
  1. 'use strict'
  2. var url = require('url')
  3. var qs = require('qs')
  4. var caseless = require('caseless')
  5. var uuid = require('uuid/v4')
  6. var oauth = require('oauth-sign')
  7. var crypto = require('crypto')
  8. var Buffer = require('safe-buffer').Buffer
/**
 * Signer for one outgoing request.
 *
 * @param {Object} request  the request object whose headers, uri and body
 *                          `onRequest` will read and rewrite
 */
function OAuth (request) {
  var self = this
  // Request being signed.
  self.request = request
  // Caller-supplied oauth options; stays null until `onRequest` runs.
  self.params = null
}
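/**
 * Build the `oauth_*` protocol parameter set for one request and sign it.
 *
 * Every own key of `_oauth` is copied as `oauth_<key>`; `oauth_version`,
 * `oauth_timestamp`, `oauth_nonce` and `oauth_signature_method` get
 * defaults when absent.  The consumer secret / private key and the token
 * secret are pulled out and deleted BEFORE the parameter set is
 * serialized, so they only ever feed `oauth.sign` and never appear in
 * the returned params (and thus never on the wire).  `oauth_realm` and
 * `oauth_transport_method` are removed from the signed set as well; the
 * realm is re-attached afterwards as a plain `realm` property.
 *
 * @param {Object} _oauth   caller-supplied oauth options (keys without the `oauth_` prefix)
 * @param {Object} uri      parsed request URL (`protocol`, `host`, `pathname`, ...)
 * @param {string} method   HTTP method
 * @param {string} [query]  raw query string folded into the signature base
 * @param {string} [form]   raw x-www-form-urlencoded body folded into the signature base
 * @param {Object} qsLib    query-string library exposing `parse` and `stringify`
 * @returns {Object} the `oauth_*` params plus `oauth_signature` (and `realm` when given)
 */
OAuth.prototype.buildParams = function (_oauth, uri, method, query, form, qsLib) {
  var oa = {}
  // Own keys only: a `for...in` here would also copy enumerable prototype
  // members of the caller's object and sign them as protocol params.
  Object.keys(_oauth).forEach(function (key) {
    oa['oauth_' + key] = _oauth[key]
  })

  if (!oa.oauth_version) {
    oa.oauth_version = '1.0'
  }
  if (!oa.oauth_timestamp) {
    // Whole seconds since the epoch, as a decimal string.
    oa.oauth_timestamp = Math.floor(Date.now() / 1000).toString()
  }
  if (!oa.oauth_nonce) {
    // Random v4 UUID with the dashes stripped.
    oa.oauth_nonce = uuid().replace(/-/g, '')
  }
  if (!oa.oauth_signature_method) {
    oa.oauth_signature_method = 'HMAC-SHA1'
  }

  // Strip every secret from the param set before anything is serialized.
  var consumer_secret_or_private_key = oa.oauth_consumer_secret || oa.oauth_private_key // eslint-disable-line camelcase
  delete oa.oauth_consumer_secret
  delete oa.oauth_private_key
  var token_secret = oa.oauth_token_secret // eslint-disable-line camelcase
  delete oa.oauth_token_secret

  // realm and transport_method are not protocol parameters and must not be signed.
  var realm = oa.oauth_realm
  delete oa.oauth_realm
  delete oa.oauth_transport_method

  // NOTE(review): RFC 5849 section 3.4.1.2 requires the default port (80/443)
  // to be omitted from the base string URI, but `uri.host` keeps an
  // explicitly written default port; such URLs would be signed differently
  // from how the server reconstructs them — confirm whether callers pass them.
  var baseurl = uri.protocol + '//' + uri.host + uri.pathname
  // Query, form and oauth params are merged into one set for the base string;
  // `join` renders an absent query/form as an empty segment.
  var params = qsLib.parse([].concat(query, form, qsLib.stringify(oa)).join('&'))

  oa.oauth_signature = oauth.sign(
    oa.oauth_signature_method,
    method,
    baseurl,
    params,
    consumer_secret_or_private_key, // eslint-disable-line camelcase
    token_secret // eslint-disable-line camelcase
  )

  if (realm) {
    oa.realm = realm
  }

  return oa
}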
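/**
 * Compute the `oauth_body_hash` value for a non-form request body.
 *
 * The digest is SHA-1, matching the two signature methods this file
 * accepts for body hashing; any other `signature_method` is reported on
 * the request as an `'error'` event.  As before, the hash is still
 * computed and returned after the emit — the request's error listeners
 * decide what happens to the request.
 *
 * @param {Object} _oauth        caller-supplied oauth options (reads `signature_method`)
 * @param {string|Buffer} body   raw request body; a missing/empty body hashes as ''
 * @returns {string} base64-encoded SHA-1 digest of `body`
 */
OAuth.prototype.buildBodyHash = function (_oauth, body) {
  var signatureMethod = _oauth.signature_method || 'HMAC-SHA1'
  if (['HMAC-SHA1', 'RSA-SHA1'].indexOf(signatureMethod) < 0) {
    this.request.emit('error', new Error('oauth: ' + _oauth.signature_method +
      ' signature_method not supported with body_hash signing.'))
  }
  // Encode straight to base64; the former hex -> Buffer -> base64 round
  // trip produced exactly the same bytes.
  return crypto.createHash('sha1').update(body || '').digest('base64')
}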
/**
 * Serialize the oauth params in the order this module emits them: `realm`
 * first (only when present and truthy), the remaining params sorted by
 * name, and `oauth_signature` last.  Each value is RFC 3986
 * percent-encoded and optionally wrapped (double quotes for the
 * Authorization header).
 *
 * @param {Object} oa      params as produced by `buildParams`
 * @param {string} sep     separator between `key=value` pairs
 * @param {string} [wrap]  string placed on both sides of each encoded value
 * @returns {string}
 */
OAuth.prototype.concatParams = function (oa, sep, wrap) {
  var quote = wrap || ''
  var isOrdinary = function (name) {
    return name !== 'realm' && name !== 'oauth_signature'
  }

  // realm and oauth_signature are excluded from the sort and placed explicitly.
  var ordered = Object.keys(oa).filter(isOrdinary).sort()
  if (oa.realm) {
    ordered.unshift('realm')
  }
  ordered.push('oauth_signature')

  var pairs = []
  for (var idx = 0; idx < ordered.length; idx++) {
    var name = ordered[idx]
    pairs.push(name + '=' + quote + oauth.rfc3986(oa[name]) + quote)
  }
  return pairs.join(sep)
}
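/**
 * Sign the wrapped request and attach the OAuth parameters via the chosen
 * transport: the `Authorization` header (default), the query string, or
 * the form body.
 *
 * Only an `application/x-www-form-urlencoded` body is folded into the
 * signature base string.  For any other body, a boolean `body_hash`
 * option makes `oauth_body_hash` be computed over the body and signed
 * instead.  Misuse (body transport without POST + form content type, an
 * unknown transport) is emitted on the request as `'error'` rather than
 * thrown, and processing continues after the emit, as before.
 *
 * @param {Object} _oauth  caller-supplied oauth options; kept on `this.params`
 */
OAuth.prototype.onRequest = function (_oauth) {
  var self = this
  self.params = _oauth

  var uri = self.request.uri || {}
  var method = self.request.method || ''
  var headers = caseless(self.request.headers)
  var body = self.request.body || ''
  var qsLib = self.request.qsLib || qs
  var form
  var query
  var contentType = headers.get('content-type') || ''
  var formContentType = 'application/x-www-form-urlencoded'
  var transport = _oauth.transport_method || 'header'

  // Prefix match so a `; charset=...` suffix still counts as a form body.
  if (contentType.slice(0, formContentType.length) === formContentType) {
    contentType = formContentType
    form = body
  }
  if (uri.query) {
    query = uri.query
  }

  if (transport === 'body' && (method !== 'POST' || contentType !== formContentType)) {
    self.request.emit('error', new Error('oauth: transport_method of body requires POST ' +
      'and content-type ' + formContentType))
  }

  // Options handed to buildParams.  When a body hash is requested it is
  // placed on a shallow copy rather than written back into `_oauth`:
  // the old in-place write turned the boolean into a string, so if the same
  // options object was reused for a later request (presumably the case
  // with shared defaults — verify against the caller) that request was
  // signed with the previous body's hash instead of its own.
  var signingOpts = _oauth
  if (!form && typeof _oauth.body_hash === 'boolean') {
    signingOpts = {}
    Object.keys(_oauth).forEach(function (key) {
      signingOpts[key] = _oauth[key]
    })
    // Hash the defaulted `body` local: a request may have no body yet
    // (e.g. GET), and `self.request.body.toString()` threw a TypeError
    // there instead of hashing the empty string.
    signingOpts.body_hash = self.buildBodyHash(_oauth, body.toString())
  }

  var oa = self.buildParams(signingOpts, uri, method, query, form, qsLib)

  switch (transport) {
    case 'header':
      self.request.setHeader('Authorization', 'OAuth ' + self.concatParams(oa, ',', '"'))
      break
    case 'query':
      // NOTE(review): the params are appended to the full href, so a URL
      // carrying a `#fragment` would get them behind the fragment — confirm
      // callers never route such a URL through this transport.
      self.request.uri.href += (query ? '&' : '?') + self.concatParams(oa, '&')
      self.request.uri = url.parse(self.request.uri.href)
      self.request.path = self.request.uri.path
      break
    case 'body':
      self.request.body = (form ? form + '&' : '') + self.concatParams(oa, '&')
      break
    default:
      self.request.emit('error', new Error('oauth: transport_method invalid'))
  }
}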
// CommonJS export; `module.exports` is never reassigned in this file, so this
// is the same object as `exports`.
module.exports.OAuth = OAuth