oauth_body_hash about oauth-sign HOT 10 CLOSED

As far as I'm understanding you are going to need additional flag parameter for the sign method to indicate whether body hash should be used or not. Then you need to create that hash and add the oauth_body_hash parameter when creating the signature. Is that it?

from oauth-sign.

Yeah I think so. The new sign method could be

function sign (signMethod, httpMethod, base_uri, params, consumer_secret, token_secret, body) with body as the last parameter to preserve backwards compatibility.

The mere presence of the body will act as a truthy value to go ahead and create the hash.

from oauth-sign.

Actually now when I think about it probably the hash generation should not be part of this module, because this module is concerned only with generating the signature, not with generating the actual OAuth parameters. See how all of the OAuth parameters are being created prior calling this method here https://github.com/request/request/blob/master/lib/oauth.js

So if we follow that logic, the oauth_body_hash parameter should be created there instead.

from oauth-sign.

Oh you know what, you're totally right.

Do you think the oauth options object in request should have a new key body_hash as a boolean, and just have it be false implicitly?

The user can just do oauth = { body_hash: true } to tell https://github.com/request/request/blob/master/lib/oauth.js to build the oauth_body_hash parameter.

from oauth-sign.

That sounds good. Then after the initial loop there you can have

if (oa.oauth_body_hash) {
  oa.oauth_body_hash = // generate
} else {
  delete oa.oauth_body_hash // that's just in case it was false or something other than undefined
}

from oauth-sign.

Hmm wait, someone may want to generate it on their own, so you'll actually need a little bit of typechecking there. If it's string then use it, it it's boolean and true, generate it, otherwise delete it.

from oauth-sign.

When you say

someone may want to generate it on their own

it is just their own custom payload to pass to the generate function here oa.oauth_body_hash = // generate right? As opposed to request automatically grabbing the payload and passing it through the new generate function?

from oauth-sign.

Well the value for the oa.oauth_body_hash parameter should be a hash string right?

If that's the case, someone may want to pass their own hash string there and in fact there is a possibility that someone is already doing that.

The boolean option is intended for users that want to have the hash string, but don't want to generate it on their own.

from oauth-sign.

Gotcha, that makes a lot more sense. I guess it's time to code! I'll try to send a pull-request sometime today, unless you beat me to it haha

from oauth-sign.

👍 just make sure you have the proper tests too :)

from oauth-sign.