Remove brittle custom-signing logic

This commit is contained in:
Tobe O 2019-03-23 00:22:20 -04:00
parent 8bef3ae78f
commit ffb9bfe6ae
2 changed files with 38 additions and 91 deletions

View file

@ -1,22 +1,16 @@
import 'dart:async'; import 'dart:async';
import 'dart:collection';
import 'dart:convert';
import 'package:angel_auth/angel_auth.dart'; import 'package:angel_auth/angel_auth.dart';
import 'package:angel_framework/angel_framework.dart'; import 'package:angel_framework/angel_framework.dart';
import 'package:crypto/crypto.dart';
import 'package:http/http.dart' as http; import 'package:http/http.dart' as http;
import 'package:meta/meta.dart'; import 'package:oauth/oauth.dart' as oauth;
import 'package:path/path.dart' as p; import 'package:path/path.dart' as p;
import 'package:random_string/random_string.dart' as rs;
import 'package:twitter/twitter.dart'; import 'package:twitter/twitter.dart';
/// Authenticates users by connecting to Twitter's API.
class TwitterStrategy<User> extends AuthStrategy<User> { class TwitterStrategy<User> extends AuthStrategy<User> {
/// The options defining how to connect to the third-party. /// The options defining how to connect to the third-party.
final ExternalAuthOptions options; final ExternalAuthOptions options;
/// The underlying [BaseClient] used to query Twitter.
final http.BaseClient httpClient;
/// A callback that uses Twitter to authenticate a [User]. /// A callback that uses Twitter to authenticate a [User].
/// ///
/// As always, return `null` if authentication fails. /// As always, return `null` if authentication fails.
@ -26,74 +20,21 @@ class TwitterStrategy<User> extends AuthStrategy<User> {
/// The root of Twitter's API. Defaults to `'https://api.twitter.com'`. /// The root of Twitter's API. Defaults to `'https://api.twitter.com'`.
final Uri baseUrl; final Uri baseUrl;
oauth.Client _client;
/// The underlying [oauth.Client] used to query Twitter.
oauth.Client get client => _client;
TwitterStrategy(this.options, this.verifier, TwitterStrategy(this.options, this.verifier,
{http.BaseClient client, Uri baseUrl}) {http.BaseClient client, Uri baseUrl})
: this.baseUrl = baseUrl ?? Uri.parse('https://api.twitter.com'), : this.baseUrl = baseUrl ?? Uri.parse('https://api.twitter.com') {
this.httpClient = client ?? http.Client() as http.BaseClient; var tokens = oauth.Tokens(
consumerId: options.clientId, consumerKey: options.clientSecret);
String _createSignature( _client = oauth.Client(tokens, client: client);
String method, String uriString, Map<String, String> params,
{@required String tokenSecret}) {
// Not only do we need to sort the parameters, but we need to URI-encode them as well.
var encoded = new SplayTreeMap();
for (String key in params.keys) {
encoded[Uri.encodeComponent(key)] = Uri.encodeComponent(params[key]);
}
String collectedParams =
encoded.keys.map((key) => "$key=${encoded[key]}").join("&");
String baseString =
"$method&${Uri.encodeComponent(uriString)}&${Uri.encodeComponent(collectedParams)}";
String signingKey =
"${Uri.encodeComponent(options.clientSecret)}&$tokenSecret";
// After you create a base string and signing key, we need to hash this via HMAC-SHA1
var hmac = new Hmac(sha1, signingKey.codeUnits);
// The returned signature should be the resulting hash, Base64-encoded
return base64.encode(hmac.convert(baseString.codeUnits).bytes);
} }
Future<http.Request> _prepRequest(String path, /// Handle a response from Twitter.
{String method = "GET", Future<Map<String, String>> handleUrlEncodedResponse(http.Response rs) async {
Map<String, String> data = const {},
String accessToken,
String tokenSecret = ''}) async {
var headers = new Map<String, String>.from(data);
headers["oauth_version"] = "1.0";
headers["oauth_consumer_key"] = options.clientId;
// The implementation of _randomString doesn't matter - just generate a 32-char
// alphanumeric string.
headers["oauth_nonce"] = rs.randomAlphaNumeric(32);
headers["oauth_signature_method"] = "HMAC-SHA1";
headers["oauth_timestamp"] =
(new DateTime.now().millisecondsSinceEpoch / 1000).round().toString();
if (accessToken != null) {
headers["oauth_token"] = accessToken;
}
var request = http.Request(method, baseUrl.replace(path: path));
headers['oauth_signature'] = _createSignature(
method, request.url.toString(), headers,
tokenSecret: tokenSecret);
var oauthString = headers.keys
.map((name) => '$name="${Uri.encodeComponent(headers[name])}"')
.join(", ");
return request
..headers.addAll(headers)
..headers['authorization'] = "OAuth $oauthString";
}
Future<Map<String, String>> _parseUrlEncoded(http.BaseRequest rq) async {
var response = await httpClient.send(rq);
var rs = await http.Response.fromStream(response);
var body = rs.body; var body = rs.body;
if (rs.statusCode != 200) { if (rs.statusCode != 200) {
@ -104,22 +45,25 @@ class TwitterStrategy<User> extends AuthStrategy<User> {
return Uri.splitQueryString(body); return Uri.splitQueryString(body);
} }
Future<Map<String, String>> getAccessToken( /// Get an access token.
String token, String verifier) async { Future<Map<String, String>> getAccessToken(String token, String verifier) {
var request = await _prepRequest("oauth/access_token", return _client.post(
method: "POST", data: {"verifier": verifier}, accessToken: token); baseUrl.replace(path: p.join(baseUrl.path, 'oauth/access_token')),
request.bodyFields = {'oauth_verifier': verifier}; body: {
return _parseUrlEncoded(request); 'oauth_token': token,
'oauth_verifier': verifier
}).then(handleUrlEncodedResponse);
// var request = await createRequest("oauth/access_token",
// method: "POST", data: {"verifier": verifier}, accessToken: token);
} }
Future<Map<String, String>> getRequestToken() async { /// Get a request token.
var request = await _prepRequest("oauth/request_token", Future<Map<String, String>> getRequestToken() {
method: "POST", return _client.post(
data: {"oauth_callback": options.redirectUri.toString()}); baseUrl.replace(path: p.join(baseUrl.path, 'oauth/request_token')),
body: {
// _mapifyRequest is a function that sends a request and parses its URL-encoded "oauth_callback": options.redirectUri.toString()
// response into a Map. This detail is not important. }).then(handleUrlEncodedResponse);
return await _parseUrlEncoded(request);
} }
@override @override

View file

@ -1,5 +1,5 @@
author: "Tobe O <thosakwe@gmail.com>" author: "Tobe O <thosakwe@gmail.com>"
description: "angel_auth strategy for Twitter login." description: "package:angel_auth strategy for Twitter login. Auto-signs requests."
environment: environment:
sdk: ">=2.0.0 <3.0.0" sdk: ">=2.0.0 <3.0.0"
homepage: "https://github.com/angel-dart/auth_twitter.git" homepage: "https://github.com/angel-dart/auth_twitter.git"
@ -7,8 +7,11 @@ name: "angel_auth_twitter"
version: 2.0.0 version: 2.0.0
dependencies: dependencies:
angel_auth: ^2.0.0 angel_auth: ^2.0.0
http: ^0.12.0 http: ">=0.11.0 <0.13.0"
random_string: ^0.0.2 # oauth:
# git:
# url: git://github.com/sh4869/oauth.dart.git
# ref: develop
twitter: ^1.0.0 twitter: ^1.0.0
dev_dependencies: dev_dependencies:
logging: ^0.11.0 logging: ^0.11.0