1'use strict'
2
3var url = require('url')
4var qs = require('qs')
5var caseless = require('caseless')
6var uuid = require('uuid/v4')
7var oauth = require('oauth-sign')
8var crypto = require('crypto')
9var Buffer = require('safe-buffer').Buffer
10
/**
 * OAuth 1.0 signing helper bound to a single outgoing request.
 *
 * @param {object} request - The request object this helper signs; it is
 *   stored as-is and read later by the prototype methods.
 */
function OAuth (request) {
  // The request whose method, uri, headers and body are signed.
  this.request = request
  // The caller's OAuth options; stays null until onRequest() records them.
  this.params = null
}
15
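/**
 * Builds the OAuth protocol parameters for a request and signs them.
 *
 * Every own key of `_oauth` is copied under an `oauth_` prefix, defaults are
 * filled in for version, timestamp, nonce and signature method, and the
 * signature is computed over the method, the base URL (protocol, host and
 * path, without the query string) and the merged query/form/OAuth parameters.
 *
 * @param {object} _oauth - Caller options, keyed without the `oauth_` prefix
 *   (for example `consumer_key`, `consumer_secret`, `token`, `token_secret`).
 * @param {object} uri - Parsed URL; `protocol`, `host` and `pathname` are read.
 * @param {string} method - HTTP method passed to the signer.
 * @param {string} [query] - Raw query string to include in the signature.
 * @param {string} [form] - Raw form-encoded body to include in the signature.
 * @param {object} qsLib - Query-string library providing `parse` and `stringify`.
 * @returns {object} The `oauth_*` parameters including `oauth_signature`, plus
 *   `realm` when one was supplied. Secrets are never part of the result.
 */
OAuth.prototype.buildParams = function (_oauth, uri, method, query, form, qsLib) {
  var oa = {}
  // Copy own keys only. A bare for...in would also pick up enumerable
  // properties inherited through the prototype chain and turn them into
  // signed oauth_* parameters that the caller never supplied.
  for (var key in _oauth) {
    if (Object.prototype.hasOwnProperty.call(_oauth, key)) {
      oa['oauth_' + key] = _oauth[key]
    }
  }
  if (!oa.oauth_version) {
    oa.oauth_version = '1.0'
  }
  if (!oa.oauth_timestamp) {
    // Seconds since the epoch, as a string.
    oa.oauth_timestamp = Math.floor(Date.now() / 1000).toString()
  }
  if (!oa.oauth_nonce) {
    // A fresh v4 UUID with the dashes stripped serves as the per-request nonce.
    oa.oauth_nonce = uuid().replace(/-/g, '')
  }
  if (!oa.oauth_signature_method) {
    oa.oauth_signature_method = 'HMAC-SHA1'
  }

  // Pull the key material out of the parameter set before anything is
  // serialized: it is handed to the signer only and must never be sent.
  var consumer_secret_or_private_key = oa.oauth_consumer_secret || oa.oauth_private_key // eslint-disable-line camelcase
  delete oa.oauth_consumer_secret
  delete oa.oauth_private_key

  var token_secret = oa.oauth_token_secret // eslint-disable-line camelcase
  delete oa.oauth_token_secret

  // realm and transport_method are removed before signing, so neither is
  // covered by the signature; realm is re-attached (unprefixed) afterwards.
  var realm = oa.oauth_realm
  delete oa.oauth_realm
  delete oa.oauth_transport_method

  var baseurl = uri.protocol + '//' + uri.host + uri.pathname
  // Query, form body and OAuth parameters are joined and re-parsed so the
  // signer receives one merged parameter object.
  var params = qsLib.parse([].concat(query, form, qsLib.stringify(oa)).join('&'))

  oa.oauth_signature = oauth.sign(
    oa.oauth_signature_method,
    method,
    baseurl,
    params,
    consumer_secret_or_private_key, // eslint-disable-line camelcase
    token_secret // eslint-disable-line camelcase
  )

  if (realm) {
    oa.realm = realm
  }

  return oa
}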
63
/**
 * Computes the base64-encoded SHA-1 digest of a request body, for use as the
 * body-hash parameter.
 *
 * Only the 'HMAC-SHA1' and 'RSA-SHA1' signature methods are accepted here;
 * a missing `signature_method` is treated as 'HMAC-SHA1'.
 *
 * @param {object} _oauth - Caller options; `signature_method` is read.
 * @param {string} [body] - Body to hash; a falsy body is hashed as ''.
 * @returns {string} Base64 encoding of the SHA-1 digest.
 */
OAuth.prototype.buildBodyHash = function (_oauth, body) {
  var signatureMethod = _oauth.signature_method || 'HMAC-SHA1'
  var isSupported = signatureMethod === 'HMAC-SHA1' || signatureMethod === 'RSA-SHA1'

  if (!isSupported) {
    // NOTE(review): the error is emitted on the request, but this function
    // still goes on to compute and return a hash; whether the request is
    // stopped depends on how its 'error' event is handled. Confirm.
    this.request.emit('error', new Error('oauth: ' + _oauth.signature_method +
      ' signature_method not supported with body_hash signing.'))
  }

  // Ask the hash for base64 directly instead of going through a hex string
  // and a Buffer; the encoded digest is the same.
  return crypto.createHash('sha1').update(body || '').digest('base64')
}
76
/**
 * Serializes OAuth parameters into a single `key=value` string.
 *
 * Order is fixed: `realm` first (when set), then the remaining keys sorted,
 * then `oauth_signature` last.
 *
 * @param {object} oa - Parameters as returned by buildParams().
 * @param {string} sep - Separator placed between pairs (',' or '&').
 * @param {string} [wrap=''] - String placed on both sides of each value,
 *   e.g. '"' for the Authorization header.
 * @returns {string} The joined parameter string.
 */
OAuth.prototype.concatParams = function (oa, sep, wrap) {
  var quote = wrap || ''

  var names = Object.keys(oa).filter(function (name) {
    return name !== 'realm' && name !== 'oauth_signature'
  }).sort()

  if (oa.realm) {
    names.unshift('realm')
  }
  names.push('oauth_signature')

  var pairs = []
  for (var n = 0; n < names.length; n++) {
    var name = names[n]
    // Values are percent-encoded by the signer's rfc3986 helper; the key is
    // written as-is, so keys are expected to need no escaping.
    pairs.push(name + '=' + quote + oauth.rfc3986(oa[name]) + quote)
  }
  return pairs.join(sep)
}
93
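/**
 * Signs the wrapped request with OAuth and attaches the parameters using the
 * configured transport.
 *
 * The transport is taken from `_oauth.transport_method` and defaults to
 * 'header'. 'header' sets the Authorization header, 'query' appends the
 * parameters to the URL, and 'body' appends them to a form-encoded POST body.
 * Problems are reported by emitting 'error' on the request.
 *
 * Side effects: `this.params` is set to `_oauth`, and when `_oauth.body_hash`
 * is a boolean it is overwritten on the caller's object with the computed hash.
 *
 * @param {object} _oauth - Caller options (keys without the `oauth_` prefix).
 * @returns {undefined}
 */
OAuth.prototype.onRequest = function (_oauth) {
  var self = this
  self.params = _oauth

  var uri = self.request.uri || {}
  var method = self.request.method || ''
  var headers = caseless(self.request.headers)
  var body = self.request.body || ''
  var qsLib = self.request.qsLib || qs

  var form
  var query
  var contentType = headers.get('content-type') || ''
  var formContentType = 'application/x-www-form-urlencoded'
  var transport = _oauth.transport_method || 'header'

  // Prefix match, so a content-type carrying parameters such as a charset
  // still counts as form-encoded. Only then is the body part of the signature.
  if (contentType.slice(0, formContentType.length) === formContentType) {
    contentType = formContentType
    form = body
  }
  if (uri.query) {
    query = uri.query
  }
  if (transport === 'body' && (method !== 'POST' || contentType !== formContentType)) {
    // NOTE(review): execution continues after this emit, so the request is
    // still signed and its body rewritten below unless the 'error' handler
    // stops it. Confirm that is intended.
    self.request.emit('error', new Error('oauth: transport_method of body requires POST ' +
      'and content-type ' + formContentType))
  }

  if (!form && typeof _oauth.body_hash === 'boolean') {
    // Hash the defaulted local `body`, not self.request.body: with no body
    // set, self.request.body.toString() throws a TypeError, whereas the hash
    // of an empty body is what buildBodyHash is written to produce.
    _oauth.body_hash = self.buildBodyHash(_oauth, body.toString())
  }

  var oa = self.buildParams(_oauth, uri, method, query, form, qsLib)

  switch (transport) {
    case 'header':
      self.request.setHeader('Authorization', 'OAuth ' + self.concatParams(oa, ',', '"'))
      break

    case 'query':
      // The consumer key, token, nonce and signature become part of the URL
      // here. URLs are commonly recorded in access logs and by intermediaries,
      // so 'header' is the better choice where the server accepts it.
      var href = self.request.uri.href += (query ? '&' : '?') + self.concatParams(oa, '&')
      self.request.uri = url.parse(href)
      self.request.path = self.request.uri.path
      break

    case 'body':
      self.request.body = (form ? form + '&' : '') + self.concatParams(oa, '&')
      break

    default:
      self.request.emit('error', new Error('oauth: transport_method invalid'))
  }
}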
147
// Public surface of this module: the OAuth signing helper constructor.
module.exports.OAuth = OAuth
149