OAuth1AuthenticationService.java

/*
 * Copyright 2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.social.security.provider;

import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.social.connect.Connection;
import org.springframework.social.connect.support.OAuth1ConnectionFactory;
import org.springframework.social.oauth1.AuthorizedRequestToken;
import org.springframework.social.oauth1.OAuth1Operations;
import org.springframework.social.oauth1.OAuth1Parameters;
import org.springframework.social.oauth1.OAuth1Version;
import org.springframework.social.oauth1.OAuthToken;
import org.springframework.social.security.SocialAuthenticationRedirectException;
import org.springframework.social.security.SocialAuthenticationToken;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/**
 * @author Stefan Fussennegger
 * @param <S> The provider's API type.
 */
public class OAuth1AuthenticationService<S> extends AbstractSocialAuthenticationService<S> implements InitializingBean {

	private final Log logger = LogFactory.getLog(getClass());
	
	private static final String OAUTH_TOKEN_ATTRIBUTE = "oauthToken";

	private Set<String> returnToUrlParameters;
	
	private OAuth1ConnectionFactory<S> connectionFactory;

	public OAuth1AuthenticationService(OAuth1ConnectionFactory<S> connectionFactory) {
		setConnectionFactory(connectionFactory);
	}
	
	public OAuth1ConnectionFactory<S> getConnectionFactory() {
		return connectionFactory;
	}

	public void setConnectionFactory(OAuth1ConnectionFactory<S> connectionFactory) {
		this.connectionFactory = connectionFactory;
	}

	public void setReturnToUrlParameters(Set<String> returnToUrlParameters) {
		Assert.notNull(returnToUrlParameters, "returnToUrlParameters cannot be null");
		this.returnToUrlParameters = returnToUrlParameters;
	}

	public Set<String> getReturnToUrlParameters() {
		if (returnToUrlParameters == null) {
			returnToUrlParameters = new HashSet<String>();
		}
		return returnToUrlParameters;
	}

	public void afterPropertiesSet() throws Exception {
		super.afterPropertiesSet();
		Assert.notNull(getConnectionFactory(), "connectionFactory");
	}

	public SocialAuthenticationToken getAuthToken(HttpServletRequest request, HttpServletResponse response) throws SocialAuthenticationRedirectException {
		/**
		 * OAuth Authentication flow: See http://dev.twitter.com/pages/auth
		 */
		String verifier = request.getParameter("oauth_verifier");
		if (!StringUtils.hasText(verifier)) {
			// First phase: get a request token
			OAuth1Operations ops = getConnectionFactory().getOAuthOperations();
			String returnToUrl = buildReturnToUrl(request);
			OAuthToken requestToken = ops.fetchRequestToken(returnToUrl, null);
			request.getSession().setAttribute(OAUTH_TOKEN_ATTRIBUTE, requestToken);

			// Redirect to the service provider for authorization
			OAuth1Parameters params;
			if (ops.getVersion() == OAuth1Version.CORE_10) {
				params = new OAuth1Parameters();
				params.setCallbackUrl(returnToUrl);
			} else {
				params = OAuth1Parameters.NONE;
			}			
			throw new SocialAuthenticationRedirectException(ops.buildAuthenticateUrl(requestToken.getValue(), params));
		} else {
			// Second phase: request an access token
			OAuthToken requestToken = extractCachedRequestToken(request);
			if (requestToken == null) {
				logger.warn("requestToken unavailable for oauth_verifier");
				return null;
			}
			OAuthToken accessToken = getConnectionFactory().getOAuthOperations().exchangeForAccessToken(new AuthorizedRequestToken(requestToken, verifier), null);
			// TODO avoid API call if possible (auth using token would be fine)
            Connection<S> connection = getConnectionFactory().createConnection(accessToken);
            return new SocialAuthenticationToken(connection, null);
		}
	}

	protected String buildReturnToUrl(HttpServletRequest request) {
		StringBuffer sb = request.getRequestURL();
		sb.append("?");

		for (String name : getReturnToUrlParameters()) {
			// Assume for simplicity that there is only one value
			String value = request.getParameter(name);

			if (value == null) {
				continue;
			}
			sb.append(name).append("=").append(value).append("&");

		}

		sb.setLength(sb.length() - 1); // strip trailing ? or &

		return sb.toString();
	}

	private OAuthToken extractCachedRequestToken(HttpServletRequest request) {
		OAuthToken requestToken = (OAuthToken) request.getSession().getAttribute(OAUTH_TOKEN_ATTRIBUTE);
		request.getSession().removeAttribute(OAUTH_TOKEN_ATTRIBUTE);
		return requestToken;
	}

}