Open
Description
When passing a request object created via ServerRequest::fromGlobals(), an incorrect signature is generated. It seems that the parameter 'oauth_signature' is unset and then re-added after adding the body contents to the params in method getSignature(). Clearing the body fixes the issue.
Code to reproduce the issue:
```php
use GuzzleHttp\Subscriber\Oauth\Oauth1;
use GuzzleHttp\Psr7\ServerRequest;
use function GuzzleHttp\Psr7\stream_for;

$oauth = new Oauth1([
    'consumer_key' => 'key',
    'consumer_secret' => 'secret',
    'token_secret' => ''
]);

// Request with its form-encoded body intact
$signature = $oauth->getSignature(ServerRequest::fromGlobals(), $_POST);
var_dump($signature === $_POST['oauth_signature']); // false

// Same request with the body replaced by an empty stream
$signature = $oauth->getSignature(ServerRequest::fromGlobals()->withBody(stream_for()), $_POST);
var_dump($signature === $_POST['oauth_signature']); // true
```
Possible fix:
Move the line that unsets the 'oauth_signature' parameter after the code that adds the body contents and query parameters:
```php
public function getSignature(RequestInterface $request, array $params)
{
    // Add POST fields if the request uses POST fields and no files
    if ($request->getHeaderLine('Content-Type') == 'application/x-www-form-urlencoded') {
        $body = \GuzzleHttp\Psr7\parse_query($request->getBody()->getContents());
        $params += $body;
    }

    // Parse & add query string parameters as base string parameters
    $query = $request->getUri()->getQuery();
    $params += \GuzzleHttp\Psr7\parse_query($query);

    // Remove oauth_signature if present
    // Ref: Spec: 9.1.1 ("The oauth_signature parameter MUST be excluded.")
    unset($params['oauth_signature']);
```
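The ordering problem described in this issue, as an added stand-alone example that is not part of the original report and not the library's code: PHP's array union (`+=`) restores a key that was unset beforehand when the body still carries it, so `oauth_signature` ends up in the signature base string. The helpers `baseString()` and `sign()`, the URL, and all parameter values are constructed for illustration, and the parameter sort is simplified to sorting by key.

```php
<?php
// Added example with constructed values; simplified HMAC-SHA1 signing (hypothetical helpers).
function baseString(string $method, string $url, array $params): string
{
    uksort($params, 'strcmp'); // simplified: sort by key only
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode($k) . '=' . rawurlencode($v);
    }
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}

function sign(string $base, string $consumerSecret, string $tokenSecret): string
{
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

$url = 'https://example.test/resource'; // constructed endpoint
$signed = [
    'oauth_consumer_key'     => 'key',
    'oauth_nonce'            => 'n0nce',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => '1500000000',
    'oauth_version'          => '1.0',
    'item'                   => 'book',
];

// Client side: sign, then send the signature along with the form fields.
$clientSig = sign(baseString('POST', $url, $signed), 'secret', '');
$post = $signed + ['oauth_signature' => $clientSig]; // what the server sees as $_POST
$body = $post;                                       // the parsed form body holds the same fields

// Order described in the report: unset first, then union with the body.
$early = $post;
unset($early['oauth_signature']);
$early += $body; // union only fills missing keys, so oauth_signature is restored

// Order proposed in the report: union first, then unset.
$late = $post;
$late += $body;
unset($late['oauth_signature']);

// Constant-time comparison of the recomputed signature against the received one.
var_dump(array_key_exists('oauth_signature', $early));
var_dump(hash_equals($clientSig, sign(baseString('POST', $url, $early), 'secret', '')));
var_dump(hash_equals($clientSig, sign(baseString('POST', $url, $late), 'secret', '')));
```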