reintroduce unsafe-eval CSP rule for iD
[rails.git] / config / initializers / oauth.rb
index 3b4f06a2e66277c2856ca87650fea36b0b264d59..812e6610d9e67a46b1df270cd5a201cf41d3dff4 100644 (file)
@@ -1,9 +1,26 @@
 require "oauth/controllers/provider_controller"
+require "oauth/helper"
 require "oauth/rack/oauth_filter"
 
 Rails.configuration.middleware.use OAuth::Rack::OAuthFilter
 
 module OAuth
+  module Helper
+    def escape(value)
+      value.to_s.gsub(OAuth::RESERVED_CHARACTERS) do |c|
+        c.bytes.map do |b|
+          format("%%%02X", b)
+        end.join
+      end.force_encoding(Encoding::US_ASCII)
+    end
+
+    def unescape(value)
+      value.to_s.gsub(/%\h{2}/) do |c|
+        c[1..].to_i(16).chr
+      end.force_encoding(Encoding::UTF_8)
+    end
+  end
+
   module RequestProxy
     class RackRequest
       def method
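Review bot: `unescape` labels its result as UTF-8 with `force_encoding(Encoding::UTF_8)` but never checks that the decoded bytes are valid UTF-8, so an input such as `%FF` produces a string with a broken encoding. These values presumably come from request parameters, and later string or regex operations on an invalid string can raise instead of failing the OAuth check cleanly; how callers handle that is not visible in this hunk. Consider testing `valid_encoding?` on the decoded string and rejecting it (or calling `scrub`) at this point. A one-line comment on `escape` and `unescape` saying why the gem's helpers are overridden would also help the next reader.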
@@ -16,37 +33,58 @@ end
 module OpenStreetMap
   module ProviderController
     def self.prepended(mod)
+      super
       mod.singleton_class.prepend(OpenStreetMap::ProviderController::ClassMethods)
     end
 
     def render(options = {})
       text = options.delete(:text)
       if text
-        super options.merge(:plain => text)
+        super(options.merge(:plain => text))
       elsif options.delete(:nothing)
         status = options.delete(:status) || :ok
         head status, options
       else
-        super options
+        super
       end
     end
 
     module ClassMethods
       def included(controller)
         controller.class_eval do
-          def self.before_filter(*names, &blk)
-            before_action(*names, &blk)
+          def self.before_filter(...)
+            before_action(...)
           end
 
-          def self.skip_before_filter(*names, &blk)
-            skip_before_action(*names, &blk)
+          def self.skip_before_filter(...)
+            skip_before_action(...)
           end
         end
 
-        super controller
+        super
+      end
+    end
+  end
+
+  module OAuthFilter
+    def oauth1_verify(request, options = {}, &block)
+      signature = OAuth::Signature.build(request, options, &block)
+      return false unless OauthNonce.remember(signature.request.nonce, signature.request.timestamp)
+
+      value = signature.verify
+      if request.ssl? && !value
+        http_request = request.dup
+        http_request.define_singleton_method(:scheme) { "http" }
+        http_request.define_singleton_method(:port) { 80 }
+        signature = OAuth::Signature.build(http_request, options, &block)
+        value = signature.verify
       end
+      value
+    rescue OAuth::Signature::UnknownSignatureMethod
+      false
     end
   end
 end
 
 OAuth::Controllers::ProviderController.prepend(OpenStreetMap::ProviderController)
+OAuth::Rack::OAuthFilter.prepend(OpenStreetMap::OAuthFilter)
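Review bot: The retry in `oauth1_verify` accepts a signature computed over an `http` / port 80 base string for a request that arrived over TLS, which loosens the scheme-and-port binding of the OAuth 1.0 signature, and nothing in the code says why. If this is a compatibility path for clients that still sign the plain-http URL (presumably), say so in a comment above `if request.ssl? && !value`. Logging when the fallback succeeds would also help, e.g. `Rails.logger.info("OAuth1 signature accepted via http fallback") if value` after the second `signature.verify`, so its use can be measured and the branch eventually removed. Separately, `OauthNonce.remember` runs before `signature.verify`, so requests with an invalid signature still record a nonce; that ordering deserves a comment stating it is intentional.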