Fixing the way signed parameters are encoded #7
Conversation
Fixed a bug where using a comma on a query parameter caused the generation of a wrong Oauth signature (result was being double encoded)
|
This is really weird :( The 1.0 spec ( http://tools.ietf.org/html/rfc5849#section-3.4.1 ) and the 1.0a reference (http://oauth.net/core/1.0a/#sig_norm_param) seem to be pretty clear on their approach, which matches what I've implemented! If I apply your changes they break several of the tests I can do :( I.e. other OAuth Providers do not behave as Twitter describe :( arggh OAuth can be such a PitA! |
|
Indeed it can be a pita :( The exact problem with your code was that: follow=1,2 became follow=1%2C2 and then on the final encodeData follow=1%2C2 became follow%3D1%25C2 (ie, %2C got double escaped) again, I think there is a problem on this specific case, but I'm still not sure if my solution is generic enough! I tried to run the tests running "make" on the console, but it always said "ran 0 tests" :/ |
|
I know :( The tests broke when I swapped to npm.. Its on my urgent todo list to fix them Sigh (I desperately want to) I've commented on your question in the mailing list as far as I can tell twitter are generating their signature incorrectly. The specification as far as I can interpret it, expects this behaviour! I confirmed this (by yet another source) at http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests/ :( |
|
Thank you ciaranj! We'll wait for twitter's response then :) Let's keep this on hold for now! |
|
no dude, thank you. I had no idea of this issue (I searched and searched the twitter APIs and couldn't find another example where they used commas as argument values.. but I imagine the issue exists with any argument value that requires encoding such as UTF8) :( |
|
For anyone else reading this, Twitter still haven't responded to me :( In the meantime just encode any parameters before passing them in for signing it will work with Twitter :( |
|
Link to thread about this with response from twitter. http://groups.google.com/group/twitter-development-talk/browse_thread/thread/0970d03e4e3528df |
|
Thanks ;) I'm not sure if I"m going insane or not, but given the silence i keep getting :( I may put in an 'if(twitter) { sign_like_this } section in the client ! |
|
Yea, seems a bit odd the way they interpreted it, but valid. I think having an option instead new OAuth({encoding:"twitter"}) or something would be more apt, just cant think of a good name. "inside-loop" "outside-loop" maybe? |
|
I genuinely don't think it is valid, not spec wise, but there's nothing stopping people form implementing OAuth however they want (it isn't true standard after all). The standard basically means the ',' will be encoded twice, once when the value is encoded, and then again when the whole concatentated string is encoded. In their scheme this re-encode of the comma never happens :( |
Hi. I was having a problem using node-oauth with Twitter SiteStreams.
I found the bug to be happening when I had a comma on the URL parameters, like "follow=123,324,45".
Checked the code and verified it was a double encoding bug. I think I've fixed it on my branch, here is the patch. Tell me what you think!
Thank you!