ciaranj / node-oauth

OAuth wrapper for node.js
MIT License

OAuth `authHeader` method not creating a valid signature for POST requests with url encoded form parameters #366

Open chrisbottin opened 2 years ago

chrisbottin commented 2 years ago

The OAuth `authHeader` method https://github.com/ciaranj/node-oauth/blob/master/lib/oauth.js#L574 does not accept the `extra_params` required to create a valid signature for POST requests with URL-encoded form parameters.

The solution is straightforward: it would just require adding the `extra_params` parameter to the method...

Before the fix

```js
exports.OAuth.prototype.authHeader= function(url, oauth_token, oauth_token_secret, method) {
  if( method === undefined ) {
    var method= "GET";
  }

  var orderedParameters= this._prepareParameters(oauth_token, oauth_token_secret, method, url, {});
  return this._buildAuthorizationHeaders(orderedParameters);
};
```

After the fix

```js
exports.OAuth.prototype.authHeader= function(url, oauth_token, oauth_token_secret, method, extra_params) {
  if( method === undefined ) {
    var method= "GET";
  }

  if( extra_params === undefined ) {
    var extra_params= {};
  }

  var orderedParameters= this._prepareParameters(oauth_token, oauth_token_secret, method, url, extra_params);
  return this._buildAuthorizationHeaders(orderedParameters);
};
```

I'm happy to create a pull request if it's likely to be approved and merged, please advise.
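
Why leaving the form fields out invalidates the signature, as an added example that is not part of the original issue and not node-oauth's code: a minimal RFC 5849 HMAC-SHA1 signer showing that a signature over the OAuth parameters alone differs from the one a server recomputes over the OAuth parameters plus the form-encoded body. The URL, credentials, nonce and form fields are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example: RFC 5849 (OAuth 1.0a) HMAC-SHA1 signing, independent of node-oauth.
const crypto = require('crypto');

// RFC 3986 percent-encoding as required by RFC 5849 section 3.6.
function pct(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Signature base string (section 3.4.1): METHOD & base URL & normalized params.
// `params` must merge the oauth_* values and, for
// application/x-www-form-urlencoded bodies, the form fields.
// Assumption: `url` carries no query string (it would have to be merged too).
function baseString(method, url, params) {
  const pairs = Object.entries(params)
    .map(([k, v]) => [pct(k), pct(v)])
    .sort((a, b) => a[0] < b[0] ? -1 : a[0] > b[0] ? 1
                  : a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0);
  const normalized = pairs.map(p => p.join('=')).join('&');
  return [method.toUpperCase(), pct(url), pct(normalized)].join('&');
}

function sign(method, url, params, consumerSecret, tokenSecret) {
  const key = pct(consumerSecret) + '&' + pct(tokenSecret);
  return crypto.createHmac('sha1', key)
    .update(baseString(method, url, params)).digest('base64');
}

// Constructed sample request (placeholder credentials, not real values).
const oauthParams = {
  oauth_consumer_key: 'example-consumer-key',
  oauth_token: 'example-token',
  oauth_nonce: 'constructed-nonce',
  oauth_timestamp: '1700000000',
  oauth_signature_method: 'HMAC-SHA1',
  oauth_version: '1.0',
};
const url = 'https://api.example.com/1/items';
const form = { name: 'test item', note: 'a&b=c' };

// What a client signs when the body is left out vs. what the server recomputes.
const clientSig = sign('POST', url, oauthParams, 'cs', 'ts');
const serverSig = sign('POST', url, { ...oauthParams, ...form }, 'cs', 'ts');

function signaturesMatch() { return clientSig === serverSig; }
console.log('header-only signature:', clientSig);
console.log('with form params     :', serverSig, 'match:', signaturesMatch());
```
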

ugpeter commented 1 year ago

@chrisbottin - I have the same issue (POST requests are being rejected due to authentication failings) and I believe it's due to the construction of the Authorization header.

I believe this is the same as what you're specifying. I attempted your change, but it did not make a difference, as I don't believe the method calling authHeader() has been updated to include extra_params.

Would be good to understand if you achieved success with this and/or a further change was required?

chrisbottin commented 1 year ago

@ugpeter authHeader doesn't yet accept the extra_params parameter.

I suggest you change your code to use oauth._prepareParameters(token, secret, method, url, params) instead of oauth.authHeader(url, token, secret, method). This is what I'm doing until a fix is applied.

ugpeter commented 1 year ago

Thanks for the response, @chrisbottin. I tried and unfortunately failed to make it work. I post my code here in an effort to determine if I missed something: https://stackoverflow.com/questions/73159810/why-would-my-oauth-post-request-to-twitter-ads-api-fail-while-the-get-request-w