From 0a10983a3c29e474579f353421b3c5f7353bd534 Mon Sep 17 00:00:00 2001
From: Aric Parkinson
Date: Fri, 13 Sep 2019 10:42:38 -0600
Subject: [PATCH] Make sure oauth_body_hash gets forwarded to actual Authorization header

- While the signature params were updated to account for the body hash, it turns out those params were ONLY being used for the signature, not forwarded into the main Authorization header payload. This commit rectifies that mistake.
---
 auther.go | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/auther.go b/auther.go
index 29de262..a4b1252 100644
--- a/auther.go
+++ b/auther.go
@@ -62,11 +62,17 @@ func newAuther(config *Config) *auther {
 // request (temporary credential) according to RFC 5849 2.1.
 func (a *auther) setRequestTokenAuthHeader(req *http.Request) error {
 oauthParams := a.commonOAuthParams()
- oauthParams[oauthCallbackParam] = a.config.CallbackURL
+
 params, err := collectParameters(req, oauthParams)
 if err != nil {
 return err
 }
+
+ oauthParams[oauthCallbackParam] = a.config.CallbackURL
+ if bodyHash, ok := params[oauthBodyHash]; ok {
+ oauthParams[oauthBodyHash] = bodyHash
+ }
+
 signatureBase := signatureBase(req, params)
 signature, err := a.signer().Sign("", signatureBase)
 if err != nil {
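Review bot: Moving `oauthParams[oauthCallbackParam] = a.config.CallbackURL` below the `collectParameters(req, oauthParams)` call means oauth_callback is no longer part of `params`, so the signature base built from `params` omits it while the Authorization header still carries it; if collectParameters copies oauthParams into a fresh map rather than aliasing it (the usual shape for such a helper), the server's recomputed signature will not match, and a protocol parameter that RFC 5849 requires to be covered by the signature goes unsigned. The same reorder in the setAccessTokenAuthHeader hunk drops oauth_token and oauth_verifier from the signature base. Keep the protocol parameters where they were, before the collect step, and add only the body-hash forwarding after it: `oauthParams[oauthCallbackParam] = a.config.CallbackURL` immediately followed by `params, err := collectParameters(req, oauthParams)`. setRequestTokenAuthHeader's body continues past the end of the hunk.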
@@ -84,17 +90,24 @@ func (a *auther) setRequestTokenAuthHeader(req *http.Request) error {
 // (token credential) according to RFC 5849 2.3.
 func (a *auther) setAccessTokenAuthHeader(req *http.Request, requestToken, requestSecret, verifier string) error {
 oauthParams := a.commonOAuthParams()
- oauthParams[oauthTokenParam] = requestToken
- oauthParams[oauthVerifierParam] = verifier
+
 params, err := collectParameters(req, oauthParams)
 if err != nil {
 return err
 }
+
+ oauthParams[oauthTokenParam] = requestToken
+ oauthParams[oauthVerifierParam] = verifier
+ if bodyHash, ok := params[oauthBodyHash]; ok {
+ oauthParams[oauthBodyHash] = bodyHash
+ }
+
 signatureBase := signatureBase(req, params)
 signature, err := a.signer().Sign(requestSecret, signatureBase)
 if err != nil {
 return err
 }
+
 oauthParams[oauthSignatureParam] = signature
 req.Header.Set(authorizationHeaderParam, authHeaderValue(oauthParams))
 return nil
@@ -104,21 +117,29 @@ func (a *auther) setAccessTokenAuthHeader(req *http.Request, requestToken, reque
 // requests with an AccessToken (token credential) according to RFC 5849 3.1.
 func (a *auther) setRequestAuthHeader(req *http.Request, accessToken *Token) error {
 oauthParams := a.commonOAuthParams()
+
 var tokenSecret string
 if accessToken != nil {
 oauthParams[oauthTokenParam] = accessToken.Token
 tokenSecret = accessToken.TokenSecret
 }
+
 params, err := collectParameters(req, oauthParams)
 if err != nil {
 return err
 }
+
 signatureBase := signatureBase(req, params)
 signature, err := a.signer().Sign(tokenSecret, signatureBase)
 if err != nil {
 return err
 }
+
 oauthParams[oauthSignatureParam] = signature
+ if bodyHash, ok := params[oauthBodyHash]; ok {
+ oauthParams[oauthBodyHash] = bodyHash
+ }
+
 req.Header.Set(authorizationHeaderParam, authHeaderValue(oauthParams))
 return nil
 }
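Review bot: The body-hash forwarding block `if bodyHash, ok := params[oauthBodyHash]; ok { oauthParams[oauthBodyHash] = bodyHash }` is now repeated verbatim in all three header builders, and in setRequestAuthHeader it lands after `oauthParams[oauthSignatureParam] = signature` whereas the other two place it before the signing step; the outcome is the same either way, since only the header assembly reads oauthParams afterwards, but the drift invites a future edit that updates one copy and forgets the others. A small helper keeps the rule in one place, assuming both maps are map[string]string as the assignment between them suggests. The helper's comment should say why the value is copied back: the hash is read from the collected signature parameters and must also travel in the Authorization header so the server receives the value that was signed.
```go
// forwardBodyHash copies an oauth_body_hash present in the collected
// signature parameters into the header parameters, so the Authorization
// header carries the same value that went into the signature base.
func forwardBodyHash(oauthParams, params map[string]string) {
	if bodyHash, ok := params[oauthBodyHash]; ok {
		oauthParams[oauthBodyHash] = bodyHash
	}
}

// … unchanged: setRequestAuthHeader up to the signature assignment …
	oauthParams[oauthSignatureParam] = signature
	forwardBodyHash(oauthParams, params)

	req.Header.Set(authorizationHeaderParam, authHeaderValue(oauthParams))
```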