get_parameters returns all params, not just oauth_ ones

[duncanjbrown]

I use nginx, and I have a line in my nginx.conf that looks like this:

try_files $uri $uri/ /index.php?q=$uri&$args; 

This means that when my OAuth client hits /oauth1/request, WP receives a q parameter as well as the usual OAuth params. Because WP_JSON_Authentication_OAuth1::get_parameters doesn't strip it out, it's an automatic 401 from the plugin because the signature doesn't match.

I fixed it by unsetting $params['q'] before get_parameters returns. Obviously this won't work in all cases, so I attempted a patch that stripped all params that weren't in

$param_names = array(
            'oauth_consumer_key',
            'oauth_timestamp',
            'oauth_nonce',
            'oauth_signature',
            'oauth_signature_method'
        );

but that caused some other issue. Happy to investigate further if this is considered worth fixing.

[rmccue]

This is correct; the way that OAuth signatures work is by signing the entire request. I'm not sure why you have that line in your nginx.conf (it's certainly not required for WP), but you can fix it on the PHP side by doing unset( $_GET['q'] ) if you're unable to change nginx.

[sftsk]

Hello,

just got into the same problem. The mentioned setup for NGINX is needed so WordPress will work behind a Load Balancer under certain circumstances.

Unfortunately it can't be changed. I do not want to unset unset( $_GET['q'] ) globally like mentioned by you as it might break things in other places.

Wouldn't it be possible to provide a filter/ hook to the parameters you are using so that they could be changed for nginx?

Right now I've added this unset($params['q']); after $params = array_merge( $params, $oauth_params ); and it seems to work but I would prefer not to "hack" the plugin.

Thank you for your help and the great plugin!