According to this: http://tools.ietf.org/html/rfc5849#section-3.4.4 the PLAINTEXT signature should have the encoded consumer secret, an '&' and the encoded token secret. The entire value is then encoded when placed in the header. However, currently it is encoding the entire concatenated value twice, resulting in the ampersand being encoded twice.

In my case, the oath service I use uses PLAINTEXT with no secret, so my signature is just the ampersand '&', which should be encoded in the header like this:
......,oauth_signature="%26"

However, currently the implementation encodes the ampersand twice, so that the signature ends up looking this this instead:
......,oauth_signature="%2526"
which fails.

I think the fix is to change these lines in oauth.js _createSignature():

   var key= this._consumerSecret + "&" + tokenSecret;

   var hash= ""
   if( this._signatureMethod == "PLAINTEXT" ) {
     hash= this._encodeData(key);
   }

to be like this:

  var key= this._encodeData(this._consumerSecret) + "&" + this._encodeData(tokenSecret);

   var hash= ""
   if( this._signatureMethod == "PLAINTEXT" ) {
     hash= key;
   }

The querystring.parse method in node.js auto-converts arguments such as 'foo[bar]=xxx into an object literal of the form: {bar :'xxx'} (named foo in the arguments hash.

Currently the node-oauth client does not handle this well. novermberborn has resolved this in his fork: https://github.com/novemberborn/node-oauth/commit/2d7fb8cd194a2af24900078f98fb0764b7b7df2e

Unfortunately it is so divergent from the current branch I can't merge it directly :(

changing it to "keep-alive" fixes the problem, specifically with google.

More a Question than an issue:

Why OAuth2.prototype.getAuthorizeUrl doesn't make a request to the site, in orden to get the code?

Do you have planned to implement that functionality. Currently, to log in a facebook app, I need to make the first request this way:

res.redirect(
    'https://graph.facebook.com/oauth/authorize?client_id=' + 
        clientId + '&redirect_uri='+ redirectUri);

Regards,

hermanjunge

Hey, I didn't see anywhere where dependencies were documented. If there isn't such a place, one should be made. If there is, please kindly point me there, and close this issue with prejudice :).

I just did a clean npm install and noticed that it installed v 0.9.0 ... is this the latest? (I'm having trouble fixing the repeating connects in connect-auth)

var oa = new OAuth("http://term.ie/oauth/example/request_token.php?foo=bar",
"http://term.ie/oauth/example/access_token.php",
"key",
"secret",
"1.0",
null,
"PLAINTEXT")

*The above fails with the following error on Mac :

node.js:134
throw e; // process.nextTick error, or 'error' event on first tick
^
TypeError: object is not a function
at Object.CALL_NON_FUNCTION_AS_CONSTRUCTOR (native)
at Object. (/Users/vivekian/code/PROG_LANGUAGES/JS/src/test.js:24:10)
at Module._compile (module.js:404:26)
at Object..js (module.js:410:10)
at Module.load (module.js:336:31)
at Function._load (module.js:297:12)
at Array. (module.js:423:10)
at EventEmitter._tickCallback (node.js:126:26)

https://github.com/ciaranj/node-oauth/blob/master/lib/oauth.js#L353

TypeError: Cannot call method ‘match’ of undefined

at Object.isAnEarlyCloseHost (/app/node_modules/oauth/lib/_utils.js:3:19)
at [object Object]._performSecureRequest (/app/node_modules/oauth/lib/oauth.js:353:37)
at secureRequest (/app/utils/github.js:88:27)
at [object Object].removeHook (/app/utils/github.js:153:10)
at Promise.<anonymous> (/app/app/controllers/github_controller.js:300:14)
at Promise.<anonymous> (/app/node_modules/mongoose/lib/promise.js:120:8)  
at Promise.<anonymous> (events.js:67:17)
at Promise.emit (/app/node_modules/mongoose/lib/promise.js:59:38)
at Promise.complete (/app/node_modules/mongoose/lib/promise.js:70:20)
at /app/node_modules/mongoose/lib/query.js:885:15

Hello,

Ran into an issue with file uploads using dropbox-node which depends on node-oauth oauth.js. I had to change the request.write calls to write in binary to get non-ascii file uploads (images, pdfs etc) to work. View the issue here. Not sure if this is something you want to adopt or if it will have implications with other oauth APIs, but the Dropbox Oauth api will not work with non-ascii files unless the request is written in binary.

Thanks,

Ralph

Does node-oauth currently support Immediate Mode?

Hello,

I wanted to package node-oauth for Debian, but your source code is missing '''any''' licensing information. It would be nice if you could include a COPYING or LICENSE file, bonus points if you also include that information in package.json and inside the actual source code.

This issue is currently blocking packaging of other node modules and applications, it would be nice if you could fix it soon :)

Thanks,
David

Fixing a issue where Windows Live protocol return some resources as HTTP Header Location data.

For example, if i want to get the profile picture for MSN, the URL of resource is the Location of a HTTP header. So, if i dont want the data (the data of image), and URL for download or for display the image, we must have access to that info in response.

Fixed and requesting a Pull.

Out of curiosity, why the custom implementation? I'm now using this in my OAuth provider:

var signature = require("crypto").createHmac("sha1", key).update(baseString).digest("base64");

which gives exactly the same result.

Hello,
I've found out that POST method to Twitter API returns error 401:

{ statusCode: 401,
  data: '{"error":"Could not authenticate with OAuth.","request":"\\/1\\/direct_messages\\/new.json"}' }

Please, check this out and try to run this test-case:

var OAuth = require('oauth').OAuth,
    qs = require('querystring'),
    readline = require('readline');

var requestUrl = 'https://twitter.com/oauth/request_token';
var accessUrl = 'https://twitter.com/oauth/access_token';
var authorizeUrl = 'https://twitter.com/oauth/authorize';
var key = 'TBqMts49qNCZPz0ZeLVlQ';
var secret = 'xkqK6WVjzox0lWYBrrlNKw3x4qJWkxs6znTMaynVjU';

console.log("Emulating web-based app...");
var oa = new OAuth(requestUrl, accessUrl, key, secret, '1.0', null, 'HMAC-SHA1');
oa.getOAuthRequestToken(function(error, requestToken, requestTokenSecret, results) {
    if(error) console.log(error);
    else {
        console.log("Please go to this URL, authorize the app and copy PIN-code:");
        console.log(authorizeUrl + '?' + qs.stringify({oauth_token: requestToken}));
        var i = readline.createInterface(process.stdin, process.stdout);
        i.question('Enter PIN-code: ', function(verifier) {
            i.close();
            process.stdin.destroy();
            oa.getOAuthAccessToken(requestToken, requestTokenSecret, verifier, function(error, accessToken, accessTokenSecret) {
                if(error) console.log(error);
                else {
                    oa.get('https://api.twitter.com/1/direct_messages/sent.json?count=1&page=1', accessToken, accessTokenSecret, function(error, data) {
                        console.log('\nGET direct message:\n');
                        if(error) console.log(error);
                        else {
                            console.log(data);
                            var user_id = JSON.parse(data)[0].recipient_id;
                            var body = qs.stringify({user_id: user_id, text: 'Testing...'});
                            oa.post('https://api.twitter.com/1/direct_messages/new.json', accessToken, accessTokenSecret, body, function(error, data) {
                                console.log('\nPOST direct message:\n');
                                console.log(error || data);
                            });
                        }
                    });
                }
            });
        });
    }
});

I installed this module using npm and the source code here is totally different.
The examples does not work at all, the constructor params seems to have changed... I don't know how to use this lib... please help?

Gowalla returns more data than just access_token and refresh_token.

Line 106 in oauth2.js

callback(null, access_token, refresh_token);

should be

callback(null, access_token, refresh_token, results);

Currently, the library can't be used to send POST requests that contain information in the body.

I'm trying to request a new access token using the refresh token originally provided, but can't get it to work. I'm requesting offline access so the refresh token is available but the actual call doesn't work. It seems like the library doesn't support it. Is that correct or am I missing something?

Here's the message received from Google:
Missing required parameter: refresh_token

Here's my code:

exports.RefreshGmailToken = function (clientId, clientSecret, refreshToken, callback) {

    this._clientId = clientId;
    this._clientSecret = clientSecret;
    this._basePath = '';
    this._authorizePath = 'https://accounts.google.com/o/oauth2/auth';
    this._accessTokenPath = 'https://accounts.google.com/o/oauth2/token';

    gmailAuthObject = new OAuth2(this._clientId,
        this._clientSecret,
        this._basePath,
        this._authorizePath,
        this._accessTokenPath);

    gmailAuthObject.getOAuthAccessToken(
        refreshToken,
        {grant_type: 'refresh_token'},
        function (error, access_token, refresh_token) {
            if (error)
                return callback(error);

            return callback(null, access_token);

        });
};

When trying to make a get request(as described in wiki) to the twitter's streaming api i get the answer 401/unauthorized.

Requests to the rest api work well with the same get method and the same oauth _access_token/secret_token.

PS In wiki the request is via http. Twitter does not accept it at all. To https returns described result

at the moment if an api request returns a 302 code it is treated as an error.
twitter and facebook both use 302 redirects for getting profile images.

oauth2.js of version 0.8.3 & 0.8.4
I was testing with Gowalla's API. It is returning JSON while the library is expecting a querystring encoded string.

line 90
var results= querystring.parse(data);
should be
var results= JSON.parse(data);

With this change I was able to get Gowalla to work.

According to the spec http://tools.ietf.org/html/draft-ietf-oauth-v2-05 the response data must be JSON encoded

I may have overlooked it but I don't see one. Perhaps the MIT license as used by node.js itself would be appropriate? http://github.com/ry/node/blob/master/LICENSE

I keep getting the error above on callback.

Any idea why?

A part of google APIs is accessible under the URL googleapis.com

It does seems to suffer from the same early closing, so changing the isAnEarlyCloseHost method to the following (or something similar) is necessary to be able to query those services :

return hostName.match("._google.com$") || hostName.match("._googleapis.com$");

Connection ends unexpectedly less than a second after the response event is emitted. Is there any hack?
I would like to do it my way without this lib but I don't know what damn headers Oauth needs, all I see is a lot of nonsense hashes and numbers.
Appreciate any help or link explaining how the fuck Oauth is used.
Thanks.

Reading through http://tools.ietf.org/html/rfc5849:

3.4.1.3.2. Parameters Normalization

The parameters collected in Section 3.4.1.3 are normalized into a
single string as follows:

1. First, the name and value of each parameter are encoded
   (Section 3.6).
2. The parameters are sorted by name, using ascending byte value
   ordering. If two or more parameters share the same name, they
   are sorted by their value.

However, in node-oauth:

exports.OAuth.prototype._normaliseRequestParams= function(arguments) {
  var argument_pairs= this._sortRequestParams( arguments );
  var args= "";
  for(var i=0;i<argument_pairs.length;i++) {
      args+= this._encodeData( argument_pairs[i][0] );
      args+= "="
      args+= this._encodeData( argument_pairs[i][1] );
      if( i < argument_pairs.length-1 ) args+= "&";
  }     
  return args;
}

I.e. the params are sorted before they are encoded.

I am able to get access_token and access_token_secret back from Twitter, but when I go to make a GET request to the rest api using the supplied get() method, my callback function is not being triggered.

Example:

function consumer() {
return new OAuth(
"https://api.twitter.com/oauth/request_token",
"https://api.twitter.com/oauth/access_token",
_twitterConsumerKey,
_twitterConsumerSecret,
"1.0A",
"http://1.1.1.1/auth/twitter/callback",
"HMAC-SHA1"
);
}

consumer().get("https://api.twitter.com/1/account/verify_credentials.json", req.session.oauthAccessToken, req.session.oauthAccessTokenSecret, function (error, data, response) {
res.send("Callback triggered.");
});

Any suggestions on where to go with this problem? Thanks in advance.

It seems that when you try and authenticate with facebook the authentication / granting fails with:
{ statusCode: 400, data: '{"error":{"type":"OAuthException","message":"Invalid verification code format."}}' }

The request appears to be:

  POST /oauth/access_token?&grant_type=client_credentials&client_id=...&client_secret=...&type=web_server&code=

It seems that this is caused because the querystring type argument is set to "web_server" which expects a "code" parameter, although, looking at the facebook documentation, It seems that this mode is only used when authenticating on behalf of a user, not an application.

Example:

  POST /oauth/access_token?&grant_type=client_credentials&client_id=...&client_secret=...

Works and returns a correct access token.

Are the code & type fields required by spec to be sent?

I would love to have an example to follow for OAuth2 and Google services. Thanks!

I've been struggling with a really simple OAuth integration with the site Goodreads. They throw a 301 redirect when you hit /oauth/request_token before returning the oauthToken and oauthSecret. The app errors out currently because the oauth plugin only follows 302 redirects atm.

I've temporarily modified the oauth.js (line 360) with this hotfix but as I'm a neophyte programmer, I'm sure it's not the most efficient way to handle this:

else if(response.statusCode == 301 && response.headers && response.headers.location) {
self._performSecureRequest( oauth_token, oauth_token_secret, method, response.headers.location, extra_params, post_body, post_content_type, callback);
}

Hi, I have been getting started with node by using the recently updated Tumblr API.
I kept getting 401/Unauthorized errors when using this oauth package. For the life of me I couldn't figure out what was going on... until I looked close at the HTTP headers.

Tumblr is seemingly implementing things very strictly and requires a space after each comma.
I forked and updated things so that they work for Tumblr OAuth and the fix seems to work for Twitter and Term.ie as well.

Curious about your thoughts on this fix... happy to do a pull request!
Henry

According to the spec the service provider specifies the HTTP method for this request. Some APIs only accept GET requests and therefore are not usable.

Some oauth services that I've been using do not support Authorization headers to be used. It would be nice if there was a flag to have the parameters be appended to the querystring instead.

By changing line 362 in /usr/local/lib/node/.npm/oauth/0.8.3/package/lib/oauth.js from
if( oauth_token) {
collectedParameters["oauth_token"]= oauth_token;
}

to

// allow empty oauth_token for signed get requests - 2-legged oAuth
if( oauth_token != null) {
    collectedParameters["oauth_token"]= oauth_token;
}

I can get both PUT and DELETE to work.
Please fix.

On node v0.3.8-pre:

node.js:116
        throw e; // process.nextTick error, or 'error' event on first tick
        ^
TypeError: Cannot call method 'addListener' of undefined
    at [object Object]._performSecureRequest (/usr/local/lib/node/.npm/oauth/0.8.4/package/lib/oauth.js:306:20)
    at [object Object].getOAuthRequestToken (/usr/local/lib/node/.npm/oauth/0.8.4/package/lib/oauth.js:390:8)
    at Object.<anonymous> (term.ie.oauth-PLAINTEXT.js)
    at Module._compile (module.js:287:26)
    at Object..js (module.js:293:10)
    at Module.load (module.js:219:31)
    at Function._load (module.js:186:10)
    at Array.<anonymous> (module.js:307:10)
    at EventEmitter._tickCallback (node.js:108:26)

This is the result of running examples/term.ie.oauth-PLAINTEXT.js

OAuth is written as Oauth in getOauthAccessToken, whereas it's OAuth in getOAuthRequestToken.

Hi,
Correct me if I am wrong. When I install the package through npm I see the the version 0.9.5 is installed but it is not the same with the one at git repo. Basically, http://registry.npmjs.org/oauth/-/oauth-0.9.5.tgz is not same as https://github.com/ciaranj/node-oauth/tree/0.9.5 There are different files between each other

I found a conflict with the jsdom module and node-oauth. It took some debugging, but I found the exact line where the issue takes place. Mind you I don't know enough to debug further why it is happening, but code is as follows.

At line 205 in lib/oauth.js:
if (orderedParameters[i][0].match('^oauth_') == "oauth_") {
authHeader+= this._encodeData(orderedParameters[i][0])+"=""+this._encodeData(orderedParameters[i][1])+"",";
}

The if statement fails when jsdom is included in a script. I dug into the headers being created and when jsdom is required, the parameters don't actually make it into the headers. For a quick fix I just check if each parameter is there with an if (orderedParameters[i][0]), since I don't plan on using extra parameters.

I don't know where the issue lies, I tried looking into jsdom code, but can't find anything relavent.

The documentation for how, or even if its possible, to do this with node-oauth are somewhat vague or non-existent.

There is an example of some code in the connect-auth project:
https://github.com/ciaranj/connect-auth/wiki/Express---Facebook-example-(with-additional-cunning-sign-in-page-redirect-logic)

However, it does not appear (on the surface at least) that node-oauth is using connect-auth in its oauth2 implementation:
https://github.com/ciaranj/node-oauth/blob/master/lib/oauth2.js

Apologies if this has been previously answered. Either way, it would be very good to have some kind of info in the documentation indicating whether or not Facebook OAuth2 is compatible with node-oauth.

Line 294 (in oauth.js) uses GET, but according to the spec, the default request method is POST unless the server advertises a different request method. Twitter for instance supports both GET and POST, but my server will only accept POST.

I guess this should default to POST but be configurable.

Sometimes I'd get an exception like

node.js:50
throw e; // process.nextTick error, or 'error' event on first tick
^
Error: EINVAL, Invalid argument
at doConnect (net.js:642:19)
at net.js:803:9
at dns.js:171:34
at IOWatcher.callback (dns.js:48:15)
at node.js:616:9

but it does not look like I can catch it using currently provided APIs of node-connect.

Please correct me if I am wrong, I would actually like to be wrong in this case.

Thanks.

Some APIs that use this module allow the developer to pass the same querystring parameter multiple times. For instance, see SimpleGeo and categories... https://simplegeo.com/docs/api-endpoints/simplegeo-places

The oauth implementation turns querystring parameters into object, so a given parameter can only exist one time, so it changes the parameter name to be category[0], categort[1], etc.

I devised a way to fix this by modifying "exports.OAuth.prototype._normaliseRequestParams" to look like this...

exports.OAuth.prototype._normaliseRequestParams= function(arguments) {
var argument_pairs= this._makeArrayOfArgumentsHash(arguments);

// David DeRemer: added logic to allow for multiple occurrences of the same querystring parameter
for (var i=0; i<argument_pairs.length; i++) {
if (argument_pairs[i][0].search(/[\d_]/) != -1) {
argument_pairs[i] = [argument_pairs[i][0].replace(/[\d_]/,''), argument_pairs[i][1]];
}
}

// First encode them #3.4.1.3.2 .1
for(var i=0;i<argument_pairs.length;i++) {
argument_pairs[i][0]= this._encodeData( argument_pairs[i][0] );
argument_pairs[i][1]= this._encodeData( argument_pairs[i][1] );
}

// Then sort them #3.4.1.3.2 .2
argument_pairs= this._sortRequestParams( argument_pairs );

// Then concatenate together #3.4.1.3.2 .3 & .4
var args= "";
for(var i=0;i<argument_pairs.length;i++) {
args+= argument_pairs[i][0];
args+= "="
args+= argument_pairs[i][1];
if( i < argument_pairs.length-1 ) args+= "&";
}
return args;
}

You may want to consider adding something like this into the main branch.

I got an error:

TypeError: Cannot call method 'addListener' of undefined
  at [object Object]._performSecureRequest (/home/meso/.nvm/v0.3.8/lib/node/.npm/oauth/0.8.4/package/lib/oauth.js:306:20)

After Node v0.3.6, ClientRequest.socket is undefined.
Maybe this line should be
request.addListener("error",callback);

Hi,

First of all thanks for the library, works great!

I need to use oAuth to post a new tweet but I cannot make it work.
It looks like you are not accepting to have data in part of the body of the request (for POST method).

How can I perform a secure request that looks like the following:
Accept: /
Connection: close
User-Agent: OAuth gem v0.3.4.1
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth oauth_nonce="qtby7fwJy8SnjY4vbmWiqJoSx3wQCIGb8LVpPI7o", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1281054979", oauth_consumer_key="whatever", oauth_token="55993-whatever", oauth_signature="whatever%3D", oauth_version="1.0"
Content-Length: 61
Host:api.twitter.com

status=My first tweet

Thanks so much!
Xavier

Hello, I am trying to authenticate with Twitter's OAuth 1.0A services. As per the 1.0a changes, the callback URL is required to be send in the request token url, and doing that manually (i.e. in the OAuth constructor) leads to Twitter rejecting the signature that was generated.

See more information here: http://groups.google.com/group/twitter-development-talk/browse_thread/thread/ecc234568479a490

Any insight on this would be very appreciated. Thanks in advance!

Broken on both 0.2.5 and 0.3.0

http://gist.github.com/380321

Hi, I added an example to use Google GData API (v2 and v3).

GData v2 uses a 302 redirect (to add a "gsessionid" to the URL).
To simplify usage, I added an auto-follow of the 302 redirect, but maybe you have reasons not to do so ?

Both commits are here:
https://github.com/neyric/node-oauth/commits/master

I'm trying to retrieve access tokens from twitter using the out-of-band PIN.

https://gist.github.com/791565

This fails with 401 unauthorized. Am I doing something wrong?

I am getting an 'unknown authorization error' in my response from getProtectedResource. I am trying the Google oauth calendar demo from the wiki.
Here is the console after the request...

oauth_token :4/5Y...
oauth_token_secret :qDi9...
requestoken results :{ oauth_callback_confirmed: 'true' }
Requesting access token
oauth_access_token :undefined
oauth_token_secret :undefined
accesstoken results :undefined
Requesting access token
{ statusCode: 401,
data: '\n\nUnknown authorization header\n

Unknown authorization header

The only changes to the demo that I have made was adding my scope to getOAuthRequest token and added 'sys.puts(sys.inspect(error));' to the callback function at the end to see the error that was coming back.
I don't know how to check the header of the request, but I think Google is looking for a different sequence of values in the header.