This queue is for tickets about the Net-OAuth CPAN distribution.

Report information
The Basics
Id: 30115
Status: resolved
Priority: Low/Low
Queue:

People
Owner: Nobody in particular
Requestors: rt.cpan [...] sartak.org
Cc:
AdminCc:

BugTracker
Severity: Important
Broken in: 0.03
Fixed in: (no value)



Subject: (Empty) token_secret not included in RequestTokenRequest
Hi again Keith,

This time I have a real bug for you! :)

The token_secret is _always_ a required signature element, even if you have no token yet (during RequestTokenRequest it should just be the empty string). Net::OAuth doesn't include the token_secret during RequestTokenRequest. The effect is that the signature base string is missing a final & during HMAC/RSA RequestTokenRequests. Your test suite misses this bug because it uses PLAINTEXT for the Request Token Request, which bypasses the signature base string.

Attached are tests and a fix. I think my fix hits all of the cases correctly. It's just a parameter that is joined into the signature base string until you get to AccessTokenRequest, where it becomes a required API parameter.

Shawn
Subject: fix-token-secret.diff
diff -rN -u old-Net-OAuth-0.03/lib/Net/OAuth/AccessTokenRequest.pm new-Net-OAuth-0.03/lib/Net/OAuth/AccessTokenRequest.pm --- old-Net-OAuth-0.03/lib/Net/OAuth/AccessTokenRequest.pm 2007-10-18 22:31:04.000000000 -0400 +++ new-Net-OAuth-0.03/lib/Net/OAuth/AccessTokenRequest.pm 2007-10-18 22:31:04.000000000 -0400 @@ -5,7 +5,6 @@ __PACKAGE__->add_required_request_params(qw/token/); __PACKAGE__->add_required_api_params(qw/token_secret/); -__PACKAGE__->add_to_signature(qw/token_secret/); sub allow_extra_params {0} =head1 NAME diff -rN -u old-Net-OAuth-0.03/lib/Net/OAuth/Request.pm new-Net-OAuth-0.03/lib/Net/OAuth/Request.pm --- old-Net-OAuth-0.03/lib/Net/OAuth/Request.pm 2007-10-18 22:31:04.000000000 -0400 +++ new-Net-OAuth-0.03/lib/Net/OAuth/Request.pm 2007-10-18 22:31:04.000000000 -0400 @@ -29,13 +29,14 @@ request_url normalized_request_parameters consumer_secret + token_secret /]); __PACKAGE__->mk_accessors( @{__PACKAGE__->required_request_params}, @{__PACKAGE__->optional_request_params}, @{__PACKAGE__->required_api_params}, - qw/extra_params signature signature_key/ + qw/extra_params signature signature_key token_secret/ ); sub add_required_request_params { diff -rN -u old-Net-OAuth-0.03/t/01-spec.t new-Net-OAuth-0.03/t/01-spec.t --- old-Net-OAuth-0.03/t/01-spec.t 2007-10-18 22:31:04.000000000 -0400 +++ new-Net-OAuth-0.03/t/01-spec.t 2007-10-18 22:31:04.000000000 -0400 @@ -2,7 +2,7 @@ use strict; use warnings; -use Test::More tests => 12; +use Test::More tests => 15; BEGIN { use_ok( 'Net::OAuth::Request' ); 
@@ -82,3 +82,20 @@ oauth_version="1.0" EOT +$request = Net::OAuth::RequestTokenRequest->new( + consumer_key => 'dpf43f3p2l4k3l03', + consumer_secret => 'kd94hf93k423kf44', + request_url => 'https://photos.example.net/request_token', + request_method => 'POST', + signature_method => 'HMAC-SHA1', + timestamp => '1191242090', + nonce => 'hsu94j3884jdopsl', +); + +$request->sign; + +ok($request->verify); + +is($request->signature_base_string, 'POST&https%3A%2F%2Fphotos.example.net%2Frequest_token&oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dhsu94j3884jdopsl%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242090%26oauth_version%3D1.0&kd94hf93k423kf44&'); +is($request->signature, 'ivUllEyrORt90wdGXjOp5Z+ERCQ'); +
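Review bot: In the Request.pm hunk, token_secret is added to the base signature elements and to mk_accessors, but nothing in these lines gives it a default, and the new test constructs a RequestTokenRequest without passing one. The trailing & in the expected base string then depends on an undefined accessor value being joined as an empty string, which under "use warnings" can raise an uninitialized-value warning depending on how the elements are encoded. Set the default to '' explicitly (in the constructor, for instance) so the empty secret is a stated value rather than a side effect.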
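Review bot: The test appended to t/01-spec.t covers only HMAC-SHA1 on a RequestTokenRequest, while the report names RSA as affected too and the Request.pm change puts token_secret into the signature elements of every request class. Add a case with a non-empty token_secret (an AccessTokenRequest, say) that asserts its signature_base_string, so the position of the secret after consumer_secret is pinned as well. Note also that "ok($request->verify)" straight after "$request->sign" only shows the code agrees with itself; the is() on signature_base_string is the assertion that actually checks the fix.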
Thanks for the great patch! Applied in SVN r199, and released on CPAN as v0.04
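
The missing separator described in this ticket, reproduced as an added example (not Net::OAuth's code and not part of the patch). The helpers `enc`, `normalized_params` and `base_string` are hypothetical, the input values are those of the test in the patch, and the 0.03 behaviour is modelled by leaving token_secret out of the element list.

```perl
use strict;
use warnings;

# Hypothetical helper: percent-encode all but the unreserved characters.
sub enc {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Hypothetical helper: sort by name, encode names and values, join the pairs.
sub normalized_params {
    my (%p) = @_;
    return join '&', map { enc($_) . '=' . enc($p{$_}) } sort keys %p;
}

# Hypothetical helper: encode each signature element and join with '&'.
# An undefined element counts as the empty string, so its separator stays.
sub base_string {
    return join '&', map { enc(defined $_ ? $_ : '') } @_;
}

# Values from the test added by the patch.
my %params = (
    oauth_consumer_key     => 'dpf43f3p2l4k3l03',
    oauth_nonce            => 'hsu94j3884jdopsl',
    oauth_signature_method => 'HMAC-SHA1',
    oauth_timestamp        => '1191242090',
    oauth_version          => '1.0',
);
my @common = (
    'POST', 'https://photos.example.net/request_token',
    normalized_params(%params), 'kd94hf93k423kf44',
);
my $token_secret;    # undefined: no token exists before the request-token step

my $old = base_string(@common);                   # model of 0.03: element left out
my $new = base_string(@common, $token_secret);    # element present, but empty

# Expected string copied from the is() assertion in the patch.
my $expected = 'POST&https%3A%2F%2Fphotos.example.net%2Frequest_token&oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dhsu94j3884jdopsl%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242090%26oauth_version%3D1.0&kd94hf93k423kf44&';

die "fixed string differs from the patch's expectation\n" unless $new eq $expected;
die "0.03 model should lack only the final '&'\n" unless "$old&" eq $expected;
print "0.03 model: $old\nfixed:      $new\n";
```

A signer and a verifier that disagree on that one trailing byte compute different HMAC or RSA signatures over otherwise identical requests, which is why the PLAINTEXT-only test never exposed it.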

