Make sure oauth_body_hash gets forwarded to actual Authorization header

- While the signature params were updated to account for the body hash, it turns out those params were ONLY being used for the signature, not forwarded into the main Authorization header payload. This commit rectifies that mistake.
derivita · Sep 13, 2019 · 0a10983 · 0a10983
1 parent b098500
commit 0a10983
Showing 1 changed file with 24 additions and 3 deletions.
diff --git a/auther.go b/auther.go
@@ -62,11 +62,17 @@ func newAuther(config *Config) *auther {
 // request (temporary credential) according to RFC 5849 2.1.
 func (a *auther) setRequestTokenAuthHeader(req *http.Request) error {
 	oauthParams := a.commonOAuthParams()
-	oauthParams[oauthCallbackParam] = a.config.CallbackURL
+
 	params, err := collectParameters(req, oauthParams)
 	if err != nil {
 		return err
 	}
+
+	oauthParams[oauthCallbackParam] = a.config.CallbackURL
+	if bodyHash, ok := params[oauthBodyHash]; ok {
+		oauthParams[oauthBodyHash] = bodyHash
+	}
+
 	signatureBase := signatureBase(req, params)
 	signature, err := a.signer().Sign("", signatureBase)
 	if err != nil {
@@ -84,17 +90,24 @@ func (a *auther) setRequestTokenAuthHeader(req *http.Request) error {
 // (token credential) according to RFC 5849 2.3.
 func (a *auther) setAccessTokenAuthHeader(req *http.Request, requestToken, requestSecret, verifier string) error {
 	oauthParams := a.commonOAuthParams()
-	oauthParams[oauthTokenParam] = requestToken
-	oauthParams[oauthVerifierParam] = verifier
+
 	params, err := collectParameters(req, oauthParams)
 	if err != nil {
 		return err
 	}
+
+	oauthParams[oauthTokenParam] = requestToken
+	oauthParams[oauthVerifierParam] = verifier
+	if bodyHash, ok := params[oauthBodyHash]; ok {
+		oauthParams[oauthBodyHash] = bodyHash
+	}
+
 	signatureBase := signatureBase(req, params)
 	signature, err := a.signer().Sign(requestSecret, signatureBase)
 	if err != nil {
 		return err
 	}
+
 	oauthParams[oauthSignatureParam] = signature
 	req.Header.Set(authorizationHeaderParam, authHeaderValue(oauthParams))
 	return nil
@@ -104,21 +117,29 @@ func (a *auther) setAccessTokenAuthHeader(req *http.Request, requestToken, reque
 // requests with an AccessToken (token credential) according to RFC 5849 3.1.
 func (a *auther) setRequestAuthHeader(req *http.Request, accessToken *Token) error {
 	oauthParams := a.commonOAuthParams()
+
 	var tokenSecret string
 	if accessToken != nil {
 		oauthParams[oauthTokenParam] = accessToken.Token
 		tokenSecret = accessToken.TokenSecret
 	}
+
 	params, err := collectParameters(req, oauthParams)
 	if err != nil {
 		return err
 	}
+
 	signatureBase := signatureBase(req, params)
 	signature, err := a.signer().Sign(tokenSecret, signatureBase)
 	if err != nil {
 		return err
 	}
+
 	oauthParams[oauthSignatureParam] = signature
+	if bodyHash, ok := params[oauthBodyHash]; ok {
+		oauthParams[oauthBodyHash] = bodyHash
+	}
+
 	req.Header.Set(authorizationHeaderParam, authHeaderValue(oauthParams))
 	return nil
 }