Skip to content

Commit

Permalink
Fix HMAC-SHA1 key creation.
Browse files Browse the repository at this point in the history
Per the OAuth 1.0 spec (https://oauth.net/core/1.0a/#anchor15), the consumer secret and the tokenSecret both need to be parameter-encoded before being concatenated with the "&". This change performs this encoding with PercentEncode().

Without this change, OAuth would fail for services that include special characters in either the Consumer secret or the Request Token secret, but would succeed for services that did not. Specifically, this fix allows this library to be used with the etrade API, which does include special characters in the Request Token secret.
  • Loading branch information
jerryryle authored and dghubble committed Aug 27, 2023
1 parent 79e2ef8 commit bb56188
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion signer.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ func (s *HMACSigner) Name() string {
}

func hmacSign(consumerSecret, tokenSecret, message string, algo func() hash.Hash) (string, error) {
signingKey := strings.Join([]string{consumerSecret, tokenSecret}, "&")
signingKey := strings.Join([]string{PercentEncode(consumerSecret), PercentEncode(tokenSecret)}, "&")
mac := hmac.New(algo, []byte(signingKey))
mac.Write([]byte(message))
signatureBytes := mac.Sum(nil)
Expand Down

0 comments on commit bb56188

Please sign in to comment.