OAuth not generating new request tokens! about etsy HOT 9 CLOSED

I ran into something similar recently, and didn't have time to dig into it. I'm stuck in a cabin on a mountain right now, but on monday I'll be back in civilization, and would be happy to help debug and fix. If you want to do some remote pair programming on it let me know, and we can share a screen session or something.

from etsy.

That sounds cool. If you want to switch places, a cabin in the mountain sounds incredible. Send me a message whenever, I'd be happy to help if I can. In the meantime, I've just done the OAuth verification using the regular ol' oauth gem, which so far seems to be working.

from etsy.

I've committed a fix for this. Let me know if you run into any issues with it.

from etsy.

Hey awesome! I'll check it out and see how it goes, thanks for working on it! :-)

from etsy.

I just wanted to mention that I'm still seeing some issues with the etsy gem holding on to oauth tokens too long and giving them to the wrong person, so I'm going to be going through this with a fine-tooth comb in the next couple of days.

from etsy.

Katrina, do you have steps to reproduce this? I could take a stab at it this weekend as well.

from etsy.

Yepp, using this gist: https://gist.github.com/791872

This is what I did:

1. From localhost:4567 click 'authorize', and log in to etsy as PaisleyAnnHome
2. Click to view profile, and see 'logged in as PaisleyAnnHome'
3. Go back to localhost:4567, click 'authorize'
4. At etsy, switch to different user (circuit) and authorize
5. Click to view profile
   => Expected to see 'logged in as circuit', but saw 'logged in as PaisleyAnnHome'.

from etsy.

This is what I found: on line 124 of lib/etsy.rb we memoize the access token, thus giving the calling code back the previous client, regardless of the request token/secret that is being passed in.

We could probably check an existing client against the request token and generate a new client if the tokens don't match, but this time around I'm simply clearing out the @access_token at the same time as the @verification_request when someone starts a new verification against etsy.

from etsy.

After thinking about this a little longer, I decided to always ask for a new client if asking for an access token, so that it generates the access tokens based on the request tokens passed in, rather than any memory of what has gone before.

from etsy.