admin/oik-clone-wp-api.php

Lines:

<?php // (C) Copyright Bobbing Wide 2014


/* function oik_clone_wp_api() – Display a box to connect to a remote server to list content
Display a box to list the content
Actions: Refresh from server */

/* function oik_clone_source_site() – Dialog to discover which site to clone and parameters to use */




/* function oik_clone_get_api_url() – Find the URL to access WP-API */




 
/* function oik_clone_selection_criteria() – Display the selected posts and find out what the user wants to do with them */




/* function oik_clone_source_site_check() – Perform checks on the source site */




/* function oik_clone_get_api_route() – */


/* function oik_clone_parse_links() – Parse the link from this ugly string */




/* function oik_clone_get_api_url() – Find the URL to access WP-API */





/**
 * 
 * In order to store OAuth authentication details for a remote site we need to be able to keep
 * the same information as WP-CLI does when using OAuth2
 * Where should this be stored? 
 * Options are:
 * - Oauth post type using post meta data
 * - user post meta - keyed the same way as WP-CLI caches its data
 * 
 * So how do we decide which "service" the user is using at the other site? 
 * I suppose we let them select it from those they have authorized.
 * 
 
string(29) "http://qw/wp40/oauth1/request"

    [Authorization] => OAuth oauth_version="1.0",oauth_nonce="b488a5fbf6a607072e332719c3278d0d",oauth_timestamp="1413205251",oauth_co
nsumer_key="qSWU6OQiP2aU",oauth_signature_method="HMAC-SHA1",oauth_signature="JPRP%2FFVf2lxxrsnmEp3Sw6byrYQ%3D"


Authorized!
Key: tWjAkyJzaSnMJ3gT4VOnzbf8
Secret: o5LhV1QveyCImx3TGb5Wvw7GjOOUoY7LugnjX1QwDEYV3oPD


Consumer key: qSWU6OQiP2aU
Consumer secret: ZxchyIePEPUkItiLZDcLCdu9tRRk42kMCq0sDySmeshn0Nle
Token key: ezhyYEwnz36Iy7DniaZYxp5c
Token secret: OwJu7pDqmIMz6eD4wmwQjs4PVOtlaQIHsUy92ocbmA1HDXSh

The information is stored in the wp_options table:
with an option_name of of oauth1_access_<i>Token key</i>

e.g. 

Key: oauth1_access_ezhyYEwnz36Iy7DniaZYxp5c


a:4:{s:3:"key";s:24:"ezhyYEwnz36Iy7DniaZYxp5c";
s:6:"secret";s:48:"OwJu7pDqmIMz6eD4wmwQjs4PVOtlaQIHsUy92ocbmA1HDXSh";
s:8:"consumer";i:524;
s:4:"user";i:2;}

WP-CLI stores the information in the cache
api/oauth1-blah

where blah is made from the URL you're using


But how do we actually use this information?
It must be the key that we pass to the server.
No, it's more complicated than that.

How does this make it any more secure?


OK, so now we're failing with 
23768456/23870904 F=160 check_oauth_signature(6) 
string_to_sign 
GET&http%3A%2F%2Fqw%2Fwp40%2Fwp-json%2Fusers&oauth_consumer_key%3DqSWU6OQiP2aU%26oauth_nonce%3D627d24e513113d719f3d6b668931637f%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1413222926%26oauth_token%3DezhyYEwnz36Iy7DniaZYxp5c%26oauth_version%3D1.0

 View on GitHub