/// Implementations of OAuth 1.0 server and client. You probably don't need this anymore; I haven't used it for years. module arsd.oauth; import arsd.curl; import arsd.cgi; // for decodeVariables import std.array; static import std.uri; static import std.algorithm; import std.conv; import std.string; import std.random; import std.base64; import std.exception; import std.datetime; static if(__VERSION__ <= 2076) { // compatibility shims with gdc enum JSONType { object = JSON_TYPE.OBJECT, null_ = JSON_TYPE.NULL, false_ = JSON_TYPE.FALSE, true_ = JSON_TYPE.TRUE, integer = JSON_TYPE.INTEGER, float_ = JSON_TYPE.FLOAT, array = JSON_TYPE.ARRAY, string = JSON_TYPE.STRING, uinteger = JSON_TYPE.UINTEGER } } /////////////////////////////////////// class FacebookApiException : Exception { public this(string response, string token = null, string scopeRequired = null) { this.token = token; this.scopeRequired = scopeRequired; super(response ~ "\nToken: " ~ token ~ "\nScope: " ~ scopeRequired); } string token; string scopeRequired; } import arsd.curl; import arsd.sha; import std.digest.md; import std.file; // note when is a d_time, so unix_timestamp * 1000 Variant[string] postToFacebookWall(string[] info, string id, string message, string picture = null, string link = null, long when = 0, string linkDescription = null) { string url = "https://graph.facebook.com/" ~ id ~ "/feed"; string data = "access_token=" ~ std.uri.encodeComponent(info[1]); data ~= "&message=" ~ std.uri.encodeComponent(message); if(picture !is null && picture.length) data ~= "&picture=" ~ std.uri.encodeComponent(picture); if(link !is null && link.length) data ~= "&link=" ~ std.uri.encodeComponent(link); if(when) { data ~= "&scheduled_publish_time=" ~ to!string(when / 1000); data ~= "&published=false"; } if(linkDescription.length) data ~= "&description=" ~ std.uri.encodeComponent(linkDescription); auto response = curl(url, data); auto res = jsonToVariant(response); /+ {"error":{"type":"OAuthException","message":"An active access token must be used to query information about the current user."}} +/ // assert(0, response); auto var = res.get!(Variant[string]); if("error" in var) { auto error = var["error"].get!(Variant[string]); throw new FacebookApiException(error["message"].get!string, info[1], "scope" in error ? error["scope"].get!string : "publish_stream"); } return var; } version(with_arsd_jsvar) { import arsd.jsvar; var fbGraph(string token, string id, bool useCache = false, long maxCacheHours = 2) { auto response = fbGraphImpl(token, id, useCache, maxCacheHours); var ret = var.emptyObject; if(response == "false") { var v1 = id[1..$]; ret["id"] = v1; ret["name"] = v1 = "Private"; ret["description"] = v1 = "This is a private facebook page. Please make it public in Facebook if you want to promote it."; ret["link"] = v1 = "http://facebook.com?profile.php?id=" ~ id[1..$]; ret["is_false"] = true; return ret; } ret = var.fromJson(response); if("error" in ret) { auto error = ret.error; if("message" in error) throw new FacebookApiException(error["message"].get!string, token.length > 1 ? token : null, "scope" in error ? error["scope"].get!string : null); else throw new FacebookApiException("couldn't get FB info"); } return ret; } } Variant[string] fbGraph(string[] info, string id, bool useCache = false, long maxCacheHours = 2) { auto response = fbGraphImpl(info[1], id, useCache, maxCacheHours); if(response == "false") { //throw new Exception("This page is private. Please make it public in Facebook."); // we'll make dummy data so this still returns Variant[string] ret; Variant v1 = id[1..$]; ret["id"] = v1; ret["name"] = v1 = "Private"; ret["description"] = v1 = "This is a private facebook page. Please make it public in Facebook if you want to promote it."; ret["link"] = v1 = "http://facebook.com?profile.php?id=" ~ id[1..$]; ret["is_false"] = true; return ret; } auto res = jsonToVariant(response); /+ {"error":{"type":"OAuthException","message":"An active access token must be used to query information about the current user."}} +/ // assert(0, response); auto var = res.get!(Variant[string]); if("error" in var) { auto error = var["error"].get!(Variant[string]); if("message" in error) throw new FacebookApiException(error["message"].get!string, info.length > 1 ? info[1] : null, "scope" in error ? error["scope"].get!string : null); else throw new FacebookApiException("couldn't get FB info"); } return var; } // note ids=a,b,c works too. it returns an associative array of the ids requested. string fbGraphImpl(string info, string id, bool useCache = false, long maxCacheHours = 2) { string response; string cacheFile; char c = '?'; if(id.indexOf("?") != -1) c = '&'; string url; if(id[0] != '/') id = "/" ~ id; if(info !is null) url = "https://graph.facebook.com" ~ id ~ c ~ "access_token=" ~ info ~ "&format=json"; else url = "http://graph.facebook.com" ~ id ~ c ~ "format=json"; // this makes pagination easier. the initial / is there because it is added above if(id.indexOf("/http://") == 0 || id.indexOf("/https://") == 0) url = id[1 ..$]; if(useCache) cacheFile = "/tmp/fbGraphCache-" ~ hashToString(SHA1(url)); if(useCache) { if(std.file.exists(cacheFile)) { if((Clock.currTime() - std.file.timeLastModified(cacheFile)) < dur!"hours"(maxCacheHours)) { response = std.file.readText(cacheFile); goto haveResponse; } } } try { response = curl(url); } catch(CurlException e) { throw new FacebookApiException(e.msg); } if(useCache) { std.file.write(cacheFile, response); } haveResponse: assert(response.length); return response; } string[string][] getBasicDataFromVariant(Variant[string] v) { auto items = v["data"].get!(Variant[]); return getBasicDataFromVariant(items); } string[string][] getBasicDataFromVariant(Variant[] items) { string[string][] ret; foreach(item; items) { auto i = item.get!(Variant[string]); string[string] l; foreach(k, v; i) { l[k] = to!string(v); } ret ~= l; } return ret; } ///////////////////////////////////// /* ******************************* */ /* OAUTH 1.0 */ /* ******************************* */ struct OAuthParams { string apiKey; string apiSecret; string baseUrl; string requestTokenPath; string accessTokenPath; string authorizePath; } OAuthParams twitter(string apiKey, string apiSecret) { OAuthParams params; params.apiKey = apiKey; params.apiSecret = apiSecret; params.baseUrl = "https://api.twitter.com"; //params.baseUrl = "http://twitter.com"; params.requestTokenPath = "/oauth/request_token"; params.authorizePath = "/oauth/authorize"; params.accessTokenPath = "/oauth/access_token"; return params; } OAuthParams tumblr(string apiKey, string apiSecret) { OAuthParams params; params.apiKey = apiKey; params.apiSecret = apiSecret; params.baseUrl = "http://www.tumblr.com"; params.requestTokenPath = "/oauth/request_token"; params.authorizePath = "/oauth/authorize"; params.accessTokenPath = "/oauth/access_token"; return params; } OAuthParams linkedIn(string apiKey, string apiSecret) { OAuthParams params; params.apiKey = apiKey; params.apiSecret = apiSecret; params.baseUrl = "https://api.linkedin.com"; params.requestTokenPath = "/uas/oauth/requestToken"; params.accessTokenPath = "/uas/oauth/accessToken"; params.authorizePath = "/uas/oauth/authorize"; return params; } OAuthParams aWeber(string apiKey, string apiSecret) { OAuthParams params; params.apiKey = apiKey; params.apiSecret = apiSecret; params.baseUrl = "https://auth.aweber.com"; params.requestTokenPath = "/1.1/oauth/request_token"; params.accessTokenPath = "/1.1/oauth/access_token"; params.authorizePath = "/1.1/oauth/authorize"; // API Base: https://api.aweber.com/1.0/ return params; } string tweet(OAuthParams params, string oauthToken, string tokenSecret, string message) { assert(oauthToken.length); assert(tokenSecret.length); auto args = [ "oauth_token" : oauthToken, "token_secret" : tokenSecret, ]; auto data = "status=" ~ rawurlencode(message);//.replace("%3F", "?");//encodeVariables(["status" : message]); auto ret = curlOAuth(params, "https://api.twitter.com" ~ "/1.1/statuses/update.json", args, "POST", data); auto val = jsonToVariant(ret).get!(Variant[string]); if("id_str" !in val) throw new Exception("bad result from twitter: " ~ ret); return val["id_str"].get!string; } import std.file; /** Redirects the user to the authorize page on the provider's website. */ void authorizeStepOne(Cgi cgi, OAuthParams params, string oauthCallback = null, string additionalOptions = null, string[string] additionalTokenArgs = null) { if(oauthCallback is null) { oauthCallback = cgi.getCurrentCompleteUri(); if(oauthCallback.indexOf("?") == -1) oauthCallback ~= "?oauth_step=two"; else oauthCallback ~= "&oauth_step=two"; } string[string] args; if(oauthCallback.length) args["oauth_callback"] = oauthCallback; //foreach(k, v; additionalTokenArgs) //args[k] = v; auto moreArgs = encodeVariables(additionalTokenArgs); if(moreArgs.length) moreArgs = "?" ~ moreArgs; auto ret = curlOAuth(params, params.baseUrl ~ params.requestTokenPath ~ moreArgs, args, "POST", "", ""); auto vals = decodeVariables(ret); if("oauth_problem" in vals) throw new Exception("OAuth problem: " ~ vals["oauth_problem"][0]); if(vals.keys.length < 2) throw new Exception(ret); ///vals["fuck_you"] = [params.baseUrl ~ params.requestTokenPath]; auto oauth_token = vals["oauth_token"][0]; auto oauth_secret = vals["oauth_token_secret"][0]; // need to save the secret for later std.file.write("/tmp/oauth-token-secret-" ~ oauth_token, oauth_secret); // FIXME: make sure this doesn't break twitter etc if("login_url" in vals) // apparently etsy does it this way... cgi.setResponseLocation(vals["login_url"][0]); else cgi.setResponseLocation(params.baseUrl ~ params.authorizePath ~ "?" ~(additionalOptions.length ? (additionalOptions ~ "&") : "")~ "oauth_token=" ~ oauth_token); } /** Gets the final token, given the stuff from step one. This should be called from the callback in step one. Returns [token, secret, raw original data (for extended processing - twitter also sends the screen_name and user_id there)] */ string[] authorizeStepTwo(const(Cgi) cgi, OAuthParams params) { if("oauth_problem" in cgi.get) throw new Exception("OAuth problem: " ~ cgi.get["oauth_problem"]); string token = cgi.get["oauth_token"]; string verifier = cgi.get["oauth_verifier"]; // reload from file written above. FIXME: clean up old shit too string secret = std.file.readText("/tmp/oauth-token-secret-" ~ token); // don't need it anymore... std.file.remove("/tmp/oauth-token-secret-" ~ token); auto ret = curlOAuth(params, params.baseUrl ~ params.accessTokenPath, ["oauth_token" : token, "oauth_verifier" : verifier, "token_secret" : secret], "POST", "", ""); auto vars = decodeVariables(ret); return [vars["oauth_token"][0], vars["oauth_token_secret"][0], ret]; } /** Note in oauthValues: It creates the nonce, signature_method, version, consumer_key, and timestamp ones inside this function - you don't have to do it. Just put in the values specific to your call. oauthValues["token_secret"] if present, is concated into the signing string. Don't put it in for the early steps! */ import core.stdc.stdlib; string curlOAuth(OAuthParams auth, string url, string[string] oauthValues, string method = null,string data = null, string contentType = "application/x-www-form-urlencoded") { //string oauth_callback; // from user oauthValues["oauth_consumer_key"] = auth.apiKey; oauthValues["oauth_nonce"] = makeNonce(); oauthValues["oauth_signature_method"] = "HMAC-SHA1"; oauthValues["oauth_timestamp"] = to!string(Clock.currTime().toUTC().toUnixTime()); oauthValues["oauth_version"] = "1.0"; auto questionMark = std.string.indexOf(url, "?"); string signWith = std.uri.encodeComponent(auth.apiSecret) ~ "&"; if("token_secret" in oauthValues) { signWith ~= std.uri.encodeComponent(oauthValues["token_secret"]); oauthValues.remove("token_secret"); } if(method is null) method = data is null ? "GET" : "POST"; auto baseString = getSignatureBaseString( method, questionMark == -1 ? url : url[0..questionMark], questionMark == -1 ? "" : url[questionMark+1 .. $], oauthValues, contentType == "application/x-www-form-urlencoded" ? data : null ); string oauth_signature = /*std.uri.encodeComponent*/(cast(string) Base64.encode(mhashSign(baseString, signWith, MHASH_SHA1))); oauthValues["oauth_signature"] = oauth_signature; string oauthHeader; bool outputted = false; Pair[] pairs; foreach(k, v; oauthValues) { pairs ~= Pair(k, v); } foreach(pair; std.algorithm.sort(pairs)) { if(outputted) oauthHeader ~= ", "; else outputted = true; oauthHeader ~= pair.output(true); } return curlAuth(url, data, null, null, contentType, method, ["Authorization: OAuth " ~ oauthHeader]); } bool isOAuthRequest(Cgi cgi) { if(cgi.authorization.length < 5 || cgi.authorization[0..5] != "OAuth") return false; return true; } string getApiKeyFromRequest(Cgi cgi) { enforce(isOAuthRequest(cgi)); auto variables = split(cgi.authorization[6..$], ","); foreach(var; variables) if(var.startsWith("oauth_consumer_key")) return var["oauth_consumer_key".length + 3 .. $ - 1]; // trimming quotes too throw new Exception("api key not present"); } string getTokenFromRequest(Cgi cgi) { enforce(isOAuthRequest(cgi)); auto variables = split(cgi.authorization[6..$], ","); foreach(var; variables) if(var.startsWith("oauth_token")) return var["oauth_token".length + 3 .. $ - 1]; // trimming quotes too return null; } // FIXME check timestamp and maybe nonce too bool isSignatureValid(Cgi cgi, string apiSecret, string tokenSecret) { enforce(isOAuthRequest(cgi)); auto variables = split(cgi.authorization[6..$], ","); string[string] oauthValues; foreach(var; variables) { auto it = var.split("="); oauthValues[it[0]] = it[1][1 .. $ - 1]; // trimming quotes } auto url = cgi.getCurrentCompleteUri(); auto questionMark = std.string.indexOf(url, "?"); string signWith = std.uri.encodeComponent(apiSecret) ~ "&"; if(tokenSecret.length) signWith ~= std.uri.encodeComponent(tokenSecret); auto method = to!string(cgi.requestMethod); if("oauth_signature" !in oauthValues) return false; auto providedSignature = oauthValues["oauth_signature"]; oauthValues.remove("oauth_signature"); string oauth_signature = std.uri.encodeComponent(cast(string) Base64.encode(mhashSign( getSignatureBaseString( method, questionMark == -1 ? url : url[0..questionMark], questionMark == -1 ? "" : url[questionMark+1 .. $], oauthValues, cgi.postArray // FIXME: if this was a file upload, this isn't actually right ), signWith, MHASH_SHA1))); return oauth_signature == providedSignature; } string makeNonce() { auto val = to!string(uniform(uint.min, uint.max)) ~ to!string(Clock.currTime().stdTime); return val; } struct Pair { string name; string value; string output(bool useQuotes = false) { if(useQuotes) return std.uri.encodeComponent(name) ~ "=\"" ~ rawurlencode(value) ~ "\""; else return std.uri.encodeComponent(name) ~ "=" ~ rawurlencode(value); } int opCmp(Pair rhs) { // FIXME: is name supposed to be encoded? int val = std.string.cmp(name, rhs.name); if(val == 0) val = std.string.cmp(value, rhs.value); return val; } } string getSignatureBaseString( string method, string protocolHostAndPath, string queryStringContents, string[string] authorizationHeaderContents, in string[][string] postArray) { string baseString; baseString ~= method; baseString ~= "&"; baseString ~= std.uri.encodeComponent(protocolHostAndPath); baseString ~= "&"; auto getArray = decodeVariables(queryStringContents); Pair[] pairs; foreach(k, vals; getArray) foreach(v; vals) pairs ~= Pair(k, v); foreach(k, vals; postArray) foreach(v; vals) pairs ~= Pair(k, v); foreach(k, v; authorizationHeaderContents) pairs ~= Pair(k, v); bool outputted = false; string params; foreach(pair; std.algorithm.sort(pairs)) { if(outputted) params ~= "&"; else outputted = true; params ~= pair.output(); } baseString ~= std.uri.encodeComponent(params); return baseString; } string getSignatureBaseString( string method, string protocolHostAndPath, string queryStringContents, string[string] authorizationHeaderContents, string postBodyIfWwwEncoded) { return getSignatureBaseString( method, protocolHostAndPath, queryStringContents, authorizationHeaderContents, decodeVariables(postBodyIfWwwEncoded)); } /***************************************/ // OAuth 2.0 as used by Facebook // /***************************************/ immutable(ubyte)[] base64UrlDecode(string e) { string encoded = e.idup; while (encoded.length % 4) { encoded ~= "="; // add padding } // convert base64 URL to standard base 64 encoded = encoded.replace("-", "+"); encoded = encoded.replace("_", "/"); auto ugh = Base64.decode(encoded); return assumeUnique(ugh); } Ret parseSignedRequest(Ret = Variant)(in string req, string apisecret) { auto parts = req.split("."); immutable signature = parts[0]; immutable jsonEncoded = parts[1]; auto expected = mhashSign(jsonEncoded, apisecret, MHASH_SHA256); auto got = base64UrlDecode(signature); enforce(expected == got, "Signatures didn't match"); auto json = cast(string) base64UrlDecode(jsonEncoded); static if(is(Ret == Variant)) return jsonToVariant(json); else return Ret.fromJson(json); } string stripWhitespace(string w) { return w.replace("\t", "").replace("\n", "").replace(" ", ""); } string translateCodeToAccessToken(string code, string redirectUrl, string appId, string apiSecret) { string res = curl(stripWhitespace("https://graph.facebook.com/oauth/access_token? client_id="~appId~"&redirect_uri="~std.uri.encodeComponent(redirectUrl)~"& client_secret="~apiSecret~"&code=" ~ std.uri.encodeComponent(code) )); if(res.indexOf("access_token=") == -1) { throw new Exception("Couldn't translate code to access token. [" ~ res ~ "]"); } auto vars = decodeVariablesSingle(res); return vars["access_token"]; } /+ void updateFbGraphPermissions(string token) { fbGraph([null, token], "/me/permissions", true, -1); // use the cache, but only read if it is in the future - basically, force a cache refresh fbGraph([null, token], "/me/friends", true, -1); // do the same thing for friends.. } auto fbGraphPermissions(string token) { return fbGraph([null, token], "/me/permissions", true, 36); // use the cache } enum FacebookPermissions { user_likes, friends_likes, publish_stream, publish_actions, offline_access, manage_pages, } bool hasPermission(DataObject person, FacebookPermissions permission) { version(live) {} else return true; // on dev, just skip this stuff if(person.facebook_access_token.length == 0) return false; try { auto perms = getBasicDataFromVariant(fbGraphPermissions(person. facebook_access_token))[0]; return (to!string(permission) in perms) ? true : false; } catch(FacebookApiException e) { return false; // the token doesn't work } return false; } +/ /****************************************/ // Generic helper functions for web work /****************************************/ import std.variant; import std.json; Variant jsonToVariant(string json) { auto decoded = parseJSON(json); return jsonValueToVariant(decoded); } Variant jsonValueToVariant(JSONValue v) { Variant ret; final switch(v.type) { case JSONType.string: ret = v.str; break; case JSONType.uinteger: ret = v.uinteger; break; case JSONType.integer: ret = v.integer; break; case JSONType.float_: ret = v.floating; break; case JSONType.object: Variant[string] obj; foreach(k, val; v.object) { obj[k] = jsonValueToVariant(val); } ret = obj; break; case JSONType.array: Variant[] arr; foreach(i; v.array) { arr ~= jsonValueToVariant(i); } ret = arr; break; case JSONType.true_: ret = true; break; case JSONType.false_: ret = false; break; case JSONType.null_: ret = null; break; } return ret; } /***************************************/ // Interface to C lib for signing /***************************************/ extern(C) { alias int hashid; MHASH mhash_hmac_init(hashid, in void*, int, int); bool mhash(in void*, in void*, int); int mhash_get_hash_pblock(hashid); byte* mhash_hmac_end(MHASH); int mhash_get_block_size(hashid); hashid MHASH_MD5 = 1; hashid MHASH_SHA1 = 2; hashid MHASH_SHA256 = 17; alias void* MHASH; } ubyte[] mhashSign(string data, string signWith, hashid algorithm) { auto td = mhash_hmac_init(algorithm, signWith.ptr, cast(int) signWith.length, mhash_get_hash_pblock(algorithm)); mhash(td, data.ptr, cast(int) data.length); auto mac = mhash_hmac_end(td); ubyte[] ret; for (int j = 0; j < mhash_get_block_size(algorithm); j++) { ret ~= cast(ubyte) mac[j]; } /* string ret; for (int j = 0; j < mhash_get_block_size(algorithm); j++) { ret ~= std.string.format("%.2x", mac[j]); } */ return ret; } pragma(lib, "mhash");