oauth_request(request, oauth_request, consumer, request_token):
        return HttpResponseBadRequest('Could not verify OAuth request.')

    if oauth_request.get('oauth_verifier', None) != request_token.verifier:
        return HttpResponseBadRequest('Invalid OAuth verifier.')

    if not request_token.is_approved:
        return HttpResponseBadRequest('Request Token not approved by the user.')

    access_token = store.create_access_token(request, oauth_request, consumer, request_token)

    ret = urlencode({
        'oauth_token': access_token.key,
        'oauth_token_secret': access_token.secret
    })
    return HttpResponse(ret, content_type='application/x-www-form-urlencoded')
Ejemplo n.º 4
0
def access_token(request):
    oauth_request = get_oauth_request(request)

    missing_params = require_params(oauth_request, ('oauth_token', 'oauth_verifier'))
    if missing_params is not None:
        return missing_params

    try:
        request_token = store.get_request_token(request, oauth_request, oauth_request['oauth_token'])
    except InvalidTokenError:
        return HttpResponseBadRequest('Invalid request token.')
    try:
        consumer = store.get_consumer(request, oauth_request, oauth_request['oauth_consumer_key'])
    except InvalidConsumerError:
        return HttpResponseBadRequest('Invalid consumer.')

    if not verify_oauth_request(request, oauth_request, consumer, request_token):
        return HttpResponseBadRequest('Could not verify OAuth request.')

    if oauth_request.get('oauth_verifier', None) != request_token.verifier:
        return HttpResponseBadRequest('Invalid OAuth verifier.')

    if not request_token.is_approved:
        return HttpResponseBadRequest('Request Token not approved by the user.')

    access_token = store.create_access_token(request, oauth_request, consumer, request_token)

    ret = urlencode({
        'oauth_token': access_token.key,
        'oauth_token_secret': access_token.secret
    })
    return HttpResponse(ret, content_type='application/x-www-form-urlencoded')
Ejemplo n.º 5
0
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
    if 'oauth_token' not in request.REQUEST:
        return oauth_error_response('No request token specified.', status_code=httplib.BAD_REQUEST)

    oauth_request = get_oauth_request(request)

    try:
        request_token = store.get_request_token(request, oauth_request, request.REQUEST['oauth_token'])
    except InvalidTokenError:
        return oauth_error_response('Invalid request token.', status_code=httplib.BAD_REQUEST)

    consumer = store.get_consumer_for_request_token(request, oauth_request, request_token)

    if request.method == 'POST':
        form = form_class(request.POST)
        if request.session.get('oauth', '') == request_token.key and form.is_valid():
            request.session['oauth'] = ''
            if form.cleaned_data['authorize_access']:
                request_token.name = form.cleaned_data.get("client_name", getattr(settings, "OAUTH_PROVIDER_TOKEN_DEFAULT_NAME", "Unnamed"))
                request_token = store.authorize_request_token(request, oauth_request, request_token)
                args = { 'oauth_token': request_token.key }
            else:
                args = { 'error': _('Access not granted by user.') }

            if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
                response = HttpResponseRedirect('%s&%s' % (request_token.get_callback_url(), urlencode(args)))
            else:
                # try to get custom callback view
                if request_token.callback == OUT_OF_BAND:
                    callback_view_str = getattr(settings, OAUTH_PROVIDER_OUT_OF_BAND_CALLBACK_VIEW,
                        'oauth_provider.views.fake_out_of_band_callback_view')
                else:
                    # try to get custom callback view
                    callback_view_str = getattr(settings, OAUTH_PROVIDER_CALLBACK_VIEW,
                        'oauth_provider.views.fake_callback_view')

                try:
                    callback_view = get_callable(callback_view_str)
                except AttributeError:
                    raise Exception, "%s view doesn't exist." % callback_view_str
                response = callback_view(request, request_token, **args)
        else:
            response = oauth_error_response(oauth.Error(_('Action not allowed.')))
    else:
        # try to get custom authorize view
        authorize_view_str = getattr(settings, OAUTH_PROVIDER_AUTHORIZE_VIEW,
                                    'oauth_provider.views.default_authorize_view')
        try:
            authorize_view = get_callable(authorize_view_str)
        except AttributeError:
            raise Exception, "%s view doesn't exist." % authorize_view_str
        params = oauth_request.get_normalized_parameters()
        # set the oauth flag
        request.session['oauth'] = request_token.key
        response = authorize_view(request, request_token, request_token.get_callback_url(), params)
        
    return response
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
    if 'oauth_token' not in request.REQUEST:
        return HttpResponseBadRequest('No request token specified.')

    oauth_request = get_oauth_request(request)

    try:
        request_token = store.get_request_token(request, oauth_request, request.REQUEST['oauth_token'])
    except InvalidTokenError:
        return HttpResponseBadRequest('Invalid request token.')

    consumer = store.get_consumer_for_request_token(request, oauth_request, request_token)

    if request.method == 'POST':
        form = form_class(request.POST)
        if request.session.get('oauth', '') == request_token.key and form.is_valid():
            request.session['oauth'] = ''
            if form.cleaned_data['authorize_access']:
                request_token = store.authorize_request_token(request, oauth_request, request_token)
                args = { 'oauth_token': request_token }
            else:
                args = { 'error': _('Access not granted by user.') }
            
            if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
                response = HttpResponseRedirect(request_token.get_callback_url(args))
            else:
                # try to get custom callback view
                callback_view_str = getattr(settings, OAUTH_CALLBACK_VIEW, 
                                    'oauth_provider.views.fake_callback_view')
                try:
                    callback_view = get_callable(callback_view_str)
                except AttributeError:
                    raise Exception, "%s view doesn't exist." % callback_view_str
                response = callback_view(request, **args)
        else:
            response = send_oauth_error(oauth.Error(_('Action not allowed.')))
    else:
        # try to get custom authorize view
        authorize_view_str = getattr(settings, OAUTH_AUTHORIZE_VIEW, 
                                    'oauth_provider.views.fake_authorize_view')
        try:
            authorize_view = get_callable(authorize_view_str)
        except AttributeError:
            raise Exception, "%s view doesn't exist." % authorize_view_str
        params = oauth_request.get_normalized_parameters()
        # set the oauth flag
        request.session['oauth'] = request_token.key
        response = authorize_view(request, request_token, request_token.get_callback_url(), params)
        
    return response
Ejemplo n.º 7
0
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
    if "oauth_token" not in request.REQUEST:
        return HttpResponseBadRequest("No request token specified.")

    oauth_request = get_oauth_request(request)

    try:
        request_token = store.get_request_token(request, oauth_request, request.REQUEST["oauth_token"])
    except InvalidTokenError:
        return HttpResponseBadRequest("Invalid request token.")

    consumer = store.get_consumer_for_request_token(request, oauth_request, request_token)

    if request.method == "POST":
        form = form_class(request.POST)
        if request.session.get("oauth", "") == request_token.key and form.is_valid():
            request.session["oauth"] = ""
            if form.cleaned_data["authorize_access"]:
                request_token = store.authorize_request_token(request, oauth_request, request_token)
                args = {"oauth_token": request_token.key}
            else:
                args = {"error": _("Access not granted by user.")}
            if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
                response = HttpResponseRedirect("%s&%s" % (request_token.get_callback_url(), urlencode(args)))
            else:
                # try to get custom callback view
                callback_view_str = getattr(settings, OAUTH_CALLBACK_VIEW, "oauth_provider.views.fake_callback_view")
                try:
                    callback_view = get_callable(callback_view_str)
                except AttributeError:
                    raise Exception, "%s view doesn't exist." % callback_view_str
                response = callback_view(request, **args)
        else:
            response = send_oauth_error(oauth.Error(_("Action not allowed.")))
    else:
        # try to get custom authorize view
        authorize_view_str = getattr(settings, OAUTH_AUTHORIZE_VIEW, "oauth_provider.views.fake_authorize_view")
        try:
            authorize_view = get_callable(authorize_view_str)
        except AttributeError:
            raise Exception, "%s view doesn't exist." % authorize_view_str
        params = oauth_request.get_normalized_parameters()
        # set the oauth flag
        request.session["oauth"] = request_token.key
        response = authorize_view(request, request_token, request_token.get_callback_url(), params)

    return response
Ejemplo n.º 8
0
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
    if 'oauth_token' not in request.REQUEST:
        return HttpResponseBadRequest('No request token specified.')

    oauth_request = get_oauth_request(request)

    try:
        request_token = store.get_request_token(request, oauth_request,
                                                request.REQUEST['oauth_token'])
    except InvalidTokenError:
        return HttpResponse('Invalid request token: %s' %
                            request.REQUEST['oauth_token'],
                            status=401)

    consumer = store.get_consumer_for_request_token(request, oauth_request,
                                                    request_token)

    # LRS CHANGE - MAKE SURE LOGGED IN USER OWNS THIS CONSUMER
    if request.user != consumer.user:
        return HttpResponseForbidden('Invalid user for this client.')

    if request.method == 'POST':
        form = form_class(request.POST)
        if request.session.get('oauth',
                               '') == request_token.key and form.is_valid():
            request.session['oauth'] = ''
            if form.cleaned_data['authorize_access']:
                request_token = store.authorize_request_token(
                    request, oauth_request, request_token)
                args = {'oauth_token': request_token.key}
            else:
                args = {'error': _('Access not granted by user.')}
            if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
                callback_url = request_token.get_callback_url(args)
                if UNSAFE_REDIRECTS:
                    response = UnsafeRedirect(callback_url)
                else:
                    response = HttpResponseRedirect(callback_url)
            else:
                # try to get custom callback view
                callback_view_str = getattr(
                    settings, OAUTH_CALLBACK_VIEW,
                    'oauth_provider.views.fake_callback_view')
                try:
                    view_callable = get_callable(callback_view_str)
                except AttributeError:
                    raise Exception, "%s view doesn't exist." % callback_view_str

                # try to treat it as Class Based View (CBV)
                try:
                    callback_view = view_callable.as_view()
                except AttributeError:
                    # if it appears not to be CBV treat it like FBV
                    callback_view = view_callable

                response = callback_view(request, **args)
        else:
            response = send_oauth_error(oauth.Error(_('Action not allowed.')))
    else:
        # try to get custom authorize view
        authorize_view_str = getattr(
            settings, OAUTH_AUTHORIZE_VIEW,
            'oauth_provider.views.fake_authorize_view')
        try:
            view_callable = get_callable(authorize_view_str)
        except AttributeError:
            raise Exception, "%s view doesn't exist." % authorize_view_str

        # try to treat it as Class Based View (CBV)
        try:
            authorize_view = view_callable.as_view()
        except AttributeError:
            # if it appears not to be CBV treat it like FBV
            authorize_view = view_callable

        params = oauth_request.get_normalized_parameters()
        # set the oauth flag
        request.session['oauth'] = request_token.key
        response = authorize_view(request, request_token,
                                  request_token.get_callback_url(), params)

    return response
Ejemplo n.º 9
0
def access_token(request):
    oauth_request = get_oauth_request(request)
    if oauth_request is None:
        return HttpResponseBadRequest('Invalid request parameters.')

    # Consumer
    try:
        consumer = store.get_consumer(request, oauth_request,
                                      oauth_request['oauth_consumer_key'])
    except InvalidConsumerError:
        return HttpResponseBadRequest('Invalid consumer.')

    is_xauth = is_xauth_request(oauth_request)

    if not is_xauth:

        # Check Parameters
        missing_params = require_params(oauth_request,
                                        ('oauth_token', 'oauth_verifier'))
        if missing_params is not None:
            return missing_params

        # Check Request Token
        try:
            request_token = store.get_request_token(
                request, oauth_request, oauth_request['oauth_token'])
        except InvalidTokenError:
            return HttpResponse('Invalid request token: %s' %
                                oauth_request['oauth_token'],
                                status=401)
        if not request_token.is_approved:
            return HttpResponse('Request Token not approved by the user.',
                                status=401)

        # Verify Signature
        if not verify_oauth_request(request, oauth_request, consumer,
                                    request_token):
            return HttpResponseBadRequest('Could not verify OAuth request.')

        # Check Verifier
        if oauth_request.get('oauth_verifier', None) != request_token.verifier:
            return HttpResponseBadRequest('Invalid OAuth verifier.')

    else:  # xAuth

        # Check Parameters
        missing_params = require_params(
            oauth_request,
            ('x_auth_username', 'x_auth_password', 'x_auth_mode'))
        if missing_params is not None:
            return missing_params

        # Check if Consumer allows xAuth
        if not consumer.xauth_allowed:
            return HttpResponseBadRequest('xAuth not allowed for this method')

        # Check Signature
        if not verify_oauth_request(request, oauth_request, consumer):
            return HttpResponseBadRequest('Could not verify xAuth request.')

        user = authenticate(
            x_auth_username=oauth_request.get_parameter('x_auth_username'),
            x_auth_password=oauth_request.get_parameter('x_auth_password'),
            x_auth_mode=oauth_request.get_parameter('x_auth_mode'))

        if not user:
            return HttpResponseBadRequest(
                'xAuth username or password is not valid')
        else:
            request.user = user

        # Handle Request Token
        try:
            #request_token = store.create_request_token(request, oauth_request, consumer, oauth_request.get('oauth_callback'))
            request_token = store.create_request_token(request, oauth_request,
                                                       consumer, OUT_OF_BAND)
            request_token = store.authorize_request_token(
                request, oauth_request, request_token)
        except oauth.Error, err:
            return send_oauth_error(err)
Ejemplo n.º 10
0
def access_token(request):
    oauth_request = get_oauth_request(request)
    if oauth_request is None:
        return INVALID_PARAMS_RESPONSE

    # Consumer
    try:
        consumer = store.get_consumer(request, oauth_request, oauth_request['oauth_consumer_key'])
    except InvalidConsumerError:
        return HttpResponseBadRequest('Invalid consumer.')

    is_xauth = is_xauth_request(oauth_request)

    if not is_xauth:

        # Check Parameters
        missing_params = require_params(oauth_request, ('oauth_token', 'oauth_verifier'))
        if missing_params is not None:
            return missing_params

        # Check Request Token
        try:
            request_token = store.get_request_token(request, oauth_request, oauth_request['oauth_token'])
        except InvalidTokenError:
            return HttpResponseBadRequest('Invalid request token.')
        if not request_token.is_approved:
            return HttpResponseBadRequest('Request Token not approved by the user.')

        # Verify Signature
        if not verify_oauth_request(request, oauth_request, consumer, request_token):
            return HttpResponseBadRequest('Could not verify OAuth request.')
       
        # Check Verifier
        if oauth_request.get('oauth_verifier', None) != request_token.verifier:
            return HttpResponseBadRequest('Invalid OAuth verifier.')

    else: # xAuth

        # Check Parameters
        missing_params = require_params(oauth_request, ('x_auth_username', 'x_auth_password', 'x_auth_mode'))
        if missing_params is not None:
            return missing_params

        # Check if Consumer allows xAuth
        if not consumer.xauth_allowed:
            return HttpResponseBadRequest('xAuth not allowed for this method')

        # Check Signature
        if not verify_oauth_request(request, oauth_request, consumer):
            return HttpResponseBadRequest('Could not verify xAuth request.')
        
        # Check Username/Password 
        if is_xauth and not verify_xauth_request(request, oauth_request):
            return HttpResponseBadRequest('xAuth username or password is not valid')
        
        # Handle Request Token
        try:
            #request_token = store.create_request_token(request, oauth_request, consumer, oauth_request.get('oauth_callback'))
            request_token = store.create_request_token(request, oauth_request, consumer, OUT_OF_BAND)
            request_token = store.authorize_request_token(request, oauth_request, request_token)
        except oauth.Error, err:
            return send_oauth_error(err)
Ejemplo n.º 11
0
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
    if 'oauth_token' not in request.REQUEST:
        return oauth_error_response('No request token specified.',
                                    status_code=httplib.BAD_REQUEST)

    oauth_request = get_oauth_request(request)

    try:
        request_token = store.get_request_token(request, oauth_request,
                                                request.REQUEST['oauth_token'])
    except InvalidTokenError:
        return oauth_error_response('Invalid request token.',
                                    status_code=httplib.BAD_REQUEST)

    consumer = store.get_consumer_for_request_token(request, oauth_request,
                                                    request_token)

    if request.method == 'POST':
        form = form_class(request.POST)
        if request.session.get('oauth',
                               '') == request_token.key and form.is_valid():
            request.session['oauth'] = ''
            if form.cleaned_data['authorize_access']:
                request_token.name = form.cleaned_data.get(
                    "client_name",
                    getattr(settings, "OAUTH_PROVIDER_TOKEN_DEFAULT_NAME",
                            "Unnamed"))
                request_token = store.authorize_request_token(
                    request, oauth_request, request_token)
                args = {'oauth_token': request_token.key}
            else:
                args = {'error': _('Access not granted by user.')}

            if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
                response = HttpResponseRedirect(
                    '%s&%s' %
                    (request_token.get_callback_url(), urlencode(args)))
            else:
                # try to get custom callback view
                if request_token.callback == OUT_OF_BAND:
                    callback_view_str = getattr(
                        settings, OAUTH_PROVIDER_OUT_OF_BAND_CALLBACK_VIEW,
                        'oauth_provider.views.fake_out_of_band_callback_view')
                else:
                    # try to get custom callback view
                    callback_view_str = getattr(
                        settings, OAUTH_PROVIDER_CALLBACK_VIEW,
                        'oauth_provider.views.fake_callback_view')

                try:
                    callback_view = get_callable(callback_view_str)
                except AttributeError:
                    raise Exception, "%s view doesn't exist." % callback_view_str
                response = callback_view(request, request_token, **args)
        else:
            response = oauth_error_response(
                oauth.Error(_('Action not allowed.')))
    else:
        # try to get custom authorize view
        authorize_view_str = getattr(
            settings, OAUTH_PROVIDER_AUTHORIZE_VIEW,
            'oauth_provider.views.default_authorize_view')
        try:
            authorize_view = get_callable(authorize_view_str)
        except AttributeError:
            raise Exception, "%s view doesn't exist." % authorize_view_str
        params = oauth_request.get_normalized_parameters()
        # set the oauth flag
        request.session['oauth'] = request_token.key
        response = authorize_view(request, request_token,
                                  request_token.get_callback_url(), params)

    return response
Ejemplo n.º 12
0
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
    if request.method.lower() == "get":
        if "oauth_token" not in request.GET:
            return HttpResponseBadRequest("No request token specified.")
        incoming_token = request.GET["oauth_token"]
    elif request.method.lower() == "post":
        if "oauth_token" not in request.POST:
            return HttpResponseBadRequest("No request token specified.")
        incoming_token = request.POST["oauth_token"]

    oauth_request = get_oauth_request(request)

    try:
        request_token = store.get_request_token(request, oauth_request, incoming_token)
    except InvalidTokenError:
        return HttpResponse("Invalid request token: %s" % incoming_token, status=401)

    consumer = store.get_consumer_for_request_token(request, oauth_request, request_token)

    # LRS CHANGE - MAKE SURE LOGGED IN USER OWNS THIS CONSUMER
    if request.user != consumer.user:
        return HttpResponseForbidden("Invalid user for this client.")

    if request.method == "POST":
        form = form_class(request.POST)
        if request.session.get("oauth", "") == request_token.key and form.is_valid():
            request.session["oauth"] = ""
            if form.cleaned_data["authorize_access"]:
                request_token = store.authorize_request_token(request, oauth_request, request_token)
                args = {"oauth_token": request_token.key}
            else:
                args = {"error": _("Access not granted by user.")}
            if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
                callback_url = request_token.get_callback_url(args)
                if UNSAFE_REDIRECTS:
                    response = UnsafeRedirect(callback_url)
                else:
                    response = HttpResponseRedirect(callback_url)
            else:
                # try to get custom callback view
                callback_view_str = getattr(settings, OAUTH_CALLBACK_VIEW, "oauth_provider.views.fake_callback_view")
                try:
                    view_callable = get_callable(callback_view_str)
                except AttributeError:
                    raise Exception("%s view doesn't exist." % callback_view_str)

                # try to treat it as Class Based View (CBV)
                try:
                    callback_view = view_callable.as_view()
                except AttributeError:
                    # if it appears not to be CBV treat it like FBV
                    callback_view = view_callable

                response = callback_view(request, **args)
        else:
            response = send_oauth_error(
                "https" if request.is_secure() else "http",
                get_current_site(request).domain,
                oauth.Error(_("Action not allowed.")),
            )
    else:
        # try to get custom authorize view
        authorize_view_str = getattr(settings, OAUTH_AUTHORIZE_VIEW, "oauth_provider.views.fake_authorize_view")
        try:
            view_callable = get_callable(authorize_view_str)
        except AttributeError:
            raise Exception("%s view doesn't exist." % authorize_view_str)

        # try to treat it as Class Based View (CBV)
        try:
            authorize_view = view_callable.as_view()
        except AttributeError:
            # if it appears not to be CBV treat it like FBV
            authorize_view = view_callable

        params = oauth_request.get_normalized_parameters()
        # set the oauth flag
        request.session["oauth"] = request_token.key
        response = authorize_view(request, request_token, request_token.get_callback_url(), params)

    return response
Ejemplo n.º 13
0
def access_token(request):
    oauth_request = get_oauth_request(request)
    if oauth_request is None:
        return HttpResponseBadRequest("Invalid request parameters.")

    # Consumer
    try:
        consumer = store.get_consumer(request, oauth_request, oauth_request["oauth_consumer_key"])
    except InvalidConsumerError:
        return HttpResponseBadRequest("Invalid consumer.")

    is_xauth = is_xauth_request(oauth_request)

    if not is_xauth:

        # Check Parameters
        missing_params = require_params(oauth_request, ("oauth_token", "oauth_verifier"))
        if missing_params is not None:
            return missing_params

        # Check Request Token
        try:
            request_token = store.get_request_token(request, oauth_request, oauth_request["oauth_token"])
        except InvalidTokenError:
            return HttpResponse("Invalid request token: %s" % oauth_request["oauth_token"], status=401)
        if not request_token.is_approved:
            return HttpResponse("Request Token not approved by the user.", status=401)

        # Verify Signature
        if not verify_oauth_request(request, oauth_request, consumer, request_token):
            return HttpResponseBadRequest("Could not verify OAuth request.")

        # Check Verifier
        if oauth_request.get("oauth_verifier", None) != request_token.verifier:
            return HttpResponseBadRequest("Invalid OAuth verifier.")

    else:  # xAuth

        # Check Parameters
        missing_params = require_params(oauth_request, ("x_auth_username", "x_auth_password", "x_auth_mode"))
        if missing_params is not None:
            return missing_params

        # Check if Consumer allows xAuth
        if not consumer.xauth_allowed:
            return HttpResponseBadRequest("xAuth not allowed for this method")

        # Check Signature
        if not verify_oauth_request(request, oauth_request, consumer):
            return HttpResponseBadRequest("Could not verify xAuth request.")

        user = authenticate(
            x_auth_username=oauth_request.get_parameter("x_auth_username"),
            x_auth_password=oauth_request.get_parameter("x_auth_password"),
            x_auth_mode=oauth_request.get_parameter("x_auth_mode"),
        )

        if not user:
            return HttpResponseBadRequest("xAuth username or password is not valid")
        else:
            request.user = user

        # Handle Request Token
        try:
            # request_token = store.create_request_token(request, oauth_request, consumer, oauth_request.get('oauth_callback'))
            request_token = store.create_request_token(request, oauth_request, consumer, OUT_OF_BAND)
            request_token = store.authorize_request_token(request, oauth_request, request_token)
        except oauth.Error as err:
            return send_oauth_error("https" if request.is_secure() else "http", get_current_site(request).domain, err)

    access_token = store.create_access_token(request, oauth_request, consumer, request_token)

    ret = urlencode({"oauth_token": access_token.key, "oauth_token_secret": access_token.secret})
    return HttpResponse(ret, content_type="application/x-www-form-urlencoded")
Ejemplo n.º 14
0
def user_authorization(request, form_class=AuthClientForm):
    if 'oauth_token' not in request.REQUEST:
        return HttpResponseBadRequest('No request token specified.')

    oauth_request = get_oauth_request(request)

    try:
        request_token = store.get_request_token(request, oauth_request, request.REQUEST['oauth_token'])
    except InvalidTokenError:
        return HttpResponse('Invalid request token: %s' % request.REQUEST['oauth_token'], status=401)

    consumer = store.get_consumer_for_request_token(request, oauth_request, request_token)

    # LRS CHANGE - MAKE SURE LOGGED IN USER OWNS THIS CONSUMER
    if request.user != consumer.user:
        return HttpResponseForbidden('Invalid user for this client.')

    if request.method == 'POST':
        form = form_class(request.POST)
        if request.session.get('oauth', '') == request_token.key and form.is_valid():
            request.session['oauth'] = ''
            if form.cleaned_data['authorize_access']:
                request_token = store.authorize_request_token(request, oauth_request, request_token)
                args = { 'oauth_token': request_token.key }
            else:
                args = { 'error': _('Access not granted by user.') }
            if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
                callback_url = request_token.get_callback_url(args)
                if UNSAFE_REDIRECTS:
                    response = UnsafeRedirect(callback_url)
                else:
                    response = HttpResponseRedirect(callback_url)
            else:
                # try to get custom callback view
                callback_view_str = getattr(settings, OAUTH_CALLBACK_VIEW,
                                    'oauth_provider.views.fake_callback_view')
                try:
                    view_callable = get_callable(callback_view_str)
                except AttributeError:
                    raise Exception, "%s view doesn't exist." % callback_view_str

                # try to treat it as Class Based View (CBV)
                try:
                    callback_view = view_callable.as_view()
                except AttributeError:
                    # if it appears not to be CBV treat it like FBV
                    callback_view = view_callable
                
                response = callback_view(request, **args)
        else:
            response = send_oauth_error(oauth.Error(_('Action not allowed.')))
    else:       
        # try to get custom authorize view
        authorize_view_str = getattr(settings, OAUTH_AUTHORIZE_VIEW, 
                                    'oauth_provider.views.fake_authorize_view')
        try:
            view_callable = get_callable(authorize_view_str)
        except AttributeError:
            raise Exception, "%s view doesn't exist." % authorize_view_str

        # try to treat it as Class Based View (CBV)
        try:
            authorize_view = view_callable.as_view()
        except AttributeError:
            # if it appears not to be CBV treat it like FBV
            authorize_view = view_callable

        params = oauth_request.get_normalized_parameters()
        # set the oauth flag
        request.session['oauth'] = request_token.key
        response = authorize_view(request, request_token, request_token.get_callback_url(), params)
        
    return response
Ejemplo n.º 15
0
def user_authorization(request, form_class=AuthorizeRequestTokenForm):
    if request.method.lower() == 'get':
        if 'oauth_token' not in request.GET:
            return HttpResponseBadRequest('No request token specified.')
        incoming_token = request.GET['oauth_token']
    elif request.method.lower() == 'post':
        if 'oauth_token' not in request.POST:
            return HttpResponseBadRequest('No request token specified.')
        incoming_token = request.POST['oauth_token']

    oauth_request = get_oauth_request(request)

    try:
        request_token = store.get_request_token(request, oauth_request,
                                                incoming_token)
    except InvalidTokenError:
        return HttpResponse('Invalid request token: %s' % incoming_token,
                            status=401)

    consumer = store.get_consumer_for_request_token(request, oauth_request,
                                                    request_token)

    # LRS CHANGE - MAKE SURE LOGGED IN USER OWNS THIS CONSUMER
    # CLATOOLKIT CHANGE - MULTIPLE USERS CAN HAVE MULTIPLE CONSUMERS
    if not consumer.attached_to_user(request.user):
        return HttpResponseForbidden('Invalid user for this client.')

    if request.method == 'POST':
        form = form_class(request.POST)
        print 'request.session.oauth == request_token.key? %s' % (
            request.session.get('oauth', '') == request_token.key)

        print 'session: %s and request_token: %s' % (request.session.get(
            'oauth', ''), request_token.key)

        print 'form valid? %s' % form.is_valid()

        if not form.is_valid():
            print 'form errors: %s' % form.errors

        if request.session.get('oauth',
                               '') == request_token.key and form.is_valid():
            request.session['oauth'] = ''
            if form.cleaned_data['authorize_access']:
                request_token = store.authorize_request_token(
                    request, oauth_request, request_token)
                args = {
                    'oauth_token': request_token.key,
                    'user': request.GET.get('clau', None)
                }
            else:
                args = {'error': _('Access not granted by user.')}

            print 'callback url: %s' % (request_token.callback)

            #            print 'new callback url: %s' % (request_token.callback)
            if request_token.callback is not None and request_token.callback != OUT_OF_BAND:
                callback_url = request_token.get_callback_url(args)
                #cla-user = request.GET.get('clau', None)
                #print 'got CLA user: %s' % (cla-user)
                if UNSAFE_REDIRECTS:
                    response = UnsafeRedirect(
                        callback_url)  #+'?user=%s' % cla-user)
                else:
                    response = HttpResponseRedirect(
                        callback_url)  #+'?user=%s' % cla-user)
            else:
                print "We're in here..."
                # try to get custom callback view
                callback_view_str = getattr(
                    settings, OAUTH_CALLBACK_VIEW,
                    'oauth_provider.views.fake_callback_view')
                try:
                    view_callable = get_callable(callback_view_str)
                except AttributeError:
                    raise Exception("%s view doesn't exist." %
                                    callback_view_str)

            # try to treat it as Class Based View (CBV)
                try:
                    callback_view = view_callable.as_view()
                except AttributeError:
                    # if it appears not to be CBV treat it like FBV
                    callback_view = view_callable

                response = callback_view(request, **args)
        else:
            response = send_oauth_error(
                'https' if request.is_secure() else 'http',
                get_current_site(request).domain,
                oauth.Error(_('Action not allowed.')))
    else:
        # try to get custom authorize view
        authorize_view_str = getattr(
            settings, OAUTH_AUTHORIZE_VIEW,
            'oauth_provider.views.fake_authorize_view')
        try:
            view_callable = get_callable(authorize_view_str)
        except AttributeError:
            raise Exception("%s view doesn't exist." % authorize_view_str)

        # try to treat it as Class Based View (CBV)
        try:
            authorize_view = view_callable.as_view()
        except AttributeError:
            # if it appears not to be CBV treat it like FBV
            authorize_view = view_callable

        params = oauth_request.get_normalized_parameters()
        # set the oauth flag
        request.session['oauth'] = request_token.key
        response = authorize_view(request, request_token,
                                  request_token.get_callback_url(), params)

    return response