oauth 1.1.0 → 1.1.1

data/lib/oauth/consumer.rb

@@ -19,8 +19,11 @@ module OAuth
     end
 
     unless defined?(CA_FILE)
-      CA_FILES = %w[/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
-                    /usr/share/curl/curl-ca-bundle.crt].freeze
+      CA_FILES = %w[
+        /etc/ssl/certs/ca-certificates.crt
+        /etc/pki/tls/certs/ca-bundle.crt
+        /usr/share/curl/curl-ca-bundle.crt
+      ].freeze
       CA_FILES.each do |ca_file|
         if File.exist?(ca_file)
           CA_FILE = ca_file
@@ -70,12 +73,12 @@ module OAuth
         # spec. Possible values are true and false
         body_hash_enabled: true,
 
-        oauth_version: "1.0"
-      }
+        oauth_version: "1.0",
+      },
     )
 
     attr_accessor :options, :key, :secret
-    attr_writer   :site, :http
+    attr_writer :site, :http
 
     # Create a new consumer instance by passing it a configuration hash:
     #
@@ -101,7 +104,7 @@ module OAuth
     #   @photos=@access_token.get('/photos.xml')
     #
     def initialize(consumer_key, consumer_secret, options = {})
-      @key    = consumer_key
+      @key = consumer_key
       @secret = consumer_secret
 
       # ensure that keys are symbols
@@ -116,12 +119,12 @@ module OAuth
 
     def debug_output
       @debug_output ||= case @options[:debug_output]
-                        when nil, false
-                        when true
-                          $stdout
-                        else
-                          @options[:debug_output]
-                        end
+      when nil, false
+      when true
+        $stdout
+      else
+        @options[:debug_output]
+      end
     end
 
     # The HTTP object for the site. The HTTP Object is what you get when you do Net::HTTP.new
@@ -132,51 +135,93 @@ module OAuth
     # Contains the root URI for this site
     def uri(custom_uri = nil)
       if custom_uri
-        @uri  = custom_uri
+        @uri = custom_uri
         @http = create_http # yike, oh well. less intrusive this way
       else # if no custom passed, we use existing, which, if unset, is set to site uri
         @uri ||= URI.parse(site)
       end
     end
 
+    # Exchanges a verified Request Token for an Access Token.
+    #
+    # OAuth 1.0 vs 1.0a:
+    # - 1.0a requires including oauth_verifier (as returned by the Provider after
+    #   user authorization) when performing this exchange in a 3‑legged flow.
+    # - 1.0 flows did not include oauth_verifier.
+    #
+    # Usage (3‑legged):
+    #   access_token = request_token.get_access_token(oauth_verifier: params[:oauth_verifier])
+    #
+    # @param request_token [OAuth::RequestToken] The authorized request token
+    # @param request_options [Hash] OAuth or request options (include :oauth_verifier for 1.0a)
+    # @param arguments [Array] Optional POST body and headers
+    # @yield [response_body] If a block is given, yields the raw response body.
+    # @return [OAuth::AccessToken]
     def get_access_token(request_token, request_options = {}, *arguments, &block)
-      response = token_request(http_method, (access_token_url? ? access_token_url : access_token_path), request_token,
-                               request_options, *arguments, &block)
+      response = token_request(
+        http_method,
+        (access_token_url? ? access_token_url : access_token_path),
+        request_token,
+        request_options,
+        *arguments,
+        &block
+      )
       OAuth::AccessToken.from_hash(self, response)
     end
 
     # Makes a request to the service for a new OAuth::RequestToken
     #
-    #  @request_token = @consumer.get_request_token
+    # Example:
+    #   @request_token = @consumer.get_request_token
     #
     # To include OAuth parameters:
-    #
-    #  @request_token = @consumer.get_request_token \
-    #    :oauth_callback => "http://example.com/cb"
+    #   @request_token = @consumer.get_request_token(
+    #     oauth_callback: "http://example.com/cb"
+    #   )
     #
     # To include application-specific parameters:
+    #   @request_token = @consumer.get_request_token({}, foo: "bar")
     #
-    #  @request_token = @consumer.get_request_token({}, :foo => "bar")
+    # OAuth 1.0 vs 1.0a:
+    # - In 1.0a, the Consumer SHOULD send oauth_callback when obtaining a request token
+    #   (or explicitly use OUT_OF_BAND) and the Provider MUST include
+    #   oauth_callback_confirmed=true in the response.
+    # - This library defaults oauth_callback to OUT_OF_BAND ("oob") when not provided,
+    #   which works for both 1.0 and 1.0a, and mirrors common provider behavior.
+    # - The oauth_callback_confirmed response is parsed by the token classes; it is not
+    #   part of the signature base string and thus is not signed.
     #
-    # TODO oauth_callback should be a mandatory parameter
+    # TODO: In a future major release, oauth_callback may be made mandatory unless
+    #       request_options[:exclude_callback] is set, to reflect 1.0a guidance.
+    #
+    # @param request_options [Hash] OAuth options for the request. Notably
+    #   :oauth_callback can be set to a URL, or OAuth::OUT_OF_BAND ("oob").
+    # @param arguments [Array] Optional POST body and headers
+    # @yield [response_body] If a block is given, yields the raw response body.
+    # @return [OAuth::RequestToken]
     def get_request_token(request_options = {}, *arguments, &block)
       # if oauth_callback wasn't provided, it is assumed that oauth_verifiers
       # will be exchanged out of band
       request_options[:oauth_callback] ||= OAuth::OUT_OF_BAND unless request_options[:exclude_callback]
 
       response = if block
-                   token_request(
-                     http_method,
-                     (request_token_url? ? request_token_url : request_token_path),
-                     nil,
-                     request_options,
-                     *arguments,
-                     &block
-                   )
-                 else
-                   token_request(http_method, (request_token_url? ? request_token_url : request_token_path), nil,
-                                 request_options, *arguments)
-                 end
+        token_request(
+          http_method,
+          (request_token_url? ? request_token_url : request_token_path),
+          nil,
+          request_options,
+          *arguments,
+          &block
+        )
+      else
+        token_request(
+          http_method,
+          (request_token_url? ? request_token_url : request_token_path),
+          nil,
+          request_options,
+          *arguments,
+        )
+      end
       OAuth::RequestToken.from_hash(self, response)
     end
 
@@ -191,23 +236,23 @@ module OAuth
     #   @consumer.request(:post, '/people', @token, {}, @person.to_xml, { 'Content-Type' => 'application/xml' })
     #
     def request(http_method, path, token = nil, request_options = {}, *arguments)
-      unless %r{^/}.match?(path)
+      unless %r{^/} =~ path
         @http = create_http(path)
         _uri = URI.parse(path)
-        path = "#{_uri.path}#{_uri.query ? "?#{_uri.query}" : ""}"
+        path = "#{_uri.path}#{"?#{_uri.query}" if _uri.query}"
       end
 
       # override the request with your own, this is useful for file uploads which Net::HTTP does not do
       req = create_signed_request(http_method, path, token, request_options, *arguments)
-      return nil if block_given? && (yield(req) == :done)
+      return if block_given? && (yield(req) == :done)
 
       rsp = http.request(req)
       # check for an error reported by the Problem Reporting extension
       # (https://wiki.oauth.net/ProblemReporting)
       # note: a 200 may actually be an error; check for an oauth_problem key to be sure
       if !(headers = rsp.to_hash["www-authenticate"]).nil? &&
-         (h = headers.grep(/^OAuth /)).any? &&
-         h.first.include?("oauth_problem")
+          (h = headers.grep(/^OAuth /)).any? &&
+          h.first.include?("oauth_problem")
 
         # puts "Header: #{h.first}"
 
@@ -247,7 +292,7 @@ module OAuth
           # TODO this also drops subsequent values from multi-valued keys
           CGI.parse(response.body).each_with_object({}) do |(k, v), h|
             h[k.strip.to_sym] = v.first
-            h[k.strip]        = v.first
+            h[k.strip] = v.first
           end
         end
       when (300..399)
@@ -286,7 +331,7 @@ module OAuth
     end
 
     def request_endpoint
-      return nil if @options[:request_endpoint].nil?
+      return if @options[:request_endpoint].nil?
 
       @options[:request_endpoint].to_s
     end
@@ -355,24 +400,30 @@ module OAuth
       _url = request_endpoint unless request_endpoint.nil?
 
       our_uri = if _url.nil? || _url[0] =~ %r{^/}
-                  URI.parse(site)
-                else
-                  your_uri = URI.parse(_url)
-                  if your_uri.host.nil?
-                    # If the _url is a path, missing the leading slash, then it won't have a host,
-                    # and our_uri *must* have a host, so we parse site instead.
-                    URI.parse(site)
-                  else
-                    your_uri
-                  end
-                end
+        URI.parse(site)
+      else
+        your_uri = URI.parse(_url)
+        if your_uri.host.nil?
+          # If the _url is a path, missing the leading slash, then it won't have a host,
+          # and our_uri *must* have a host, so we parse site instead.
+          URI.parse(site)
+        else
+          your_uri
+        end
+      end
 
       if proxy.nil?
         http_object = Net::HTTP.new(our_uri.host, our_uri.port)
       else
         proxy_uri = proxy.is_a?(URI) ? proxy : URI.parse(proxy)
-        http_object = Net::HTTP.new(our_uri.host, our_uri.port, proxy_uri.host, proxy_uri.port, proxy_uri.user,
-                                    proxy_uri.password)
+        http_object = Net::HTTP.new(
+          our_uri.host,
+          our_uri.port,
+          proxy_uri.host,
+          proxy_uri.port,
+          proxy_uri.user,
+          proxy_uri.password,
+        )
       end
 
       http_object.use_ssl = (our_uri.scheme == "https")
@@ -453,7 +504,7 @@ module OAuth
     end
 
     def marshal_dump(*_args)
-      { key: @key, secret: @secret, options: @options }
+      {key: @key, secret: @secret, options: @options}
     end
 
     def marshal_load(data)

data/lib/oauth/errors/problem.rb

@@ -7,7 +7,7 @@ module OAuth
     def initialize(problem, request = nil, params = {})
       super(request)
       @problem = problem
-      @params  = params
+      @params = params
     end
 
     def to_s

data/lib/oauth/helper.rb

@@ -18,11 +18,33 @@ module OAuth
     end
 
     def _escape(string)
-      URI::DEFAULT_PARSER.escape(string, OAuth::RESERVED_CHARACTERS)
+      # Percent-encode per RFC 3986 (unreserved: A-Z a-z 0-9 - . _ ~)
+      # Encode by byte to ensure stable behavior across Ruby versions and encodings.
+      bytes = string.to_s.b.bytes
+      bytes.map do |b|
+        ch = b.chr
+        if ch =~ OAuth::RESERVED_CHARACTERS
+          "%%%02X" % b
+        else
+          ch
+        end
+      end.join
     end
 
     def unescape(value)
-      URI::DEFAULT_PARSER.unescape(value.gsub("+", "%2B"))
+      # Do NOT treat "+" as space; OAuth treats '+' as a literal plus unless percent-encoded.
+      str = value.to_s.gsub("+", "%2B")
+      # Decode %HH sequences; leave malformed sequences intact.
+      decoded = str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).to_i(16).chr }
+      # Prefer UTF-8 when the decoded bytes form valid UTF-8; otherwise, return as binary.
+      begin
+        utf8 = decoded.dup
+        utf8.force_encoding(Encoding::UTF_8)
+        decoded = utf8 if utf8.valid_encoding?
+      rescue NameError
+        # Older Rubies without Encoding constants: keep original encoding.
+      end
+      decoded
     end
 
     # Generate a random key of up to +size+ bytes. The value returned is Base64 encoded with non-word
@@ -31,7 +53,7 @@ module OAuth
       Base64.encode64(OpenSSL::Random.random_bytes(size)).gsub(/\W/, "")
     end
 
-    alias generate_nonce generate_key
+    alias_method :generate_nonce, :generate_key
 
     def generate_timestamp # :nodoc:
       Time.now.to_i.to_s

data/lib/oauth/oauth.rb

@@ -1,14 +1,36 @@
 # frozen_string_literal: true
 
 module OAuth
-  # request tokens are passed between the consumer and the provider out of
-  # band (i.e. callbacks cannot be used), per section 6.1.1
+  # Out-Of-Band callback token value.
+  # OAuth 1.0 and 1.0a both support out-of-band flows, where callbacks cannot be used.
+  # See RFC 5849 (OAuth 1.0), Section 6.1.1: Obtaining an Unauthorized Request Token
+  # and the 1.0a errata. Providers treating "oob" as the callback URL indicate that
+  # the verifier (for 1.0a) will be communicated out of band to the Consumer.
   OUT_OF_BAND = "oob"
 
-  # required parameters, per sections 6.1.1, 6.3.1, and 7
-  PARAMETERS = %w[oauth_callback oauth_consumer_key oauth_token
-                  oauth_signature_method oauth_timestamp oauth_nonce oauth_verifier
-                  oauth_version oauth_signature oauth_body_hash].freeze
+  # OAuth parameter keys this library recognizes when normalizing/signing requests.
+  # Notes on 1.0 vs 1.0a:
+  # - oauth_verifier: Introduced by OAuth 1.0a. Returned to the Consumer after user
+  #   authorization and required when exchanging a Request Token for an Access Token
+  #   (Section 6.3.1 in RFC 5849 / 1.0a change).
+  # - oauth_callback: Present in 1.0; 1.0a clarified that the Consumer MUST send it when
+  #   obtaining a Request Token (or use "oob") and that the Service Provider MUST return
+  #   oauth_callback_confirmed=true with the Request Token response to prevent session
+  #   fixation attacks. Note that oauth_callback_confirmed is a response parameter, not
+  #   a request signing parameter, and thus is not listed here.
+  # Other keys are common to both 1.0 and 1.0a.
+  PARAMETERS = %w[
+    oauth_callback
+    oauth_consumer_key
+    oauth_token
+    oauth_signature_method
+    oauth_timestamp
+    oauth_nonce
+    oauth_verifier
+    oauth_version
+    oauth_signature
+    oauth_body_hash
+  ].freeze
 
   # reserved character regexp, per section 5.1
   RESERVED_CHARACTERS = /[^a-zA-Z0-9\-._~]/.freeze

data/lib/oauth/optional.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module OAuth
+  # Helpers for optional, lazily loaded integrations.
+  module Optional
+    class << self
+      # Try to load EventMachine HTTP client support provided by em-http-request.
+      #
+      # Returns true if available, false if the dependency is not installed.
+      # Never raises LoadError.
+      def em_http_available?
+        # em-http-request provides "em-http" entrypoint
+        require "em-http"
+        true
+      rescue LoadError
+        false
+      end
+    end
+  end
+end

data/lib/oauth/request_proxy/action_controller_request.rb

@@ -16,14 +16,18 @@ module OAuth
       end
 
       def uri
-        request.url
+        options[:uri] || request.url
       end
 
       def parameters
         if options[:clobber_request]
           options[:parameters] || {}
         else
-          params = request_params.merge(query_params).merge(header_params)
+          # Rails proxies should expose array-style values for params to align with
+          # historical oauth gem behavior / specs. Header params remain scalars.
+          rq = wrap_values(request_params)
+          qq = wrap_values(query_params)
+          params = rq.merge(qq).merge(header_params)
           params.stringify_keys! if params.respond_to?(:stringify_keys!)
           params.merge(options[:parameters] || {})
         end
@@ -43,11 +47,11 @@ module OAuth
           params << request.raw_post if raw_post_signature?
         end
 
-        params.
-          join("&").split("&").
-          reject { |s| s.match(/\A\s*\z/) }.
-          map { |p| p.split("=").map { |esc| CGI.unescape(esc) } }.
-          reject { |kv| kv[0] == "oauth_signature" }
+        params
+          .join("&").split("&")
+          .reject { |s| s.match(/\A\s*\z/) }
+          .map { |p| p.split("=").map { |esc| CGI.unescape(esc) } }
+          .reject { |kv| kv[0] == "oauth_signature" }
       end
 
       def raw_post_signature?

data/lib/oauth/request_proxy/action_dispatch_request.rb

@@ -6,6 +6,47 @@ module OAuth
   module RequestProxy
     class ActionDispatchRequest < OAuth::RequestProxy::RackRequest
       proxies ::ActionDispatch::Request
+
+      # Prefer the explicitly provided URI, which carries scheme/host info
+      # when ActionDispatch env may be minimal in tests.
+      def uri
+        options[:uri] || super
+      end
+
+      # Rails' ActionDispatch proxy should expose array-style parameters
+      # for request/query params to align with legacy oauth gem expectations.
+      def parameters
+        if options[:clobber_request]
+          options[:parameters] || {}
+        else
+          rq = wrap_values(request_params)
+          qq = wrap_values(query_params)
+          params = rq.merge(qq).merge(header_params)
+          params.merge(options[:parameters] || {})
+        end
+      end
+
+      protected
+
+      def query_params
+        # ActionDispatch::Request responds to GET
+        request.GET
+      end
+
+      def request_params
+        if request.content_type && request.content_type.to_s.downcase.start_with?("application/x-www-form-urlencoded")
+          request.POST
+        else
+          {}
+        end
+      end
+
+      def wrap_values(hash)
+        return {} unless hash
+        hash.each_with_object({}) do |(k, v), acc|
+          acc[k] = (v.is_a?(Array) || v.nil?) ? v : [v]
+        end
+      end
     end
   end
 end

data/lib/oauth/request_proxy/base.rb

@@ -56,6 +56,9 @@ module OAuth
         parameters["oauth_token"]
       end
 
+      # OAuth 1.0a only: value returned to the Consumer after user authorization
+      # and required when exchanging a Request Token for an Access Token.
+      # Not present in OAuth 1.0 flows.
       def oauth_verifier
         parameters["oauth_verifier"]
       end
@@ -65,12 +68,12 @@ module OAuth
       end
 
       # TODO: deprecate these
-      alias consumer_key oauth_consumer_key
-      alias token oauth_token
-      alias nonce oauth_nonce
-      alias timestamp oauth_timestamp
-      alias signature oauth_signature
-      alias signature_method oauth_signature_method
+      alias_method :consumer_key, :oauth_consumer_key
+      alias_method :token, :oauth_token
+      alias_method :nonce, :oauth_nonce
+      alias_method :timestamp, :oauth_timestamp
+      alias_method :signature, :oauth_signature
+      alias_method :signature_method, :oauth_signature_method
 
       ## Parameter accessors
 
@@ -97,7 +100,7 @@ module OAuth
       # See 9.1.2 in specs
       def normalized_uri
         u = URI.parse(uri)
-        "#{u.scheme.downcase}://#{u.host.downcase}#{(u.scheme.casecmp("http").zero? && u.port != 80) || (u.scheme.casecmp("https").zero? && u.port != 443) ? ":#{u.port}" : ""}#{u.path && u.path != "" ? u.path : "/"}"
+        "#{u.scheme.downcase}://#{u.host.downcase}#{":#{u.port}" if (u.scheme.casecmp("http").zero? && u.port != 80) || (u.scheme.casecmp("https").zero? && u.port != 443)}#{(u.path && u.path != "") ? u.path : "/"}"
       end
 
       # See 9.1.1. in specs Normalize Request Parameters
@@ -130,14 +133,14 @@ module OAuth
       def signed_uri(with_oauth: true)
         if signed?
           params = if with_oauth
-                     parameters
-                   else
-                     non_oauth_parameters
-                   end
+            parameters
+          else
+            non_oauth_parameters
+          end
 
           [uri, normalize(params)].join("?")
         else
-          warn "This request has not yet been signed!"
+          warn("This request has not yet been signed!")
         end
       end
 

data/lib/oauth/request_proxy/em_http_request.rb

@@ -1,74 +1,75 @@
 # frozen_string_literal: true
 
 require "oauth/request_proxy/base"
-# em-http also uses adddressable so there is no need to require uri.
-require "em-http"
+require "oauth/optional"
 require "cgi"
 
-module OAuth
-  module RequestProxy
-    module EventMachine
-      class HttpRequest < OAuth::RequestProxy::Base
-        # A Proxy for use when you need to sign EventMachine::HttpClient instances.
-        # It needs to be called once the client is construct but before data is sent.
-        # Also see oauth/client/em-http
-        proxies ::EventMachine::HttpClient
+if OAuth::Optional.em_http_available?
+  module OAuth
+    module RequestProxy
+      module EventMachine
+        class HttpRequest < OAuth::RequestProxy::Base
+          # A Proxy for use when you need to sign EventMachine::HttpClient instances.
+          # It needs to be called once the client is construct but before data is sent.
+          # Also see oauth/client/em-http
+          proxies ::EventMachine::HttpClient
 
-        # Request in this con
+          # Request in this con
 
-        def method
-          request.req[:method]
-        end
+          def method
+            request.req[:method]
+          end
 
-        def uri
-          request.conn.normalize.to_s
-        end
+          def uri
+            request.conn.normalize.to_s
+          end
 
-        def parameters
-          if options[:clobber_request]
-            options[:parameters]
-          else
-            all_parameters
+          def parameters
+            if options[:clobber_request]
+              options[:parameters]
+            else
+              all_parameters
+            end
           end
-        end
 
-        protected
+          protected
 
-        def all_parameters
-          merged_parameters({}, post_parameters, query_parameters, options[:parameters])
-        end
+          def all_parameters
+            merged_parameters({}, post_parameters, query_parameters, options[:parameters])
+          end
 
-        def query_parameters
-          quer = request.req[:query]
-          hash_quer = if quer.respond_to?(:merge)
-                        quer
-                      else
-                        CGI.parse(quer.to_s)
-                      end
-          CGI.parse(request.conn.query.to_s).merge(hash_quer)
-        end
+          def query_parameters
+            quer = request.req[:query]
+            hash_quer = if quer.respond_to?(:merge)
+              quer
+            else
+              CGI.parse(quer.to_s)
+            end
+            CGI.parse(request.conn.query.to_s).merge(hash_quer)
+          end
 
-        def post_parameters
-          headers = request.req[:head] || {}
-          form_encoded = headers["Content-Type"].to_s.downcase.start_with?("application/x-www-form-urlencoded")
-          if %w[POST PUT].include?(method) && form_encoded
-            CGI.parse(request.normalize_body(request.req[:body]).to_s)
-          else
-            {}
+          def post_parameters
+            headers = request.req[:head] || {}
+            form_encoded = headers["Content-Type"].to_s.downcase.start_with?("application/x-www-form-urlencoded")
+            if %w[POST PUT].include?(method) && form_encoded
+              CGI.parse(request.normalize_body(request.req[:body]).to_s)
+            else
+              {}
+            end
           end
-        end
 
-        def merged_parameters(params, *extra_params)
-          extra_params.compact.each do |params_pairs|
-            params_pairs.each_pair do |key, value|
-              if params.key?(key)
-                params[key.to_s] += value
-              else
-                params[key.to_s] = [value].flatten
+          def merged_parameters(params, *extra_params)
+            extra_params.compact.each do |params_pairs|
+              params_pairs.each_pair do |key, value|
+                if params.key?(key)
+                  params[key.to_s] += value
+                else
+                  params[key.to_s] = [value].flatten
+                end
               end
             end
+            params
           end
-          params
         end
       end
     end