简体   繁体   English

如何在基本字符串签名 OAuth1 中包含查询参数

[英]How to include query params in the base string signature OAuth1

I need to retrieve some data through the gravity forms API (which is installed as a plugin in a WordPress server).我需要通过重力 forms API(作为插件安装在 WordPress 服务器中)检索一些数据。 I must implement OAuth 1.0.我必须实现 OAuth 1.0。 Some of the ruby gems available for this type of authentication don't work pretty well for me, so I decided to implement it myself.一些可用于此类身份验证的 ruby gem 对我来说效果不佳,所以我决定自己实现它。

I'm able to sign the base string if I don't add extra params but once I add them I get the error Invalid signature - provided signature does not match.如果我不添加额外的参数,我可以对基本字符串进行签名,但是一旦添加它们,我就会收到错误Invalid signature - provided signature does not match.

My code looks like this:我的代码如下所示:

# This OAUTH implementation works without extra query params.
require 'httparty'
OAUTH_TOKEN = "API customer secret token"
OAUTH_PASSWORD = "API customer key token"

url = 'https://localhost/wp-json/gf/v2/entries'

params = "oauth_consumer_key=#{OAUTH_TOKEN}&oauth_nonce=#{SecureRandom.hex}&oauth_signature_method=HMAC-SHA1&oauth_timestamp=#{Time.now.to_i}&oauth_token=#{OAUTH_PASSWORD}&oauth_version=1.0"
base_string = 'GET&' + CGI.escape(url) + '&' + CGI.escape(params)
secret = "#{OAUTH_PASSWORD}&#{}"
oauth_signature = sign(secret, base_string)
testable_url = url + '?' + params + '&oauth_signature=' + oauth_signature

response = HTTParty.get(testable_url)

def sign( secret, base_string )
  CGI.escape(Base64.encode64("#{OpenSSL::HMAC.digest('sha1', secret, base_string)}").chomp)
end

But once I add the query params I need, it crashes.但是一旦我添加了我需要的查询参数,它就会崩溃。

query_params = 'search={"field_filters":[{"key":"'+form['key']+'","value":"'+email+'","operator":"is"},{"key":"source_url","value":"'+form['source_url'].to_s+'","operator":"is"}]}'

I'm updating the base_string to include the query_params then I sign it again and I update the final url我正在更新 base_string 以包含 query_params 然后我再次签名并更新最终的 url

base_string = 'GET&' + CGI.escape(url) + '&' + CGI.escape(query_params) + '&' + CGI.escape(params)
oauth_signature = sign(secret, base_string)
testable_url = url + '?' + query_params + '&' + params + '&oauth_signature=' + oauth_signature

As a result I get the following URL结果我得到以下 URL

"https://localhost/wp-json/gf/v2/entries?search={\"field_filters\":[{\"key\":\"2\",\"value\":\"some@email.com\",\"operator\":\"is\"},{\"key\":\"source_url\",\"value\":\"https://localhost/some_url_i_need/\",\"operator\":\"is\"}]}&oauth_consumer_key=APICUSTOMERSECRET&oauth_nonce=81a6ce4dcabd5ec1059f66ca7ae727e3&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1607594914&oauth_token=APICUSTOMER_TOKEN&oauth_version=1.0&oauth_signature=LIZpR27KNHsw3iWArJjSs%2FsvIek%3D"

Which doesn't work due to the Invalid signature - provided signature does not match.由于Invalid signature - provided signature does not match. error.错误。

As suggested in the documentation and other posts I've read ( https://stackoverflow.com/a/4789210 ), I've sorted the params (basically I added search param I need at the end of the base string and that didn't solve my issue.正如我读过的文档和其他帖子( https://stackoverflow.com/a/4789210 )中所建议的那样,我已经对参数进行了排序(基本上我在基本字符串的末尾添加了我需要的search参数并且没有解决不了我的问题。

Note: It works in Postman, and the URL that Postman generates is pretty much like the one I get with Ruby.注意:它在 Postman 和 Postman 生成的 URL 中工作,与我使用 Z90446A21FC5615BC703DZ 得到的非常相似

One of your issue is that you forgot to escape the ampersand between your query_params and regular params :您的问题之一是您忘记转义query_params和常规params之间的 & 符号:

base_string = 'GET&' + CGI.escape(url) + '&' + CGI.escape(query_params) + '&' + CGI.escape(params)

You have to turn that last '&' into '%26' or pull the concatenation into the CGI.escape .您必须将最后一个'&'变成'%26'或将串联拉入CGI.escape

base_string = 'GET&' + CGI.escape(url) + '&' + CGI.escape(query_params + '&' + params)

Watch out for empty params though with this.不过要注意空params

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM