Code review comment for lp:~leonardr/launchpad/anonymous-oauth

Leonard Richardson (leonardr) wrote :

This branch fixes bug 385517 (but not all of it: see bug 496964). It allows OAuth requests to bypass the normal verification process (and enjoy the privileges of the unauthenticated principal) if their token key is the empty string. All the real data the client has to provide is a consumer key.

If a normal request comes in with an unrecognized consumer key, the request is still rejected. Access tokens are associated with specific known consumers, so there's no way that request can be valid. But an anonymous request is valid even if it mentions a consumer key never seen before. If that happens, my branch automatically creates a consumer object associated with the consumer key, so it can be recognized later.

I created an 'anonymous_webservice' LaunchpadWebServiceCaller for use in testing anonymous access to the web service, and added some basic tests to xx-service.txt.
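
The decision rules described in the comment above, sketched as an added example (not code from the branch or from Launchpad). The in-memory stores, function names and sample values are constructed for illustration, signature verification is left out, and treating a missing `oauth_token` as non-anonymous is an assumption of this sketch.

```python
import re
from urllib.parse import unquote

# Constructed in-memory stores standing in for the server's database.
KNOWN_CONSUMERS = {"known-app"}
ACCESS_TOKENS = {"tok123": ("known-app", "alice")}  # token key -> (consumer, user)

UNAUTHENTICATED = "unauthenticated principal"


def parse_oauth_header(header):
    """Return the key="value" parameters of an 'OAuth ...' Authorization value."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth Authorization header")
    return {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', rest)}


def resolve_principal(header):
    """Apply the rules from the description and return the acting principal."""
    params = parse_oauth_header(header)
    consumer = params.get("oauth_consumer_key", "")
    if not consumer:
        # The consumer key is the one piece of real data every client supplies.
        raise PermissionError("a consumer key is required")
    token = params.get("oauth_token")  # None when absent (assumption: not anonymous)

    if token == "":
        # Anonymous request: skip token verification, remember unseen consumers.
        KNOWN_CONSUMERS.add(consumer)
        return UNAUTHENTICATED

    # Normal request: tokens belong to specific known consumers.
    if consumer not in KNOWN_CONSUMERS:
        raise PermissionError("unknown consumer on a non-anonymous request")
    owner = ACCESS_TOKENS.get(token)
    if owner is None or owner[0] != consumer:
        raise PermissionError("token was not issued to this consumer")
    return owner[1]
```

A consumer key first seen on an anonymous request is recognized afterwards, but it still cannot use a token that was issued to a different consumer.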
