authorAndrew Arnott <andrewarnott@gmail.com>2009-05-21 17:55:16 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2009-05-21 17:55:16 -0700
commita05c016a9c73ba3c1d880e2f60be504bcbc36104 (patch)
treed022eeb4fa8c0b618db3fd777ba483647c9f2233 /samples/OAuthServiceProvider
parentbaa8dcc4fb574fe81ae701eb9020d10684158781 (diff)
parent683b55a61af3c7bfa11b74a5cc4efd3556e59613 (diff)
Merge branch 'v3.1'
Diffstat (limited to 'samples/OAuthServiceProvider')
-rw-r--r--samples/OAuthServiceProvider/App_Code/DatabaseTokenManager.cs14
-rw-r--r--samples/OAuthServiceProvider/Members/Authorize.aspx1
-rw-r--r--samples/OAuthServiceProvider/Members/Authorize.aspx.cs21
-rw-r--r--samples/OAuthServiceProvider/Web.config24
4 files changed, 56 insertions, 4 deletions
diff --git a/samples/OAuthServiceProvider/App_Code/DatabaseTokenManager.cs b/samples/OAuthServiceProvider/App_Code/DatabaseTokenManager.cs
index d922901..275a7c9 100644
--- a/samples/OAuthServiceProvider/App_Code/DatabaseTokenManager.cs
+++ b/samples/OAuthServiceProvider/App_Code/DatabaseTokenManager.cs
@@ -119,4 +119,18 @@ public class DatabaseTokenManager : IServiceProviderTokenManager {
tokenRow.State = TokenAuthorizationState.AuthorizedRequestToken;
tokenRow.User = user;
}
+
+ public OAuthConsumer GetConsumerForToken(string token) {
+ if (String.IsNullOrEmpty(token)) {
+ throw new ArgumentNullException("requestToken");
+ }
+
+ var tokenRow = Global.DataContext.OAuthTokens.SingleOrDefault(
+ tokenCandidate => tokenCandidate.Token == token);
+ if (tokenRow == null) {
+ throw new ArgumentException();
+ }
+
+ return tokenRow.OAuthConsumer;
+ }
}
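Review bot: The guard at the top of GetConsumerForToken names the wrong parameter and throws the wrong type for an empty string: the parameter is `token`, not `requestToken`, and `String.IsNullOrEmpty` also accepts an empty (non-null) string, for which `ArgumentNullException` is misleading. The unknown-token branch then throws a bare `ArgumentException()` with no message, so a caller or log entry learns nothing about which lookup failed. I would write `throw new ArgumentException("Token must not be null or empty.", "token");` for the first check and `throw new ArgumentException("No token with the given value is known to this service provider.", "token");` for the second. The enclosing DatabaseTokenManager class starts outside the hunk, so whether this member is required by IServiceProviderTokenManager cannot be seen here.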
diff --git a/samples/OAuthServiceProvider/Members/Authorize.aspx b/samples/OAuthServiceProvider/Members/Authorize.aspx
index 0fd272c..69f9498 100644
--- a/samples/OAuthServiceProvider/Members/Authorize.aspx
+++ b/samples/OAuthServiceProvider/Members/Authorize.aspx
@@ -7,6 +7,7 @@
<div style="background-color: Yellow">
<b>Warning</b>: Never give your login credentials to another web site or application.
</div>
+ <asp:HiddenField runat="server" ID="OAuthAuthorizationSecToken" EnableViewState="false" />
<p>The client web site or application
<asp:Label ID="consumerLabel" Font-Bold="true" runat="server" Text="[consumer]" />
wants access to your
diff --git a/samples/OAuthServiceProvider/Members/Authorize.aspx.cs b/samples/OAuthServiceProvider/Members/Authorize.aspx.cs
index 76eec26..b3094c9 100644
--- a/samples/OAuthServiceProvider/Members/Authorize.aspx.cs
+++ b/samples/OAuthServiceProvider/Members/Authorize.aspx.cs
@@ -1,6 +1,7 @@
using System;
using System.Collections.Generic;
using System.Linq;
+using System.Security.Cryptography;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
@@ -12,6 +13,13 @@ using DotNetOpenAuth.OAuth.Messages;
/// Conducts the user through a Consumer authorization process.
/// </summary>
public partial class Authorize : System.Web.UI.Page {
+ private static readonly RandomNumberGenerator CryptoRandomDataGenerator = new RNGCryptoServiceProvider();
+
+ private string AuthorizationSecret {
+ get { return Session["OAuthAuthorizationSecret"] as string; }
+ set { Session["OAuthAuthorizationSecret"] = value; }
+ }
+
protected void Page_Load(object sender, EventArgs e) {
if (!IsPostBack) {
if (Global.PendingOAuthAuthorization == null) {
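Review bot: The new `CryptoRandomDataGenerator` field and `AuthorizationSecret` property carry no XML doc comments, while the surrounding file documents the class with `///` summaries, so a reader has to find allowAccessButton_Click to learn what the session entry is for. I would add `/// <summary>Gets or sets the one-time secret that the user agent must echo back before the pending request token is authorized; kept in session state so it never reaches the Consumer.</summary>` on the property and `/// <summary>Process-wide source of cryptographically strong random bytes used to mint that secret.</summary>` on the field. Page_Load continues past the end of the hunk.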
@@ -20,11 +28,24 @@ public partial class Authorize : System.Web.UI.Page {
ITokenContainingMessage pendingToken = Global.PendingOAuthAuthorization;
var token = Global.DataContext.OAuthTokens.Single(t => t.Token == pendingToken.Token);
desiredAccessLabel.Text = token.Scope;
+ consumerLabel.Text = Global.TokenManager.GetConsumerForToken(token.Token).ConsumerKey;
+
+ // Generate an unpredictable secret that goes to the user agent and must come back
+ // with authorization to guarantee the user interacted with this page rather than
+ // being scripted by an evil Consumer.
+ byte[] randomData = new byte[8];
+ CryptoRandomDataGenerator.GetBytes(randomData);
+ this.AuthorizationSecret = Convert.ToBase64String(randomData);
+ OAuthAuthorizationSecToken.Value = this.AuthorizationSecret;
}
}
}
protected void allowAccessButton_Click(object sender, EventArgs e) {
+ if (this.AuthorizationSecret != OAuthAuthorizationSecToken.Value) {
+ throw new ArgumentException(); // probably someone trying to hack in.
+ }
+ this.AuthorizationSecret = null; // clear one time use secret
var pending = Global.PendingOAuthAuthorization;
Global.AuthorizePendingRequestToken();
multiView.ActiveViewIndex = 1;
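Review bot: The secret check in allowAccessButton_Click compares the session value and the posted hidden field with `!=`, an early-exit ordinal comparison, where a fixed-time comparison is the usual idiom for a value whose only purpose is to be unguessable; `CryptographicOperations.FixedTimeEquals` provides that on current frameworks but appears unavailable on the 2.0/3.5-era assemblies this sample's Web.config references, so a small helper that always walks the full length is needed here. The mismatch branch also throws a bare `ArgumentException()` explained only by a code comment; a typed exception with a message, as below, gives the log something to go on without telling the submitter anything new. In Page_Load, `Global.TokenManager.GetConsumerForToken(token.Token).ConsumerKey` performs a second lookup for a row already in hand, and the same commit exposes `OAuthConsumer` on that row type, so `consumerLabel.Text = token.OAuthConsumer.ConsumerKey;` reads it directly. allowAccessButton_Click continues past the end of the hunk.
```csharp
/// <summary>
/// Compares two secrets without stopping at the first differing character, so the
/// time taken does not reveal how many leading characters of the secret matched.
/// Null or different-length inputs are simply reported as unequal.
/// </summary>
private static bool FixedTimeEquals(string expected, string actual) {
    if (expected == null || actual == null || expected.Length != actual.Length) {
        return false;
    }
    int difference = 0;
    for (int i = 0; i < expected.Length; i++) {
        difference |= expected[i] ^ actual[i];
    }
    return difference == 0;
}

protected void allowAccessButton_Click(object sender, EventArgs e) {
    if (!FixedTimeEquals(this.AuthorizationSecret, OAuthAuthorizationSecToken.Value)) {
        throw new InvalidOperationException("The authorization form was not submitted from the page that issued it.");
    }
    // … unchanged: clear the one-time secret, authorize the pending token, switch view …
```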
diff --git a/samples/OAuthServiceProvider/Web.config b/samples/OAuthServiceProvider/Web.config
index 8fad999..894ad38 100644
--- a/samples/OAuthServiceProvider/Web.config
+++ b/samples/OAuthServiceProvider/Web.config
@@ -1,6 +1,7 @@
<?xml version="1.0"?>
<configuration>
<configSections>
+ <section name="uri" type="System.Configuration.UriSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler" requirePermission="false"/>
<sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
@@ -14,16 +15,31 @@
</sectionGroup>
</sectionGroup>
</configSections>
+
+ <!-- The uri section is necessary to turn on .NET 3.5 support for IDN (international domain names),
+ which is necessary for OpenID urls with unicode characters in the domain/host name.
+ It is also required to put the Uri class into RFC 3986 escaping mode, which OpenID and OAuth require. -->
+ <uri>
+ <idn enabled="All"/>
+ <iriParsing enabled="true"/>
+ </uri>
+
+ <system.net>
+ <defaultProxy enabled="true" />
+ <settings>
+ <!-- This setting causes .NET to check certificate revocation lists (CRL)
+ before trusting HTTPS certificates. But this setting tends to not
+ be allowed in shared hosting environments. -->
+ <!--<servicePointManager checkCertificateRevocationList="true"/>-->
+ </settings>
+ </system.net>
+
<appSettings/>
<connectionStrings>
<add name="DatabaseConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database.mdf;Integrated Security=True;User Instance=True"
providerName="System.Data.SqlClient" />
</connectionStrings>
- <system.net>
- <defaultProxy enabled="true" />
- </system.net>
-
<system.web>
<!--
Set compilation debug="true" to insert debugging