Module: OohAuth::Request::VerificationMixin

Defined in:
lib/ooh-auth/request_verification_mixin.rb

Instance Method Details

#authenticating_client ⇒ Object

Returns the authenticating client referenced by the consumer key in the given request, or nil if no consumer key was given or if the given consumer key was invalid.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 21

def authenticating_client
  #return false unless signed?
  @authenticating_client ||= OohAuth::AuthenticatingClient.first(:api_key=>consumer_key)
end

#authentication_token ⇒ Object

Returns the stored token referenced by the oauth_token header or parameter, or nil if none was found.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 27

def authentication_token
  @authentication_token ||= OohAuth::Token.first(:token_key=>token)
end

#build_signature ⇒ Object

Creates a signature for this request, returning the final hash required for insertion in a signed URL.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 42

def build_signature
  sig = case signature_method
        when "HMAC-SHA1"
          Base64.encode64(HMAC::SHA1.digest(signature_secret, signature_base_string)).chomp.gsub(/\n/,'')
        when "HMAC-MD5"
          Base64.encode64(HMAC::MD5.digest(signature_secret, signature_base_string)).chomp.gsub(/\n/,'')
        else
          # Unsupported signature method: refuse the request rather than escaping `false`
          raise Merb::ControllerExceptions::NotAcceptable
        end
  Merb::Parse.escape(sig)
end

#callback ⇒ Object



# File 'lib/ooh-auth/request_verification_mixin.rb', line 149

def callback
  oauth_merged_params[:oauth_callback]
end

#consumer_key ⇒ Object

Returns the oauth_consumer_key from the Authorization header or the GET/POST params, or nil if not present.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 124

def consumer_key
  oauth_merged_params[:oauth_consumer_key]
end

#nonce ⇒ Object

Returns the oauth_nonce from the Authorization header or the GET/POST params, or nil if not present.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 145

def nonce
  oauth_merged_params[:oauth_nonce]
end

#normalise_signature_params ⇒ Object

Returns the signature_params as a normalised string in line with oauth.net/core/1.0#signing_process



# File 'lib/ooh-auth/request_verification_mixin.rb', line 78

def normalise_signature_params
  signature_params.sort.collect{|key, value| "#{key}=#{value}"}.join("&")
end

#oauth_headers ⇒ Object

Returns any given OAuth headers as specified in oauth.net/core/1.0#auth_header as a hash.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 89

def oauth_headers
  @oauth_headers ||= parse_oauth_headers
end

#oauth_merged_params ⇒ Object

Returns the params properly merged with the oauth headers if they were given. OAuth headers take priority if a GET/POST parameter with the same name exists.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 84

def oauth_merged_params
  params.merge(signature_oauth_headers)
end

#oauth_request? ⇒ Boolean

Returns true if the request contains api-flavour parameters. At least an api_token and an api_signature must be present.

Returns:

  • (Boolean)


# File 'lib/ooh-auth/request_verification_mixin.rb', line 15

def oauth_request?
  # Only the presence of oauth_consumer_key is tested here
  consumer_key ? true : false
end

#oauth_version ⇒ Object

Returns the oauth_version from the Authorization header or the GET/POST params, defaulting to “1.0” if not given.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 154

def oauth_version
  oauth_merged_params[:oauth_version] || "1.0"
end

#parse_oauth_headers ⇒ Object

Parses the given OAuth headers into a hash. See oauth.net/core/1.0#auth_header for parsing method.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 101

def parse_oauth_headers
  # Pull headers and return blank hash if no header variables found
  headers = env['AUTHORIZATION']
  result = {}
  return result unless headers && headers[0,5] == 'OAuth'
  # Headers found. Go ahead and match 'em
  headers.split(/,\n*\r*/).each do |param|
    phrase, key, value = param.match(/([A-Za-z0-9_\s]+)="([^"]+)"/).to_a.map{|v| v.strip}
    # Skip segments that are not key="value" pairs; key is nil when the match fails
    next unless key
    result[(key["OAuth"])? :realm : key.to_sym] = value
  end
  result
end
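
A stricter take on the header parsing above, as an added example rather than OohAuth code: it returns nil for a segment that is not key="value", keeps keys as strings instead of symbols, rejects repeated parameters, and percent-decodes values without turning "+" into a space. The method names and the sample header are constructed for the example.

```ruby
# Added example; parse_oauth_header, oauth_unescape and SAMPLE_HEADER are hypothetical names.

# Decode %XX escapes only. "+" is left alone, so a Base64 signature keeps its plus signs.
def oauth_unescape(value)
  value.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }.force_encoding("UTF-8")
end

# Returns a Hash with String keys, or nil when the header is absent, is not an
# OAuth header, contains a segment that is not key="value", or repeats a key.
def parse_oauth_header(header)
  return nil unless header.is_a?(String)
  rest = header[/\AOAuth\s+(.*)\z/m, 1]
  return nil unless rest
  result = {}
  rest.strip.split(/\s*,\s*/).each do |segment|
    match = segment.match(/\A([A-Za-z_]+)="([^"]*)"\z/)
    return nil unless match                      # malformed segment: reject the header
    key = match[1]
    return nil unless key == "realm" || key.start_with?("oauth_")
    return nil if result.key?(key)               # the same parameter given twice
    result[key] = oauth_unescape(match[2])
  end
  result
end

# Constructed sample header; the signature value is made up for the example.
SAMPLE_HEADER = 'OAuth realm="http://photos.example.net/", ' \
                'oauth_consumer_key="dpf43f3p2l4k3l03", ' \
                'oauth_signature_method="HMAC-SHA1", ' \
                'oauth_signature="a%2Bb%2Fc%3D", oauth_nonce="kllo9940pd9333jh"'
```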

#signature ⇒ Object

Returns the oauth_signature from the Authorization header or the GET/POST params, or nil if not present.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 134

def signature
  # FIXME merb keeps mangling this by replacing "+" with "\s" 
  oauth_merged_params[:oauth_signature]
end

#signature_base_string ⇒ Object

Creates a plaintext version of the signature base string, ready to be run through any of the supported OAuth signature methods. See oauth.net/core/1.0#signing_process for more information.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 57

def signature_base_string
  "#{method.to_s.upcase}&#{full_uri}&#{normalise_signature_params}"
end

#signature_method ⇒ Object

Returns the requested signature signing mechanism from the auth headers, defaulting to HMAC-SHA1



# File 'lib/ooh-auth/request_verification_mixin.rb', line 119

def signature_method
  oauth_merged_params[:oauth_signature_method] || "HMAC-SHA1"
end

#signature_oauth_headers ⇒ Object

Returns the OAuth headers used to reproduce the request signature, with the realm variable removed as defined in oauth.net/core/1.0#signing_process



# File 'lib/ooh-auth/request_verification_mixin.rb', line 96

def signature_oauth_headers
  o = oauth_headers.dup; o.delete(:realm); o
end

#signature_params ⇒ Object

Scrubs route parameters from the known params, returning a hash of known GET and POST parameters. Basically, this returns the parameters needed in the signature key/value gibberish. FIXME unidentified request gremlins seeding params with mix of symbol and string keys, requiring to_s filth all over the match block.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 70

def signature_params
  route, route_params = Merb::Router.route_for(self)
  #raise RuntimeError, route_params.inspect
  return oauth_merged_params.delete_if {|k,v| route_params.keys.map{|s|s.to_s}.include?(k.to_s) or k.to_s == "oauth_signature"}
end

#signature_secret ⇒ Object

Returns the signature secret, which is expected to be the HMAC key for signed requests. If the request refers to a token, the token will be retrieved



# File 'lib/ooh-auth/request_verification_mixin.rb', line 63

def signature_secret
  "#{authenticating_client.secret}&#{authentication_token ? authentication_token.secret : nil}" rescue raise Merb::ControllerExceptions::NotAcceptable
end

#signed? ⇒ Boolean

Attempts to verify the request’s signature using the strategy covered in signing.markdown. Takes one argument, which is the authenticating client you wish to check the signature against. Returns true on success, false on failure.

Returns:

  • (Boolean)


# File 'lib/ooh-auth/request_verification_mixin.rb', line 34

def signed?
  # Fail immediately if the request is not signed at all
  return false unless oauth_request? and authenticating_client
  # mash and compare with given signature
  # (String#== is not a constant-time comparison)
  self.signature == build_signature
end
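
The verification path documented above (signature_base_string, build_signature, signed?) as an added stand-alone example, not OohAuth's own code: it percent-encodes each base-string part as oauth.net/core/1.0#signing_process describes, accepts only HMAC-SHA1 from an allow-list, and compares signatures in constant time. All method and constant names are hypothetical; the sample request is the worked example from the OAuth Core 1.0 appendix.

```ruby
require "openssl"

# Added example; every name here is hypothetical, not part of OohAuth.
DIGESTS = { "HMAC-SHA1" => "SHA1" }.freeze # allow-list; anything else is rejected

# Percent-encode everything outside the RFC 3986 unreserved set.
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# METHOD & url & sorted key=value pairs, each part encoded, oauth_signature left out.
def base_string(http_method, uri, params)
  pairs = params.reject { |k, _| k.to_s == "oauth_signature" }
                .map { |k, v| [oauth_escape(k), oauth_escape(v)] }.sort
  normalised = pairs.map { |k, v| "#{k}=#{v}" }.join("&")
  [http_method.to_s.upcase, uri, normalised].map { |part| oauth_escape(part) }.join("&")
end

# Returns the Base64 signature, or nil for a signature method outside the allow-list.
def sign(http_method, uri, params, consumer_secret, token_secret = nil)
  digest = DIGESTS[params["oauth_signature_method"] || "HMAC-SHA1"]
  return nil unless digest
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  mac = OpenSSL::HMAC.digest(digest, key, base_string(http_method, uri, params))
  [mac].pack("m0") # strict Base64: no embedded newlines to strip
end

# Examines every byte, wherever the first mismatch occurs.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def verify(http_method, uri, params, consumer_secret, token_secret = nil)
  expected = sign(http_method, uri, params, consumer_secret, token_secret)
  given = params["oauth_signature"]
  return false unless expected && given.is_a?(String)
  secure_compare(expected, given)
end

# Sample request: the worked example from the OAuth Core 1.0 specification appendix.
SAMPLE = {
  "file" => "vacation.jpg", "size" => "original",
  "oauth_consumer_key" => "dpf43f3p2l4k3l03", "oauth_token" => "nnch734d00sl2jdk",
  "oauth_signature_method" => "HMAC-SHA1", "oauth_timestamp" => "1191242096",
  "oauth_nonce" => "kllo9940pd9333jh", "oauth_version" => "1.0"
}.freeze
```

A signature whose "+" has been turned into a space, the mangling noted under #signature, fails this check; so does a request that names a signature method outside the allow-list.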

#timestamp ⇒ Object

Returns the oauth_timestamp from the Authorization header or the GET/POST params, or nil if not present.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 140

def timestamp
  oauth_merged_params[:oauth_timestamp]
end

#token ⇒ Object

Returns the oauth_token from the Authorization header or the GET/POST params, or nil if not present.



# File 'lib/ooh-auth/request_verification_mixin.rb', line 129

def token
  oauth_merged_params[:oauth_token]
end