
Request parameters end up in oauth 'Authorization' header.

Open WanaByte opened this issue 14 years ago • 4 comments

I'm finding that adding a "limit" request parameter means that limit parameter is ending up in the 'Authorization' header.

This is using Rest Console, 4.0.2. I've included the raw request from the Chrome inspector (and removed my oAuth keys).

GET /v2/user/dashboard?limit=1 HTTP/1.1
Host: tumblr:8080
Connection: keep-alive
Authorization: OAuth oauth_signature_method="HMAC-SHA1" ,oauth_version="1.0" ,limit="1" ,oauth_nonce="PvZrN" ,oauth_timestamp="1317829910" ,oauth_consumer_key="..." ,oauth_token="..." ,oauth_signature="...%2Bgs%3D"
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

WanaByte avatar Oct 05 '11 15:10 WanaByte

yeah, the oAuth JS library I'm using is terrible, but it's the only one out there. It's actually used in production by some big systems ... but it's not that great, missing a lot of the most recent oAuth revisions, and does what you see there, includes the request parameters in the signed header ...

I have to write my own library, hopefully incorporating the most recent oAuth 1.0a revisions and oAuth 2.0 ... seems like a task for the weekend ...

Is this breaking your server in any way?

ahmadnassri avatar Oct 06 '11 05:10 ahmadnassri

btw, it's not just the limit parameter, it's all request parameters that end up in the header, correct?

ahmadnassri avatar Oct 06 '11 05:10 ahmadnassri

Correct, it looks like it's all parameters if they go into the request parameters section. I haven't tried the raw body.

Our OAuth implementation throws away any values it doesn't like, so it's not breaking anything on my end.

I'm wondering if it's ending up in the OAuth string, since some part of OAuth requires you to sort the parameters and take a hash of them for calculating the signature or nonce. Not sure about this 100% though.

WanaByte avatar Oct 06 '11 14:10 WanaByte

Well, the way I understand it, oAuth does require the parameters to create the signature string, but I think it was in a previous version of the spec that those parameters are also to be passed in the header. I think that's gone in 1.0a, but the JavaScript library I'm using doesn't seem to know that...

Like I said, I'm gonna have to write up a JavaScript oAuth library myself.

ahmadnassri avatar Oct 06 '11 16:10 ahmadnassri