Hello !

I've been spending days to make it work, without success...

Here is the question on Stackoverflow: http://stackoverflow.com/questions/36961045/simple-method-to-retrieve-twitter-user-timeline

& a plunker : https://plnkr.co/edit/kF9iqCOv31ZXuuy4vlSp?p=info

Thank you....

Johan

Nice work, congrats for your effort.

Some frameworks, like angularjs, encode parameters in their own core.

Therefore, using your library to calculate signatures can lead to a double encoding, making necessary to decode your encode to encode it again later.

var oauth_signature = decodeURIComponent(oauthSignature.generate(...));

Would you mind to add an optional boolean parameter encode (true by default) to your OAuthSignature.prototype.generate? (or any other solution)

I can proceed with the PR if you agree

So I just ran into #9 myself. I think @jmendiara has it a little mixed up in his example. Because of this line, if you were to generate a signature with parameters such as the following:

var params = {
     from: 0,
     another: false,
     to: 1
};

The signature base string would include something like: http://foo.com/bar?from=&another=&to=1 instead of http://foo.com/bar?from=0&another=false&to=1.

Without this, the user of the library would have to be mindful in always converting parameter values to strings. I also added tests so this fixes #9.

Any plans on upgrading uri-js for #34 #35 #38?

The compiled version: dist/oauth-signature.js

Does not work in node, because it uses the window object, before any checks for the window object:

/*! url - v1.8.6 - 2013-11-22 */window.url=functi ....
;(function() {
    'use strict';

    // In node there is no global Window object
    var isNode = (typeof window === 'undefined');

Cause falsy permissive comparisons, all falsy values are considered '' when computing the signature

var parameters = { 
 a: '',
 b: null,
 c: undefined,
 d: false,
 e: 0,
 f: [],
 g: true,
 h: 1
};
//...
var signature = oauthSignature.generate(httpMethod, url, parameters, consumerSecret, tokenSecret);

//URL used for signature
//a=&b=&c=&d=&e=&f=&g=true&h=1

This PR solves the false and 0 use case, following the same approach used for true and Number, creating an URL

//a=&b=&c=&d=false&e=0&f=&g=true&h=1

I imported the package in my angular project, my issue is that the function generate an invalid oauth signature. I tried to match it http://bettiolo.github.io/oauth-reference-page/ with the same data/parameters but the oauth signature does not match. Here's my code.

var httpMethod = 'GET';
var url = 'https://api.xero.com/oauth/RequestToken';
this.parameters = {
    oauth_consumer_key : '<consumer key>',
    oauth_nonce : '366871832',
    oauth_timestamp : '1521616286',
    oauth_signature_method : 'HMAC-SHA1',
    oauth_version : '1.0'

};
var consumerSecret = '<consumer secret>';
var encodedSignature = oauth.generate(httpMethod, url, this.parameters,consumerSecret);
var signature = oauth.generate(httpMethod, url, this.parameters, consumerSecret,
  { encodeSignature: false });

but when i am in the fisrt step for request token, it works well, the signature is right, the param 'tokenSecret' is empty, just when i put in the param 'tokenSecret' in the next step, the signature is wrong.

why? help me, the cryto function works bad when the the param 'tokenSecret' is set ？

Thx

----I have already solved it .-----

New vulnerabilities have been disclosed, and this project is affected. This pull request fixes one or more vulnerable packages in the npm dependencies of this project.

The PR includes:

• Changes to package.json to upgrade the vulnerable dependencies to a fixed version.

Vulnerabilities that will be fixed

With an upgrade:

• npm:uri-js:20160804 - potentially breaking change

As these vulnerabilities are now publicly known, attackers can try to use them against your application, making fixing them a matter of urgency.

You can read more about Snyk's upgrade and patch logic in Snyk's documentation.

Note that this pull request only addresses the newly disclosed vulnerabilities mentioned above. See the Snyk test report for this project to review and fix the full list of vulnerabilities.

Check the changes in this PR to ensure they won't cause issues with your project.

Stay secure, The Snyk team

Hi Marco

Thanks for this awesome tool. I used it in one of my Udacity Nanodegree projects to authenticate an ajax call to yelp. However, when the yelp-id for a business - which is part of the url - contains an umlaut (ö, ü, ä), then the returned encoded oauth signature is invalid.

Github project name: neighbourhood-map File: src/js/app.js Lines: 20-75 and 272-286

oauth-signature-js checks if a "window" global object exists to determine if it is running in the browser. While this works alone, it does not work when in conjunction with Browserify.

Browserify emulates Node's "module" global to properly expose objects. In order to work with Browserify (or Node "emulation") I modified the isNode flag to check for the non-existence of the module and module.exports global, instead of checking for the existence of the window global.

I don't know of a simple way to test that the code works with browserify and the current code does not. I added a test to prove that the "old" and "new" method of detection both return the same value when tested in the browser or in Node. Thus, no current implementations should be hindered by the update.

To add this project to bower, you have to perform the following steps:

Register the package in bower:

• npm install -g bower
• bower register oauth-signature https://github.com/bettiolo/oauth-signature-js.git

When releasing a new version:

• Increment bower.json version as you make in package.json
• Create a git tag for the version (ex: git tag 1.1.4 and git push --tags or make a Github Release)

Thats it. No need to publish to bower cause it uses your github tags for versioning

Hi, I am trying to use oauth_signature_method HMAC-SHA256, but it seems like its not supported (Auth fails). Can you please explain how to use this?

Thanks,

https://app.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472 Insecure Randomness affecting crypto-js package, versions <3.2.1

Affected versions of this package are vulnerable to Insecure Randomness. The secureRandom() method is supposed to return a cryptographically strong pseudo-random data string, but it is biased to certain digits. An attacker could be able to guess the created digits.

Remediation Upgrade crypto-js to version 3.2.1 or higher.

References GitHub Commit

GitHub Issue

Hi,

I'm very new to javascript. I'm trying to use the js for a filemaker project. Right now I'm very unable to get the example working in a regular html file.

Have a pretty simple HTML (textfile below) but all I get is a blank page. I'd expect a signature in the browser window.

Can someone point me in the right direction?

Thanks, Taco

TacoTest.txt

This may seem very basic but I'm stuck over here. I am getting the error oauthSignaure is undefined. I am trying to import it like: import oauthSignature from 'oauth-signature';

Also I have tried to use require with require() as well, but it doesn't work. Please let me know how can I use it with react-native?