Module: OAuthenticator::ConfigMethods
- Included in:
- SignedRequest
- Defined in:
- lib/oauthenticator/config_methods.rb
Overview
This module contains stubs, or in some cases default values, for implementations of particulars of the OAuth protocol. Applications must implement some of these, and are likely to want to override the default values of others. certain methods will need to use methods of the SignedRequest class.
the methods your implementation will need to be used are primarily those from the parsed OAuth Authorization header. these are methods your implementation WILL need to use to implement the required functionality:
#consumer_key
#token
#nonce
#timestamp
the following are the other parts of the Authorization, but your implementation will probably NOT need to use these (OAuthenticator does everything that is needed to validate these parts):
#version
#signature_method
#signature
Instance Method Summary collapse
-
#allowed_signature_methods ⇒ Array<String>
the signature methods which the application will accept.
-
#body_hash_required? ⇒ Boolean
whether the request will be considered valid if it is missing the oauth_body_hash parameter, when that parameter is allowed.
-
#consumer_secret ⇒ String
this should look up the consumer secret in your application's storage corresponding to the request's consumer key, which is available via the
#consumer_key
method. -
#nonce_used? ⇒ Boolean
whether the nonce, available via the
#nonce
method, has already been used. -
#timestamp_valid_future ⇒ Integer
the number of seconds (integer) in the future for which the request is considered valid.
-
#timestamp_valid_past ⇒ Integer
the number of seconds (integer) in the past for which the request is considered valid.
-
#timestamp_valid_period ⇒ Integer
the number of seconds (integer) in both the past and future for which the request is considered valid.
-
#token_belongs_to_consumer? ⇒ Boolean
whether the token indicated by the request (via
#token
) belongs to the consumer indicated by the request (via#consumer_key
). -
#token_secret ⇒ String
this should look up the token secret in your application's storage corresponding to the request's token, which is available via the
#token
method. -
#use_nonce! ⇒ Void
cause the nonce, available via the
#nonce
method, to be marked as used.
Instance Method Details
#allowed_signature_methods ⇒ Array<String>
the signature methods which the application will accept. this MUST be a subset of the signature methods
defined in the OAuth 1.0 protocol: %w(HMAC-SHA1 RSA-SHA1 PLAINTEXT)
. the default value for this is all
allowed signature methods, and may remain unimplemented if you wish to allow all defined signature
methods.
74 75 76 |
# File 'lib/oauthenticator/config_methods.rb', line 74 def allowed_signature_methods SignableRequest::SIGNATURE_METHODS.keys end |
#body_hash_required? ⇒ Boolean
whether the request will be considered valid if it is missing the oauth_body_hash parameter, when that parameter is allowed. if you require requests to include the oauth_body_hash parameter, return true here.
the default for this method is false, since the oauth body hash is not widely implemented.
this only applies to requests which are NOT form encoded - requests which are form-encoded must never have the oauth_body_hash parameter regardless of this setting and will be rejected as inauthentic, per the OAuth Request Body Hash spec. this also does not apply to requests with a signature method which does not have a corresponding body hash method - i.e., the PLAINTEXT signature method.
152 153 154 |
# File 'lib/oauthenticator/config_methods.rb', line 152 def body_hash_required? false end |
#consumer_secret ⇒ String
this should look up the consumer secret in your application's storage corresponding to the request's
consumer key, which is available via the #consumer_key
method. see the README for an example
implementation.
83 84 85 |
# File 'lib/oauthenticator/config_methods.rb', line 83 def consumer_secret config_method_not_implemented end |
#nonce_used? ⇒ Boolean
whether the nonce, available via the #nonce
method, has already been used. you may wish to use this in
conjunction with the timestamp (#timestamp
), per the OAuth 1.0 spec.
it's worth noting that if this ever returns true, it may indicate a replay attack under way against your application. the replay attack will fail due to OAuth, but you may wish to log the event.
this method MAY simply return false IF the method #use_nonce! is implemented to raise OAuthenticator::NonceUsedError when it encounters an already-used nonce. this may be preferable - see the #use_nonce! documentation.
106 107 108 |
# File 'lib/oauthenticator/config_methods.rb', line 106 def nonce_used? config_method_not_implemented end |
#timestamp_valid_future ⇒ Integer
the number of seconds (integer) in the future for which the request is considered valid.
if the timestamp is more than this number of seconds greater than the current clock time, then the request is considered invalid and the response is an error.
this should be large enough to allow for clock skew between your application's server and the requester's clock.
this method may remain unimplemented if #timestamp_valid_period is implemented.
64 65 66 |
# File 'lib/oauthenticator/config_methods.rb', line 64 def end |
#timestamp_valid_past ⇒ Integer
the number of seconds (integer) in the past for which the request is considered valid.
if the timestamp is more than this number of seconds less than the current clock time, then the request is considered invalid and the response is an error.
this should be large enough to allow for clock skew between your application's server and the requester's clock.
nonces older than Time.now - timestamp_valid_past may be discarded.
this method may remain unimplemented if #timestamp_valid_period is implemented.
49 50 51 |
# File 'lib/oauthenticator/config_methods.rb', line 49 def end |
#timestamp_valid_period ⇒ Integer
the number of seconds (integer) in both the past and future for which the request is considered valid.
if it is desired to have a different period considered valid in the past than in the future, then the methods #timestamp_valid_past and #timestamp_valid_future may be implemented instead, and this method may remain unimplemented.
see the documentation for #timestamp_valid_past and #timestamp_valid_future for other considerations of the valid period.
32 33 34 |
# File 'lib/oauthenticator/config_methods.rb', line 32 def config_method_not_implemented end |
#token_belongs_to_consumer? ⇒ Boolean
whether the token indicated by the request (via #token
) belongs to the consumer indicated by
the request (via #consumer_key
).
this method may simply return true if the implementation does not care to restrict tokens by consumer.
136 137 138 |
# File 'lib/oauthenticator/config_methods.rb', line 136 def token_belongs_to_consumer? config_method_not_implemented end |
#token_secret ⇒ String
this should look up the token secret in your application's storage corresponding to the request's
token, which is available via the #token
method. see the README for an example implementation.
91 92 93 |
# File 'lib/oauthenticator/config_methods.rb', line 91 def token_secret config_method_not_implemented end |
#use_nonce! ⇒ Void
cause the nonce, available via the #nonce
method, to be marked as used. you may wish to use this in
conjunction with the timestamp (#timestamp
).
although this will only be called when #nonce_used? has returned false, since a nonzero amount of time does elapse between that being called and this, a race condition may occur. therefore, if the implementation is able to perform an atomic test-and-set (e.g. with SETNX in redis, or with a uniqueness-ensuring index in SQL) when it is using the nonce, then it SHOULD do so in this method, and if the test-and-set indicates the nonce has been used, SHOULD raise OAuthenticator::NonceUsedError.
if it is more performant for the implementation to only check whether the nonce is used once, when setting, then the method #nonce_used? MAY simply return false, and raising OAuthenticator::NonceUsedError from this method may be the only method of indicating a used nonce.
125 126 127 |
# File 'lib/oauthenticator/config_methods.rb', line 125 def use_nonce! config_method_not_implemented end |