Kong / mashape-oauth

OAuth Modules for Node.js - Supporting RSA, HMAC, PLAINTEXT, 2,3-Legged, 1.0a, Echo, XAuth, and 2.0
http://oauthbible.com
MIT License

FIX: Invalid signature generation #14

Closed neilco closed 8 years ago

neilco commented 9 years ago

This commit fixes an issue where the library is incorrectly normalizing and adding the request body when the content type is not form-encoded. This results in an invalid signature being generated for the request.

The OAuth 1.0a spec states this about normalizing request parameters:

9.1.1. Normalize Request Parameters

The request parameters are collected, sorted and concatenated into a normalized string:

  • Parameters in the OAuth HTTP Authorization header excluding the realm parameter.
  • Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded).
  • HTTP GET parameters added to the URLs in the query part (as defined by [RFC3986] section 3).

Source: OAuth 1.0a Spec: Normalize Request Parameters

[FIX] Check the content type when preparing the signature parameters.

nijikokun commented 9 years ago

Thanks, could you please provide tests, this could also break some providers implementations I fear.

neilco commented 9 years ago

It might take me a while to get to writing some tests. FYI, I was integrating with MasterCard's MoneySend API when I hit the issue this PR solves. I've been trying to find other examples of public OAuth 1.0a APIs with non-form-encoded POST endpoints—even going through your own API directory—and I'm coming up empty.