"+" symbol in the oauth_signature is valid or not

Mohankumar_tmk · 2013-02-22T14:24:18.000Z

I make a call to get request tokens for my app using the below api.

“https://api.twitter.com/oauth/request_token”

I send all the required parameters and I get the request tokens.

But for past 2-3 days I am seeing some issue when I make a call to get request tokens.

When i tried to debug the issue I found that if there is “+” symbol in the oauth_signature, I get error response like “Failed to validate signature and token - 401”

For example :- oauth_signature is “kPYkvmczGB6A8TcKGSYumahbvzw” i get the request tokens - no issues.

oauth_signature is “ognkYrbz1lXxWBJWSm+PUvJ9FT8=” I get the error response.

I did tried many times and got to conclusion that “+” symblo in the oauth_signature is the issue.

I am seeing this issue for past two days only.

I am using javascript library to generate the oauth_signature.(shah1.js)

In the wiki page “+” and “/” are valid symbols in the oauth_signature.

I need to demo/submit my app on March 1st to my team and can you please help me fix this issue. I don’t want to show this inconsistent behavior to my team

This is code which I am using to generate the signature.

function core_hmac_sha1(key, data)
{
  var bkey = str2binb(key);
  if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);

  var ipad = Array(16), opad = Array(16);
  for(var i = 0; i < 16; i++)
  {
    ipad[i] = bkey[i] ^ 0x36363636;
    opad[i] = bkey[i] ^ 0x5C5C5C5C;
  }

  var hash = core_sha1(ipad.concat(str2binb(data)), 512 + data.length * chrsz);
  return core_sha1(opad.concat(hash), 512 + 160);
}

function binb2hex(binarray)
{
  var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
  var str = "";
  for(var i = 0; i < binarray.length * 4; i++)
  {
    str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) +
           hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8  )) & 0xF);
  }
  return str;
}

function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}

data = GET&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Ftweetoffline.appspot.com%252FTwitter-Authorize.html%26oauth_consumer_key%3DDPunrpPrUKshHXGj2VXv4w%26oauth_nonce%3DRT7K5w%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1361543572%26oauth_version%3D1.0"

key = XXXXXXX

Thanks,
Mohan

episod · 2013-02-22T14:41:48.000Z

The “+” character is a valid character for signatures, but you’ll need to encode it or it will otherwise be considered a " " character instead. We discourage using OAuth through Javascript.

Mohankumar_tmk · 2013-02-22T18:37:00.000Z

I am encoding the oauth_signature.

OAuth.percentEncode(message.parameters.oauth_signature)

here is the code i am using to encode. Do you see any issues with these logic.


  percentEncode: function percentEncode(s) {
        if (s == null) {
            return "";
        }
        if (s instanceof Array) {
            var e = "";
            for (var i = 0; i < s.length; ++s) {
                if (e != "") e += '&';
                e += OAuth.percentEncode(s[i]);
            }
            return e;
        }
        s = encodeURIComponent(s);
        // Now replace the values which encodeURIComponent doesn't do
        // encodeURIComponent ignores: - _ . ! ~ * ' ( )
        // OAuth dictates the only ones you can ignore are: - _ . ~
        // Source: http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Functions:encodeURIComponent
        s = s.replace(/\!/g, "%21");
        s = s.replace(/\*/g, "%2A");
        s = s.replace(/\'/g, "%27");
        s = s.replace(/\(/g, "%28");
        s = s.replace(/\)/g, "%29");
        return s;
    }

Mohankumar_tmk · 2013-02-22T18:58:00.000Z

Ex:-

ZOfv6Eq5vB9rD+BEueZvfhLiaHU=

is encoded to ZOfv6Eq5vB9rD%2BBEueZvfhLiaHU%3D

is encoded to %2B

I have uploaded my app to google cloud engine. so that you can look into the issue.
Please access this url.
http://tweetoffline.appspot.com/