php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #59259 Multiple fetch calls always send the same nonce
Submitted: 2010-06-11 11:18 UTC Modified: 2010-06-14 08:51 UTC
From: z at orbus dot fr Assigned:
Status: Closed Package: oauth (PECL)
PHP Version: 5.2.13 OS: Debian Linux
Private report: No CVE-ID: None
View Developer Edit
 [2010-06-11 11:18 UTC] z at orbus dot fr 
Description:
------------
As the OAuth RFC says, "The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations." (section 3.3).

But in PECL OAuth client, when you make calls to fetch method with a different timestamp (obviously, by waiting some seconds between calls), the nonce doesn't change and triggers a server error (when the server respects the RFC).

Reproduce code:
---------------
// (snip) Oauth dance

$oauth->fetch($url);

sleep(2);

$oauth->fetch($url2);

// -> triggers server error "invalid nonce"

Expected result:
----------------
Oauth should send a different nonce for each fetch call.

Actual result:
--------------
Always sends the same nonce.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-06-11 11:34 UTC] rasmus@php.net 
But you are generating the nonce yourself with the callback.  
pecl/oauth doesn't generate it.  So I don't understand what 
you are referring to here.
 [2010-06-11 11:42 UTC] z at orbus dot fr 
Sorry if I've not made myself clear enough. I'll try to explain better.

After having done a OAuth dance (temporary credentials, authorization, request token), you make OAuth requests with fetch.

If you call 'fetch' two times the second time it will send the same nonce as in the first call. But as the spec says, the nonce should change when the timestamp have changed, but that's not what the PECL is doing here.

Or maybe am I mis-interpreting the RFC?
 [2010-06-11 11:44 UTC] rasmus@php.net 
What does your timestampNonceHandler() callback look like and 
is it being called?  Like I said, the extension doesn't 
generate the Nonce, you do.
 [2010-06-11 11:47 UTC] rasmus@php.net 
ah, you are talking about the consumer side, not the provider.  
never mind.
 [2010-06-11 11:48 UTC] z at orbus dot fr 
Oh there's a little mis-understanding, I'm only using the Oauth client object, not the OauthProvider object.
 [2010-06-11 21:37 UTC] datibbaw@php.net 
Please provide the full reproduce script.

If you set your own nonce, you're also responsible for refreshing it ;-)
 [2010-06-14 04:22 UTC] z at orbus dot fr 
I *don't* set my own nonce.

The script:

$conskey = 'trololo';
$conssec = 'trololosecret';

$oauth = new OAuth($conskey, $conssec);
$oauth->enableDebug();
$oauth->disableSSLChecks();

$oauth->setToken('toto', '1234');
$joe = $oauth->fetch('https://test.orbus/api/v1/user/get.json?username=joe');

$jack = $oauth->fetch('https://test.orbus/api/v1/user/get.json?username=jack');
 [2010-06-14 08:22 UTC] datibbaw@php.net 
Your reproduce script doesn't confirm your assumptions, i.e. it doesn't print the request being sent to the server.

Couldn't reproduce this on my machine, it prints two completely different nonces for both requests.

Please modify your script so that the ->debugInfo['sbs'] is printed and try again.
 [2010-06-14 08:51 UTC] z at orbus dot fr 
Nethermind, the developer in charge found the bug, somewhat some callback in his code was setting the same nonce each time.

Sorry for the loss of time. *grmbl*
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri May 09 08:01:35 2025 UTC