oauth 0.5.6 → 1.1.5

data/lib/oauth/helper.rb

@@ -1,9 +1,12 @@
-require 'openssl'
-require 'base64'
+# frozen_string_literal: true
+
+require "time"
+require "openssl"
+require "base64"
 
 module OAuth
   module Helper
-    extend self
+    module_function
 
     # Escape +value+ by URL encoding all non-reserved character.
     #
@@ -15,22 +18,44 @@ module OAuth
     end
 
     def _escape(string)
-      URI::DEFAULT_PARSER.escape(string, OAuth::RESERVED_CHARACTERS)
+      # Percent-encode per RFC 3986 (unreserved: A-Z a-z 0-9 - . _ ~)
+      # Encode by byte to ensure stable behavior across Ruby versions and encodings.
+      bytes = string.to_s.b.bytes
+      bytes.map do |b|
+        ch = b.chr
+        if ch =~ OAuth::RESERVED_CHARACTERS
+          "%%%02X" % b
+        else
+          ch
+        end
+      end.join
     end
 
     def unescape(value)
-      URI::DEFAULT_PARSER.unescape(value.gsub('+', '%2B'))
+      # Do NOT treat "+" as space; OAuth treats '+' as a literal plus unless percent-encoded.
+      str = value.to_s.gsub("+", "%2B")
+      # Decode %HH sequences; leave malformed sequences intact.
+      decoded = str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).to_i(16).chr }
+      # Prefer UTF-8 when the decoded bytes form valid UTF-8; otherwise, return as binary.
+      begin
+        utf8 = decoded.dup
+        utf8.force_encoding(Encoding::UTF_8)
+        decoded = utf8 if utf8.valid_encoding?
+      rescue NameError
+        # Older Rubies without Encoding constants: keep original encoding.
+      end
+      decoded
     end
 
     # Generate a random key of up to +size+ bytes. The value returned is Base64 encoded with non-word
     # characters removed.
-    def generate_key(size=32)
-      Base64.encode64(OpenSSL::Random.random_bytes(size)).gsub(/\W/, '')
+    def generate_key(size = 32)
+      Base64.encode64(OpenSSL::Random.random_bytes(size)).gsub(/\W/, "")
     end
 
     alias_method :generate_nonce, :generate_key
 
-    def generate_timestamp #:nodoc:
+    def generate_timestamp # :nodoc:
       Time.now.to_i.to_s
     end
 
@@ -43,22 +68,27 @@ module OAuth
     # See Also: {OAuth core spec version 1.0, section 9.1.1}[http://oauth.net/core/1.0#rfc.section.9.1.1]
     def normalize(params)
       params.sort.map do |k, values|
-        if values.is_a?(Array)
+        case values
+        when Array
           # make sure the array has an element so we don't lose the key
           values << nil if values.empty?
           # multiple values were provided for a single key
-          values.sort.collect do |v|
-            [escape(k),escape(v)] * "="
+          if values[0].is_a?(Hash)
+            normalize_nested_query(values, k)
+          else
+            values.sort.collect do |v|
+              [escape(k), escape(v)].join("=")
+            end
           end
-        elsif values.is_a?(Hash)
+        when Hash
           normalize_nested_query(values, k)
         else
-          [escape(k),escape(values)] * "="
+          [escape(k), escape(values)].join("=")
         end
       end * "&"
     end
 
-    #Returns a string representation of the Hash like in URL query string
+    # Returns a string representation of the Hash like in URL query string
     # build_nested_query({:level_1 => {:level_2 => ['value_1','value_2']}}, 'prefix'))
     #   #=> ["prefix%5Blevel_1%5D%5Blevel_2%5D%5B%5D=value_1", "prefix%5Blevel_1%5D%5Blevel_2%5D%5B%5D=value_2"]
     def normalize_nested_query(value, prefix = nil)
@@ -72,7 +102,7 @@ module OAuth
           normalize_nested_query(v, prefix ? "#{prefix}[#{k}]" : k)
         end.flatten.sort
       else
-        [escape(prefix), escape(value)] * "="
+        [escape(prefix), escape(value)].join("=")
       end
     end
 
@@ -86,16 +116,16 @@ module OAuth
     #
     def parse_header(header)
       # decompose
-      params = header[6,header.length].split(/[,=&]/)
+      params = header[6, header.length].split(/[,=&]/)
 
       # odd number of arguments - must be a malformed header.
-      raise OAuth::Problem.new("Invalid authorization header") if params.size % 2 != 0
+      raise OAuth::Problem, "Invalid authorization header" if params.size.odd?
 
       params.map! do |v|
         # strip and unescape
         val = unescape(v.strip)
         # strip quotes
-        val.sub(/^\"(.*)\"$/, '\1')
+        val.sub(/^"(.*)"$/, '\1')
       end
 
       # convert into a Hash

data/lib/oauth/oauth.rb

@@ -1,13 +1,37 @@
+# frozen_string_literal: true
+
 module OAuth
-  # request tokens are passed between the consumer and the provider out of
-  # band (i.e. callbacks cannot be used), per section 6.1.1
+  # Out-Of-Band callback token value.
+  # OAuth 1.0 and 1.0a both support out-of-band flows, where callbacks cannot be used.
+  # See RFC 5849 (OAuth 1.0), Section 6.1.1: Obtaining an Unauthorized Request Token
+  # and the 1.0a errata. Providers treating "oob" as the callback URL indicate that
+  # the verifier (for 1.0a) will be communicated out of band to the Consumer.
   OUT_OF_BAND = "oob"
 
-  # required parameters, per sections 6.1.1, 6.3.1, and 7
-  PARAMETERS = %w(oauth_callback oauth_consumer_key oauth_token
-    oauth_signature_method oauth_timestamp oauth_nonce oauth_verifier
-    oauth_version oauth_signature oauth_body_hash)
+  # OAuth parameter keys this library recognizes when normalizing/signing requests.
+  # Notes on 1.0 vs 1.0a:
+  # - oauth_verifier: Introduced by OAuth 1.0a. Returned to the Consumer after user
+  #   authorization and required when exchanging a Request Token for an Access Token
+  #   (Section 6.3.1 in RFC 5849 / 1.0a change).
+  # - oauth_callback: Present in 1.0; 1.0a clarified that the Consumer MUST send it when
+  #   obtaining a Request Token (or use "oob") and that the Service Provider MUST return
+  #   oauth_callback_confirmed=true with the Request Token response to prevent session
+  #   fixation attacks. Note that oauth_callback_confirmed is a response parameter, not
+  #   a request signing parameter, and thus is not listed here.
+  # Other keys are common to both 1.0 and 1.0a.
+  PARAMETERS = %w[
+    oauth_callback
+    oauth_consumer_key
+    oauth_token
+    oauth_signature_method
+    oauth_timestamp
+    oauth_nonce
+    oauth_verifier
+    oauth_version
+    oauth_signature
+    oauth_body_hash
+  ].freeze
 
   # reserved character regexp, per section 5.1
-  RESERVED_CHARACTERS = /[^a-zA-Z0-9\-\.\_\~]/
+  RESERVED_CHARACTERS = /[^a-zA-Z0-9\-._~]/.freeze
 end

data/lib/oauth/oauth_test_helper.rb

@@ -1,5 +1,7 @@
-require 'action_controller'
-require 'action_controller/test_process'
+# frozen_string_literal: true
+
+require "action_controller"
+require "action_controller/test_process"
 
 module OAuth
   module OAuthTestHelper
@@ -8,7 +10,7 @@ module OAuth
       incoming.request_uri = request.path
       incoming.host = request.uri.host
       incoming.env["SERVER_PORT"] = request.uri.port
-      incoming.env['REQUEST_METHOD'] = request.http_method
+      incoming.env["REQUEST_METHOD"] = request.http_method
       incoming
     end
 
@@ -18,7 +20,7 @@ module OAuth
       incoming.host = request.uri.host
       incoming.env["HTTP_AUTHORIZATION"] = request.to_auth_string
       incoming.env["SERVER_PORT"] = request.uri.port
-      incoming.env['REQUEST_METHOD'] = request.http_method
+      incoming.env["REQUEST_METHOD"] = request.http_method
       incoming
     end
   end

data/lib/oauth/optional.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module OAuth
+  # Helpers for optional, lazily loaded integrations.
+  module Optional
+    class << self
+      # Try to load EventMachine HTTP client support provided by em-http-request.
+      #
+      # Returns true if available, false if the dependency is not installed.
+      # Never raises LoadError.
+      def em_http_available?
+        # em-http-request provides "em-http" entrypoint
+        require "em-http"
+        true
+      rescue LoadError
+        false
+      end
+    end
+  end
+end

data/lib/oauth/request_proxy/action_controller_request.rb

@@ -1,90 +1,72 @@
-require 'active_support'
-require "active_support/version"
-require 'action_controller'
-require 'uri'
+# frozen_string_literal: true
 
-if
-  Gem::Version.new(ActiveSupport::VERSION::STRING) < Gem::Version.new("3")
-then # rails 2.x
-  require 'action_controller/request'
-  unless ActionController::Request::HTTP_METHODS.include?("patch")
-    ActionController::Request::HTTP_METHODS << "patch"
-    ActionController::Request::HTTP_METHOD_LOOKUP["PATCH"] = :patch
-    ActionController::Request::HTTP_METHOD_LOOKUP["patch"] = :patch
-  end
+require "active_support"
+require "action_controller"
+require "uri"
 
-elsif
-  Gem::Version.new(ActiveSupport::VERSION::STRING) < Gem::Version.new("4")
-then # rails 3.x
-  require 'action_dispatch/http/request'
-  unless ActionDispatch::Request::HTTP_METHODS.include?("patch")
-    ActionDispatch::Request::HTTP_METHODS << "patch"
-    ActionDispatch::Request::HTTP_METHOD_LOOKUP["PATCH"] = :patch
-    ActionDispatch::Request::HTTP_METHOD_LOOKUP["patch"] = :patch
-  end
+require "action_dispatch/http/request"
 
-else # rails 4.x and later - already has patch
-  require 'action_dispatch/http/request'
-end
+module OAuth
+  module RequestProxy
+    class ActionControllerRequest < OAuth::RequestProxy::Base
+      proxies(::ActionDispatch::Request)
 
-module OAuth::RequestProxy
-  class ActionControllerRequest < OAuth::RequestProxy::Base
-    proxies(defined?(ActionDispatch::AbstractRequest) ? ActionDispatch::AbstractRequest : ActionDispatch::Request)
-
-    def method
-      request.method.to_s.upcase
-    end
+      def method
+        request.method.to_s.upcase
+      end
 
-    def uri
-      request.url
-    end
+      def uri
+        options[:uri] || request.url
+      end
 
-    def parameters
-      if options[:clobber_request]
-        options[:parameters] || {}
-      else
-        params = request_params.merge(query_params).merge(header_params)
-        params.stringify_keys! if params.respond_to?(:stringify_keys!)
-        params.merge(options[:parameters] || {})
+      def parameters
+        if options[:clobber_request]
+          options[:parameters] || {}
+        else
+          # Rails proxies should expose array-style values for params to align with
+          # historical oauth gem behavior / specs. Header params remain scalars.
+          rq = wrap_values(request_params)
+          qq = wrap_values(query_params)
+          params = rq.merge(qq).merge(header_params)
+          params.stringify_keys! if params.respond_to?(:stringify_keys!)
+          params.merge(options[:parameters] || {})
+        end
       end
-    end
 
-    # Override from OAuth::RequestProxy::Base to avoid roundtrip
-    # conversion to Hash or Array and thus preserve the original
-    # parameter names
-    def parameters_for_signature
-      params = []
-      params << options[:parameters].to_query if options[:parameters]
+      # Override from OAuth::RequestProxy::Base to avoid round-trip
+      # conversion to Hash or Array and thus preserve the original
+      # parameter names
+      def parameters_for_signature
+        params = []
+        params << options[:parameters].to_query if options[:parameters]
 
-      unless options[:clobber_request]
-        params << header_params.to_query
-        params << request.query_string unless query_string_blank?
+        unless options[:clobber_request]
+          params << header_params.to_query
+          params << request.query_string unless query_string_blank?
 
-        if raw_post_signature?
-          params << request.raw_post
+          params << request.raw_post if raw_post_signature?
         end
-      end
 
-      params.
-        join('&').split('&').
-        reject { |s| s.match(/\A\s*\z/) }.
-        map { |p| p.split('=').map{|esc| CGI.unescape(esc)} }.
-        reject { |kv| kv[0] == 'oauth_signature'}
-    end
+        params
+          .join("&").split("&")
+          .reject { |s| s.match(/\A\s*\z/) }
+          .map { |p| p.split("=").map { |esc| CGI.unescape(esc) } }
+          .reject { |kv| kv[0] == "oauth_signature" }
+      end
 
-    def raw_post_signature?
-      (request.post? || request.put?) && request.content_type.to_s.downcase.start_with?("application/x-www-form-urlencoded")
-    end
+      def raw_post_signature?
+        (request.post? || request.put?) && request.content_type.to_s.downcase.start_with?("application/x-www-form-urlencoded")
+      end
 
-  protected
+      protected
 
-    def query_params
-      request.query_parameters
-    end
+      def query_params
+        request.query_parameters
+      end
 
-    def request_params
-      request.request_parameters
+      def request_params
+        request.request_parameters
+      end
     end
-
   end
 end

data/lib/oauth/request_proxy/action_dispatch_request.rb

@@ -1,7 +1,45 @@
-require 'oauth/request_proxy/rack_request'
+# frozen_string_literal: true
 
-module OAuth::RequestProxy
-  class ActionDispatchRequest < OAuth::RequestProxy::RackRequest
-    proxies ActionDispatch::Request
+require "oauth/request_proxy/rack_request"
+
+module OAuth
+  module RequestProxy
+    class ActionDispatchRequest < OAuth::RequestProxy::RackRequest
+      proxies ::ActionDispatch::Request
+
+      # Prefer the explicitly provided URI, which carries scheme/host info
+      # when ActionDispatch env may be minimal in tests.
+      def uri
+        options[:uri] || super
+      end
+
+      # Rails' ActionDispatch proxy should expose array-style parameters
+      # for request/query params to align with legacy oauth gem expectations.
+      def parameters
+        if options[:clobber_request]
+          options[:parameters] || {}
+        else
+          rq = wrap_values(request_params)
+          qq = wrap_values(query_params)
+          params = rq.merge(qq).merge(header_params)
+          params.merge(options[:parameters] || {})
+        end
+      end
+
+      protected
+
+      def query_params
+        # ActionDispatch::Request responds to GET
+        request.GET
+      end
+
+      def request_params
+        if request.content_type && request.content_type.to_s.downcase.start_with?("application/x-www-form-urlencoded")
+          request.POST
+        else
+          {}
+        end
+      end
+    end
   end
 end