node-oauth's Issues

PLAINTEXT signature is encoded incorrectly

According to this: http://tools.ietf.org/html/rfc5849#section-3.4.4 the PLAINTEXT signature should have the encoded consumer secret, an '&' and the encoded token secret. The entire value is then encoded when placed in the header. However, currently it is encoding the entire concatenated value twice, resulting in the ampersand being encoded twice.

In my case, the OAuth service I use uses PLAINTEXT with no secret, so my signature is just the ampersand '&', which should be encoded in the header like this:
......,oauth_signature="%26"

However, currently the implementation encodes the ampersand twice, so that the signature ends up looking like this instead:
......,oauth_signature="%2526"
which fails.

I think the fix is to change these lines in oauth.js _createSignature():

   var key= this._consumerSecret + "&" + tokenSecret;

   var hash= ""
   if( this._signatureMethod == "PLAINTEXT" ) {
     hash= this._encodeData(key);
   }

to be like this:

   var key= this._encodeData(this._consumerSecret) + "&" + this._encodeData(tokenSecret);

   var hash= ""
   if( this._signatureMethod == "PLAINTEXT" ) {
     hash= key;
   }
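The encoding order this issue describes, as an added example that is not code from node-oauth or from the reporter. The function names are assumptions made for the illustration, and `plaintextSignatureAsReported` is a stand-in for the behaviour the issue reports, not the library's source. It also shows what the receiving side sees when the secrets themselves contain `&` or `%`.

```javascript
'use strict';

// RFC 5849 section 3.6 percent-encoding: everything except the unreserved set
// (A-Z a-z 0-9 - . _ ~) is encoded. encodeURIComponent leaves ! ' ( ) *
// untouched, so those are encoded explicitly.
function percentEncode(value) {
  return encodeURIComponent(value == null ? '' : String(value))
    .replace(/[!'()*]/g, function (c) {
      return '%' + c.charCodeAt(0).toString(16).toUpperCase();
    });
}

// RFC 5849 section 3.4.4: encode each secret on its own, then join the two
// with a literal '&'. The separator itself is not encoded at this stage.
function plaintextSignature(consumerSecret, tokenSecret) {
  return percentEncode(consumerSecret) + '&' + percentEncode(tokenSecret);
}

// Stand-in for the reported behaviour: the joined key is encoded as a whole,
// so the separator is already "%26" before the header encoding runs.
function plaintextSignatureAsReported(consumerSecret, tokenSecret) {
  return percentEncode((consumerSecret || '') + '&' + (tokenSecret || ''));
}

// Authorization header serialisation encodes every parameter value once more.
function headerParam(name, value) {
  return percentEncode(name) + '="' + percentEncode(value) + '"';
}

// Receiving side: undo the header encoding, split on the single literal '&',
// then decode each half. Returns null when there is not exactly one separator.
function parsePlaintextHeaderValue(encodedValue) {
  try {
    var parts = decodeURIComponent(encodedValue).split('&');
    if (parts.length !== 2) return null;
    return {
      consumerSecret: decodeURIComponent(parts[0]),
      tokenSecret: decodeURIComponent(parts[1])
    };
  } catch (e) {
    return null; // malformed percent-encoding
  }
}

// Constructed sample secrets, chosen to contain the characters that matter.
console.log(headerParam('oauth_signature', plaintextSignature('', '')));
console.log(headerParam('oauth_signature', plaintextSignatureAsReported('', '')));
console.log(parsePlaintextHeaderValue(percentEncode(plaintextSignature('a&b', 'c%d'))));
console.log(parsePlaintextHeaderValue(percentEncode(plaintextSignatureAsReported('a&b', 'c%d'))));
```
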

Node.js auto extracts object literals from query parameters

The querystring.parse method in node.js auto-converts arguments such as 'foo[bar]=xxx' into an object literal of the form: {bar :'xxx'} (named foo in the arguments hash).

Currently the node-oauth client does not handle this well. novemberborn has resolved this in his fork: https://github.com/novemberborn/node-oauth/commit/2d7fb8cd194a2af24900078f98fb0764b7b7df2e

Unfortunately it is so divergent from the current branch I can't merge it directly :(

OAuth2.prototype.getAuthorizeUrl()

More a Question than an issue:

Why doesn't OAuth2.prototype.getAuthorizeUrl make a request to the site, in order to get the code?

Do you plan to implement that functionality? Currently, to log in a Facebook app, I need to make the first request this way:

res.redirect(
    'https://graph.facebook.com/oauth/authorize?client_id=' + 
        clientId + '&redirect_uri='+ redirectUri);

Regards,

hermanjunge

Document dependencies

Hey, I didn't see anywhere where dependencies were documented. If there isn't such a place, one should be made. If there is, please kindly point me there, and close this issue with prejudice :).

Creating a new OAuth object fails on the Mac

var oa = new OAuth("http://term.ie/oauth/example/request_token.php?foo=bar",
"http://term.ie/oauth/example/access_token.php",
"key",
"secret",
"1.0",
null,
"PLAINTEXT")

The above fails with the following error on Mac:

node.js:134
throw e; // process.nextTick error, or 'error' event on first tick
^
TypeError: object is not a function
at Object.CALL_NON_FUNCTION_AS_CONSTRUCTOR (native)
at Object.<anonymous> (/Users/vivekian/code/PROG_LANGUAGES/JS/src/test.js:24:10)
at Module._compile (module.js:404:26)
at Object..js (module.js:410:10)
at Module.load (module.js:336:31)
at Function._load (module.js:297:12)
at Array.<anonymous> (module.js:423:10)
at EventEmitter._tickCallback (node.js:126:26)

undefined parsedUrl.hostname

https://github.com/ciaranj/node-oauth/blob/master/lib/oauth.js#L353

TypeError: Cannot call method 'match' of undefined

at Object.isAnEarlyCloseHost (/app/node_modules/oauth/lib/_utils.js:3:19)
at [object Object]._performSecureRequest (/app/node_modules/oauth/lib/oauth.js:353:37)
at secureRequest (/app/utils/github.js:88:27)
at [object Object].removeHook (/app/utils/github.js:153:10)
at Promise.<anonymous> (/app/app/controllers/github_controller.js:300:14)
at Promise.<anonymous> (/app/node_modules/mongoose/lib/promise.js:120:8)  
at Promise.<anonymous> (events.js:67:17)
at Promise.emit (/app/node_modules/mongoose/lib/promise.js:59:38)
at Promise.complete (/app/node_modules/mongoose/lib/promise.js:70:20)
at /app/node_modules/mongoose/lib/query.js:885:15

Had to change requests writes to binary to fix dropbox-node issue.

Hello,

Ran into an issue with file uploads using dropbox-node which depends on node-oauth oauth.js. I had to change the request.write calls to write in binary to get non-ascii file uploads (images, pdfs etc) to work. View the issue here. Not sure if this is something you want to adopt or if it will have implications with other oauth APIs, but the Dropbox Oauth api will not work with non-ascii files unless the request is written in binary.

Thanks,

Ralph

Missing licensing information

Hello,

I wanted to package node-oauth for Debian, but your source code is missing '''any''' licensing information. It would be nice if you could include a COPYING or LICENSE file, bonus points if you also include that information in package.json and inside the actual source code.

This issue is currently blocking packaging of other node modules and applications, it would be nice if you could fix it soon :)

Thanks,
David

Windows Live Protocol have some methods that return resources in 302

Fixing an issue where the Windows Live protocol returns some resources as HTTP Header Location data.

For example, if I want to get the profile picture for MSN, the URL of the resource is the Location of an HTTP header. So, if I don't want the data (the data of the image), and want the URL to download or to display the image, we must have access to that info in the response.

Fixed and requesting a Pull.

Why custom HMAC-SHA1 implementation?

Out of curiosity, why the custom implementation? I'm now using this in my OAuth provider:

var signature = require("crypto").createHmac("sha1", key).update(baseString).digest("base64");

which gives exactly the same result.

POST method to Twitter API returns error 401

Hello,
I've found out that POST method to Twitter API returns error 401:

{ statusCode: 401,
  data: '{"error":"Could not authenticate with OAuth.","request":"\\/1\\/direct_messages\\/new.json"}' }

Please, check this out and try to run this test-case:

var OAuth = require('oauth').OAuth,
    qs = require('querystring'),
    readline = require('readline');

var requestUrl = 'https://twitter.com/oauth/request_token';
var accessUrl = 'https://twitter.com/oauth/access_token';
var authorizeUrl = 'https://twitter.com/oauth/authorize';
var key = 'TBqMts49qNCZPz0ZeLVlQ';
var secret = 'xkqK6WVjzox0lWYBrrlNKw3x4qJWkxs6znTMaynVjU';

console.log("Emulating web-based app...");
var oa = new OAuth(requestUrl, accessUrl, key, secret, '1.0', null, 'HMAC-SHA1');
oa.getOAuthRequestToken(function(error, requestToken, requestTokenSecret, results) {
    if(error) console.log(error);
    else {
        console.log("Please go to this URL, authorize the app and copy PIN-code:");
        console.log(authorizeUrl + '?' + qs.stringify({oauth_token: requestToken}));
        var i = readline.createInterface(process.stdin, process.stdout);
        i.question('Enter PIN-code: ', function(verifier) {
            i.close();
            process.stdin.destroy();
            oa.getOAuthAccessToken(requestToken, requestTokenSecret, verifier, function(error, accessToken, accessTokenSecret) {
                if(error) console.log(error);
                else {
                    oa.get('https://api.twitter.com/1/direct_messages/sent.json?count=1&page=1', accessToken, accessTokenSecret, function(error, data) {
                        console.log('\nGET direct message:\n');
                        if(error) console.log(error);
                        else {
                            console.log(data);
                            var user_id = JSON.parse(data)[0].recipient_id;
                            var body = qs.stringify({user_id: user_id, text: 'Testing...'});
                            oa.post('https://api.twitter.com/1/direct_messages/new.json', accessToken, accessTokenSecret, body, function(error, data) {
                                console.log('\nPOST direct message:\n');
                                console.log(error || data);
                            });
                        }
                    });
                }
            });
        });
    }
});

Hello documentation?

I installed this module using npm and the source code here is totally different.
The examples do not work at all, the constructor params seem to have changed... I don't know how to use this lib... please help?

Google Refresh Token

I'm trying to request a new access token using the refresh token originally provided, but can't get it to work. I'm requesting offline access so the refresh token is available but the actual call doesn't work. It seems like the library doesn't support it. Is that correct or am I missing something?

Here's the message received from Google:
Missing required parameter: refresh_token

Here's my code:

// OAuth2 is the class exported by the node-oauth package
var OAuth2 = require('oauth').OAuth2;

exports.RefreshGmailToken = function (clientId, clientSecret, refreshToken, callback) {

    this._clientId = clientId;
    this._clientSecret = clientSecret;
    this._basePath = '';
    this._authorizePath = 'https://accounts.google.com/o/oauth2/auth';
    this._accessTokenPath = 'https://accounts.google.com/o/oauth2/token';

    // declared with var so it does not leak into the global scope
    var gmailAuthObject = new OAuth2(this._clientId,
        this._clientSecret,
        this._basePath,
        this._authorizePath,
        this._accessTokenPath);

    gmailAuthObject.getOAuthAccessToken(
        refreshToken,
        {grant_type: 'refresh_token'},
        function (error, access_token, refresh_token) {
            if (error)
                return callback(error);

            return callback(null, access_token);

        });
};

401 unauthorized - twitter streaming api

When trying to make a GET request (as described in the wiki) to Twitter's streaming API, I get the answer 401/unauthorized.

Requests to the REST API work well with the same get method and the same oauth _access_token/secret_token.

P.S. In the wiki the request is via http. Twitter does not accept it at all. Over https it returns the described result.

Accept response codes other than 200

At the moment, if an API request returns a 302 code it is treated as an error.
Twitter and Facebook both use 302 redirects for getting profile images.

Google APIs (OAuth2)

A part of google APIs is accessible under the URL googleapis.com

It does seem to suffer from the same early closing, so changing the isAnEarlyCloseHost method to the following (or something similar) is necessary to be able to query those services:

return hostName.match(".*google.com$") || hostName.match(".*googleapis.com$");

Twitter getOAuthRequestToken does not work with callback

new oauth.OAuth(
  "https://twitter.com/oauth/request_token", "https://twitter.com/oauth/access_token", 
  key, secret, "1.0A", callback, "HMAC-SHA1"
  )
  .getOAuthRequestToken(function (error, oauth_token, oauth_token_secret, results) {
    console.log(error)
  })

{ statusCode: 401,
  data: '<?xml version="1.0" encoding="UTF-8"?>\n<hash>\n  <error>Desktop applications only support the oauth_callback value \'oob\'</error>\n  <request>/oauth/request_token</request>\n</hash>\n' }

Does not work with https://userstream.twitter.com

Connection ends unexpectedly less than a second after the response event is emitted. Is there any hack?
I would like to do it my way without this lib but I don't know what damn headers Oauth needs, all I see is a lot of nonsense hashes and numbers.
Appreciate any help or link explaining how the fuck Oauth is used.
Thanks.

Parameter sorting and encoding

Reading through http://tools.ietf.org/html/rfc5849:

3.4.1.3.2. Parameters Normalization

The parameters collected in Section 3.4.1.3 are normalized into a
single string as follows:

  1. First, the name and value of each parameter are encoded
    (Section 3.6).
  2. The parameters are sorted by name, using ascending byte value
    ordering. If two or more parameters share the same name, they
    are sorted by their value.

However, in node-oauth:

exports.OAuth.prototype._normaliseRequestParams= function(arguments) {
  var argument_pairs= this._sortRequestParams( arguments );
  var args= "";
  for(var i=0;i<argument_pairs.length;i++) {
      args+= this._encodeData( argument_pairs[i][0] );
      args+= "="
      args+= this._encodeData( argument_pairs[i][1] );
      if( i < argument_pairs.length-1 ) args+= "&";
  }     
  return args;
}

I.e. the params are sorted before they are encoded.
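Why the order of the two steps matters, as an added example that is not code from node-oauth or from the reporter. `normaliseParams`, `sortThenEncode` and the sample parameters are constructed for the illustration, and `sortThenEncode` is a stand-in for the sort-before-encode order the issue describes. The example takes `[name, value]` pairs so that repeated names are kept and ordered by value, which goes slightly beyond the case in the issue.

```javascript
'use strict';

// RFC 5849 section 3.6 percent-encoding (unreserved: A-Z a-z 0-9 - . _ ~).
function percentEncode(value) {
  return encodeURIComponent(value == null ? '' : String(value))
    .replace(/[!'()*]/g, function (c) {
      return '%' + c.charCodeAt(0).toString(16).toUpperCase();
    });
}

function compareStrings(a, b) {
  return a < b ? -1 : (a > b ? 1 : 0);
}

// Order by name, then by value for equal names.
function comparePairs(a, b) {
  return compareStrings(a[0], b[0]) || compareStrings(a[1], b[1]);
}

// RFC 5849 section 3.4.1.3.2: encode names and values first, then sort, then
// join. After encoding every string is plain ASCII, so JavaScript's code-unit
// comparison is the same as the "ascending byte value" order the RFC asks for.
function normaliseParams(pairs) {
  return pairs
    .map(function (p) { return [percentEncode(p[0]), percentEncode(p[1])]; })
    .sort(comparePairs)
    .map(function (p) { return p[0] + '=' + p[1]; })
    .join('&');
}

// Stand-in for the order the issue describes: sort the raw pairs, then encode.
function sortThenEncode(pairs) {
  return pairs
    .slice()
    .sort(comparePairs)
    .map(function (p) { return percentEncode(p[0]) + '=' + percentEncode(p[1]); })
    .join('&');
}

// Constructed sample. '[' (0x5B) sorts after '.' (0x2E) in raw form, but its
// encoded form starts with '%' (0x25), which sorts before '.'.
var SAMPLE_PARAMS = [
  ['item[id]', '7'],
  ['item.id', '9'],
  ['tag', 'b'],
  ['tag', 'a']
];

console.log(normaliseParams(SAMPLE_PARAMS));
console.log(sortThenEncode(SAMPLE_PARAMS));
```

Both sides of an exchange have to produce the same string, so a client using one order and a server using the other will disagree on the signature base string whenever a parameter name or value contains a character that is percent-encoded.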

Callback not getting triggered

I am able to get access_token and access_token_secret back from Twitter, but when I go to make a GET request to the rest api using the supplied get() method, my callback function is not being triggered.

Example:

function consumer() {
  return new OAuth(
    "https://api.twitter.com/oauth/request_token",
    "https://api.twitter.com/oauth/access_token",
    _twitterConsumerKey,
    _twitterConsumerSecret,
    "1.0A",
    "http://1.1.1.1/auth/twitter/callback",
    "HMAC-SHA1"
  );
}

consumer().get("https://api.twitter.com/1/account/verify_credentials.json", req.session.oauthAccessToken, req.session.oauthAccessTokenSecret, function (error, data, response) {
  res.send("Callback triggered.");
});

Any suggestions on where to go with this problem? Thanks in advance.

Error Authenticating with Facebook Graph API

It seems that when you try and authenticate with facebook the authentication / granting fails with:
{ statusCode: 400, data: '{"error":{"type":"OAuthException","message":"Invalid verification code format."}}' }

The request appears to be:

  POST /oauth/access_token?&grant_type=client_credentials&client_id=...&client_secret=...&type=web_server&code=

It seems that this is caused because the querystring type argument is set to "web_server" which expects a "code" parameter, although, looking at the facebook documentation, It seems that this mode is only used when authenticating on behalf of a user, not an application.

Example:

  POST /oauth/access_token?&grant_type=client_credentials&client_id=...&client_secret=...

Works and returns a correct access token.

Are the code & type fields required by spec to be sent?

Need OAuth2 example

I would love to have an example to follow for OAuth2 and Google services. Thanks!

Support for 301 Redirects

I've been struggling with a really simple OAuth integration with the site Goodreads. They throw a 301 redirect when you hit /oauth/request_token before returning the oauthToken and oauthSecret. The app errors out currently because the oauth plugin only follows 302 redirects atm.

I've temporarily modified the oauth.js (line 360) with this hotfix but as I'm a neophyte programmer, I'm sure it's not the most efficient way to handle this:

else if(response.statusCode == 301 && response.headers && response.headers.location) {
  self._performSecureRequest( oauth_token, oauth_token_secret, method, response.headers.location, extra_params, post_body, post_content_type, callback);
}

Strict Whitespace in HTTP Headers

Hi, I have been getting started with node by using the recently updated Tumblr API.
I kept getting 401/Unauthorized errors when using this oauth package. For the life of me I couldn't figure out what was going on... until I looked close at the HTTP headers.

Tumblr is seemingly implementing things very strictly and requires a space after each comma.
I forked and updated things so that they work for Tumblr OAuth and the fix seems to work for Twitter and Term.ie as well.

Curious about your thoughts on this fix... happy to do a pull request!
Henry

signUrl method not accepting PUT or DELETE methods

By changing line 362 in /usr/local/lib/node/.npm/oauth/0.8.3/package/lib/oauth.js from
if( oauth_token) {
    collectedParameters["oauth_token"]= oauth_token;
}

to

// allow empty oauth_token for signed get requests - 2-legged oAuth
if( oauth_token != null) {
    collectedParameters["oauth_token"]= oauth_token;
}

I can get both PUT and DELETE to work.
Please fix.

TypeError: Cannot call method 'addListener' of undefined

On node v0.3.8-pre:

node.js:116
        throw e; // process.nextTick error, or 'error' event on first tick
        ^
TypeError: Cannot call method 'addListener' of undefined
    at [object Object]._performSecureRequest (/usr/local/lib/node/.npm/oauth/0.8.4/package/lib/oauth.js:306:20)
    at [object Object].getOAuthRequestToken (/usr/local/lib/node/.npm/oauth/0.8.4/package/lib/oauth.js:390:8)
    at Object.<anonymous> (term.ie.oauth-PLAINTEXT.js)
    at Module._compile (module.js:287:26)
    at Object..js (module.js:293:10)
    at Module.load (module.js:219:31)
    at Function._load (module.js:186:10)
    at Array.<anonymous> (module.js:307:10)
    at EventEmitter._tickCallback (node.js:108:26)

This is the result of running examples/term.ie.oauth-PLAINTEXT.js

Conflict with jsdom

I found a conflict with the jsdom module and node-oauth. It took some debugging, but I found the exact line where the issue takes place. Mind you I don't know enough to debug further why it is happening, but code is as follows.

At line 205 in lib/oauth.js:
if (orderedParameters[i][0].match('^oauth_') == "oauth_") {
  authHeader+= this._encodeData(orderedParameters[i][0])+"=\""+this._encodeData(orderedParameters[i][1])+"\",";
}

The if statement fails when jsdom is included in a script. I dug into the headers being created and when jsdom is required, the parameters don't actually make it into the headers. For a quick fix I just check if each parameter is there with an if (orderedParameters[i][0]), since I don't plan on using extra parameters.

I don't know where the issue lies, I tried looking into jsdom code, but can't find anything relevant.

Code example demonstrating Facebook & OAuth2

The documentation for how, or even if it's possible, to do this with node-oauth is somewhat vague or non-existent.

There is an example of some code in the connect-auth project:
https://github.com/ciaranj/connect-auth/wiki/Express---Facebook-example-(with-additional-cunning-sign-in-page-redirect-logic)

However, it does not appear (on the surface at least) that node-oauth is using connect-auth in its oauth2 implementation:
https://github.com/ciaranj/node-oauth/blob/master/lib/oauth2.js

Apologies if this has been previously answered. Either way, it would be very good to have some kind of info in the documentation indicating whether or not Facebook OAuth2 is compatible with node-oauth.

According to RFC 5849, one should use POST to retrieve token credentials

Line 294 (in oauth.js) uses GET, but according to the spec, the default request method is POST unless the server advertises a different request method. Twitter for instance supports both GET and POST, but my server will only accept POST.

I guess this should default to POST but be configurable.

a way to catch net exceptions

Sometimes I'd get an exception like

node.js:50
throw e; // process.nextTick error, or 'error' event on first tick
^
Error: EINVAL, Invalid argument
at doConnect (net.js:642:19)
at net.js:803:9
at dns.js:171:34
at IOWatcher.callback (dns.js:48:15)
at node.js:616:9

but it does not look like I can catch it using currently provided APIs of node-connect.

Please correct me if I am wrong, I would actually like to be wrong in this case.

Thanks.

Does not allow for multiple querystring parameters with the same name

Some APIs that use this module allow the developer to pass the same querystring parameter multiple times. For instance, see SimpleGeo and categories... https://simplegeo.com/docs/api-endpoints/simplegeo-places

The oauth implementation turns querystring parameters into an object, so a given parameter can only exist one time, so it changes the parameter name to be category[0], category[1], etc.

I devised a way to fix this by modifying "exports.OAuth.prototype._normaliseRequestParams" to look like this...

exports.OAuth.prototype._normaliseRequestParams= function(arguments) {
  var argument_pairs= this._makeArrayOfArgumentsHash(arguments);

  // David DeRemer: added logic to allow for multiple occurrences of the same querystring parameter
  // (strips the "[n]" index that was added to repeated parameter names)
  for (var i=0; i<argument_pairs.length; i++) {
    if (argument_pairs[i][0].search(/\[\d*\]/) != -1) {
      argument_pairs[i] = [argument_pairs[i][0].replace(/\[\d*\]/,''), argument_pairs[i][1]];
    }
  }

  // First encode them #3.4.1.3.2 .1
  for(var i=0;i<argument_pairs.length;i++) {
    argument_pairs[i][0]= this._encodeData( argument_pairs[i][0] );
    argument_pairs[i][1]= this._encodeData( argument_pairs[i][1] );
  }

  // Then sort them #3.4.1.3.2 .2
  argument_pairs= this._sortRequestParams( argument_pairs );

  // Then concatenate together #3.4.1.3.2 .3 & .4
  var args= "";
  for(var i=0;i<argument_pairs.length;i++) {
    args+= argument_pairs[i][0];
    args+= "="
    args+= argument_pairs[i][1];
    if( i < argument_pairs.length-1 ) args+= "&";
  }
  return args;
}

You may want to consider adding something like this into the main branch.

ClientRequest.socket is now undefined.

I got an error:

TypeError: Cannot call method 'addListener' of undefined
  at [object Object]._performSecureRequest (/home/meso/.nvm/v0.3.8/lib/node/.npm/oauth/0.8.4/package/lib/oauth.js:306:20)

After Node v0.3.6, ClientRequest.socket is undefined.
Maybe this line should be
request.addListener("error",callback);

POST using oAuth (ie to post a tweet)

Hi,

First of all thanks for the library, works great!

I need to use oAuth to post a new tweet but I cannot make it work.
It looks like you are not accepting to have data in part of the body of the request (for POST method).

How can I perform a secure request that looks like the following:
Accept: */*
Connection: close
User-Agent: OAuth gem v0.3.4.1
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth oauth_nonce="qtby7fwJy8SnjY4vbmWiqJoSx3wQCIGb8LVpPI7o", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1281054979", oauth_consumer_key="whatever", oauth_token="55993-whatever", oauth_signature="whatever%3D", oauth_version="1.0"
Content-Length: 61
Host:api.twitter.com

status=My first tweet

Thanks so much!
Xavier

Twitter Authentication with an explicit callback url...

Hello, I am trying to authenticate with Twitter's OAuth 1.0A services. As per the 1.0a changes, the callback URL is required to be sent in the request token url, and doing that manually (i.e. in the OAuth constructor) leads to Twitter rejecting the signature that was generated.

See more information here: http://groups.google.com/group/twitter-development-talk/browse_thread/thread/ecc234568479a490

Any insight on this would be very appreciated. Thanks in advance!

Unknown Authorization Header

I am getting an 'unknown authorization error' in my response from getProtectedResource. I am trying the Google oauth calendar demo from the wiki.
Here is the console after the request...

oauth_token :4/5Y...
oauth_token_secret :qDi9...
requestoken results :{ oauth_callback_confirmed: 'true' }
Requesting access token
oauth_access_token :undefined
oauth_token_secret :undefined
accesstoken results :undefined
Requesting access token
{ statusCode: 401,
data: '\n\nUnknown authorization header\n

Unknown authorization header

\n

Error 401

\n\n\n' }

The only changes to the demo that I have made was adding my scope to getOAuthRequest token and added 'sys.puts(sys.inspect(error));' to the callback function at the end to see the error that was coming back.
I don't know how to check the header of the request, but I think Google is looking for a different sequence of values in the header.
