From bb5618856237e63c3cb37534b7a8b738d518801b Mon Sep 17 00:00:00 2001
From: Jerry Ryle
Date: Wed, 7 Jun 2023 11:52:49 -0700
Subject: [PATCH] Fix HMAC-SHA1 key creation.

Per the OAuth 1.0 spec (https://oauth.net/core/1.0a/#anchor15), the consumer secret and the tokenSecret both need to be parameter-encoded before being concatenated with the "&". This change performs this encoding with PercentEncode(). Without this change, OAuth would fail for services that include special characters in either the Consumer secret or the Request Token secret, but would succeed for services that did not. Specifically, this fix allows this library to be used with the etrade API, which does include special characters in the Request Token secret.
---
 signer.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/signer.go b/signer.go
index 2f8ac5e..963aa5a 100644
--- a/signer.go
+++ b/signer.go
@@ -32,7 +32,7 @@ func (s *HMACSigner) Name() string {
 }

 func hmacSign(consumerSecret, tokenSecret, message string, algo func() hash.Hash) (string, error) {
- signingKey := strings.Join([]string{consumerSecret, tokenSecret}, "&")
+ signingKey := strings.Join([]string{PercentEncode(consumerSecret), PercentEncode(tokenSecret)}, "&")
 mac := hmac.New(algo, []byte(signingKey))
 mac.Write([]byte(message))
 signatureBytes := mac.Sum(nil)
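Review bot: The new `signingKey` line has no comment, and the diffstat shows only signer.go changed, so no test pins the key construction this fix depends on. Above that line I would add `// RFC 5849 §3.4.2: key = PercentEncode(consumerSecret) + "&" + PercentEncode(tokenSecret); encoding keeps a "&" inside a secret from shifting the key boundary.` I would also add a regression test that signs with constructed secrets containing `&`, `%` and a space, and compares the result with a known-good signature. PercentEncode is defined outside this hunk, so confirm it escapes every byte outside the RFC 3986 unreserved set (a space as `%20`, not `+`), otherwise the derived key will still differ from the server's. The body of hmacSign continues past the last line shown.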