David Larlet committed c80b48e

Add a way to restrict signature methods (to avoid plaintext for instance). Thanks Toby White.


Files changed (2)


     OAUTH_BLACKLISTED_HOSTNAMES = ['localhost', '']
+Default is an empty list.
+The ``OAUTH_SIGNATURE_METHODS`` setting allows you to restrict signatures'
+methods you'd like to use. For example if you don't want plaintext signature::
+    OAUTH_SIGNATURE_METHODS = ['hmac-sha1',]
+Default is ``['plaintext', 'hmac-sha1']``.
 A complete example is available in ``oauth_examples/provider/`` folder, you
 can run tests from this example with this command::
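Review bot: the documented default `['plaintext', 'hmac-sha1']` still enables the PLAINTEXT method, which transmits the consumer secret and token secret in the clear in `oauth_signature`, so the new setting only protects providers who know to change it; consider either making `['hmac-sha1']` the default so plaintext is opt-in, or stating right after the example that plaintext is only acceptable on endpoints served over TLS. Also, as shown the indented `OAUTH_SIGNATURE_METHODS = ['hmac-sha1',]` line directly follows the `::` paragraph; reStructuredText needs a blank line between them for the literal block to render as code rather than as a definition list.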


 from stores import DataStore
+OAUTH_REALM_KEY_NAME = getattr(settings, 'OAUTH_REALM_KEY_NAME', '')
+OAUTH_SIGNATURE_METHODS = getattr(settings, 'OAUTH_SIGNATURE_METHODS', ['plaintext', 'hmac-sha1'])
 def initialize_server_request(request):
     """Shortcut for initialization."""
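Review bot: both new module-level constants are resolved with `getattr(settings, ...)` once at import time, so a setting value assigned or overridden after this module is first imported (for example in a test setup) is never seen; the removed inline `getattr` in the view was evaluated per request. Reading `OAUTH_SIGNATURE_METHODS` inside `initialize_server_request` (or wrapping the lookup in a small function) keeps the old behaviour while still letting the default `['plaintext', 'hmac-sha1']` match what the README documents.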
                                               query_string=request.environ.get('QUERY_STRING', ''))
     if oauth_request:
         oauth_server = OAuthServer(DataStore(oauth_request))
-        oauth_server.add_signature_method(OAuthSignatureMethod_PLAINTEXT())
-        oauth_server.add_signature_method(OAuthSignatureMethod_HMAC_SHA1())
+        if 'plaintext' in OAUTH_SIGNATURE_METHODS:
+            oauth_server.add_signature_method(OAuthSignatureMethod_PLAINTEXT())
+        if 'hmac-sha1' in OAUTH_SIGNATURE_METHODS:
+            oauth_server.add_signature_method(OAuthSignatureMethod_HMAC_SHA1())
         oauth_server = None
     return oauth_server, oauth_request
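Review bot: the two membership checks on `'plaintext'` and `'hmac-sha1'` silently ignore any other entry in `OAUTH_SIGNATURE_METHODS`, so a typo or a different case such as `'HMAC-SHA1'` leaves the `OAuthServer` with no signature methods registered and every request then fails verification with nothing pointing at the misconfiguration. Suggest validating the setting once against the two supported names (normalising with `.lower()` and raising `django.core.exceptions.ImproperlyConfigured` for unknown entries) and refusing to start, or at least logging, when the resulting list is empty; failing closed is the right outcome, but it should be diagnosable.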
     response = HttpResponse(err.message.encode('utf-8'), mimetype="text/plain")
     response.status_code = 401
     # return the authenticate header
-    realm = getattr(settings, OAUTH_REALM_KEY_NAME, '')
-    header = build_authenticate_header(realm=realm)
+    header = build_authenticate_header(realm=OAUTH_REALM_KEY_NAME)
     for k, v in header.iteritems():
         response[k] = v
     return response
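Review bot: the removed line `realm = getattr(settings, OAUTH_REALM_KEY_NAME, '')` used `OAUTH_REALM_KEY_NAME` as the name of the settings key, whereas after this change the same identifier is bound to the realm string itself, so the name no longer describes what it holds and the old key-name constant it shadows is gone. Binding the looked-up value to something like `OAUTH_REALM` and passing that to `build_authenticate_header(realm=...)` would keep the code readable and avoid confusing the setting name with its value.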