Incorrect signature generated #63

@renaatdemuynck

When passing a request object created via ServerRequest::fromGlobals(), an incorrect signature is generated. It seems that the parameter 'oauth_signature' is unset and then re-added after adding the body contents to the params in method getSignature(). Clearing the body fixes the issue.

Code to reproduce the issue:

```php
use GuzzleHttp\Subscriber\Oauth\Oauth1;
use GuzzleHttp\Psr7\ServerRequest;
use function GuzzleHttp\Psr7\stream_for;

$oauth = new Oauth1([
    'consumer_key' => 'key',
    'consumer_secret' => 'secret',
    'token_secret' => ''
]);

$signature = $oauth->getSignature(ServerRequest::fromGlobals(), $_POST);
var_dump($signature === $_POST['oauth_signature']); // false

$signature = $oauth->getSignature(ServerRequest::fromGlobals()->withBody(stream_for()), $_POST);
var_dump($signature === $_POST['oauth_signature']); // true
```

Possible fix:
Move the line that unsets the 'oauth_signature' parameter after the code that adds the body contents and query parameters:

```php
public function getSignature(RequestInterface $request, array $params)
{
    // Add POST fields if the request uses POST fields and no files
    if ($request->getHeaderLine('Content-Type') == 'application/x-www-form-urlencoded') {
        $body = \GuzzleHttp\Psr7\parse_query($request->getBody()->getContents());
        $params += $body;
    }

    // Parse & add query string parameters as base string parameters
    $query = $request->getUri()->getQuery();
    $params += \GuzzleHttp\Psr7\parse_query($query);

    // Remove oauth_signature if present
    // Ref: Spec: 9.1.1 ("The oauth_signature parameter MUST be excluded.")
    unset($params['oauth_signature']);

    // ... remainder of the method unchanged
}
```
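
The ordering problem described in this issue, as a stand-alone added example (not part of the original report and not the library's code): a simplified OAuth 1.0 HMAC-SHA1 signer with no Guzzle dependency. The function names, URL and field values are constructed for illustration.

```php
<?php
// Added illustration: simplified OAuth 1.0 HMAC-SHA1 signing, not the library's implementation.

// Build the signature base string (OAuth Core 1.0, section 9.1) and sign it.
function sign(string $method, string $url, array $params, string $consumerSecret, string $tokenSecret): string
{
    ksort($params); // parameters are sorted by name before normalisation
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = rawurlencode($name) . '=' . rawurlencode($value);
    }
    $base = strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Order reported in the issue: oauth_signature is removed first, then the body is merged in.
function signatureUnsetFirst(string $url, array $params, array $body, string $secret): string
{
    unset($params['oauth_signature']);
    $params += $body; // the body still carries oauth_signature, so it is re-added here
    return sign('POST', $url, $params, $secret, '');
}

// Order proposed in the issue: merge everything, then remove oauth_signature.
function signatureUnsetLast(string $url, array $params, array $body, string $secret): string
{
    $params += $body;
    unset($params['oauth_signature']); // spec 9.1.1: excluded from the base string
    return sign('POST', $url, $params, $secret, '');
}

// Constructed sample request fields (made up for this example).
$fields = [
    'oauth_consumer_key' => 'key',
    'oauth_nonce' => 'abc123',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp' => '1500000000',
    'oauth_version' => '1.0',
    'status' => 'hello world',
];
$url = 'https://example.test/resource';
// What the client sends: the fields plus the signature computed over them.
$post = $fields + ['oauth_signature' => sign('POST', $url, $fields, 'secret', '')];

// The same data arrives twice, as $params and as the parsed form body.
// hash_equals() gives a constant-time comparison for signature verification.
var_dump(hash_equals($post['oauth_signature'], signatureUnsetFirst($url, $post, $post, 'secret')));
var_dump(hash_equals($post['oauth_signature'], signatureUnsetLast($url, $post, $post, 'secret')));
```

The first comparison fails because the re-added `oauth_signature` becomes part of the signed base string; the second succeeds because it is removed after all parameter sources are merged.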
