
Issues with comma in POST requests

Open bitwit opened this issue 11 years ago • 8 comments

I found when using this library that POSTs that included commas in the body or tags parameters would break the authorization.

In the OAuth1Controller.m after line 228, this seems to fix the issue:

baseString = [baseString stringByReplacingOccurrencesOfString:@"%2C" withString:@"%252C"];

I'm not sure if there is a more elegant or pull request worthy solution to this but I thought I would make note of it here in case anyone else has this issue.

I really like using this library though!

bitwit avatar Oct 26 '13 20:10 bitwit

Note: I had this problem with Tumblr, probably should have mentioned that since Tumblr is mentioned in the code for easy setup.

bitwit avatar Oct 26 '13 20:10 bitwit

I have also had this problem, but with GET requests containing commas or spaces in the querystring. I was signing requests against the Yelp API. I believe I've tracked down the source of the issue.

In the preparedRequestForPath method in OAuth1Controller.m (https://github.com/Christian-Hansen/simple-oauth1/blob/master/Simple-OAuth1/Simple-OAuth1/OAuth1Controller.m#L396), the parameter string is UTF8 encoded by the code at https://github.com/Christian-Hansen/simple-oauth1/blob/master/Simple-OAuth1/Simple-OAuth1/OAuth1Controller.m#L47. Yelp appears to additionally encode the characters "," and " " (space), so my API calls are failing with an invalid signature error.

Simply modifying that line to include the missing characters fixed the issue. I'm happy to submit a pull request, but am not sure a) whether this is common to other OAuth providers and b) whether commas and spaces are the only characters missing.

Hope that's helpful! -- Daniel

thisisdhaas avatar Apr 20 '15 09:04 thisisdhaas

@thisisdhaas Thanks. If those two additional characters are escaped, are you still able to create the proper signature with other providers? And what does the OAuth 1.0a spec say with regards to which characters should be escaped?

chrhansen avatar Apr 20 '15 17:04 chrhansen

This is a bit of an old issue I raised, but honestly, I would advise against using this OAuth library altogether. It's not up to spec with 1.0a and I went to production with a personal app and found even more problems along the way.

It's a little old now so I can't recall them all, but be forewarned this lib unfortunately gave me a lot of headaches.

Sorry Christian, nothing personal, but I think others need to be warned. Your proof of concept app should be expanded to test a POST request against a lot of irregular characters beyond commas. Unfortunately, this will be my last correspondence on the matter.

bitwit avatar Apr 20 '15 18:04 bitwit

@bitwit Thank you for the honest words. I guess the repository should be regarded more as a proof-of-concept OAuth1 implementation.

chrhansen avatar Apr 20 '15 19:04 chrhansen

Regarding the actual issue, I'm not in a position to test my fix against other APIs right now, but the OAuth 1.0a spec says that all characters not in the reserved set (ALPHA, DIGIT, -, ., _, ~) MUST be encoded (http://oauth.net/core/1.0a/#encoding_parameters), so escaping "," and " " (space) would bring the code closer to spec. Note that your function also escapes ~, which is against spec and might also cause issues.

thisisdhaas avatar Apr 27 '15 23:04 thisisdhaas
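
The encoding rule from the OAuth 1.0a spec linked in the comment above, as an added example that is not part of the original thread or the library's code. It is written in Python rather than the library's Objective-C, and it shows why a comma appears as %252C in the signature base string (each value is encoded once, then the whole parameter string is encoded again) while ~ stays literal. The URL, parameter values and secrets are constructed, and the URL is assumed to be already normalized with no query string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def oauth_encode(value: str) -> str:
    """OAuth 1.0a parameter encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    # quote() never escapes letters, digits or "_.-~" (Python 3.7+); safe="" also escapes "/".
    return quote(value, safe="")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # Encode every name and value once, sort by name, join into the normalized string.
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Method, URL and normalized string are each encoded again as a whole,
    # so "," becomes "%2C" in the first pass and "%252C" in the base string.
    return "&".join(oauth_encode(p) for p in (method.upper(), url, normalized))


def sign_hmac_sha1(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample request (not taken from the thread).
SAMPLE_URL = "https://api.example.com/v2/post"
SAMPLE_PARAMS = {
    "tags": "cats,dogs",
    "body": "hello world~",
    "oauth_consumer_key": "example-key",
    "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1382817600",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    base = signature_base_string("post", SAMPLE_URL, SAMPLE_PARAMS)
    print(base)
    print(sign_hmac_sha1(base, "consumer-secret", "token-secret"))
```

A client that skips "," or " " in the first pass, or escapes ~, produces a different base string from the server and therefore a signature that fails verification.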

@thisisdhaas Do you have a pull request you can show me? I am not getting a good signature either.

ideerge avatar Dec 04 '15 00:12 ideerge

Sorry, I never got around to making a PR and I don't have access to that development environment anymore. I think my first post in this thread describes the fix in enough detail to reproduce--wish I could be more help!

thisisdhaas avatar Jan 19 '16 01:01 thisisdhaas