Re: [BTC-TC] Community Exchange w/ Options, DRIP, 2FA, API, CSV, etc.

Quote from: burnside on May 23, 2013, 05:40:24 AM

Quote from: inh on May 23, 2013, 04:18:55 AM

Burnside, would it be possible to have the oauth verifier not expire when the page for a specific token is called again? I can browse to https://btct.co/authorize?oauth_token=c6da005d45642ba73589e37444304412020f36bc with my browser, and approve it, but then it reloads the same page with the oauth verifier token appended to the URL and when I use that verifier the API tells me it's already invalid Sad

I hate to say it but that confused me pretty good. Wink

Something tells me though that if it doesn't invalidate it the first time around, it may be open to replay attacks?

I don't think so. Each time you visit the URL, for example

Code:

https://btct.co/authorize?oauth_token=c6da005d45642ba73589e37444304412020f36bc

and approve the access request, it returns the verification code in the form of a URL like

Code:

https://btct.co/authorize?oauth_token=c6da005d45642ba73589e37444304412020f36bc&oauth_verifier=

Each time I grant access, a NEW verifier string is generated, and the old one is invalidated. The problem is that once I approve access, the page redirects to

Code:

https://btct.co/authorize?oauth_token=c6da005d45642ba73589e37444304412020f36bc&oauth_verifier=

and it prompts for access again. If I just ignore the request and paste the verifier string from the URL in to my program, it comes back with this error:

Code:

OAuth server status 401, oauth_problem=verifier_invalid

Hope that helps clears things up. What I think is happening is whenever the page is called, the program invalidates any credentials used for the token in the request URL, so when the page refreshes, BAM, the verifier string in the URL is already invalid.