Subject: (Empty) token_secret not included in RequestTokenRequest
Hi again Keith,

This time I have a real bug for you! :)

The token_secret is _always_ a required signature element, even if you
have no token yet (during RequestTokenRequest it should just be the
empty string). Net::OAuth doesn't include the token_secret during
RequestTokenRequest. The effect is that the signature base string is
missing a final & during HMAC/RSA RequestTokenRequests.

Your test suite misses this bug because it uses PLAINTEXT for the
Request Token Request, which bypasses the signature base string.

Attached are tests and a fix.

I think my fix hits all of the cases correctly. It's just a parameter
that is joined into the signature base string until you get to
AccessTokenRequest, where it becomes a required API parameter.

Shawn
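
The effect reported above, as an added Python example (not part of the original message and not Net::OAuth code): it builds the signature base string in the layout of the expected value in the attached t/01-spec.t, with and without the empty token_secret element, and shows that a signature made over the shortened string fails verification. The helper names and the HMAC key construction (`consumer_secret&token_secret`) are assumptions of this example, so the signature it produces is not claimed to equal the one in the test.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def enc(value):
    # OAuth percent-encoding: only unreserved characters (A-Z a-z 0-9 - . _ ~) stay literal.
    return quote(str(value), safe="-._~")

def normalized_params(params):
    # Encode names and values, sort, then join as name=value pairs.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)

def signature_base_string(method, url, params, consumer_secret, token_secret=""):
    # token_secret defaults to "", so it still contributes the trailing "&".
    # Passing None reproduces the reported bug: the element is dropped entirely.
    elements = [method.upper(), url, normalized_params(params), consumer_secret]
    if token_secret is not None:
        elements.append(token_secret)
    return "&".join(enc(e) for e in elements)

def sign(base_string, consumer_secret, token_secret=""):
    # Assumption of this example: HMAC key is enc(consumer_secret)&enc(token_secret).
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(signature, method, url, params, consumer_secret, token_secret=""):
    # Provider side: rebuild the full base string and compare in constant time.
    base = signature_base_string(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(signature, sign(base, consumer_secret, token_secret))

# Request values as they appear in the test added by the attached patch.
METHOD, URL, SECRET = "POST", "https://photos.example.net/request_token", "kd94hf93k423kf44"
PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242090",
    "oauth_nonce": "hsu94j3884jdopsl",
    "oauth_version": "1.0",
}
FIXED = signature_base_string(METHOD, URL, PARAMS, SECRET)        # ends in "&"
BUGGY = signature_base_string(METHOD, URL, PARAMS, SECRET, None)  # final "&" missing

if __name__ == "__main__":
    print(FIXED)
    print("fixed verifies:", verify(sign(FIXED, SECRET), METHOD, URL, PARAMS, SECRET))
    print("buggy verifies:", verify(sign(BUGGY, SECRET), METHOD, URL, PARAMS, SECRET))
```
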
Subject: fix-token-secret.diff
diff -rN -u old-Net-OAuth-0.03/lib/Net/OAuth/AccessTokenRequest.pm new-Net-OAuth-0.03/lib/Net/OAuth/AccessTokenRequest.pm
--- old-Net-OAuth-0.03/lib/Net/OAuth/AccessTokenRequest.pm 2007-10-18 22:31:04.000000000 -0400
+++ new-Net-OAuth-0.03/lib/Net/OAuth/AccessTokenRequest.pm 2007-10-18 22:31:04.000000000 -0400
@@ -5,7 +5,6 @@
__PACKAGE__->add_required_request_params(qw/token/);
__PACKAGE__->add_required_api_params(qw/token_secret/);
-__PACKAGE__->add_to_signature(qw/token_secret/);
sub allow_extra_params {0}
=head1 NAME
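Review bot: Only AccessTokenRequest.pm loses its `add_to_signature(qw/token_secret/)` call in this patch; any other request subclass that still makes the same call would presumably contribute token_secret to the signature a second time now that Request.pm lists it in the base elements. Check the remaining subclasses and drop the call there as well. Keeping `add_required_api_params(qw/token_secret/)` here matches the stated intent that the secret becomes mandatory from AccessTokenRequest onward.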
diff -rN -u old-Net-OAuth-0.03/lib/Net/OAuth/Request.pm new-Net-OAuth-0.03/lib/Net/OAuth/Request.pm
--- old-Net-OAuth-0.03/lib/Net/OAuth/Request.pm 2007-10-18 22:31:04.000000000 -0400
+++ new-Net-OAuth-0.03/lib/Net/OAuth/Request.pm 2007-10-18 22:31:04.000000000 -0400
@@ -29,13 +29,14 @@
request_url
normalized_request_parameters
consumer_secret
+ token_secret
/]);
__PACKAGE__->mk_accessors(
@{__PACKAGE__->required_request_params},
@{__PACKAGE__->optional_request_params},
@{__PACKAGE__->required_api_params},
- qw/extra_params signature signature_key/
+ qw/extra_params signature signature_key token_secret/
);
sub add_required_request_params {
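Review bot: Nothing in this hunk gives `token_secret` a default, so on a RequestTokenRequest the new base element is undef at the point where the signature elements are joined. Confirm that the join maps undef to the empty string (or default the accessor to '' at construction), otherwise `use warnings` will report an uninitialized value and the trailing & depends on how undef happens to stringify. The POD should also say that token_secret is an optional constructor argument that defaults to empty, since the accessor is now public on every request class.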
diff -rN -u old-Net-OAuth-0.03/t/01-spec.t new-Net-OAuth-0.03/t/01-spec.t
--- old-Net-OAuth-0.03/t/01-spec.t 2007-10-18 22:31:04.000000000 -0400
+++ new-Net-OAuth-0.03/t/01-spec.t 2007-10-18 22:31:04.000000000 -0400
@@ -2,7 +2,7 @@
use strict;
use warnings;
-use Test::More tests => 12;
+use Test::More tests => 15;
BEGIN {
use_ok( 'Net::OAuth::Request' );
@@ -82,3 +82,20 @@
oauth_version="1.0"
EOT
+$request = Net::OAuth::RequestTokenRequest->new(
+ consumer_key => 'dpf43f3p2l4k3l03',
+ consumer_secret => 'kd94hf93k423kf44',
+ request_url => 'https://photos.example.net/request_token',
+ request_method => 'POST',
+ signature_method => 'HMAC-SHA1',
+ timestamp => '1191242090',
+ nonce => 'hsu94j3884jdopsl',
+);
+
+$request->sign;
+
+ok($request->verify);
+
+is($request->signature_base_string, 'POST&https%3A%2F%2Fphotos.example.net%2Frequest_token&oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dhsu94j3884jdopsl%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242090%26oauth_version%3D1.0&kd94hf93k423kf44&');
+is($request->signature, 'ivUllEyrORt90wdGXjOp5Z+ERCQ');
+
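Review bot: The expected value in `is($request->signature, 'ivUllEyrORt90wdGXjOp5Z+ERCQ')` is 27 characters with no trailing `=`, while a 20-byte HMAC-SHA1 digest is 28 characters in padded base64, so this test pins unpadded output; confirm that is the intended wire format, because a peer comparing against a padded signature would reject it. Separately, `ok($request->verify)` runs on the same object that just called `sign`, so it only proves self-consistency; the `signature_base_string` comparison is the assertion that actually catches the missing &. The cover message mentions RSA requests too, but only HMAC-SHA1 is exercised here, so an RSA case would be worth adding.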