After the authorization has been made, the access token is being inserted with no type property (which defaults to being 0 -- so OAUTH_COMMON_TOKEN_TYPE_REQUEST), when it should be inserting type = 1 (OAUTH_COMMON_TOKEN_TYPE_ACCESS). The code:

$token->uid = $user->uid;
$token->authorized = 1;
$token->services = $context->authorization_options['default_authorization_levels'];
$token->write(TRUE);

Adding this line before the write method is invoked fixed it:

$token->type = OAUTH_COMMON_TOKEN_TYPE_ACCESS;

(Sorry I don't know how to make patches)


Comments

jobeirne’s picture

Thanks for the issue, edu. Can you describe the pathological behavior that crops up because of this exclusion? I'm not sure what to test for.

miqmago’s picture

One pathological behavior I found is when a user wants to see his authorized tokens he can't because of the query in oauth_common_get_user_provider_tokens() in oauth_common.module line 408:

/**
 * Gets the tokens for a user.
 *
 * @param string $uid
 * @param string $type
 * @return array
 */
function oauth_common_get_user_provider_tokens($uid) {
  $res = db_query("SELECT t.*, pt.created, pt.changed, pt.services, pt.authorized FROM {oauth_common_token} t
    INNER JOIN {oauth_common_provider_token} pt WHERE t.uid = :uid AND t.type = :type", array(
      ':uid'  => $uid,
      ':type' => OAUTH_COMMON_TOKEN_TYPE_ACCESS,
    ));
  $tokens = array();
  while ($token = DrupalOAuthToken::fromResult($res)) {
    $tokens[] = $token;
  }
  return $tokens;
}

called by oauth_common_page_user_authorizations() in oauth_common.authorizations.inc line 3:

/**
 * @file
 * Functions related to a user's authorization section
 */

function oauth_common_page_user_authorizations($account) {
  $header = array(
    array('data' => t('Application'), 'class' =>  array("oauth-common-authorization-application")),
    array('data' => t('Key'),         'class' =>  array("oauth-common-authorization-key")),
    array('data' => t('Created'),     'class' =>  array("oauth-common-authorization-created")),
    array('data' => t('Expires'),     'class' =>  array("oauth-common-authorization-expires")),
    array('data' => t('Operations'),  'class' =>  array("oauth-common-authorization-operations")),
  );

  $access_tokens = oauth_common_get_user_provider_tokens($account->uid);

miqmago’s picture

Here goes my first patch... hope it is OK

miqmago’s picture

Status: Needs review » Active
File size: 768 bytes

Needed to be also added on oauth_common_form_authorize_submit(). Invalidates #3.

miqmago’s picture

Status: Active » Needs review
File size: 1.4 KB

After #4 now it shows the authorized tokens in /user/xx/oauth.
If there are multiple request tokens (not yet authorized) and authorized tokens, it shows each authorized token as many times as there are authorized + unauthorized tokens.
Repeat:
1 - request token
2 - authorize token #1
3 - request token again
4 - go to /user/xx/oauth

there will be token #1 twice, because of INNER JOIN in:

function oauth_common_get_user_provider_tokens($uid) {
  $res = db_query("SELECT t.*, pt.created, pt.changed, pt.services, pt.authorized FROM {oauth_common_token} t
    INNER JOIN {oauth_common_provider_token} pt WHERE t.uid = :uid AND t.type = :type", array(

Attached new patch with all updates, converting INNER JOIN to LEFT JOIN.
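
The duplicate listing described in this comment, reproduced with SQLite as an added example (not code from this thread or from the oauth_common module). The two-table schema, the sample rows and the `tid` join key are constructed assumptions; only the join shape and the type constants come from the page.

```python
import sqlite3

# Type values as stated in the issue: request = 0, access = 1.
OAUTH_COMMON_TOKEN_TYPE_REQUEST = 0
OAUTH_COMMON_TOKEN_TYPE_ACCESS = 1

COLUMNS = "SELECT t.token_key, pt.authorized FROM oauth_common_token t "
FILTER = " WHERE t.uid = :uid AND t.type = :type ORDER BY t.tid"
# Join shape quoted in the thread: no ON condition, so every matching token
# row is paired with every provider-token row.
QUERY_NO_ON = COLUMNS + "INNER JOIN oauth_common_provider_token pt" + FILTER
# Same query with a join condition; the shared tid key is an assumption.
QUERY_WITH_ON = (COLUMNS + "INNER JOIN oauth_common_provider_token pt "
                 "ON pt.tid = t.tid" + FILTER)


def build_db(extra_request_tokens=0):
    """Constructed schema and rows for steps 1-3 of the comment above."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE oauth_common_token (
            tid INTEGER PRIMARY KEY, token_key TEXT, type INTEGER, uid INTEGER);
        CREATE TABLE oauth_common_provider_token (
            tid INTEGER PRIMARY KEY, authorized INTEGER);
    """)
    # Token 1 was requested and then authorized by uid 5 (stored as access).
    rows = [(1, "tok-1", OAUTH_COMMON_TOKEN_TYPE_ACCESS, 5, 1)]
    # Token 2 (and any extras) were requested but never authorized.
    for tid in range(2, 3 + extra_request_tokens):
        rows.append((tid, f"tok-{tid}", OAUTH_COMMON_TOKEN_TYPE_REQUEST, 0, 0))
    for tid, key, ttype, uid, authorized in rows:
        db.execute("INSERT INTO oauth_common_token VALUES (?, ?, ?, ?)",
                   (tid, key, ttype, uid))
        db.execute("INSERT INTO oauth_common_provider_token VALUES (?, ?)",
                   (tid, authorized))
    return db


def listed_tokens(db, query, uid):
    """Token keys the authorizations page would list for this user."""
    params = {"uid": uid, "type": OAUTH_COMMON_TOKEN_TYPE_ACCESS}
    return [row[0] for row in db.execute(query, params)]


if __name__ == "__main__":
    db = build_db()
    print("no ON:  ", listed_tokens(db, QUERY_NO_ON, 5))
    print("with ON:", listed_tokens(db, QUERY_WITH_ON, 5))
```

Without a join condition the single authorized token is listed once per provider-token row in the table, so the count grows with every outstanding request token.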

miqmago’s picture

Status: Active » Needs review

OK, after testing the whole process, there is another problem:

When the app tries to get an access token from the authorized token, the authorized token needs to still be a "request" token, not an "access" token; if not, OAuth doesn't find the token in OAuth.php:

  public function fetch_access_token(&$request) {
    $this->get_version($request);

    $consumer = $this->get_consumer($request);

    // requires authorized request token
    $token = $this->get_token($request, $consumer, "request");

So maybe the question is: when should the user be able to see his authorized tokens, immediately after authorizing them, or after the access token has been requested?

Anyway, should #5 be applied in order not to show multiple lines for the same authorized token?

miqmago’s picture

Issue summary: View changes

added code tag