26rairden / oauth-signpost

Automatically exported from code.google.com/p/oauth-signpost
0 stars 0 forks source link

Message signing with no token secret #2

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
When obtaining an Unauthorized Request Token, the request must be signed 
http://oauth.net/core/#auth_step1) However, at that point a Token Secret is not 
available. The 
specification allows for this in section 9.2. HMAC-SHA1 
(http://oauth.net/core/#anchor16) by 
not requiring a Token Secret (the implication is that it's the url-encoded 
consumer secret 
followed by an "&" and nothing else)

HmacSha1MessageSigner.java:25
 String keyString = OAuth.percentEncode(getConsumerSecret()) + '&' + 
OAuth.percentEncode(getTokenSecret());

Which depends on oauth.signpost.OAuth.percentEncode, which depends on 
com.google.gdata.util.common.base.PercentEscaper, which fails with an NPE if 
the Token Secret 
is null.

A quick fix is to add a test in oauth.signpost.OAuth.percentEncode and just 
return an empty 
string in the parameter is null.

With that fix, I could access Twitter using OAuth.

Original issue reported on code.google.com by ckstj...@gmail.com on 7 May 2009 at 10:47

GoogleCodeExporter commented 9 years ago
Can you please test this again with the latest build (see downloads)? I believe 
I
already fixed this as part of another change.

If the problem persists, please let me know and I'll investigate further.

Original comment by m.kaepp...@gmail.com on 13 May 2009 at 3:47

GoogleCodeExporter commented 9 years ago
Just checked again, this was resolved in changeset
http://code.google.com/p/oauth-signpost/source/detail?r=8

Thanks for reporting!

Original comment by m.kaepp...@gmail.com on 13 May 2009 at 8:15