From: xray7224
Date: Thu, 11 Jul 2013 19:55:08 +0000 (+0100)
Subject: Ensures endpoint queries with @oauth_required are validated
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=49a47ec991152a5dd25a7460e1d3d11afb73d32d;p=mediagoblin.git

Ensures endpoint queries with @oauth_required are validated
---
diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py
index ad36f376..bb2ba7a5 100644
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@@ -292,8 +292,10 @@ def oauth_required(controller):
 body=request.get_data(),
 headers=dict(request.headers),
 )
- #print "[VALID] %s" % valid
- #print "[REQUEST] %s" % request
+
+ if not valid:
+ error = "Invalid oauth prarameter."
+ return json_response({"error": error}, status=400)
 return controller(request, *args, **kwargs)
diff --git a/mediagoblin/federation/oauth.py b/mediagoblin/federation/oauth.py
index ff45882d..846b0794 100644
--- a/mediagoblin/federation/oauth.py
+++ b/mediagoblin/federation/oauth.py
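Review bot: The error string on the new `error = ...` line is misspelled (`prarameter`) and it is a user-facing response body; change it to `error = "Invalid oauth parameter."`. A failed OAuth validation is a credential failure rather than a malformed request, so RFC 5849 §3.2 recommends `status=401` with a `WWW-Authenticate: OAuth` header; if the project deliberately prefers 400 here, a one-line comment saying so would stop the next reader from "fixing" it. `valid` is produced by a validator call that begins above this hunk, and oauth_required's body starts outside the hunk as well.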
@@ -62,6 +62,51 @@ class GMGRequestValidator(RequestValidator):
 """ Currently a stub - called when making AccessTokens """
 return list()
+ def validate_timestamp_and_nonce(self, client_key, timestamp,
+ nonce, request, request_token=None,
+ access_token=None):
+ return True # TODO!!! - SECURITY RISK IF NOT DONE
+
+ def validate_client_key(self, client_key, request):
+ """ Verifies client exists with id of client_key """
+ client = Client.query.filter_by(id=client_key).first()
+ if client is None:
+ return False
+
+ return True
+
+ def validate_access_token(self, client_key, token, request):
+ """ Verifies token exists for client with id of client_key """
+ client = Client.query.filter_by(id=client_key).first()
+ token = AccessToken.query.filter_by(token=token)
+ token = token.first()
+
+ if token is None:
+ return False
+
+ request_token = RequestToken.query.filter_by(token=token.request_token)
+ request_token = request_token.first()
+
+ if client.id != request_token.client:
+ return False
+
+ return True
+
+ def validate_realms(self, *args, **kwargs):
+ """ Would validate reals however not using these yet. """
+ return True # implement when realms are implemented
+
+
+ def get_client_secret(self, client_key, request):
+ """ Retrives a client secret with from a client with an id of client_key """
+ client = Client.query.filter_by(id=client_key).first()
+ return client.secret
+
+ def get_access_token_secret(self, client_key, token, request):
+ client = Client.query.filter_by(id=client_key).first()
+ access_token = AccessToken.query.filter_by(token=token).first()
+ return access_token.secret
+
 class GMGRequest(Request):
 """ Fills in data to produce a oauth.common.Request object from a
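Review bot: `validate_timestamp_and_nonce` in the new GMGRequestValidator methods returns True unconditionally, so a captured signed request can be replayed for as long as its token is valid; the TODO admits this, but the decorators.py hunk in this same commit puts the validator on the live `@oauth_required` path, so the stub now governs real endpoints. Until nonces are persisted and checked (refuse a (client_key, timestamp, nonce) triple already seen, and refuse timestamps outside a short window), a comment such as `# NOTE: replay protection not implemented - every request currently passes this check` belongs next to the `return True`, with the gap tracked as an issue. Separately, `validate_access_token`, `get_client_secret` and `get_access_token_secret` dereference `client`, `request_token` and `access_token` without checking for `None`, so an unknown client key or token becomes an AttributeError (a 500) instead of a clean rejection; for example `if client is None or request_token is None: return False` before the `client.id != request_token.client` comparison (and `client` in `get_access_token_secret` is fetched but never used). oauthlib's RequestValidator documentation also advises that `get_client_secret` return a dummy secret for an unknown client so response timing does not reveal whether a key exists — worth confirming against the oauthlib version the project pins. The class GMGRequestValidator starts above this hunk.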