oauth1_pending_request_tokens.js
//
// _pendingRequestTokens are request tokens that have been received
// but not yet fully authorized (processed).
//
// During the oauth1 authorization process, the Meteor App opens
// a pop-up, requests a request token from the oauth1 service, and
// redirects the browser to the oauth1 service for the user
// to grant authorization. The user is then returned to the
// Meteor App's callback URL and the request token is verified.
//
// When Meteor Apps run on multiple servers, it's possible that
// 2 different servers may be used to generate the request token
// and to verify it in the callback once the user has authorized.
//
// For this reason, the _pendingRequestTokens are stored in the database
// so they can be shared across Meteor App servers.
//
// XXX This code is fairly similar to oauth/pending_credentials.js --
// maybe we can combine them somehow.
// Collection holding the pending request tokens.
// Each document has `key`, `requestToken`, `requestTokenSecret` and
// `createdAt` fields.
// NOTE(review): `_preventAutopublish` presumably keeps this collection from
// being auto-published to clients -- confirm, since the documents hold
// request-token secrets.
OAuth._pendingRequestTokens = new Mongo.Collection(
  'meteor_oauth_pendingRequestTokens',
  { _preventAutopublish: true }
);

// `key` is the lookup field and is declared unique; `createdAt` is the field
// the stale-entry cleanup filters on.
OAuth._pendingRequestTokens._ensureIndex('key', { unique: 1 });
OAuth._pendingRequestTokens._ensureIndex('createdAt');
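// Periodically clear old entries that never got completed.
//
// Removes every pending request token whose `createdAt` is more than five
// minutes in the past. This bounds how long the stored request token and
// its secret remain in the database after an abandoned login.
var _cleanStaleResults = function() {
  var STALE_AFTER_MS = 5 * 60 * 1000;

  // Derive the cutoff from the epoch timestamp instead of
  // setMinutes()/getMinutes(). Those operate on local wall-clock time, so
  // around a daylight-saving change the cutoff could land roughly an hour
  // off: either deleting tokens of logins still in flight, or keeping
  // expired tokens longer than intended.
  var timeCutoff = new Date(Date.now() - STALE_AFTER_MS);

  OAuth._pendingRequestTokens.remove({ createdAt: { $lt: timeCutoff } });
};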
// Run the stale-token sweep every 60 seconds. With the five-minute cutoff
// used by _cleanStaleResults, an abandoned entry can therefore persist for
// up to about six minutes.
// NOTE(review): the returned handle is stored but nothing in this file
// clears the interval -- confirm whether that is intentional.
var _cleanupHandle = Meteor.setInterval(_cleanStaleResults, 60 * 1000);
// Persists a pending request token under `key` in the
// _pendingRequestTokens collection.
// Throws (via `check`) if `key` is not a string.
//
// @param key {string}
// @param requestToken {string}
// @param requestTokenSecret {string}
//
OAuth._storeRequestToken = function (key, requestToken, requestTokenSecret) {
  check(key, String);

  var selector = { key: key };

  // Both token values go through OAuth.sealSecret before being written.
  // NOTE(review): presumably this encrypts them at rest only when OAuth
  // secret encryption is configured -- confirm for this deployment.
  var pendingDoc = {
    key: key,
    requestToken: OAuth.sealSecret(requestToken),
    requestTokenSecret: OAuth.sealSecret(requestTokenSecret),
    createdAt: new Date()
  };

  // Upsert rather than insert: if the same `state` parameter is somehow sent
  // twice during an OAuth login, the existing entry is replaced (with a fresh
  // `createdAt`) instead of raising a duplicate key error.
  OAuth._pendingRequestTokens.upsert(selector, pendingDoc);
};
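// Retrieves and removes a request token from the _pendingRequestTokens
// collection, so each stored token can be handed out only once.
//
// Returns an object containing requestToken and requestTokenSecret
// properties (passed through OAuth.openSecret), or undefined when no entry
// exists for `key` or the entry was already consumed by another caller.
// Throws (via `check`) if `key` is not a string.
//
// @param key {string}
//
OAuth._retrieveRequestToken = function (key) {
  check(key, String);

  var pendingRequestToken = OAuth._pendingRequestTokens.findOne({ key: key });
  if (!pendingRequestToken) {
    return undefined;
  }

  // findOne and remove are separate operations, so two callbacks for the
  // same key (for example on different app servers) could both read the
  // document. Only the caller whose remove actually deleted it may use the
  // token; a reported count of 0 means someone else consumed it first.
  // The comparison is strictly against 0 so that a remove() that reports no
  // count at all keeps the previous behaviour.
  var removedCount = OAuth._pendingRequestTokens.remove({
    _id: pendingRequestToken._id
  });
  if (removedCount === 0) {
    return undefined;
  }

  return {
    requestToken: OAuth.openSecret(pendingRequestToken.requestToken),
    requestTokenSecret: OAuth.openSecret(
      pendingRequestToken.requestTokenSecret)
  };
};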