osmlab / ohauth Goto Github PK

⛔️ DEPRECATED: JavaScript in-browser implemenation of OAuth1.0

Home Page: http://osmlab.github.io/ohauth/

License: ISC License

JavaScript 96.68% HTML 3.32%

oauth1 openstreetmap javascript deprecated

ohauth's Introduction

⛔️ This project has been deprecated and will not receive any regular maintenance.
The preferred authentication method for OpenStreetMap is now OAuth2, therefore this library isn't used anymore.

ohauth

A most-of-the-way OAuth 1.0 client implementation in Javascript. Meant to be an improvement over the default linked one because this uses idiomatic Javascript.

If you use this on a server different from the one authenticated against, you'll need to enable and use CORS for cross-origin resources. CORS is not available in IE before version IE10.

Demo

Try it out at: http://osmlab.github.io/ohauth/

Usage

As a file

wget https://raw.github.com/osmlab/ohauth/gh-pages/ohauth.js

With browserify

npm install ohauth
var ohauth = require('ohauth');

Compatibility

OpenStreetMap full & tested with iD
GitHub - partial, full flow is not possible because access_token API is not CORS-enabled

API

// generates an oauth-friendly timestamp
ohauth.timestamp();

// generates an oauth-friendly nonce
ohauth.nonce();

// generate a signature for an oauth request
ohauth.signature("myOauthSecret", "myTokenSecret", "percent&encoded&base&string");

// make an oauth request.
ohauth.xhr(method, url, auth, data, options, callback);

// options can be a header like
{ header: { 'Content-Type': 'text/xml' } }

ohauth.xhr('POST', url, o, null, {}, function(xhr) {
    // xmlhttprequest object
});

// generate a querystring from an object
ohauth.qsString({ foo: 'bar' });
// foo=bar

// generate an object from a querystring
ohauth.stringQs('foo=bar');
// { foo: 'bar' }

Just generating the headers

// create a function holding configuration
var auth = ohauth.headerGenerator({
    consumer_key: '...',
    consumer_secret: '...'
});

// pass just the data to produce the OAuth header with optional
// POST data (as long as it'll be form-urlencoded in the request)
var header = auth('GET', 'http://.../?a=1&b=2', { c: 3, d: 4 });
// or pass the POST data as an form-urlencoded
var header = auth('GET', 'http://.../?a=1&b=2', 'c=3&d=4');

ohauth's People

Contributors

Stargazers

Watchers

Forkers

tomhughes profonno tom-konda helnershingthapa seanpm2001

ohauth's Issues

An in-range update of tap is breaking the build 🚨

Version 10.7.2 of tap just got published.

Branch	Build failing 🚨
Dependency	tap
Current Version	10.7.1
Type	devDependency

This version is covered by your current version range and after updating it in your project the build failed.

As tap is “only” a devDependency of this project it might not break production or downstream projects, but “only” your build or test tools – preventing new deploys or publishes.

I recommend you give this issue a high priority. I’m sure you can resolve this 💪

Status Details

❌ ci/circleci Your tests failed on CircleCI Details

Commits

The new version differs by 2 commits.

9e51611 v10.7.2
52d5983 t.rejects: handle getting expected error but not options

See the full diff

Not sure how things should work exactly?

There is a collection of frequently asked questions and of course you may always ask my humans.

Your Greenkeeper Bot 🌴

Version 10 of node.js has been released

Version 10 of Node.js (code name Dubnium) has been released! 🎊

To see what happens to your code in Node.js 10, Greenkeeper has created a branch with the following changes:

Added the new Node.js version to your .travis.yml

If you’re interested in upgrading this repo to Node.js 10, you can open a PR with these changes. Please note that this issue is just intended as a friendly reminder and the PR as a possible starting point for getting your code running on Node.js 10.

More information on this issue

Greenkeeper has checked the engines key in any package.json file, the .nvmrc file, and the .travis.yml file, if present.

engines was only updated if it defined a single version, not a range.
.nvmrc was updated to Node.js 10
.travis.yml was only changed if there was a root-level node_js that didn’t already include Node.js 10, such as node or lts/*. In this case, the new version was appended to the list. We didn’t touch job or matrix configurations because these tend to be quite specific and complex, and it’s difficult to infer what the intentions were.

For many simpler .travis.yml configurations, this PR should suffice as-is, but depending on what you’re doing it may require additional work or may not be applicable at all. We’re also aware that you may have good reasons to not update to Node.js 10, which is why this was sent as an issue and not a pull request. Feel free to delete it without comment, I’m a humble robot and won’t feel rejected 🤖

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Your Greenkeeper Bot 🌴

ohauth does not correctly decode URL parameters

If the query part of the URL contain parameters that were encoded as "application/x-www-form-urlencoded" string (i.e. something like "/something?query=spaced+words") then the stringQs function does not decode this plus signs as spaces (which it should according to section 3.4.1.3.1. of RFC 5849). The input string is only passed in decodeURIComponent. The current implementation looks like this:

ohauth.stringQs = function(str) {
    return str.split('&').filter(function (pair) {
        return pair !== '';
    }).reduce(function(obj, pair){
        var parts = pair.split('=');
        obj[decodeURIComponent(parts[0])] = (null === parts[1]) ?
            '' : decodeURIComponent(parts[1]);
        return obj;
    }, {});
};

This could be corrected by converting all '+' sign back to space before passing it in decodeURIComponent, like this:

ohauth.stringQs = function(str) {
    return str.split('&').filter(function (pair) {
        return pair !== '';
    }).reduce(function(obj, pair){
        var parts = pair.split('=');
        if(parts[1] === null) {
          obj[decodeURIComponent(parts[0])] = '';
        } else {
          obj[decodeURIComponent(parts[0])] = decodeURIComponent(parts[1].replace(/\+/g, ' '))
        }
        return obj;
    }, {});
};

Use --standalone instead of req.js

ohauth.js does not contains fix from PR #6

After two hours of debugging I discovered that ohauth.js did an incorrect calculation of the HMAC key. Only afterwards I checked the closed issues and discovered pull request #6 and saw that this issue had already been fixed (note to self: always check the issues first!).

Knowing this I was a little baffled that I encountered this error an the first place (after all, it has been fixed two month ago). The reason for that was surprisingly stupid: I downloaded ohauth.js but the fix only applies to index.js!

To me, it looks like that ohauth.js is some kind of build output (since it includes the library uses for hashing). Could you please update the ohauth.js file to include this fixe from pull request #6 ?!

popup

Is this still the standard way for iD's API to provide a login function?
Popups are no longer the way forward. In my tests, most browsers block them. Safari doesn't even give the user a notification. Popups have been abused unceremoniously.

Is there a way to change this to how the Tasking manager handles authorization?

Support typings

It would be great if this library had typings to allow easy integration to angular and modern development tool that provide intellisense.
I have created a partial typings of what I needed as can be seen below.
Instruction of how to add this can be found here:
https://www.typescriptlang.org/docs/handbook/declaration-files/publishing.html
In short, you need to add a index.d.ts file and add a link in the package.json file to it.
Here's what I wrote - I'm sure it's pretty partial/incorrect:

export interface IOAuthResponse {
    oauth_token: string;
    oauth_token_secret: string;
}

export interface IOAuthParams {
    oauth_consumer_key: string;
    oauth_signature_method: string;
    oauth_timestamp: number;
    oauth_nonce: string;
    oauth_token: string;
    oauth_signature: string;
}

export interface IOhAuth {
    signature: (authSecret: string, tokenSecret: string, parameters: string) => string;
    baseString: (method: string, url: string, params: IOAuthParams) => string;
    /**
     * generates a querystring from an object
     */
    qsString: (obj: {}) => string;
    /**
    * generate an object from a querystring
    */
    stringQs: (str: string) => IOAuthResponse;
    timestamp: () => number;
    nonce: () => string;
    xhr: (method: string, url: string, params: {}, data: {}, options: {}, callback: (err, xhr) => void) => void;
}

List of tuples instead of object for params?

Seems like repeated values should be represented, given the oauth spec

Using ohauth.signature() according to documented API generates TypeError

The API for ohauth.signature is as follows:

// generate a signature for an oauth request
ohauth.signature({
    oauth_consumer_key: '...',
    oauth_signature_method: '...',
    oauth_timestamp: '...',
    oauth_nonce: '...'
});

I call this method exactly as describe above, including the inline object initializer, and the consoles in both Chrome and Firefox report this:

Uncaught TypeError: Cannot read property 'length' of undefined

Doing a bit of digging, I discovered that the oauth.signature() method requires three parameters: oauth_secret, token_secret, and baseString. These were not described at all in the documentation. The TypeError is being thrown because the utf8Encode() method is trying to encode the data parameter, given by rstr_hmac() from the d parameter, which was given by oauth.signature() from the baseString parameter.

I'm guessing that the signature method was intended to take in consumer secret, a retrieved OAuth token, and an already-compiled base string. The documentation should be updated to reflect that.