authorAndrew Arnott <andrewarnott@gmail.com>2011-03-31 21:57:23 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2011-03-31 21:57:23 -0700
commitb23852c795da44cc89efb32da4d0af4fdd948ad6 (patch)
treef1c685c40b8ac93d32bc7e7dc41b0bc2faa3143f /src
parent2013075bd0e9d4defc9bd90b64d59a85b4a05269 (diff)
The OAuth MaximumRequestTokenTimeToLive setting is now configurable programmatically (as well as the web.config way that was already available).
Closes #18
Diffstat (limited to 'src')
-rw-r--r--src/DotNetOpenAuth/Configuration/OAuthServiceProviderSecuritySettingsElement.cs1
-rw-r--r--src/DotNetOpenAuth/OAuth/ChannelElements/OAuthChannel.cs39
-rw-r--r--src/DotNetOpenAuth/OAuth/ChannelElements/TokenHandlingBindingElement.cs12
-rw-r--r--src/DotNetOpenAuth/OAuth/ConsumerBase.cs4
-rw-r--r--src/DotNetOpenAuth/OAuth/ServiceProvider.cs4
-rw-r--r--src/DotNetOpenAuth/OAuth/ServiceProviderSecuritySettings.cs11
6 files changed, 54 insertions, 17 deletions
diff --git a/src/DotNetOpenAuth/Configuration/OAuthServiceProviderSecuritySettingsElement.cs b/src/DotNetOpenAuth/Configuration/OAuthServiceProviderSecuritySettingsElement.cs
index c58c023..723b607 100644
--- a/src/DotNetOpenAuth/Configuration/OAuthServiceProviderSecuritySettingsElement.cs
+++ b/src/DotNetOpenAuth/Configuration/OAuthServiceProviderSecuritySettingsElement.cs
@@ -68,6 +68,7 @@ namespace DotNetOpenAuth.Configuration {
internal ServiceProviderSecuritySettings CreateSecuritySettings() {
return new ServiceProviderSecuritySettings {
MinimumRequiredOAuthVersion = this.MinimumRequiredOAuthVersion,
+ MaximumRequestTokenTimeToLive = this.MaximumRequestTokenTimeToLive,
};
}
}
diff --git a/src/DotNetOpenAuth/OAuth/ChannelElements/OAuthChannel.cs b/src/DotNetOpenAuth/OAuth/ChannelElements/OAuthChannel.cs
index f2d69f5..e6cfb78 100644
--- a/src/DotNetOpenAuth/OAuth/ChannelElements/OAuthChannel.cs
+++ b/src/DotNetOpenAuth/OAuth/ChannelElements/OAuthChannel.cs
@@ -31,12 +31,18 @@ namespace DotNetOpenAuth.OAuth.ChannelElements {
/// <param name="signingBindingElement">The binding element to use for signing.</param>
/// <param name="store">The web application store to use for nonces.</param>
/// <param name="tokenManager">The token manager instance to use.</param>
- internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IConsumerTokenManager tokenManager)
+ /// <param name="securitySettings">The security settings.</param>
+ internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IConsumerTokenManager tokenManager, ConsumerSecuritySettings securitySettings)
: this(
signingBindingElement,
store,
tokenManager,
+ securitySettings,
new OAuthConsumerMessageFactory()) {
+ Contract.Requires<ArgumentNullException>(tokenManager != null);
+ Contract.Requires<ArgumentNullException>(securitySettings != null, "securitySettings");
+ Contract.Requires<ArgumentNullException>(signingBindingElement != null);
+ Contract.Requires<ArgumentException>(signingBindingElement.SignatureCallback == null, OAuthStrings.SigningElementAlreadyAssociatedWithChannel);
}
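Review bot: The four Contract.Requires added at the end of this chained constructor duplicate the identical checks already present in the constructor it chains to (the `this(...)` target, later in this file), and under plain C# semantics they only execute after that constructor has already run, so they provide no earlier validation; unless the Code Contracts rewriter hoists them ahead of the chained call, they are dead weight. I would drop them here and rely on the target constructor's contracts, or keep only `Contract.Requires<ArgumentNullException>(securitySettings != null, "securitySettings");` if the intent is to document a precondition specific to this overload. The same applies to the sibling IServiceProviderTokenManager overload in the next hunk.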
/// <summary>
@@ -45,12 +51,18 @@ namespace DotNetOpenAuth.OAuth.ChannelElements {
/// <param name="signingBindingElement">The binding element to use for signing.</param>
/// <param name="store">The web application store to use for nonces.</param>
/// <param name="tokenManager">The token manager instance to use.</param>
- internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IServiceProviderTokenManager tokenManager)
+ /// <param name="securitySettings">The security settings.</param>
+ internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IServiceProviderTokenManager tokenManager, ServiceProviderSecuritySettings securitySettings)
: this(
signingBindingElement,
store,
tokenManager,
+ securitySettings,
new OAuthServiceProviderMessageFactory(tokenManager)) {
+ Contract.Requires<ArgumentNullException>(tokenManager != null);
+ Contract.Requires<ArgumentNullException>(securitySettings != null, "securitySettings");
+ Contract.Requires<ArgumentNullException>(signingBindingElement != null);
+ Contract.Requires<ArgumentException>(signingBindingElement.SignatureCallback == null, OAuthStrings.SigningElementAlreadyAssociatedWithChannel);
}
/// <summary>
@@ -59,14 +71,14 @@ namespace DotNetOpenAuth.OAuth.ChannelElements {
/// <param name="signingBindingElement">The binding element to use for signing.</param>
/// <param name="store">The web application store to use for nonces.</param>
/// <param name="tokenManager">The ITokenManager instance to use.</param>
- /// <param name="messageTypeProvider">
- /// An injected message type provider instance.
+ /// <param name="securitySettings">The security settings.</param>
+ /// <param name="messageTypeProvider">An injected message type provider instance.
/// Except for mock testing, this should always be one of
- /// <see cref="OAuthConsumerMessageFactory"/> or <see cref="OAuthServiceProviderMessageFactory"/>.
- /// </param>
- internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, IMessageFactory messageTypeProvider)
- : base(messageTypeProvider, InitializeBindingElements(signingBindingElement, store, tokenManager)) {
+ /// <see cref="OAuthConsumerMessageFactory"/> or <see cref="OAuthServiceProviderMessageFactory"/>.</param>
+ internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, SecuritySettings securitySettings, IMessageFactory messageTypeProvider)
+ : base(messageTypeProvider, InitializeBindingElements(signingBindingElement, store, tokenManager, securitySettings)) {
Contract.Requires<ArgumentNullException>(tokenManager != null);
+ Contract.Requires<ArgumentNullException>(securitySettings != null, "securitySettings");
Contract.Requires<ArgumentNullException>(signingBindingElement != null);
Contract.Requires<ArgumentException>(signingBindingElement.SignatureCallback == null, OAuthStrings.SigningElementAlreadyAssociatedWithChannel);
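Review bot: The new `securitySettings` parameter is typed as the base `SecuritySettings`, but the doc comment `<param name="securitySettings">The security settings.</param>` does not say that its runtime type must match `tokenManager` — with a service-provider token manager this must be a ServiceProviderSecuritySettings, because InitializeBindingElements casts to it later in this file. I would document the coupling: `<param name="securitySettings">The security settings; must be a <see cref="ServiceProviderSecuritySettings"/> when <paramref name="tokenManager"/> is an <see cref="IServiceProviderTokenManager"/>.</param>`. The constructor body continues past the end of this hunk.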
@@ -265,8 +277,13 @@ namespace DotNetOpenAuth.OAuth.ChannelElements {
/// <param name="signingBindingElement">The signing binding element.</param>
/// <param name="store">The nonce store.</param>
/// <param name="tokenManager">The token manager.</param>
- /// <returns>An array of binding elements used to initialize the channel.</returns>
- private static IChannelBindingElement[] InitializeBindingElements(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager) {
+ /// <param name="securitySettings">The security settings.</param>
+ /// <returns>
+ /// An array of binding elements used to initialize the channel.
+ /// </returns>
+ private static IChannelBindingElement[] InitializeBindingElements(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, SecuritySettings securitySettings) {
+ Contract.Requires(securitySettings != null);
+
var bindingElements = new List<IChannelBindingElement> {
new OAuthHttpMethodBindingElement(),
signingBindingElement,
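Review bot: The new precondition on InitializeBindingElements uses the untyped `Contract.Requires(securitySettings != null);`, whereas every other null check in this file uses the `Contract.Requires<ArgumentNullException>(..., "securitySettings")` form; the untyped overload is conditional on CONTRACTS_FULL and reports a generic contract failure rather than an ArgumentNullException naming the argument. For consistency with the constructors above: `Contract.Requires<ArgumentNullException>(securitySettings != null, "securitySettings");`. The `<returns>` element was also reflowed onto three lines with no change in content; the original single-line form reads better. The method body continues in the next hunk.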
@@ -276,7 +293,7 @@ namespace DotNetOpenAuth.OAuth.ChannelElements {
var spTokenManager = tokenManager as IServiceProviderTokenManager;
if (spTokenManager != null) {
- bindingElements.Insert(0, new TokenHandlingBindingElement(spTokenManager));
+ bindingElements.Insert(0, new TokenHandlingBindingElement(spTokenManager, (ServiceProviderSecuritySettings)securitySettings));
}
return bindingElements.ToArray();
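Review bot: The hard cast `(ServiceProviderSecuritySettings)securitySettings` throws a bare InvalidCastException if the general constructor is given an IServiceProviderTokenManager together with a settings object of another type (for instance a ConsumerSecuritySettings), with no indication of which argument was wrong. Prefer a checked conversion that names the argument before the binding element is built: `var spSettings = securitySettings as ServiceProviderSecuritySettings;` and `if (spSettings == null) { throw new ArgumentException("A ServiceProviderSecuritySettings instance is required with a service provider token manager.", "securitySettings"); }`, then pass `spSettings` to the TokenHandlingBindingElement. InitializeBindingElements starts in the previous hunk and its closing brace lies outside this one.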
diff --git a/src/DotNetOpenAuth/OAuth/ChannelElements/TokenHandlingBindingElement.cs b/src/DotNetOpenAuth/OAuth/ChannelElements/TokenHandlingBindingElement.cs
index f9547c6..329f8c4 100644
--- a/src/DotNetOpenAuth/OAuth/ChannelElements/TokenHandlingBindingElement.cs
+++ b/src/DotNetOpenAuth/OAuth/ChannelElements/TokenHandlingBindingElement.cs
@@ -25,13 +25,21 @@ namespace DotNetOpenAuth.OAuth.ChannelElements {
private IServiceProviderTokenManager tokenManager;
/// <summary>
+ /// The security settings for this service provider.
+ /// </summary>
+ private ServiceProviderSecuritySettings securitySettings;
+
+ /// <summary>
/// Initializes a new instance of the <see cref="TokenHandlingBindingElement"/> class.
/// </summary>
/// <param name="tokenManager">The token manager.</param>
- internal TokenHandlingBindingElement(IServiceProviderTokenManager tokenManager) {
+ /// <param name="securitySettings">The security settings.</param>
+ internal TokenHandlingBindingElement(IServiceProviderTokenManager tokenManager, ServiceProviderSecuritySettings securitySettings) {
Contract.Requires<ArgumentNullException>(tokenManager != null);
+ Contract.Requires<ArgumentNullException>(securitySettings != null, "securitySettings");
this.tokenManager = tokenManager;
+ this.securitySettings = securitySettings;
}
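Review bot: The stored `securitySettings` is a live reference, not a snapshot — the expiry check further down this file reads `this.securitySettings.MaximumRequestTokenTimeToLive` on every request, and per the ServiceProvider change in this same commit the instance appears to be the one exposed as ServiceProvider.SecuritySettings. That is exactly what makes programmatic configuration work, so it is worth stating on the field so nobody "optimizes" it into a cached TimeSpan: `/// The security settings for this service provider. Held by reference so that changes made to the instance after construction (e.g. the request token TTL) are honored on subsequent requests.` Matching the existing `tokenManager` field, it is left non-readonly; either way it is assigned only here.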
#region IChannelBindingElement Members
@@ -173,7 +181,7 @@ namespace DotNetOpenAuth.OAuth.ChannelElements {
try {
IServiceProviderRequestToken token = this.tokenManager.GetRequestToken(message.Token);
- TimeSpan ttl = DotNetOpenAuthSection.Configuration.OAuth.ServiceProvider.SecuritySettings.MaximumRequestTokenTimeToLive;
+ TimeSpan ttl = this.securitySettings.MaximumRequestTokenTimeToLive;
if (DateTime.Now >= token.CreatedOn.ToLocalTimeSafe() + ttl) {
Logger.OAuth.ErrorFormat(
"OAuth request token {0} rejected because it was originally issued at {1}, expired at {2}, and it is now {3}.",
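Review bot: The expiry comparison on the line after the changed one is still evaluated in local time (`DateTime.Now` against `token.CreatedOn.ToLocalTimeSafe()`), so across a daylight-saving fall-back transition a request token can remain accepted for up to an hour beyond `MaximumRequestTokenTimeToLive` — the very window the new property's remarks describe as a brute-force mitigation — and the spring-forward transition expires tokens early. Comparing in UTC avoids both: `if (DateTime.UtcNow >= token.CreatedOn.ToUniversalTime() + ttl)`, or a UTC counterpart of ToLocalTimeSafe if the project has one, since the `Safe` suffix suggests CreatedOn may carry DateTimeKind.Unspecified. Separately, `ttl` now comes from an unvalidated settable property, so a zero or negative value (the default of a programmatically constructed settings object is TimeSpan.Zero) rejects every request token as already expired; that fails closed, but a guard or default on the property would make the failure obvious. The enclosing method and its try block begin outside this hunk.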
diff --git a/src/DotNetOpenAuth/OAuth/ConsumerBase.cs b/src/DotNetOpenAuth/OAuth/ConsumerBase.cs
index dddbe9e..2af6988 100644
--- a/src/DotNetOpenAuth/OAuth/ConsumerBase.cs
+++ b/src/DotNetOpenAuth/OAuth/ConsumerBase.cs
@@ -32,9 +32,9 @@ namespace DotNetOpenAuth.OAuth {
ITamperProtectionChannelBindingElement signingElement = serviceDescription.CreateTamperProtectionElement();
INonceStore store = new NonceMemoryStore(StandardExpirationBindingElement.MaximumMessageAge);
- this.OAuthChannel = new OAuthChannel(signingElement, store, tokenManager);
- this.ServiceProvider = serviceDescription;
this.SecuritySettings = DotNetOpenAuthSection.Configuration.OAuth.Consumer.SecuritySettings.CreateSecuritySettings();
+ this.OAuthChannel = new OAuthChannel(signingElement, store, tokenManager, this.SecuritySettings);
+ this.ServiceProvider = serviceDescription;
Reporting.RecordFeatureAndDependencyUse(this, serviceDescription, tokenManager, null);
}
diff --git a/src/DotNetOpenAuth/OAuth/ServiceProvider.cs b/src/DotNetOpenAuth/OAuth/ServiceProvider.cs
index 829b572..fda895e 100644
--- a/src/DotNetOpenAuth/OAuth/ServiceProvider.cs
+++ b/src/DotNetOpenAuth/OAuth/ServiceProvider.cs
@@ -99,9 +99,9 @@ namespace DotNetOpenAuth.OAuth {
var signingElement = serviceDescription.CreateTamperProtectionElement();
this.ServiceDescription = serviceDescription;
- this.OAuthChannel = new OAuthChannel(signingElement, nonceStore, tokenManager, messageTypeProvider);
- this.TokenGenerator = new StandardTokenGenerator();
this.SecuritySettings = DotNetOpenAuthSection.Configuration.OAuth.ServiceProvider.SecuritySettings.CreateSecuritySettings();
+ this.OAuthChannel = new OAuthChannel(signingElement, nonceStore, tokenManager, this.SecuritySettings, messageTypeProvider);
+ this.TokenGenerator = new StandardTokenGenerator();
Reporting.RecordFeatureAndDependencyUse(this, serviceDescription, tokenManager, nonceStore);
}
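Review bot: The channel now captures `this.SecuritySettings` at construction, so the TokenHandlingBindingElement holds that particular instance; if the `SecuritySettings` property has a public setter (its declaration is not in this diff), assigning a new ServiceProviderSecuritySettings afterwards would leave the channel reading the stale instance and the programmatic TTL this commit is meant to enable would silently not take effect. Either restrict the setter, or document on the property that configuration must be done on the existing instance: `/// Changes must be made on the existing instance (e.g. <c>SecuritySettings.MaximumRequestTokenTimeToLive = ...</c>); assigning a new instance after construction does not affect the channel.`.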
diff --git a/src/DotNetOpenAuth/OAuth/ServiceProviderSecuritySettings.cs b/src/DotNetOpenAuth/OAuth/ServiceProviderSecuritySettings.cs
index b8e12fd..701e36c 100644
--- a/src/DotNetOpenAuth/OAuth/ServiceProviderSecuritySettings.cs
+++ b/src/DotNetOpenAuth/OAuth/ServiceProviderSecuritySettings.cs
@@ -21,5 +21,16 @@ namespace DotNetOpenAuth.OAuth {
/// Gets or sets the minimum required version of OAuth that must be implemented by a Consumer.
/// </summary>
public ProtocolVersion MinimumRequiredOAuthVersion { get; set; }
+
+ /// <summary>
+ /// Gets or sets the maximum time a user can take to complete authorization.
+ /// </summary>
+ /// <remarks>
+ /// This time limit serves as a security mitigation against brute force attacks to
+ /// compromise (unauthorized or authorized) request tokens.
+ /// Longer time limits is more friendly to slow users or consumers, while shorter
+ /// time limits provide better security.
+ /// </remarks>
+ public TimeSpan MaximumRequestTokenTimeToLive { get; set; }
}
}
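Review bot: The new auto-property has no default and no validation, so a ServiceProviderSecuritySettings built in code rather than via CreateSecuritySettings starts with `TimeSpan.Zero`, and the expiry check in TokenHandlingBindingElement (`DateTime.Now >= CreatedOn + ttl`) then rejects every request token; a negative value does the same. Since the setter is public, I would validate there so the mistake surfaces at configuration time rather than as every token being reported expired, and give the class a constructor default that matches whatever the web.config element uses (its default is not visible in this diff). The remarks also need a grammar fix: `/// Longer time limits are more friendly to slow users or consumers, while shorter`.
```csharp
/// … unchanged: MinimumRequiredOAuthVersion and the XML doc comment for the property …
private TimeSpan maximumRequestTokenTimeToLive;

public TimeSpan MaximumRequestTokenTimeToLive {
	get { return this.maximumRequestTokenTimeToLive; }
	set {
		// A non-positive TTL would make every request token expire on arrival.
		if (value <= TimeSpan.Zero) {
			throw new ArgumentOutOfRangeException("value", "The request token time-to-live must be positive.");
		}
		this.maximumRequestTokenTimeToLive = value;
	}
}
```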