Bug #59259 Multiple fetch calls always send the same nonce
Submitted: 2010-06-11 11:18 UTC Modified: 2010-06-14 08:51 UTC
From: z at orbus dot fr Assigned:
Status: Closed Package: oauth (PECL)
PHP Version: 5.2.13 OS: Debian Linux
Private report: No CVE-ID: None
 [2010-06-11 11:18 UTC] z at orbus dot fr
As the OAuth RFC says, "The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations." (section 3.3).

But in the PECL OAuth client, when you call the fetch method with a different timestamp (obviously, by waiting some seconds between calls), the nonce doesn't change and triggers a server error (when the server respects the RFC).

Reproduce code:
// (snip) Oauth dance

// -> triggers server error "invalid nonce"

Expected result:
Oauth should send a different nonce for each fetch call.

Actual result:
Always sends the same nonce.


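The rule quoted from RFC 5849 section 3.3 is a provider-side replay check: the tuple (consumer key, token, timestamp, nonce) must never repeat. The following is an added example, not code from pecl/oauth or from the reporter; it is written in Python because the check itself is language-independent and the PECL extension cannot run stand-alone. It builds the signature base string that pecl/oauth exposes as debugInfo['sbs'] (layout per RFC 5849 section 3.4.1), parses the protocol parameters back out of it so two requests' nonces can be compared, and runs them through a nonce store. The `strict` flag is an assumption modelling the server in the report, which also rejected a nonce reused across different timestamps; the RFC text alone only forbids reuse within the same timestamp. Credentials and URLs are constructed from the reporter's script, and a fixed nonce stands in for the stuck callback that turned out to be the cause.

```python
"""Model of the RFC 5849 section 3.3 nonce rule discussed in the report.

Added example, not code from pecl/oauth. The signature base string (SBS)
layout follows RFC 5849 section 3.4.1; the stuck client callback is simulated
with a constant nonce; sample URLs and credentials are constructed.
"""
import secrets
from urllib.parse import parse_qsl, quote, unquote, urlsplit, urlunsplit


def rfc5849_encode(value: str) -> str:
    """Percent-encode per RFC 5849 section 3.6: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(value, safe="")


def generate_nonce(nbytes: int = 16) -> str:
    """A fresh, unpredictable nonce; calling this once per request is the whole point."""
    return secrets.token_hex(nbytes)


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """Build the SBS (what pecl/oauth shows in debugInfo['sbs']) per RFC 5849 section 3.4.1."""
    parts = urlsplit(url)
    base_url = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(oauth_params.items())
    encoded = sorted((rfc5849_encode(k), rfc5849_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), rfc5849_encode(base_url), rfc5849_encode(normalized)])


def parse_signature_base_string(sbs: str) -> dict:
    """Recover the request parameters from an SBS, e.g. to compare nonces of two fetches."""
    _method, _url, enc_params = sbs.split("&", 2)
    params = {}
    for pair in unquote(enc_params).split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


class NonceStore:
    """Provider-side replay check over (consumer key, token, timestamp, nonce)."""

    def __init__(self, window_seconds: int = 300, strict: bool = False):
        self.window = window_seconds
        self.strict = strict  # assumption: also reject a nonce reused across timestamps
        self._seen = {}       # (ck, token, ts, nonce) -> ts
        self._by_client = {}  # (ck, token, nonce) -> ts

    def _prune(self, now: int) -> None:
        """Forget entries older than the timestamp window so the store stays bounded."""
        cutoff = now - self.window
        self._seen = {k: ts for k, ts in self._seen.items() if ts >= cutoff}
        self._by_client = {k: ts for k, ts in self._by_client.items() if ts >= cutoff}

    def check(self, params: dict, now: int) -> tuple:
        ck = params.get("oauth_consumer_key", "")
        token = params.get("oauth_token", "")
        nonce = params.get("oauth_nonce", "")
        ts_raw = params.get("oauth_timestamp", "")
        if not nonce or not ts_raw.isdigit():
            return False, "missing nonce or timestamp"
        ts = int(ts_raw)
        if abs(now - ts) > self.window:
            return False, "timestamp outside accepted window"
        self._prune(now)
        if (ck, token, ts, nonce) in self._seen:
            return False, "invalid nonce: replayed for this timestamp"
        if self.strict and (ck, token, nonce) in self._by_client:
            return False, "invalid nonce: reused across timestamps"
        self._seen[(ck, token, ts, nonce)] = ts
        self._by_client[(ck, token, nonce)] = ts
        return True, "ok"


def simulate_fetches(urls, timestamps, fixed_nonce=None, strict=False):
    """One signed GET per URL; fixed_nonce reproduces the stuck-callback behaviour."""
    store = NonceStore(strict=strict)
    results = []
    for url, ts in zip(urls, timestamps):
        oauth_params = {
            "oauth_consumer_key": "trololo",  # constructed, from the reporter's script
            "oauth_token": "toto",
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(ts),
            "oauth_nonce": fixed_nonce or generate_nonce(),
            "oauth_version": "1.0",
        }
        sbs = signature_base_string("GET", url, oauth_params)
        accepted, reason = store.check(parse_signature_base_string(sbs), now=ts)
        results.append((oauth_params["oauth_nonce"], accepted, reason))
    return results
```

With fresh nonces both requests pass; with the same nonce at two timestamps the literal RFC rule still accepts the second request, while the strict store rejects it with "invalid nonce", which is the symptom in the report. An exact replay (same timestamp and nonce) is rejected in both modes.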
 [2010-06-11 11:34 UTC]
But you are generating the nonce yourself with the callback.  
pecl/oauth doesn't generate it.  So I don't understand what 
you are referring to here.
 [2010-06-11 11:42 UTC] z at orbus dot fr
Sorry if I've not made myself clear enough. I'll try to explain better.

After having done an OAuth dance (temporary credentials, authorization, request token), you make OAuth requests with fetch.

If you call 'fetch' two times, the second time it will send the same nonce as in the first call. But as the spec says, the nonce should change when the timestamp has changed, and that's not what the PECL is doing here.

Or maybe I am misinterpreting the RFC?
 [2010-06-11 11:44 UTC]
What does your timestampNonceHandler() callback look like and 
is it being called?  Like I said, the extension doesn't 
generate the Nonce, you do.
 [2010-06-11 11:47 UTC]
ah, you are talking about the consumer side, not the provider.  
never mind.
 [2010-06-11 11:48 UTC] z at orbus dot fr
Oh, there's a little misunderstanding: I'm only using the OAuth client object, not the OAuthProvider object.
 [2010-06-11 21:37 UTC]
Please provide the full reproduce script.

If you set your own nonce, you're also responsible for refreshing it ;-)
 [2010-06-14 04:22 UTC] z at orbus dot fr
I *don't* set my own nonce.

The script:

<?php
// Consumer credentials (placeholder values)
$conskey = 'trololo';
$conssec = 'trololosecret';

$oauth = new OAuth($conskey, $conssec);

// Token and token secret obtained from the OAuth dance (placeholder values)
$oauth->setToken('toto', '1234');

// Two consecutive fetch calls; no nonce is set explicitly anywhere
$joe = $oauth->fetch('https://test.orbus/api/v1/user/get.json?username=joe');

$jack = $oauth->fetch('https://test.orbus/api/v1/user/get.json?username=jack');
 [2010-06-14 08:22 UTC]
Your reproduce script doesn't confirm your assumptions, i.e. it doesn't print the request being sent to the server.

Couldn't reproduce this on my machine, it prints two completely different nonces for both requests.

Please modify your script so that the ->debugInfo['sbs'] is printed and try again.
 [2010-06-14 08:51 UTC] z at orbus dot fr
Never mind, the developer in charge found the bug: somehow a callback in his code was setting the same nonce each time.

Sorry for the loss of time. *grmbl*