David Larlet committed c80b48e

Add a way to restrict signature methods (to avoid plaintext for instance). Thanks Toby White.


Files changed (2)


     OAUTH_BLACKLISTED_HOSTNAMES = ['localhost', '']
+Default is an empty list.
+The ``OAUTH_SIGNATURE_METHODS`` setting allows you to restrict signatures'
+methods you'd like to use. For example if you don't want plaintext signature::
+    OAUTH_SIGNATURE_METHODS = ['hmac-sha1',]
+Default is ``['plaintext', 'hmac-sha1']``.
 A complete example is available in ``oauth_examples/provider/`` folder, you
 can run tests from this example with this command::


 from stores import DataStore
+OAUTH_REALM_KEY_NAME = getattr(settings, 'OAUTH_REALM_KEY_NAME', '')
+OAUTH_SIGNATURE_METHODS = getattr(settings, 'OAUTH_SIGNATURE_METHODS', ['plaintext', 'hmac-sha1'])
 def initialize_server_request(request):
     """Shortcut for initialization."""
                                               query_string=request.environ.get('QUERY_STRING', ''))
     if oauth_request:
         oauth_server = OAuthServer(DataStore(oauth_request))
-        oauth_server.add_signature_method(OAuthSignatureMethod_PLAINTEXT())
-        oauth_server.add_signature_method(OAuthSignatureMethod_HMAC_SHA1())
+        if 'plaintext' in OAUTH_SIGNATURE_METHODS:
+            oauth_server.add_signature_method(OAuthSignatureMethod_PLAINTEXT())
+        if 'hmac-sha1' in OAUTH_SIGNATURE_METHODS:
+            oauth_server.add_signature_method(OAuthSignatureMethod_HMAC_SHA1())
         oauth_server = None
     return oauth_server, oauth_request
     response = HttpResponse(err.message.encode('utf-8'), mimetype="text/plain")
     response.status_code = 401
     # return the authenticate header
-    realm = getattr(settings, OAUTH_REALM_KEY_NAME, '')
-    header = build_authenticate_header(realm=realm)
+    header = build_authenticate_header(realm=OAUTH_REALM_KEY_NAME)
     for k, v in header.iteritems():
         response[k] = v
     return response
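Review bot: The new `OAUTH_SIGNATURE_METHODS` setting (the `getattr` at the top of the module, consumed by the two `if ... in OAUTH_SIGNATURE_METHODS` checks in `initialize_server_request`) is never validated, so a misspelled or differently-cased entry such as `'HMAC-SHA1'` or an empty list silently produces an `OAuthServer` with no signature methods registered, and the failure only surfaces as rejected requests at runtime. Validating the list once at import time against the two names the code actually understands turns that misconfiguration into an immediate, explicit error; `ImproperlyConfigured` from `django.core.exceptions` is the conventional exception for this and would need to be imported at the top of the module. A short comment on the setting would also help, e.g. `# Recognised values are 'plaintext' and 'hmac-sha1' (case-sensitive); unknown entries are rejected at import time.` Note that the default still enables `'plaintext'`, which the commit message itself presents as the thing deployments may want to avoid, so the README sentence giving the default is worth pairing with a recommendation to restrict to `['hmac-sha1']` where the transport is not already protected. The function ending at `return response` begins outside this hunk.
```python
OAUTH_REALM_KEY_NAME = getattr(settings, 'OAUTH_REALM_KEY_NAME', '')
# Recognised values are 'plaintext' and 'hmac-sha1' (case-sensitive).
_KNOWN_SIGNATURE_METHODS = ('plaintext', 'hmac-sha1')
OAUTH_SIGNATURE_METHODS = getattr(settings, 'OAUTH_SIGNATURE_METHODS', ['plaintext', 'hmac-sha1'])
_unknown_methods = set(OAUTH_SIGNATURE_METHODS) - set(_KNOWN_SIGNATURE_METHODS)
if _unknown_methods or not OAUTH_SIGNATURE_METHODS:
    # Fail at import time rather than serving a provider that accepts nothing.
    raise ImproperlyConfigured(
        "OAUTH_SIGNATURE_METHODS must be a non-empty subset of %r, got %r"
        % (_KNOWN_SIGNATURE_METHODS, OAUTH_SIGNATURE_METHODS))
# … unchanged: initialize_server_request and the remaining helpers …
```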