Details
Bug
Resolution: Fixed
Medium
2012.2
Operating System: Ubuntu 10.04.3
PHP Version: 5.3.2
Database and version: MySQL 5.1
Browser (and version): ALL
Description
After upgrading from Community 2012.1 to 2012.2 the refresh token interface is broken.
This interface must be called using the POST method, as the documentation says:
http://doc.ez.no/var/doc/storage/images/media/images/oauth-flow-2/123635-1-eng-GB/Oauth-flow-2.png
and we can check that in the file "kernel/private/rest/classes/controllers/oauth_token.php".
However, the interface returns the following error when called in the same way as I did with 2012.1:
*"This method is not supported, allowed methods are: GET, OPTIONS"*
The route is defined in "kernel/private/rest/classes/auth/auth_provider.php":
public function getRoutes()
{
    $routes = array(
        'basicAuth'  => new ezpMvcRailsRoute( '/http-basic-auth', 'ezpRestAuthController', 'basicAuth' ),
        'oauthLogin' => new ezpMvcRailsRoute( '/oauth/login', 'ezpRestAuthController', 'oauthRequired' ),
        'oauthToken' => new ezpMvcRailsRoute( '/oauth/token', 'ezpRestOauthTokenController', 'handleRequest' )
    );
    return $routes;
}
But in "kernel/private/rest/classes/router/rails.php" we have:
public function __construct( $pattern, $controllerClassName, $protocolActionMap, array $defaultValues = array(), $protocol = null )
{
    if ( is_string( $protocolActionMap ) )
    {
        if ( $protocol === null )
        {
            $protocolActionMap = array( 'http-get' => $protocolActionMap );
        }
        else
        {
            // compatibility with 4.6 route definition
            $protocolActionMap = array( $protocol => $protocolActionMap );
        }
    }
    if ( !isset( $protocolActionMap['http-options'] ) )
    {
        $protocolActionMap['http-options'] = 'httpOptions';
    }
    $this->protocolActionMap = $protocolActionMap;
    parent::__construct( $pattern, $controllerClassName, '', $defaultValues );
}
So when $protocolActionMap is not given as an array (old-style API calls, as auth_provider.php does), the constructor takes http-get as the only allowed method, which prevents refreshing the token with POST.
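The following is an added example, not code from eZ Publish: a minimal stand-in class (DemoRailsRoute, a hypothetical name) that copies only the $protocolActionMap logic quoted above, plus two small helper methods (allowedMethods and actionFor, also hypothetical) so the effect of passing a string versus an explicit array can be checked on its own. It shows why the string form of the route yields "allowed methods are: GET, OPTIONS", and how declaring the /oauth/token route with an array keyed by 'http-post' (or with the 4.6-style $protocol argument) lets the refresh call through.

```php
<?php
// Added example (not eZ Publish code): mirrors the string-vs-array handling of
// ezpMvcRailsRoute::__construct so the bug can be reproduced without the kernel.
class DemoRailsRoute
{
    public $protocolActionMap;

    public function __construct( $pattern, $controllerClassName, $protocolActionMap,
                                 array $defaultValues = array(), $protocol = null )
    {
        if ( is_string( $protocolActionMap ) )
        {
            // A bare action name is bound to http-get only, unless $protocol is given
            // (the 4.6 compatibility path).
            $key = ( $protocol === null ) ? 'http-get' : $protocol;
            $protocolActionMap = array( $key => $protocolActionMap );
        }
        if ( !isset( $protocolActionMap['http-options'] ) )
        {
            $protocolActionMap['http-options'] = 'httpOptions';
        }
        $this->protocolActionMap = $protocolActionMap;
    }

    // HTTP methods this route accepts, in the "GET, OPTIONS" form used by the error message.
    public function allowedMethods()
    {
        $methods = array();
        foreach ( array_keys( $this->protocolActionMap ) as $key )
        {
            $methods[] = strtoupper( substr( $key, strlen( 'http-' ) ) );
        }
        return implode( ', ', $methods );
    }

    // Controller action for a request method, or null when the method is not routed.
    public function actionFor( $httpMethod )
    {
        $key = 'http-' . strtolower( $httpMethod );
        return isset( $this->protocolActionMap[$key] ) ? $this->protocolActionMap[$key] : null;
    }
}

// 1. The route as auth_provider.php defines it: a string action and no protocol.
//    Only GET and OPTIONS are routed, so a POST refresh_token request is rejected.
$asDefined = new DemoRailsRoute( '/oauth/token', 'ezpRestOauthTokenController', 'handleRequest' );
echo "string action      -> allowed: " . $asDefined->allowedMethods() . "\n";
echo "POST routed to     : " . var_export( $asDefined->actionFor( 'POST' ), true ) . "\n";

// 2. The same route with an explicit protocol map keyed by 'http-post'.
$explicitMap = new DemoRailsRoute( '/oauth/token', 'ezpRestOauthTokenController',
                                   array( 'http-post' => 'handleRequest' ) );
echo "array action map   -> allowed: " . $explicitMap->allowedMethods() . "\n";
echo "POST routed to     : " . var_export( $explicitMap->actionFor( 'POST' ), true ) . "\n";

// 3. The 4.6-compatible form: string action plus an explicit $protocol argument.
$compatForm = new DemoRailsRoute( '/oauth/token', 'ezpRestOauthTokenController', 'handleRequest',
                                  array(), 'http-post' );
echo "string + protocol  -> allowed: " . $compatForm->allowedMethods() . "\n";
echo "POST routed to     : " . var_export( $compatForm->actionFor( 'POST' ), true ) . "\n";
```

Run it with the PHP CLI: case 1 reports GET and OPTIONS only and no action for POST, which is exactly the rejection seen after the upgrade; cases 2 and 3 both route POST to handleRequest, so either form of the route definition in auth_provider.php restores the refresh-token endpoint under the new constructor.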
Steps to reproduce
Use the POST form I attached to reproduce it easily. You just have to modify the HTML to specify your domain. The other fields, except "grant_type=refresh_token", are not relevant to this test.