Shinmera / north

An oAuth 1.0a Server & Client, Successor of South
https://shinmera.github.io/north/
zlib License

consumer-secret and token-secret should be encoded before being passed to sign in create-signature #2

Closed captnjameskirk closed 3 years ago

captnjameskirk commented 3 years ago

I've been struggling for a while to get north to work with the Etrade OAuth1 API but requests would keep failing with a 401 "signature invalid" error from Etrade. I've dug in deeper than I ever wanted to on the OAuth1.0a spec and finally figured out why Etrade couldn't validate the signature. In create-signature, north isn't percent-encoding the consumer-secret and token-secret as required by the spec. See section 9.2 which defines the signature signing key as "the concatenated values (each first encoded per Parameter Encoding) of the Consumer Secret and Token Secret, separated by an '&' character (ASCII code 38) even if empty".

Line 119 of toolkit.lisp is what needs to be fixed. I confirmed that signature validation with Etrade finally works once these are encoded before being passed to sign.

Note that signature validation would pass with any provider if the consumer-secret and token-secret did not contain any characters that needed encoding, which made testing and tracking this down take way too long. :)

It's a simple fix and I would submit a one-line PR, but unfortunately my job does not allow me to contribute code to any outside projects (the Etrade thing is a hobby project, they're not my employer).
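The section 9.2 signing-key rule the report describes, as an added Python example (this is not north's code; the base string, secrets and hostname are constructed samples). It builds the key both ways, spec-conformant and with the raw secrets the report says line 119 of toolkit.lisp was passing to sign, and shows why the mismatch only surfaces when a secret contains characters outside the unreserved set.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def oauth_encode(value: str) -> str:
    """OAuth 1.0a 'Parameter Encoding': percent-encode everything except the
    unreserved set A-Z a-z 0-9 - . _ ~, using uppercase hex digits."""
    return quote(value, safe="-._~")


def signing_key(consumer_secret: str, token_secret: str, encode: bool = True) -> str:
    """Section 9.2 key: encode(consumer secret) '&' encode(token secret); the '&'
    is present even when the token secret is empty. encode=False reproduces
    the unencoded key the report describes."""
    enc = oauth_encode if encode else (lambda s: s)
    return enc(consumer_secret) + "&" + enc(token_secret)


def hmac_sha1_signature(base_string: str, consumer_secret: str,
                        token_secret: str, encode: bool = True) -> str:
    """HMAC-SHA1 over the signature base string, base64-encoded as the spec requires."""
    key = signing_key(consumer_secret, token_secret, encode).encode("utf-8")
    digest = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def bug_is_visible(base_string: str, consumer_secret: str, token_secret: str) -> bool:
    """True when the raw-secret key produces a different signature than the
    spec key, i.e. when a provider validating per spec would answer 401."""
    good = hmac_sha1_signature(base_string, consumer_secret, token_secret, True)
    bad = hmac_sha1_signature(base_string, consumer_secret, token_secret, False)
    return good != bad


# Constructed sample base string: method & encoded URL & encoded parameter string.
SAMPLE_BASE = "GET&https%3A%2F%2Fapi.example.test%2Frequest&oauth_consumer_key%3Dkey123"

if __name__ == "__main__":
    # Secrets made only of unreserved characters: both keys are identical,
    # so the missing encoding step cannot be observed (the report's point).
    print(bug_is_visible(SAMPLE_BASE, "abc123", "xyz789"))        # False
    # A secret containing '+', '/' or '=' must be encoded first; here it matters.
    print(bug_is_visible(SAMPLE_BASE, "s3cr3t+key/1", "tok=en"))  # True
```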

Shinmera commented 3 years ago

Hey, sorry for all the trouble you must have gone through to debug this! I remember my own pain putting this library together in the first place all too well, ha ha.

Thanks a lot for the detailed report, too, should be fixed now!