php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #59259 Multiple fetch calls always send the same nonce
Submitted: 2010-06-11 11:18 UTC Modified: 2010-06-14 08:51 UTC
From: z at orbus dot fr Assigned:
Status: Closed Package: oauth (PECL)
PHP Version: 5.2.13 OS: Debian Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: z at orbus dot fr
New email:
PHP Version: OS:

 

 [2010-06-11 11:18 UTC] z at orbus dot fr
Description:
------------
As the OAuth RFC says, "The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations." (section 3.3).

But in PECL OAuth client, when you make calls to fetch method with a different timestamp (obviously, by waiting some seconds between calls), the nonce doesn't change and triggers a server error (when the server respects the RFC).

Reproduce code:
---------------
// (snip) Oauth dance

$oauth->fetch($url);

sleep(2);

$oauth->fetch($url2);

// -> triggers server error "invalid nonce"

Expected result:
----------------
Oauth should send a different nonce for each fetch call.

Actual result:
--------------
Always sends the same nonce.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-06-11 11:34 UTC] rasmus@php.net
But you are generating the nonce yourself with the callback.  
pecl/oauth doesn't generate it.  So I don't understand what 
you are referring to here.
 [2010-06-11 11:42 UTC] z at orbus dot fr
Sorry if I've not made myself clear enough. I'll try to explain better.

After having done a OAuth dance (temporary credentials, authorization, request token), you make OAuth requests with fetch.

If you call 'fetch' two times the second time it will send the same nonce as in the first call. But as the spec says, the nonce should change when the timestamp have changed, but that's not what the PECL is doing here.

Or maybe am I mis-interpreting the RFC?
 [2010-06-11 11:44 UTC] rasmus@php.net
What does your timestampNonceHandler() callback look like and 
is it being called?  Like I said, the extension doesn't 
generate the Nonce, you do.
 [2010-06-11 11:47 UTC] rasmus@php.net
ah, you are talking about the consumer side, not the provider.  
never mind.
 [2010-06-11 11:48 UTC] z at orbus dot fr
Oh there's a little mis-understanding, I'm only using the Oauth client object, not the OauthProvider object.
 [2010-06-11 21:37 UTC] datibbaw@php.net
Please provide the full reproduce script.

If you set your own nonce, you're also responsible for refreshing it ;-)
 [2010-06-14 04:22 UTC] z at orbus dot fr
I *don't* set my own nonce.

The script:

$conskey = 'trololo';
$conssec = 'trololosecret';

$oauth = new OAuth($conskey, $conssec);
$oauth->enableDebug();
$oauth->disableSSLChecks();

$oauth->setToken('toto', '1234');
$joe = $oauth->fetch('https://test.orbus/api/v1/user/get.json?username=joe');

$jack = $oauth->fetch('https://test.orbus/api/v1/user/get.json?username=jack');
 [2010-06-14 08:22 UTC] datibbaw@php.net
Your reproduce script doesn't confirm your assumptions, i.e. it doesn't print the request being sent to the server.

Couldn't reproduce this on my machine, it prints two completely different nonces for both requests.

Please modify your script so that the ->debugInfo['sbs'] is printed and try again.
 [2010-06-14 08:51 UTC] z at orbus dot fr
Nethermind, the developer in charge found the bug, somewhat some callback in his code was setting the same nonce each time.

Sorry for the loss of time. *grmbl*
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Sep 24 01:03:38 2021 UTC