TritonDataCenter / node-http-signature

Reference implementation of Joyent's HTTP Signature Scheme
https://tritondatacenter.com
MIT License

Multiple header values not serialized properly per the spec #75

Open dlongley opened 6 years ago

dlongley commented 6 years ago

There are multiple places in this lib that do not serialize multiple header values according to the spec. The code assumes that the value of a header will be a string -- or, that if it is an array, that the default join will suffice. This is not the case -- the spec says (in Section 2.3. Signature String Construction):

If there are multiple instances of the same header field, all header field values associated with the header field MUST be concatenated, separated by an ASCII comma and an ASCII space (", "), and used in the order in which they will appear in the transmitted HTTP message. Any other modification to the header field value MUST NOT be made.

This means that everywhere in this lib that does the construction: header + ' ' + value (or similar), where value may be an array, is incorrect. It should be header + ' ' + value.join(', '). Ideally, all of these spots would also be consolidated so only one place needs to be maintained.

At least these instances need to be fixed:

https://github.com/joyent/node-http-signature/blob/master/lib/signer.js#L130
https://github.com/joyent/node-http-signature/blob/master/lib/signer.js#L133
https://github.com/joyent/node-http-signature/blob/master/lib/signer.js#L338
https://github.com/joyent/node-http-signature/blob/master/lib/parser.js#L271