Implement /identify nonce checking

mediawiki-utilities · May 15, 2014 · cf3468e · cf3468e
1 parent 4128e00
commit cf3468e
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/mwoauth.py b/mwoauth.py
@@ -110,12 +110,13 @@ def identify(self, auth):
 		# Expiration (exp) should be in the future
 		if not int(identify_token['exp']) >= now:
 			raise Exception('JSON Web Token Validation Problem, exp')
-
-		# Verify we haven't seen this nonce before,
-		# which would indicate a replay attack
-		# TODO: implement nonce but this is not high priority
-		#if identify_token['nonce'] != <<original request nonce>>
-			#raise Exception('JSON Web Token Validation Problem, nonce')
+
+		# Verify that the nonce matches our request one,
+		# to avoid a replay attack
+		request_nonce = re.search(r'oauth_nonce="(.*?)"',
+			r.request.headers['Authorization']).group(1)
+		if identify_token['nonce'] != request_nonce:
+			raise Exception('JSON Web Token Validation Problem, nonce')
 
 		return identify_token