preserve sorted parameters - allows working with JIRA #48

Merged
merged 4 commits into from May 7, 2017

@asharpe-squiz
Contributor

asharpe-squiz commented May 3, 2017

@ddo


Owner

ddo commented May 3, 2017

ty.

it's called at line 134 and line 136 also.

@asharpe-squiz


Contributor

asharpe-squiz commented May 3, 2017

I believe those calls have already been dealt with. Please check the diff again and let me know.

@asharpe-squiz


Contributor

asharpe-squiz commented May 5, 2017

Tested this code against JIRA 6 and it's working

@ddo


Owner

ddo commented May 5, 2017

please check the new commit, then we can merge this PR

@asharpe-squiz


Contributor

asharpe-squiz commented May 6, 2017

That's great! I added one more change to stop parameters like "x_custom_oauth_thing" getting into the Authorization header

@ddo ddo merged commit d2defec into ddo:master May 7, 2017

1 check passed

semaphoreci: The build passed on Semaphore.
@ddo


Owner

ddo commented May 7, 2017

ty

@gits2501


gits2501 commented May 25, 2017

I'm sorry to interrupt your pull request thread, but as far as I understand, you're offering the option of your library working directly in the browser. This means that the consumer secret and key, which are supposed to be private, are hard-coded into the script (fed in as a plain JavaScript object with plain-text strings as the secret and the key). That means I could:

  • visit a website that uses your library,
  • examine the script that uses your library and copy-paste the consumer secret and key,
  • make an exact copy of the site I visited,
  • and since I have that website's/app's consumer key and secret, I can make valid requests for tokens,
  • and take very dishonest actions towards the user pool of the site I faked.

As far as I know, Twitter, for example, does not enforce callback URLs to be the same. Meaning that after I make a fake site and a user approves my request to act in their name, the callback URL that Twitter redirects that user to can be anything, because the callback is set dynamically through JavaScript in the request-token step.
Am I missing something here?!


@gits2501


gits2501 commented May 25, 2017

How does this have anything to do with CORS? It has to do with a JavaScript object that stores the consumer secret and key as plain text. CORS is security against accessing resources across domains that do not support at least JSONP, or when the server does not emit an "Access-Control-Allow-Origin: *" header. Twitter assigns you your consumer secret when you make your website/app account on Twitter, and you use it to make authenticated requests to the Twitter API; in other words, the secret allows you to use the API in the name of your app and the users of your app. That's the whole point; no CORS restriction applies. Your consumer secret is no secret when I can get it merely by inspecting the code in the browser.

I think you should add another line to your README.md where you state this clearly.

@ddo


Owner

ddo commented May 26, 2017

ty, PR is welcome.
