Allow OAuth1 callback to specify query string parameters #2404

Closed
wants to merge 3 commits into from

@mitar mitar commented Aug 14, 2014

They are then parsed and provided to the underlying HTTP package. We have to parse them so that signing of requests works properly. In addition, the nonce used in the request is stored in the response so that the user can verify JWT payloads returned from the server.

mitar commented Aug 14, 2014

This is needed to support OAuth integration with MediaWiki/Wikipedia: https://github.com/mitar/bib2wikidata/tree/master/packages (Just imagine Wikipedia bots written in Meteor. ;-) )

var tokens = querystring.parse(response.content);

if (!tokens.oauth_token || !tokens.oauth_token_secret)
throw new Error(
"missing oauth token or secret", tokens);
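
Review bot: in the `throw new Error(...)` call, `tokens` is passed as a second constructor argument, which `Error` does not append to the message, so the thrown error carries only the fixed string and none of the response detail. If server detail is wanted for debugging, build it into the message string explicitly and leave `oauth_token` and `oauth_token_secret` out of it.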

Contributor

Let's not include tokens in the error string; in case one of them is present, we probably don't want it appearing in server logs.

Contributor Author

On the other hand, any error message from the server is in response.content. It is quite useful for debugging. (So maybe we should display response.content if neither tokens.oauth_token nor tokens.oauth_token is available.)

Contributor

That sounds reasonable to me.
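
The compromise reached in the comments above, as an added example that is not code from this pull request: the provider's response body goes into the error only when it carries no token material, and is withheld otherwise. `parseTokenResponse`, `failureMessage` and the 200-character cap are assumptions of this sketch, and the sample bodies in the comments are constructed.

```javascript
// Added example, not Meteor's code. Function names are hypothetical.
const MAX_DETAIL = 200; // assumed cap so a large error page cannot flood logs

function parseTokenResponse(content) {
  const body = String(content);
  const tokens = Object.fromEntries(new URLSearchParams(body));
  if (tokens.oauth_token && tokens.oauth_token_secret) return tokens;

  // If the body mentions a token field in any form (form-encoded, JSON,
  // partial pair), treat it as sensitive and keep it out of the error.
  if (/oauth_token/i.test(body)) {
    throw new Error('incomplete oauth token response (body withheld)');
  }
  // No token material at all: the body is the provider's error text,
  // which is what the developer needs for debugging.
  throw new Error('missing oauth token or secret: ' +
    body.slice(0, MAX_DETAIL));
}

// Returns the error message for a body, or null when parsing succeeds.
// Constructed inputs:
//   'oauth_problem=signature_invalid' -> message includes the body
//   'oauth_token_secret=sec456'       -> message withholds the body
function failureMessage(content) {
  try {
    parseTokenResponse(content);
    return null;
  } catch (e) {
    return e.message;
  }
}
```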

mitar commented Aug 20, 2014

Meta-question: do you want me to add a new commit on top of existing, or to edit and squash them together into one?

callback(error, response);
});
// We store nonce so that JWTs can be validated
response.nonce = headers.oauth_nonce;

Contributor

response will be undefined here if callback is passed.

@estark37
Contributor

Thanks @mitar! New commit would be great, and then we might squash it before merging.

mitar commented Aug 20, 2014

Tell me when you are done with the review, so that I can get to it. :-)

@estark37
Contributor

Done for now :)

mitar commented Aug 20, 2014

Done.

// (they are now in params)
parsedUrl.query = {};
parsedUrl.search = '';
url = urlModule.format(parsedUrl);

Contributor

Hrm... this doesn't look right to me. For a GET request, we don't necessarily want to wipe out the query parameters. (In fact, we probably don't want to.) Can we put this in a helper function instead and only use it where we are sure we want this behavior? (i.e. prepareRequestToken and prepareAccessToken)

Contributor Author

We are not removing the query parameter, params add it back then?

Contributor Author

Dictionary of request parameters to be encoded and placed in the URL (for GETs) or request body (for POSTs). If content or data is specified, params will always be placed in the URL.

Contributor

Oh got it, okay! Sounds good

Contributor Author

The reason is also that one might want to use the same API for doing API requests then to the server, but that is also signed and OAuth1 wrapped.
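
Why the query string has to be parsed before signing, as an added example that is not code from this pull request: in OAuth1 (RFC 5849) the signed URL excludes the query, and the query parameters are signed as part of the sorted parameter set, so they must be moved from the URL into the params. The function names are hypothetical, the host `wiki.example` and all values are constructed, and only the signature base string is built (no HMAC step).

```javascript
// Added example, not Meteor's code. Function names are hypothetical.

// RFC 3986 percent-encoding: encodeURIComponent leaves !'()* untouched,
// but OAuth1 requires them to be encoded.
function pct(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Move query-string parameters out of the URL and into the params object,
// so each one is signed once and sent once. On a name clash the URL value
// wins (an assumption of this sketch).
function splitQuery(rawUrl, params) {
  const u = new URL(rawUrl);
  const merged = Object.assign({}, params);
  for (const [k, v] of u.searchParams) merged[k] = v;
  u.search = '';
  return { url: u.toString(), params: merged };
}

// Signature base string: METHOD & enc(base URL) & enc(sorted name=value pairs).
// Simplification: one value per parameter name.
function signatureBaseString(method, rawUrl, oauthParams) {
  const { url, params } = splitQuery(rawUrl, oauthParams);
  const normalized = Object.keys(params)
    .filter(k => k !== 'oauth_signature')
    .map(k => [pct(k), pct(String(params[k]))])
    // Sort on the encoded name, not on the joined "name=value" string,
    // otherwise "a1=2" would sort before "a=1".
    .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0))
    .map(pair => pair.join('='))
    .join('&');
  return [method.toUpperCase(), pct(url), pct(normalized)].join('&');
}
```

If the `title` parameter were left in the URL and not in the signed set, the server would compute a different base string and reject the signature.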

mitar commented Aug 22, 2014

Updated code style. Also in a few other places. I hope it is OK.

@estark37
Contributor

Thanks, merged.

@estark37 estark37 closed this Aug 22, 2014
mitar commented Aug 22, 2014

Great! Thanks!

@mitar mitar deleted the oauth1-params branch August 22, 2014 16:56
abernix referenced this pull request Oct 17, 2016