packageNet::OAuth::Simple;usewarnings;usestrict;our$VERSION="1.7";useURI;useLWP;useCGI;useHTTP::Request::Common ();useCarp;useNet::OAuth;useDigest::SHA;useFile::Basename;requireNet::OAuth::Request;requireNet::OAuth::RequestTokenRequest;requireNet::OAuth::AccessTokenRequest;requireNet::OAuth::ProtectedResourceRequest;requireNet::OAuth::XauthAccessTokenRequest;requireNet::OAuth::UserAuthRequest;BEGIN {unless($@) {Math::Random::MT->import(qw(srand rand));}}our@required_constructor_params=qw(consumer_key consumer_secret);our@access_token_params=qw(access_token access_token_secret);our@general_token_params=qw(general_token general_token_secret);=head1 NAMENet::OAuth::Simple - a simple wrapper round the OAuth protocol=head1 SYNOPSISFirst create a sub class of C<Net::OAuth::Simple> that will do you requestsfor you.package Net::AppThatUsesOAuth;use strict;use base qw(Net::OAuth::Simple);sub new {my $class = shift;my %tokens = @_;return $class->SUPER::new( tokens => \%tokens,protocol_version => '1.0a',urls => {authorization_url => ...,request_token_url => ...,access_token_url => ...,});}sub view_restricted_resource {my $self = shift;my $url = shift;return $self->make_restricted_request($url, 'GET');}sub update_restricted_resource {my $self = shift;my $url = shift;my %extra_params = @_;return $self->make_restricted_request($url, 'POST', %extra_params);}1;Then in your main app you need to do# Get the tokens from the command line, a config file or wherevermy %tokens = get_tokens();my $app = Net::AppThatUsesOAuth->new(%tokens);# Check to see we have a consumer key and secretunless ($app->consumer_key && $app->consumer_secret) {die "You must go get a consumer key and secret from App\n";}# If the app is authorized (i.e has an access token and secret)# Then look at a restricted resourseif ($app->authorized) {my $response = $app->view_restricted_resource;print $response->content."\n";exit;}# Otherwise the user needs to go get an access token and secretprint "Go to ".$app->get_authorization_url."\n";print "Then hit return after\n";<STDIN>;my ($access_token, $access_token_secret) = $app->request_access_token;# Now save those valuesNote the flow will be somewhat different for web apps since the request tokenand secret will need to be saved whilst the user visits the authorization url.For examples go look at the C<Net::FireEagle> module and the C<fireeagle> commandline script that ships with it. Also in the same distribution in the C<examples/>directory is a sample web app.=head1 METHODS=cut=head2 new [params]Create a new OAuth enabled app - takes a hash of params.One of the keys of the hash must be C<tokens>, the value of whichmust be a hash ref with the keys:=over 4=item consumer_key=item consumer_secret=backThen, when you have your per-use access token and secret youcan supply=over 4=item access_token=item access_secret=backAnother key of the hash must be C<urls>, the value of which mustbe a hash ref with the keys=over 4=item authorization_url=item request_token_url=item access_token_url=backIf you pass in a key C<protocol_version> with a value equal to B<1.0a> thenthe newest version of the OAuth protocol will be used. A value equal to B<1.0> willmean the old version will be used. Defaults to B<1.0a>You can pass in your own User Agent by using the key C<browser>.If you pass in C<return_undef_on_error> then instead of C<die>-ing on errormethods will return undef instead and the error can be retrieved using theC<last_error()> method. See the section on B<ERROR HANDLING>.=cutsubnew {my$class=shift;my%params=@_;$params{protocol_version} ||='1.0a';my$client=bless\%params,$class;# Set up LibWWWPerl for HTTP requests$client->{browser} ||= LWP::UserAgent->new;# Verify arguments$client->_check;# Client Objectreturn$client;}# Validate required constructor paramssub_check {my$self=shift;foreachmy$param(@required_constructor_params) {unless(defined$self->{tokens}->{$param} ) {return$self->_error("Missing required parameter '$param'");}}return$self->_error("browser must be a LWP::UserAgent")unlessblessed$self->{browser} &&$self->{browser}->isa('LWP::UserAgent');}=head2 oauth_1_0aWhether or not we're using 1.0a version of OAuth (necessary for,amongst others, FireEagle)=cutsuboauth_1_0a {my$self=shift;return$self->{protocol_version } eq'1.0a';}=head2 authorizedWhether the client has the necessary credentials to be authorized.Note that the credentials may be wrong and so the request may still fail.=cutsubauthorized {my$self=shift;foreachmy$param(@access_token_params) {return0unlessdefined$self->{tokens}->{$param} &&length$self->{tokens}->{$param};}return1;}=head2 signature_method [method]The signature method to use.Defaults to HMAC-SHA1=cutsubsignature_method {my$self=shift;$self->{signature_method} =shiftif@_;return$self->{signature_method} ||'HMAC-SHA1';}=head2 tokensGet all the tokens.=cutsubtokens {my$self=shift;if(@_) {my%tokens=@_;$self->{tokens} = \%tokens;}return%{$self->{tokens}||{}};}=head2 consumer_key [consumer key]Returns the current consumer key.Can optionally set the consumer key.=cutsubconsumer_key {my$self=shift;$self->_token('consumer_key',@_);}=head2 consumer_secret [consumer secret]Returns the current consumer secret.Can optionally set the consumer secret.=cutsubconsumer_secret {my$self=shift;$self->_token('consumer_secret',@_);}=head2 access_token [access_token]Returns the current access token.Can optionally set a new token.=cutsubaccess_token {my$self=shift;$self->_token('access_token',@_);}=head2 access_token_secret [access_token_secret]Returns the current access token secret.Can optionally set a new secret.=cutsubaccess_token_secret {my$self=shift;return$self->_token('access_token_secret',@_);}=head2 general_token [token]Get or set the general token.See documentation in C<new()>=cutsubgeneral_token {my$self=shift;$self->_token('general_token',@_);}=head2 general_token_secret [secret]Get or set the general token secret.See documentation in C<new()>=cutsubgeneral_token_secret {my$self=shift;$self->_token('general_token_secret',@_);}=head2 authorized_general_tokenIs the app currently authorized for general token requests.See documentation in C<new()>=cutsubauthorized_general_token {my$self=shift;foreachmy$param(@general_token_params) {return0unlessdefined$self->$param();}return1;}=head2 request_token [request_token]Returns the current request token.Can optionally set a new token.=cutsubrequest_token {my$self=shift;$self->_token('request_token',@_);}=head2 request_token_secret [request_token_secret]Returns the current request token secret.Can optionally set a new secret.=cutsubrequest_token_secret {my$self=shift;return$self->_token('request_token_secret',@_);}=head2 verifier [verifier]Returns the current oauth_verifier.Can optionally set a new verifier.=cutsubverifier {my$self=shift;return$self->_param('verifier',@_);}=head2 callback [callback]Returns the oauth callback.Can optionally set the oauth callback.=cutsubcallback {my$self=shift;$self->_param('callback',@_);}=head2 callback_confirmed [callback_confirmed]Returns the oauth callback confirmed.Can optionally set the oauth callback confirmed.=cutsubcallback_confirmed {my$self=shift;$self->_param('callback_confirmed',@_);}sub_token {my$self=shift;$self->_store('tokens',@_);}sub_param {my$self=shift;$self->_store('params',@_);}sub_store {my$self=shift;my$ns=shift;my$key=shift;$self->{$ns}->{$key} =shiftif@_;return$self->{$ns}->{$key};}=head2 authorization_urlGet the url the user needs to visit to authorize as a URI object.Note: this is the base url - not the full url with the necessary OAuth params.=cutsubauthorization_url {my$self=shift;return$self->_url('authorization_url',@_);}=head2 request_token_urlGet the url to obtain a request token as a URI object.=cutsubrequest_token_url {my$self=shift;return$self->_url('request_token_url',@_);}=head2 access_token_urlGet the url to obtain an access token as a URI object.=cutsubaccess_token_url {my$self=shift;return$self->_url('access_token_url',@_);}sub_url {my$self=shift;my$key=shift;$self->{urls}->{$key} =shiftif@_;my$url=$self->{urls}->{$key} ||return;;returnURI->new($url);}# generate a random numbersub_nonce {returnint(rand( 2**32 ) );}=head2 request_access_token [param[s]]Request the access token and access token secret for this user.The user must have authorized this app at the url given byC<get_authorization_url> first.Returns the access token and access token secret but also setsthem internally so that after calling this method you canimmediately call a restricted method.If you pass in a hash of params then they will added as parameters to the URL.=cutsubrequest_access_token {my$self=shift;my%params=@_;my$url=$self->access_token_url;$params{token} =$self->request_tokenunlessdefined$params{token};$params{token_secret} =$self->request_token_secretunlessdefined$params{token_secret};if($self->oauth_1_0a) {$params{verifier} =$self->verifierunlessdefined$params{verifier};return$self->_error("You must pass a verified parameter when using OAuth v1.0a")unlessdefined$params{verifier};}my$access_token_response=$self->_make_request('Net::OAuth::AccessTokenRequest',$url,'POST',%params,);return$self->_decode_tokens($url,$access_token_response);}sub_decode_tokens {my$self=shift;my$url=shift;my$access_token_response=shift;# Cast response into CGI query for EZ parameter decodingmy$access_token_response_query=new CGI($access_token_response->content );# Split out token and secret parameters from the access token response$self->access_token($access_token_response_query->param('oauth_token'));$self->access_token_secret($access_token_response_query->param('oauth_token_secret'));delete$self->{tokens}->{$_}forqw(request_token request_token_secret verifier);return$self->_error("$url did not reply with an access token")unless($self->access_token &&$self->access_token_secret );return($self->access_token,$self->access_token_secret );}=head2 xauth_request_access_token [param[s]]The same as C<request_access_token> but for xAuth.For more information on xAuth seeYou must pass in the parametersx_auth_usernamex_auth_passwordx_auth_modeYou must have HTTPS enabled for LWP::UserAgent.See C<examples/twitter_xauth> for a sample implementation.=cutsubxauth_request_access_token {my$self=shift;my%params=@_;my$url=$self->access_token_url;$url=~ s !^http:!https:!;# force httpsmy%xauth_params=map{$_=>$params{$_} }grep{/^x_auth_/}@{Net::OAuth::XauthAccessTokenRequest->required_message_params};my$access_token_response=$self->_make_request('Net::OAuth::XauthAccessTokenRequest',$url,'POST',%xauth_params,);return$self->_decode_tokens($url,$access_token_response);}=head2 request_request_token [param[s]]Request the request token and request token secret for this user.This is called automatically by C<get_authorization_url> if necessary.If you pass in a hash of params then they will added as parameters to the URL.=cutsubrequest_request_token {my$self=shift;my%params=@_;my$url=$self->request_token_url;if($self->oauth_1_0a) {$params{callback} =$self->callbackunlessdefined$params{callback};return$self->_error("You must pass a callback parameter when using OAuth v1.0a")unlessdefined$params{callback};}my$request_token_response=$self->_make_request('Net::OAuth::RequestTokenRequest',$url,'GET',%params);return$self->_error("GET for $url failed: ".$request_token_response->status_line)unless($request_token_response->is_success );# Cast response into CGI query for EZ parameter decodingmy$request_token_response_query=new CGI($request_token_response->content );# Split out token and secret parameters from the request token response$self->request_token($request_token_response_query->param('oauth_token'));$self->request_token_secret($request_token_response_query->param('oauth_token_secret'));$self->callback_confirmed($request_token_response_query->param('oauth_callback_confirmed'));# Hack to deal with bug in older versions of oauth-php (See https://code.google.com/p/oauth-php/issues/detail?id=60)$self->callback_confirmed($request_token_response_query->param('oauth_callback_accepted'))unless$self->callback_confirmed;return$self->_error("Response does not confirm to OAuth1.0a. oauth_callback_confirmed not received")if$self->oauth_1_0a && !$self->callback_confirmed;}=head2 get_authorization_url [param[s]]Get the URL to authorize a user as a URI object.If you pass in a hash of params then they will added as parameters to the URL.=cutsubget_authorization_url {my$self=shift;my%params=@_;my$url=$self->authorization_url;if(!defined$self->request_token) {$self->request_request_token(%params);}#$params{oauth_token} = $self->request_token;$url->query_form(%params);my$req=$self->_build_request('Net::OAuth::UserAuthRequest',$url,"GET");return$req->normalized_request_url;}=head2 make_restricted_request <url> <HTTP method> [extra[s]]Make a request to C<url> using the given HTTP method.Any extra parameters can be passed in as a hash.=cutsubmake_restricted_request {my$self=shift;return$self->_error("This restricted request is not authorized")unless$self->authorized;return$self->_restricted_request($self->access_token,$self->access_token_secret,@_);}=head2 make_general_request <url> <HTTP method> [extra[s]]Make a request to C<url> using the given HTTP method usingthe general purpose tokens.Any extra parameters can be passed in as a hash.=cutsubmake_general_request {my$self=shift;return$self->_error("This general request is not authorized")unless$self->authorized_general_token;return$self->_restricted_request($self->general_token,$self->general_token_secret,@_);}sub_restricted_request {my$self=shift;my$token=shift;my$secret=shift;my$url=shift;my$method=shift;my%extras=@_;my$response=$self->_make_request('Net::OAuth::ProtectedResourceRequest',$url,$method,token=>$token,token_secret=>$secret,extra_params=> \%extras);return$response;}sub_make_request {my$self=shift;my$class=shift;my$url=shift;my$method=uc(shift);my@extra=@_;my$request=$self->_build_request($class,$url,$method,@extra);my$response=$self->{browser}->request($request);return$self->_error("$method on ".$request->normalized_request_url." failed: ".$response->status_line." - ".$response->content)unless($response->is_success );return$response;}useData::Dumper;sub_build_request {my$self=shift;my$class=shift;my$url=shift;my$method=uc(shift);my@extra=@_;my$uri= URI->new($url);my%query=$uri->query_form;$uri->query_form({});my$content;my$filename;if('PUT'eq$method) {# Get the content (goes in the body), and hash the content for inclusion in the messagemy%params=@extra;$filename=delete$params{extra_params}->{filename};return$self->_error('Missing required parameter $filename')unless$filename;# Slurp the file from abovemy$content="";$self->_read_file($filename,sub{$content.=shift} ) ;($filename) = fileparse($filename);# Net::OAuth doesn't seem to handle body hash, so do it ourselves# If the OAuth signature method is HMAC-SHA1 or RSA-SHA1, SHA1 MUST be used as the body hash algorithm# No discussion of other signature methods, but the draft spec for OAuth2 predictably says that SHA256# should be used for HMAC-SHA256if($self->signature_method eq'HMAC-SHA1'||$self->signature_method eq'RSA-SHA1') {$params{body_hash} = Digest::SHA::sha1_hex($content);}elsif($self->signature_method eq'HMAC-SHA256') {$params{body_hash} = Digest::SHA::sha256_hex($content);}else{return$self->_error("Unknown signature method: ".$self->signature_method);}@extra=%params;}my$request=$class->new(consumer_key=>$self->consumer_key,consumer_secret=>$self->consumer_secret,request_url=>$uri,request_method=>$method,signature_method=>$self->signature_method,protocol_version=>$self->oauth_1_0a ? Net::OAuth::PROTOCOL_VERSION_1_0A : Net::OAuth::PROTOCOL_VERSION_1_0,timestamp=>time,nonce=>$self->_nonce,extra_params=> \%query,@extra,);$request->add_optional_message_params('body_hash')if'PUT'eq$method;$request->sign;return$self->_error("Couldn't verify request! Check OAuth parameters.")unless$request->verify;my$req_url= ('GET'eq$method||'DELETE'eq$method) ?$request->to_url() :$url;my$req= HTTP::Request->new($method=>$req_url);if('PUT'eq$method) {$req->header('Authorization'=>$request->to_authorization_header(""));$req->header('Content-disposition'=>qq!attachment; filename="$filename"!);$req->content($content);}if('POST'eq$method) {# "@extra" params are the ones that don't start with oath_ in the hash# User passed them, they must want us to actually send them, huh?$request->add_optional_message_params($_)forgrep{ ! /^oauth_/ }keys%{$request->to_hash};$req->content_type('application/x-www-form-urlencoded');$req->content($request->to_post_body);}return$req;}sub_error {my$self=shift;my$mess=shift;if($self->{return_undef_on_error}) {$self->{_last_error} =$mess;}else{croak$mess;}returnundef;}=head2 last_errorGet the last error message.Only works if C<return_undef_on_error> was passed in to the constructor.See the section on B<ERROR HANDLING>.=cutsublast_error {my$self=shift;return$self->{_last_error};}=head2 load_tokens <file>A convenience method for loading tokens from a config file.Returns a hash with the token names suitable for passing toC<new()>.Returns an empty hash if the file doesn't exist.=cutsubload_tokens {my$class=shift;my$file=shift;my%tokens= ();return%tokensunless-f$file;$class->_read_file($file,sub{$_=shift;chomp;nextif/^#/;nextif/^\s*$/;nextunless/=/;s/(^\s*|\s*$)//g;my($key,$val) =split/\s*=\s*/,$_, 2;$tokens{$key} =$val;});return%tokens;}=head2 save_tokens <file> [token[s]]A convenience method to save a hash of tokens out to the given file.=cutsubsave_tokens {my$class=shift;my$file=shift;my%tokens=@_;my$max= 0;foreachmy$key(keys%tokens) {$max=length($key)iflength($key)>$max;}open(my$fh,">$file") ||die"Couldn't open $file for writing: $!\n";foreachmy$key(sortkeys%tokens) {my$pad=" "x($max-length($key));$fh"$key ${pad}= ".$tokens{$key}."\n";}close($fh);}sub_read_file {my$self=shift;my$file=shift;my$sub=shift;open(my$fh,$file) ||die"Couldn't open $file: $!\n";while(<$fh>) {$sub->($_)if$sub;}close($fh);}=head1 ERROR HANDLINGOriginally this module would die upon encountering an error (inheriting behaviourfrom the original Yahoo! code).This is still the default behaviour however if you now passreturn_undef_on_error => 1into the constructor then all methods will return undef on error instead.The error message is accessible via the C<last_error()> method.=head1 GOOGLE'S SCOPE PARAMETERGoogle's OAuth API requires the non-standard C<scope> parameter to be setin C<request_token_url>, and you also explicitly need to pass an C<oauth_callback>to C<get_authorization_url()> method, so that you can direct the user to your siteif you're authenticating users in Web Application mode. Otherwise Google will letuser grant acesss as a desktop app mode and doesn't redirect users back.Here's an example class that uses Google's Portable Contacts API via OAuth:package Net::AppUsingGoogleOAuth;use strict;use base qw(Net::OAuth::Simple);sub new {my $class = shift;my %tokens = @_;return $class->SUPER::new(tokens => \%tokens,urls => {request_token_url => "https://www.google.com/accounts/OAuthGetRequestToken?scope=http://www-opensocial.googleusercontent.com/api/people",authorization_url => "https://www.google.com/accounts/OAuthAuthorizeToken",access_token_url => "https://www.google.com/accounts/OAuthGetAccessToken",},);}package main;my $oauth = Net::AppUsingGoogleOAuth->new(%tokens);# Web application$app->redirect( $oauth->get_authorization_url( callback => "http://you.example.com/oauth/callback") );# Desktop applicationprint "Open the URL and come back once you're authenticated!\n",$oauth->get_authorization_url;See L<http://code.google.com/apis/accounts/docs/OAuth.html> and otherservices API documentation for the possible list of I<scope> parameter value.=head1 RANDOMNESSIf C<Math::Random::MT> is installed then any nonces generated will use aMersenne Twiser instead of Perl's built in randomness function.=head1 EXAMPLESThere are example Twitter and Twitter xAuth 'desktop' apps and a FireEagle OAuth 1.0a web appin the examples directory of the distribution.=head1 BUGSNon known=head1 DEVELOPERSThe latest code for this module can be found at=head1 AUTHORSimon Wistow, C<<simon@thegestalt.org>>=head1 BUGSPlease report any bugs or feature requests to C<bug-net-oauth-simple at rt.cpan.org>, or throughthe web interface at L<http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Net-OAuth-Simple>. I will be notified, and then you'llautomatically be notified of progress on your bug as I make changes.=head1 SUPPORTYou can find documentation for this module with the perldoc command.perldoc Net::OAuth::SimpleYou can also look for information at:=over 4=item * RT: CPAN's request tracker=item * AnnoCPAN: Annotated CPAN documentation=item * CPAN Ratings=item * Search CPAN=back=head1 COPYRIGHT & LICENSECopyright 2009 Simon Wistow, all rights reserved.This program is free software; you can redistribute it and/or modify itunder the same terms as Perl itself.=cut1;# End of Net::OAuth::Simple