oauth 0.5.14 → 1.1.6

data/lib/oauth/helper.rb

@@ -1,9 +1,12 @@
+# frozen_string_literal: true
+
+require "time"
 require "openssl"
 require "base64"
 
 module OAuth
   module Helper
-    extend self
+    module_function
 
     # Escape +value+ by URL encoding all non-reserved character.
     #
@@ -15,11 +18,33 @@ module OAuth
     end
 
     def _escape(string)
-      URI::DEFAULT_PARSER.escape(string, OAuth::RESERVED_CHARACTERS)
+      # Percent-encode per RFC 3986 (unreserved: A-Z a-z 0-9 - . _ ~)
+      # Encode by byte to ensure stable behavior across Ruby versions and encodings.
+      bytes = string.to_s.b.bytes
+      bytes.map do |b|
+        ch = b.chr
+        if ch =~ OAuth::RESERVED_CHARACTERS
+          "%%%02X" % b
+        else
+          ch
+        end
+      end.join
     end
 
     def unescape(value)
-      URI::DEFAULT_PARSER.unescape(value.gsub("+", "%2B"))
+      # Do NOT treat "+" as space; OAuth treats '+' as a literal plus unless percent-encoded.
+      str = value.to_s.gsub("+", "%2B")
+      # Decode %HH sequences; leave malformed sequences intact.
+      decoded = str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).to_i(16).chr }
+      # Prefer UTF-8 when the decoded bytes form valid UTF-8; otherwise, return as binary.
+      begin
+        utf8 = decoded.dup
+        utf8.force_encoding(Encoding::UTF_8)
+        decoded = utf8 if utf8.valid_encoding?
+      rescue NameError
+        # Older Rubies without Encoding constants: keep original encoding.
+      end
+      decoded
     end
 
     # Generate a random key of up to +size+ bytes. The value returned is Base64 encoded with non-word
@@ -28,9 +53,9 @@ module OAuth
       Base64.encode64(OpenSSL::Random.random_bytes(size)).gsub(/\W/, "")
     end
 
-    alias generate_nonce generate_key
+    alias_method :generate_nonce, :generate_key
 
-    def generate_timestamp #:nodoc:
+    def generate_timestamp # :nodoc:
       Time.now.to_i.to_s
     end
 
@@ -43,7 +68,8 @@ module OAuth
     # See Also: {OAuth core spec version 1.0, section 9.1.1}[http://oauth.net/core/1.0#rfc.section.9.1.1]
     def normalize(params)
       params.sort.map do |k, values|
-        if values.is_a?(Array)
+        case values
+        when Array
           # make sure the array has an element so we don't lose the key
           values << nil if values.empty?
           # multiple values were provided for a single key
@@ -54,7 +80,7 @@ module OAuth
               [escape(k), escape(v)].join("=")
             end
           end
-        elsif values.is_a?(Hash)
+        when Hash
           normalize_nested_query(values, k)
         else
           [escape(k), escape(values)].join("=")
@@ -99,7 +125,7 @@ module OAuth
         # strip and unescape
         val = unescape(v.strip)
         # strip quotes
-        val.sub(/^\"(.*)\"$/, '\1')
+        val.sub(/^"(.*)"$/, '\1')
       end
 
       # convert into a Hash

data/lib/oauth/oauth.rb

@@ -1,13 +1,37 @@
+# frozen_string_literal: true
+
 module OAuth
-  # request tokens are passed between the consumer and the provider out of
-  # band (i.e. callbacks cannot be used), per section 6.1.1
-  OUT_OF_BAND = "oob".freeze
+  # Out-Of-Band callback token value.
+  # OAuth 1.0 and 1.0a both support out-of-band flows, where callbacks cannot be used.
+  # See RFC 5849 (OAuth 1.0), Section 6.1.1: Obtaining an Unauthorized Request Token
+  # and the 1.0a errata. Providers treating "oob" as the callback URL indicate that
+  # the verifier (for 1.0a) will be communicated out of band to the Consumer.
+  OUT_OF_BAND = "oob"
 
-  # required parameters, per sections 6.1.1, 6.3.1, and 7
-  PARAMETERS = %w[oauth_callback oauth_consumer_key oauth_token
-                  oauth_signature_method oauth_timestamp oauth_nonce oauth_verifier
-                  oauth_version oauth_signature oauth_body_hash].freeze
+  # OAuth parameter keys this library recognizes when normalizing/signing requests.
+  # Notes on 1.0 vs 1.0a:
+  # - oauth_verifier: Introduced by OAuth 1.0a. Returned to the Consumer after user
+  #   authorization and required when exchanging a Request Token for an Access Token
+  #   (Section 6.3.1 in RFC 5849 / 1.0a change).
+  # - oauth_callback: Present in 1.0; 1.0a clarified that the Consumer MUST send it when
+  #   obtaining a Request Token (or use "oob") and that the Service Provider MUST return
+  #   oauth_callback_confirmed=true with the Request Token response to prevent session
+  #   fixation attacks. Note that oauth_callback_confirmed is a response parameter, not
+  #   a request signing parameter, and thus is not listed here.
+  # Other keys are common to both 1.0 and 1.0a.
+  PARAMETERS = %w[
+    oauth_callback
+    oauth_consumer_key
+    oauth_token
+    oauth_signature_method
+    oauth_timestamp
+    oauth_nonce
+    oauth_verifier
+    oauth_version
+    oauth_signature
+    oauth_body_hash
+  ].freeze
 
   # reserved character regexp, per section 5.1
-  RESERVED_CHARACTERS = /[^a-zA-Z0-9\-\.\_\~]/
+  RESERVED_CHARACTERS = /[^a-zA-Z0-9\-._~]/.freeze
 end

data/lib/oauth/oauth_test_helper.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "action_controller"
 require "action_controller/test_process"
 

data/lib/oauth/optional.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module OAuth
+  # Helpers for optional, lazily loaded integrations.
+  module Optional
+    class << self
+      # Try to load EventMachine HTTP client support provided by em-http-request.
+      #
+      # Returns true if available, false if the dependency is not installed.
+      # Never raises LoadError.
+      def em_http_available?
+        # em-http-request provides "em-http" entrypoint
+        require "em-http"
+        true
+      rescue LoadError
+        false
+      end
+    end
+  end
+end

data/lib/oauth/request_proxy/action_controller_request.rb

@@ -1,56 +1,39 @@
 # frozen_string_literal: true
 
 require "active_support"
-require "active_support/version"
 require "action_controller"
 require "uri"
 
-if Gem::Version.new(ActiveSupport::VERSION::STRING) < Gem::Version.new("3")
-  # rails 2.x
-  require "action_controller/request"
-  unless ActionController::Request::HTTP_METHODS.include?("patch")
-    ActionController::Request::HTTP_METHODS << "patch"
-    ActionController::Request::HTTP_METHOD_LOOKUP["PATCH"] = :patch
-    ActionController::Request::HTTP_METHOD_LOOKUP["patch"] = :patch
-  end
-
-elsif Gem::Version.new(ActiveSupport::VERSION::STRING) < Gem::Version.new("4")
-  # rails 3.x
-  require "action_dispatch/http/request"
-  unless ActionDispatch::Request::HTTP_METHODS.include?("patch")
-    ActionDispatch::Request::HTTP_METHODS << "patch"
-    ActionDispatch::Request::HTTP_METHOD_LOOKUP["PATCH"] = :patch
-    ActionDispatch::Request::HTTP_METHOD_LOOKUP["patch"] = :patch
-  end
-
-else # rails 4.x and later - already has patch
-  require "action_dispatch/http/request"
-end
+require "action_dispatch/http/request"
 
 module OAuth
   module RequestProxy
     class ActionControllerRequest < OAuth::RequestProxy::Base
-      proxies(defined?(::ActionDispatch::AbstractRequest) ? ::ActionDispatch::AbstractRequest : ::ActionDispatch::Request)
+      proxies(::ActionDispatch::Request)
 
       def method
         request.method.to_s.upcase
       end
 
       def uri
-        request.url
+        options[:uri] || request.url
       end
 
       def parameters
         if options[:clobber_request]
           options[:parameters] || {}
         else
-          params = request_params.merge(query_params).merge(header_params)
+          # Rails proxies should expose array-style values for params to align with
+          # historical oauth gem behavior / specs. Header params remain scalars.
+          rq = wrap_values(request_params)
+          qq = wrap_values(query_params)
+          params = rq.merge(qq).merge(header_params)
           params.stringify_keys! if params.respond_to?(:stringify_keys!)
           params.merge(options[:parameters] || {})
         end
       end
 
-      # Override from OAuth::RequestProxy::Base to avoid roundtrip
+      # Override from OAuth::RequestProxy::Base to avoid round-trip
       # conversion to Hash or Array and thus preserve the original
       # parameter names
       def parameters_for_signature
@@ -64,11 +47,11 @@ module OAuth
           params << request.raw_post if raw_post_signature?
         end
 
-        params.
-          join("&").split("&").
-          reject { |s| s.match(/\A\s*\z/) }.
-          map { |p| p.split("=").map { |esc| CGI.unescape(esc) } }.
-          reject { |kv| kv[0] == "oauth_signature" }
+        params
+          .join("&").split("&")
+          .reject { |s| s.match(/\A\s*\z/) }
+          .map { |p| p.split("=").map { |esc| CGI.unescape(esc) } }
+          .reject { |kv| kv[0] == "oauth_signature" }
       end
 
       def raw_post_signature?

data/lib/oauth/request_proxy/action_dispatch_request.rb

@@ -6,6 +6,40 @@ module OAuth
   module RequestProxy
     class ActionDispatchRequest < OAuth::RequestProxy::RackRequest
       proxies ::ActionDispatch::Request
+
+      # Prefer the explicitly provided URI, which carries scheme/host info
+      # when ActionDispatch env may be minimal in tests.
+      def uri
+        options[:uri] || super
+      end
+
+      # Rails' ActionDispatch proxy should expose array-style parameters
+      # for request/query params to align with legacy oauth gem expectations.
+      def parameters
+        if options[:clobber_request]
+          options[:parameters] || {}
+        else
+          rq = wrap_values(request_params)
+          qq = wrap_values(query_params)
+          params = rq.merge(qq).merge(header_params)
+          params.merge(options[:parameters] || {})
+        end
+      end
+
+      protected
+
+      def query_params
+        # ActionDispatch::Request responds to GET
+        request.GET
+      end
+
+      def request_params
+        if request.content_type && request.content_type.to_s.downcase.start_with?("application/x-www-form-urlencoded")
+          request.POST
+        else
+          {}
+        end
+      end
     end
   end
 end

data/lib/oauth/request_proxy/base.rb

@@ -8,8 +8,10 @@ module OAuth
     class Base
       include OAuth::Helper
 
-      def self.proxies(klass)
-        OAuth::RequestProxy.available_proxies[klass] = self
+      class << self
+        def proxies(klass)
+          OAuth::RequestProxy.available_proxies[klass] = self
+        end
       end
 
       attr_accessor :request, :options, :unsigned_parameters
@@ -23,15 +25,15 @@ module OAuth
       ## OAuth parameters
 
       def oauth_callback
-        parameters["oauth_callback"]
+        [parameters["oauth_callback"]].flatten.first
       end
 
       def oauth_consumer_key
-        parameters["oauth_consumer_key"]
+        [parameters["oauth_consumer_key"]].flatten.first
       end
 
       def oauth_nonce
-        parameters["oauth_nonce"]
+        [parameters["oauth_nonce"]].flatten.first
       end
 
       def oauth_signature
@@ -40,37 +42,35 @@ module OAuth
       end
 
       def oauth_signature_method
-        case parameters["oauth_signature_method"]
-        when Array
-          parameters["oauth_signature_method"].first
-        else
-          parameters["oauth_signature_method"]
-        end
+        [parameters["oauth_signature_method"]].flatten.first
       end
 
       def oauth_timestamp
-        parameters["oauth_timestamp"]
+        [parameters["oauth_timestamp"]].flatten.first
       end
 
       def oauth_token
-        parameters["oauth_token"]
+        [parameters["oauth_token"]].flatten.first
       end
 
+      # OAuth 1.0a only: value returned to the Consumer after user authorization
+      # and required when exchanging a Request Token for an Access Token.
+      # Not present in OAuth 1.0 flows.
       def oauth_verifier
-        parameters["oauth_verifier"]
+        [parameters["oauth_verifier"]].flatten.first
       end
 
       def oauth_version
-        parameters["oauth_version"]
+        [parameters["oauth_version"]].flatten.first
       end
 
       # TODO: deprecate these
-      alias consumer_key oauth_consumer_key
-      alias token oauth_token
-      alias nonce oauth_nonce
-      alias timestamp oauth_timestamp
-      alias signature oauth_signature
-      alias signature_method oauth_signature_method
+      alias_method :consumer_key, :oauth_consumer_key
+      alias_method :token, :oauth_token
+      alias_method :nonce, :oauth_nonce
+      alias_method :timestamp, :oauth_timestamp
+      alias_method :signature, :oauth_signature
+      alias_method :signature_method, :oauth_signature_method
 
       ## Parameter accessors
 
@@ -79,15 +79,15 @@ module OAuth
       end
 
       def parameters_for_signature
-        parameters.reject { |k, _v| signature_and_unsigned_parameters.include?(k) }
+        parameters.select { |k, _v| !signature_and_unsigned_parameters.include?(k) }
       end
 
       def oauth_parameters
-        parameters.select { |k, _v| OAuth::PARAMETERS.include?(k) }.reject { |_k, v| v == "" }
+        parameters.select { |k, v| OAuth::PARAMETERS.include?(k) && !v.nil? && v != "" }
       end
 
       def non_oauth_parameters
-        parameters.reject { |k, _v| OAuth::PARAMETERS.include?(k) }
+        parameters.select { |k, _v| !OAuth::PARAMETERS.include?(k) }
       end
 
       def signature_and_unsigned_parameters
@@ -97,7 +97,7 @@ module OAuth
       # See 9.1.2 in specs
       def normalized_uri
         u = URI.parse(uri)
-        "#{u.scheme.downcase}://#{u.host.downcase}#{(u.scheme.casecmp("http").zero? && u.port != 80) || (u.scheme.casecmp("https").zero? && u.port != 443) ? ":#{u.port}" : ""}#{u.path && u.path != "" ? u.path : "/"}"
+        "#{u.scheme.downcase}://#{u.host.downcase}#{":#{u.port}" if (u.scheme.casecmp("http").zero? && u.port != 80) || (u.scheme.casecmp("https").zero? && u.port != 443)}#{(u.path && u.path != "") ? u.path : "/"}"
       end
 
       # See 9.1.1. in specs Normalize Request Parameters
@@ -127,17 +127,17 @@ module OAuth
       end
 
       # URI, including OAuth parameters
-      def signed_uri(with_oauth = true)
+      def signed_uri(with_oauth: true)
         if signed?
           params = if with_oauth
-                     parameters
-                   else
-                     non_oauth_parameters
-                   end
+            parameters
+          else
+            non_oauth_parameters
+          end
 
           [uri, normalize(params)].join("?")
         else
-          warn "This request has not yet been signed!"
+          warn("This request has not yet been signed!")
         end
       end
 
@@ -177,6 +177,17 @@ module OAuth
 
         {}
       end
+
+      # Utility to make parameter values array-style (or keep nil) so that
+      # subclasses can rely on array values for parameter merging/signing.
+      # Mirrors the implementation previously present in
+      # ActionDispatchRequest#wrap_values.
+      def wrap_values(hash)
+        return {} unless hash
+        hash.each_with_object({}) do |(k, v), acc|
+          acc[k] = (v.is_a?(Array) || v.nil?) ? v : [v]
+        end
+      end
     end
   end
 end

data/lib/oauth/request_proxy/em_http_request.rb

@@ -1,74 +1,75 @@
 # frozen_string_literal: true
 
 require "oauth/request_proxy/base"
-# em-http also uses adddressable so there is no need to require uri.
-require "em-http"
+require "oauth/optional"
 require "cgi"
 
-module OAuth
-  module RequestProxy
-    module EventMachine
-      class HttpRequest < OAuth::RequestProxy::Base
-        # A Proxy for use when you need to sign EventMachine::HttpClient instances.
-        # It needs to be called once the client is construct but before data is sent.
-        # Also see oauth/client/em-http
-        proxies ::EventMachine::HttpClient
+if OAuth::Optional.em_http_available?
+  module OAuth
+    module RequestProxy
+      module EventMachine
+        class HttpRequest < OAuth::RequestProxy::Base
+          # A Proxy for use when you need to sign EventMachine::HttpClient instances.
+          # It needs to be called once the client is construct but before data is sent.
+          # Also see oauth/client/em-http
+          proxies ::EventMachine::HttpClient
 
-        # Request in this con
+          # Request in this con
 
-        def method
-          request.req[:method]
-        end
+          def method
+            request.req[:method]
+          end
 
-        def uri
-          request.conn.normalize.to_s
-        end
+          def uri
+            request.conn.normalize.to_s
+          end
 
-        def parameters
-          if options[:clobber_request]
-            options[:parameters]
-          else
-            all_parameters
+          def parameters
+            if options[:clobber_request]
+              options[:parameters]
+            else
+              all_parameters
+            end
           end
-        end
 
-        protected
+          protected
 
-        def all_parameters
-          merged_parameters({}, post_parameters, query_parameters, options[:parameters])
-        end
+          def all_parameters
+            merged_parameters({}, post_parameters, query_parameters, options[:parameters])
+          end
 
-        def query_parameters
-          quer = request.req[:query]
-          hash_quer = if quer.respond_to?(:merge)
-                        quer
-                      else
-                        CGI.parse(quer.to_s)
-                      end
-          CGI.parse(request.conn.query.to_s).merge(hash_quer)
-        end
+          def query_parameters
+            quer = request.req[:query]
+            hash_quer = if quer.respond_to?(:merge)
+              quer
+            else
+              CGI.parse(quer.to_s)
+            end
+            CGI.parse(request.conn.query.to_s).merge(hash_quer)
+          end
 
-        def post_parameters
-          headers = request.req[:head] || {}
-          form_encoded = headers["Content-Type"].to_s.downcase.start_with?("application/x-www-form-urlencoded")
-          if %w[POST PUT].include?(method) && form_encoded
-            CGI.parse(request.normalize_body(request.req[:body]).to_s)
-          else
-            {}
+          def post_parameters
+            headers = request.req[:head] || {}
+            form_encoded = headers["Content-Type"].to_s.downcase.start_with?("application/x-www-form-urlencoded")
+            if %w[POST PUT].include?(method) && form_encoded
+              CGI.parse(request.normalize_body(request.req[:body]).to_s)
+            else
+              {}
+            end
           end
-        end
 
-        def merged_parameters(params, *extra_params)
-          extra_params.compact.each do |params_pairs|
-            params_pairs.each_pair do |key, value|
-              if params.key?(key)
-                params[key.to_s] += value
-              else
-                params[key.to_s] = [value].flatten
+          def merged_parameters(params, *extra_params)
+            extra_params.compact.each do |params_pairs|
+              params_pairs.each_pair do |key, value|
+                if params.key?(key)
+                  params[key.to_s] += value
+                else
+                  params[key.to_s] = [value].flatten
+                end
               end
             end
+            params
           end
-          params
         end
       end
     end

data/lib/oauth/request_proxy/jabber_request.rb

@@ -18,8 +18,15 @@ module OAuth
         oauth = @request.get_elements("//oauth").first
         return @params unless oauth
 
-        %w[ oauth_token oauth_consumer_key oauth_signature_method oauth_signature
-            oauth_timestamp oauth_nonce oauth_version ].each do |param|
+        %w[
+          oauth_token
+          oauth_consumer_key
+          oauth_signature_method
+          oauth_signature
+          oauth_timestamp
+          oauth_nonce
+          oauth_version
+        ].each do |param|
           next unless (element = oauth.first_element(param))
 
           @params[param] = element.text

data/lib/oauth/request_proxy/mock_request.rb

@@ -32,7 +32,7 @@ module OAuth
 
       def normalized_uri
         super
-      rescue
+      rescue StandardError
         # if this is a non-standard URI, it may not parse properly
         # in that case, assume that it's already been normalized
         uri

data/lib/oauth/request_proxy/net_http.rb

@@ -38,13 +38,11 @@ module OAuth
             request_params = CGI.parse(query_string)
             # request_params.each{|k,v| request_params[k] = [nil] if v == []}
 
-            if options[:parameters]
-              options[:parameters].each do |k, v|
-                if request_params.key?(k) && v
-                  request_params[k] << v
-                else
-                  request_params[k] = [v]
-                end
+            options[:parameters]&.each do |k, v|
+              if request_params.key?(k) && v
+                request_params[k] << v
+              else
+                request_params[k] = [v]
               end
             end
             request_params
@@ -71,7 +69,7 @@ module OAuth
           end
 
           def auth_header_params
-            return nil unless request["Authorization"] && request["Authorization"][0, 5] == "OAuth"
+            return unless request["Authorization"] && request["Authorization"][0, 5] == "OAuth"
 
             request["Authorization"]
           end

data/lib/oauth/request_proxy/rack_request.rb

@@ -26,10 +26,6 @@ module OAuth
         end
       end
 
-      def signature
-        parameters["oauth_signature"]
-      end
-
       protected
 
       def query_params

data/lib/oauth/request_proxy/rest_client_request.rb

@@ -34,11 +34,13 @@ module OAuth
           query ? CGI.parse(query) : {}
         end
 
-        def request_params; end
+        def request_params
+        end
 
         def post_parameters
           # Post params are only used if posting form data
-          if method == "POST" || method == "PUT"
+          is_form_data = request.payload && request.payload.headers["Content-Type"] == "application/x-www-form-urlencoded"
+          if is_form_data && (method == "POST" || method == "PUT")
             OAuth::Helper.stringify_keys(query_string_to_hash(request.payload.to_s) || {})
           else
             {}
@@ -51,9 +53,9 @@ module OAuth
           query.split("&").inject({}) do |result, q|
             k, v = q.split("=")
             if !v.nil?
-              result.merge(k => v)
+              result.merge({k => v})
             elsif !result.key?(k)
-              result.merge(k => true)
+              result.merge({k => true})
             else
               result
             end