Package io.lumify.web.auth.oauth.routes

Source Code of io.lumify.web.auth.oauth.routes.Twitter

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
package io.lumify.web.auth.oauth.routes;

import io.lumify.core.model.user.UserRepository;
import io.lumify.core.user.User;
import io.lumify.core.util.LumifyLogger;
import io.lumify.core.util.LumifyLoggerFactory;
import io.lumify.miniweb.Handler;
import io.lumify.miniweb.HandlerChain;
import io.lumify.web.AuthenticationHandler;
import io.lumify.web.CurrentUser;
import io.lumify.web.auth.oauth.OAuthConfiguration;
import org.json.JSONObject;
import org.scribe.builder.ServiceBuilder;
import org.scribe.builder.api.TwitterApi;
import org.scribe.model.*;
import org.scribe.oauth.OAuthService;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

import static com.google.common.base.Preconditions.checkNotNull;

public class Twitter implements Handler {
    private static final LumifyLogger LOGGER = LumifyLoggerFactory.getLogger(Twitter.class);
    private static final String OAUTH_REQUEST_TOKEN = "oauth_token";
    public static final String OAUTH_TOKEN_PARAM_NAME = "oauth_token";
    public static final String OAUTH_VERIFIER_PARAM_NAME = "oauth_verifier";
    private final OAuthConfiguration config;
    private final UserRepository userRepository;

    public Twitter(OAuthConfiguration config, UserRepository userRepository) {
        this.config = config;
        this.userRepository = userRepository;
        checkNotNull(config.getKey(), "Twitter OAuth apiKey not set");
        checkNotNull(config.getSecret(), "Twitter OAuth apiSecret not set");
    }

    @Override
    public void handle(HttpServletRequest httpRequest, HttpServletResponse httpResponse, HandlerChain chain) throws Exception {
        if (httpRequest.getParameter(OAUTH_VERIFIER_PARAM_NAME) != null) {
            verify(httpRequest, httpResponse, chain);
        } else {
            login(httpRequest, httpResponse, chain);
        }
    }

    private void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse, HandlerChain chain) throws IOException {
        OAuthService service = getOAuthService(httpRequest, true);
        Token requestToken = service.getRequestToken();
        httpRequest.getSession().setAttribute(OAUTH_REQUEST_TOKEN, requestToken);
        String authUrl = service.getAuthorizationUrl(requestToken);
        httpResponse.sendRedirect(authUrl);
    }

    private void verify(HttpServletRequest httpRequest, HttpServletResponse httpResponse, HandlerChain chain) throws IOException {
        String inboundVerifier = httpRequest.getParameter(OAUTH_VERIFIER_PARAM_NAME);
        String inboundToken = httpRequest.getParameter(OAUTH_TOKEN_PARAM_NAME);
        Token storedToken = (Token) httpRequest.getSession().getAttribute(OAUTH_REQUEST_TOKEN);
        httpRequest.getSession().removeAttribute(OAUTH_REQUEST_TOKEN);

        if (storedToken == null) {
            LOGGER.warn("OAuth verification attempted but no stored token found in the user's session");
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        if (!inboundToken.equals(storedToken.getToken())) {
            LOGGER.warn("OAuth verfication attempted, but oauth_token request param did not match token stored in user's session");
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        Verifier verifier = new Verifier(inboundVerifier);
        OAuthService service = getOAuthService(httpRequest, false);

        // TODO: Store this token if authorization succeeds
        Token accessToken = service.getAccessToken(storedToken, verifier);

        OAuthRequest authRequest = new OAuthRequest(Verb.GET, "https://api.twitter.com/1.1/account/verify_credentials.json");
        service.signRequest(accessToken, authRequest);
        Response authResponse = authRequest.send();

        if (!authResponse.isSuccessful()) {
            LOGGER.warn("OAuth handshake completed, but Twitter credential verification failed: " + authResponse.getMessage());
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        JSONObject jsonResponse = new JSONObject(authResponse.getBody());
        String screenName = jsonResponse.getString("screen_name");
        if (screenName == null) {
            LOGGER.warn("Twitter OAuth JSON authorization response did not contain a 'screen_name' value, which is required.");
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String displayName = jsonResponse.getString("name");
        if (displayName == null) {
            LOGGER.warn("Twitter OAuth JSON authorization response did not contain a 'name' value, which is required.");
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String username = "twitter/" + screenName;
        User user = userRepository.findByUsername(username);
        if (user == null) {
            // For form based authentication, username and displayName will be the same
            String randomPassword = UserRepository.createRandomPassword();
            user = userRepository.addUser(username, displayName, null, randomPassword, new String[0]);
        }
        userRepository.recordLogin(user, httpRequest.getRemoteAddr());

        CurrentUser.set(httpRequest, user.getUserId(), user.getUsername());

        httpResponse.sendRedirect(httpRequest.getServletContext().getContextPath() + "/");
    }

    private OAuthService getOAuthService(HttpServletRequest request, boolean withCallback) {
        ServiceBuilder builder = new ServiceBuilder()
                .provider(TwitterApi.SSL.Authenticate.class)
                .apiKey(config.getKey())
                .apiSecret(config.getSecret());

        if (withCallback) {
            builder.callback(request.getRequestURL().toString());
        }

        return builder.build();
    }
}
TOP

Related Classes of io.lumify.web.auth.oauth.routes.Twitter

  • io.lumify.core.user.User
  • io.lumify.web.auth.oauth.OAuthWebAppPlugin
  • org.json.JSONObject
  • org.scribe.builder.ServiceBuilder
  • org.scribe.oauth.OAuthService
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.