Merge branch 'nonce' of github.com:FiloSottile/MediaWiki-OAuth

Conflicts: mwoauth.py
mediawiki-utilities · May 16, 2014 · 82dc60e · 82dc60e
2 parents ffabfac + cf3468e
commit 82dc60e
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/mwoauth.py b/mwoauth.py
@@ -4,6 +4,7 @@
 import jwt, requests, time, six
 from requests_oauthlib import OAuth1
 import six
+import re
 
 try:
 	from urlparse import parse_qs
@@ -265,12 +266,14 @@ def identify(mw_uri, consumer_token, access_token, leeway=10.0):
 	if not now <= expiration:
 		raise Exception("Identity expired {0} ".format(expiration - now) + \
 		                "seconds ago!")
-
-	# Verify we haven't seen this nonce before,
-	# which would indicate a replay attack
-	# TODO: implement nonce but this is not high priority
-	#if identity['nonce'] != <<original request nonce>>
-		#raise Exception('JSON Web Token Validation Problem, nonce')
+
+	# Verify that the nonce matches our request one,
+	# to avoid a replay attack
+	request_nonce = re.search(r'oauth_nonce="(.*?)"',
+		r.request.headers['Authorization']).group(1)
+	if identity['nonce'] != request_nonce:
+		raise Exception('Replay attack detected: {0} != {1}'.format(
+						identity['nonce'], request_nonce))
 
 	return identity