# OAuth 1.0a signature generator for node and the browser ### Compliant with [RFC 5843](http://tools.ietf.org/html/rfc5849) + [Errata ID 2550](http://www.rfc-editor.org/errata_search.php?rfc=5849) and [community spec](http://oauth.net/core/1.0a) [![Build Status](https://travis-ci.org/bettiolo/oauth-signature-js.png?branch=master)](https://travis-ci.org/bettiolo/oauth-signature-js) [![Bower version](https://badge.fury.io/bo/oauth-signature.svg)](http://badge.fury.io/bo/oauth-signature-js) [![NPM version](https://badge.fury.io/js/oauth-signature.png)](http://badge.fury.io/js/oauth-signature) [![Dependency Status](https://david-dm.org/bettiolo/oauth-signature-js.png?theme=shields.io)](https://david-dm.org/bettiolo/oauth-signature-js) ## Installation #### Install with `npm`: ```shell npm install oauth-signature ``` #### Install with `bower`: ```shell bower install oauth-signature ``` Add a ` ``` ## Usage To generate the OAuth signature call the following method: ```js oauthSignature.generate(httpMethod, url, parameters, consumerSecret, tokenSecret, options) ``` - `tokenSecret` is optional - `options` is optional the default `options` parameter is as follows ```js var options = { encodeSignature: true // will encode the signature following the RFC 3986 Spec by default } ``` ## Example The following is an example on how to generate the signature for the reference sample as defined in - http://oauth.net/core/1.0a/#rfc.section.A.5.1 - http://oauth.net/core/1.0a/#rfc.section.A.5.2 ```js var httpMethod = 'GET', url = 'http://photos.example.net/photos', parameters = { oauth_consumer_key : 'dpf43f3p2l4k3l03', oauth_token : 'nnch734d00sl2jdk', oauth_nonce : 'kllo9940pd9333jh', oauth_timestamp : '1191242096', oauth_signature_method : 'HMAC-SHA1', oauth_version : '1.0', file : 'vacation.jpg', size : 'original' }, consumerSecret = 'kd94hf93k423kf44', tokenSecret = 'pfkkdhi9sl3r4s00', // generates a RFC 3986 encoded, BASE64 encoded HMAC-SHA1 hash encodedSignature = oauthSignature.generate(httpMethod, url, parameters, consumerSecret, tokenSecret), // generates a BASE64 encode HMAC-SHA1 hash signature = oauthSignature.generate(httpMethod, url, parameters, consumerSecret, tokenSecret, { encodeSignature: false}); ``` The `encodedSignature` variable will contain the RFC 3986 encoded, BASE64 encoded HMAC-SHA1 hash, ready to be used as a query parameter in a request: `tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D`. The `signature` variable will contain the BASE64 HMAC-SHA1 hash, without encoding: `tR3+Ty81lMeYAr/Fid0kMTYa/WM=`. ## Requesting a protected resource Use the generated signature to populate the `oauth_signature` parameter to sign a protected resource as per [RFC](http://oauth.net/core/1.0a/#rfc.section.A.5.3). Example GET request using query string parameters: http://photos.example.net/photos?file=vacation.jpg&size=original&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_token=nnch734d00sl2jdk&oauth_signature_method=HMAC-SHA1&oauth_signature=tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D&oauth_timestamp=1191242096&oauth_nonce=kllo9940pd9333jh&oauth_version=1.0 ## Advantages This project has an extensive test coverage for all the corner cases present in the OAuth specifications ([RFC 5843](http://tools.ietf.org/html/rfc5849) + [Errata ID 2550](http://www.rfc-editor.org/errata_search.php?rfc=5849) and [OAuth.net community-based specification](http://oauth.net/core/1.0a)) Take a look at the test file [src/app/signature.tests.js](src/app/oauth-signature.tests.js) ## How do I run tests? The tests can be executed in your browser or in node ### Browser Open the file [src/test-runner.html](src/test-runner.html) in your browser You can also run them live: [src/test-runner.html](https://bettiolo.github.io/oauth-signature-js/src/test-runner.html) ### Node Execute `npm test` in the console ### Live example If you want to make a working experiment you can use the live version of the OAuth signature page at this url: http://bettiolo.github.io/oauth-reference-page/ And you can hit the echo OAuth endpoints at this url: http://echo.lab.madgex.com/ - url: **http://echo.lab.madgex.com/echo.ashx** - consumer key: **key** - consumer secret: **secret** - token: **accesskey** - token secret: **accesssecret** - nonce: **IMPORTANT!** generate a new one at EACH request otherwise you will get a 400 Bad Request - timestamp: **IMPORTANT!** refresh the timestamp before each call - fields: **add a field with name `foo` and value `bar`** A url similar to this one will be generated: `http://echo.lab.madgex.com/echo.ashx?foo=bar&oauth_consumer_key=key&oauth_nonce=643377115&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1410807318&oauth_token=accesskey&oauth_version=1.0&oauth_signature=zCmKoF9rVlNxAkD8wUCizFUajs4%3D` Click on the generated link on the right hand side and you will see the echo server returning `foo=bar` # Maintenance ## Updating uri-js/js-url `npm run update` ## Updating chai/mocha Update them via `npm` but also manually in `test-runner.html` ## Publish a new version ```bash npm version [major|minor|patch] git push git push --tags ```