From 42ca4de679b3c8f7736c9af12736ff5c7d01eaa5 Mon Sep 17 00:00:00 2001
From: Mike Bannister
Date: Sun, 29 Jul 2012 21:32:33 -0400
Subject: [PATCH] use oauth verifier
---
 .../accounts-oauth1-helper/oauth1_server.js | 4 +++-
 packages/oauth1/oauth1.js | 18 ++++++++++--------
 2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/packages/accounts-oauth1-helper/oauth1_server.js b/packages/accounts-oauth1-helper/oauth1_server.js
index 9506968cf9..e52e4f65a2 100644
--- a/packages/accounts-oauth1-helper/oauth1_server.js
+++ b/packages/accounts-oauth1-helper/oauth1_server.js
@@ -99,6 +99,8 @@
 } else {
+ // XXX Twitter's docs say to check that oauth_token is the
+ // same as the request token received in previous step
 // XXX does checking for the verifier really make sense?
 if (!req.query.oauth_token || !req.query.oauth_verifier) {
 // The user didn't authorize access
@@ -106,7 +108,7 @@
 }
 // Get the oauth token for signing requests
- oauth.getAccessToken(req.query.oauth_token);
+ oauth.getAccessToken(req.query);
 // Get or create user id
 var oauthResult = service.handleOauthRequest(oauth);
diff --git a/packages/oauth1/oauth1.js b/packages/oauth1/oauth1.js
index 0279c63622..929504a67a 100644
--- a/packages/oauth1/oauth1.js
+++ b/packages/oauth1/oauth1.js
@@ -1,8 +1,6 @@
 var crypto = __meteor_bootstrap__.require("crypto");
 var querystring = __meteor_bootstrap__.require("querystring");
-// XXX Use oauth verifier
-
 OAuth = function(config) {
 _.extend(this, config);
 };
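Review bot: In the first oauth1_server.js hunk (@@ -99,6 +99,8 @@) the two added XXX lines describe a check the code still does not perform: the guard below them only tests that `oauth_token` and `oauth_verifier` are present, so a callback carrying a token this server never requested still proceeds to the exchange. Where the request token from the first leg is kept is not visible here (oauth1.js sets `this.requestToken` in `getRequestToken`, but whether the same `oauth` object survives to the callback is unclear), so the comparison is sketched with a placeholder name: `if (req.query.oauth_token !== storedRequestToken) { /* take the not-authorized path */ }`. Until that exists, the comment would read better as `// TODO: reject the callback unless oauth_token equals the request token issued in the previous step`. The enclosing handler starts and ends outside the hunk.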
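Review bot: In the second oauth1_server.js hunk (@@ -106,7 +108,7 @@) `oauth.getAccessToken(req.query)` hands the whole request-controlled query object to the OAuth client, and the only check in front of it is truthiness. If the query parser in use turns repeated or bracketed keys into arrays or objects (not visible on this page), non-string values reach the header builder and the outgoing request. Tightening the guard to `typeof req.query.oauth_token !== 'string' || typeof req.query.oauth_verifier !== 'string'` and calling `oauth.getAccessToken({ oauth_token: req.query.oauth_token, oauth_verifier: req.query.oauth_verifier });` keeps the interface to the two fields the exchange needs.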
@@ -19,13 +17,16 @@ OAuth.prototype.getRequestToken = function(callbackUrl) {
 this.requestToken = tokens.oauth_token;
 };
-OAuth.prototype.getAccessToken = function(oauthToken) {
-
+OAuth.prototype.getAccessToken = function(query) {
 var headers = this._buildHeader({
- oauth_token: oauthToken
+ oauth_token: query.oauth_token
 });
- var response = this._call('post', this._urls.accessToken, headers);
+ var params = {
+ oauth_verifier: query.oauth_verifier
+ };
+
+ var response = this._call('post', this._urls.accessToken, headers, params);
 var tokens = querystring.parse(response.content);
 this.accessToken = tokens.oauth_token;
@@ -36,7 +37,7 @@ OAuth.prototype.call = function(method, url) {
 var headers = this._buildHeader({
 oauth_token: this.accessToken
 });
-
+
 var response = this._call(method, url, headers);
 return response.data;
@@ -77,7 +78,7 @@ OAuth.prototype._getSignature = function(method, url, rawHeaders, oauthSecret) {
 return crypto.createHmac('SHA1', signingKey).update(signatureBase).digest('base64');
 };
-OAuth.prototype._call = function(method, url, headers) {
+OAuth.prototype._call = function(method, url, headers, params) {
 // Get the signature
 headers.oauth_signature = this._getSignature(method.toUpperCase(), url, headers, this.accessTokenSecret);
@@ -87,6 +88,7 @@ OAuth.prototype._call = function(method, url, headers) {
 // Make signed request
 var response = Meteor.http[method.toLowerCase()](url, {
+ params: params,
 headers: {
 Authorization: authString
 }
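Review bot: The verifier added in the getAccessToken hunk (@@ -19,13 +17,16 @@) travels in `params`, but the `_call` hunks (@@ -77,7 +78,7 @@ and @@ -87,6 +88,7 @@) still compute `oauth_signature` from `headers` alone, so `oauth_verifier` is sent outside the signed parameter set. OAuth 1.0 signs every request parameter (RFC 5849 §3.4.1.3), so a strict provider may reject the exchange, while a lenient one accepts a verifier that the signature does not cover. The smallest change is to carry it with the other protocol parameters, `var headers = this._buildHeader({ oauth_token: query.oauth_token, oauth_verifier: query.oauth_verifier });`, assuming `_buildHeader` merges its argument into the signed header set (its body is outside the diff). If `params` stays for other callers, `_call` should pass it into `_getSignature` and the new argument should be documented.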