Topic: Re: [BTC-TC] Community Exchange w/ Options, DRIP, 2FA, API, CSV, etc.
Board: Securities
by inh on 23/05/2013, 18:17:33 UTC
Burnside, would it be possible to have the oauth verifier not expire when the page for a specific token is called again? I can browse to https://btct.co/authorize?oauth_token=c6da005d45642ba73589e37444304412020f36bc with my browser, and approve it, but then it reloads the same page with the oauth verifier token appended to the URL and when I use that verifier the API tells me it's already invalid :(

I hate to say it but that confused me pretty good.  ;)  Something tells me though that if it doesn't invalidate it the first time around, it may be open to replay attacks?


I don't think so. Each time you visit the URL, for example
Code:
https://btct.co/authorize?oauth_token=c6da005d45642ba73589e37444304412020f36bc

and approve the access request, it returns the verification code in the form of a URL like
Code:
https://btct.co/authorize?oauth_token=c6da005d45642ba73589e37444304412020f36bc&oauth_verifier=

Each time I grant access, a NEW verifier string is generated, and the old one is invalidated. The problem is that once I approve access, the page redirects to
Code:
https://btct.co/authorize?oauth_token=c6da005d45642ba73589e37444304412020f36bc&oauth_verifier=
and it prompts for access again. If I just ignore the request and paste the verifier string from the URL into my program, it comes back with this error:

Code:
OAuth server status 401, oauth_problem=verifier_invalid

Hope that helps clear things up. What I think is happening is whenever the page is called, the program invalidates any credentials used for the token in the request URL, so when the page refreshes, BAM, the verifier string in the URL is already invalid.


When you grant access, it should redirect back to your callback page, correct?  Is this the oob situation we were discussing earlier?  No callback causes it to call itself again?  With the DDoS issues lately I haven't had any time to fix the oob functionality.  It's high on the list though.


Correct. When I pass 'oob' for the callback, the webpage reloads itself as the callback URL.

When you grant access, it should redirect back to your callback page, correct?  Is this the oob situation we were discussing earlier?  No callback causes it to call itself again?  With the DDoS issues lately I haven't had any time to fix the oob functionality.  It's high on the list though.

I think oob is working okay.  At least, I've been able to register and retrieve working credentials with it.

Really? I haven't had any luck at all. I can fetch the URL to approve application access to my account, and when I approve it the page reloads again, this time with the verification string in the URL. When I take that string and try to use it in my program, the website API says that it's invalid. I'll see if I can find some other oauth code to work with and test it out, the stuff I'm using has worked fine on other sites but maybe something is off with the way it works with btct.co.
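Added example, not part of the thread and not btct.co's code: a toy model of the verifier lifecycle discussed above, comparing the hypothesised "any page load resets the verifier" behaviour with invalidating only at the access-token exchange, which still rejects a replayed verifier. The class, function and token names are hypothetical, and the reset-on-load behaviour is the poster's guess, not confirmed server behaviour.

```python
import hmac
import secrets


class AuthorizeEndpoint:
    """Toy model of an OAuth 1.0a authorize page used with callback 'oob'."""

    def __init__(self, reset_on_every_load):
        # True models the hypothesised behaviour; False models single-use-on-exchange.
        self.reset_on_every_load = reset_on_every_load
        self.verifiers = {}  # request token -> currently valid verifier

    def load_page(self, token, approve=False):
        """Handle one page load; return the verifier shown to the user, if any."""
        if self.reset_on_every_load:
            # Hypothesised: every hit on the page drops the previous verifier.
            self.verifiers.pop(token, None)
        if approve:
            # Approving always mints a fresh verifier, replacing any older one.
            self.verifiers[token] = secrets.token_hex(8)
            return self.verifiers[token]
        return None

    def exchange(self, token, verifier):
        """Access-token step: the stored verifier is discarded on any attempt."""
        expected = self.verifiers.pop(token, None)
        if expected is None or not hmac.compare_digest(expected, verifier):
            return "401 oauth_problem=verifier_invalid"
        return "200 access token issued"


def oob_flow(endpoint, token="constructed-request-token"):
    """User approves, the page reloads itself (oob), then the client exchanges."""
    verifier = endpoint.load_page(token, approve=True)
    endpoint.load_page(token)  # self-redirect carrying oauth_verifier in the URL
    first = endpoint.exchange(token, verifier)
    replay = endpoint.exchange(token, verifier)  # same verifier presented again
    return first, replay


if __name__ == "__main__":
    print("reset on every load :", oob_flow(AuthorizeEndpoint(True)))
    print("invalidate on use   :", oob_flow(AuthorizeEndpoint(False)))
```

In the second mode the first exchange succeeds and the replay is rejected, so keeping the verifier valid across the self-reload does not by itself reopen replay.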