From 9da7970511e787318914b79c0d1139a740bd14e5 Mon Sep 17 00:00:00 2001
From: Jerry Ryle
Date: Wed, 7 Jun 2023 11:52:49 -0700
Subject: [PATCH] Fix HMAC-SHA1 key creation.

Per the OAuth 1.0 spec (https://oauth.net/core/1.0a/#anchor15), the consumer secret and the tokenSecret both need to be parameter-encoded before being concatenated with the "&". This change performs this encoding with PercentEncode(). Without this change, OAuth would fail for services that include special characters in either the Consumer secret or the Request Token secret, but would succeed for services that did not. Specifically, this fix allows this library to be used with the etrade API, which does include special characters in the Request Token secret.
---
 signer.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/signer.go b/signer.go
index 2f8ac5e..963aa5a 100644
--- a/signer.go
+++ b/signer.go
@@ -32,7 +32,7 @@ func (s *HMACSigner) Name() string {
 }

 func hmacSign(consumerSecret, tokenSecret, message string, algo func() hash.Hash) (string, error) {
- signingKey := strings.Join([]string{consumerSecret, tokenSecret}, "&")
+ signingKey := strings.Join([]string{PercentEncode(consumerSecret), PercentEncode(tokenSecret)}, "&")
 mac := hmac.New(algo, []byte(signingKey))
 mac.Write([]byte(message))
 signatureBytes := mac.Sum(nil)
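Review bot: No test accompanies the new key construction in `hmacSign` (the diffstat lists `signer.go` only), so nothing stops a later edit from dropping the `PercentEncode` calls and reintroducing signature failures that show up only for secrets containing reserved characters. A table-driven case that uses a constructed secret such as `p&q=r` on both the consumer and the token side, checked against an independently computed HMAC, would pin the behaviour. I would also put a comment above the changed line, `// OAuth 1.0a: key = encode(consumerSecret) & encode(tokenSecret); callers must pass raw, unencoded secrets`, because any caller that pre-encoded its secrets to work around the old behaviour would presumably now be encoded twice and fail verification. `hmacSign` continues past the end of the hunk, so the rest of the signing path is not visible here.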