[PR #657] [MERGED] 🐛 Encode signature parameters when using PLAINTEXT format #706

Closed
opened 2026-03-03 17:29:46 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/OAuthSwift/OAuthSwift/pull/657
Author: @phatblat
Created: 5/18/2021
Status: Merged
Merged: 5/18/2021
Merged by: @phimage

Base: master ← Head: encode-signature


📝 Commits (2)

  • 51b8570 🐛 Encode oauth_signature parameters
  • 2a41a37 🚨 Fix trailing whitespace

📊 Changes

4 files changed (+4 additions, -5 deletions)


📝 Sources/Handler/ASWebAuthenticationURLHandler.swift (+0 -1)
📝 Sources/OAuth1Swift.swift (+2 -2)
📝 Sources/OAuthSwiftCredential.swift (+1 -1)
📝 Sources/OAuthSwiftHTTPRequest.swift (+1 -1)

📄 Description

Handling for the PLAINTEXT signature format was added in #623. However, the values used were not the urlEncoded values and thus could cause issues if one of those values contained unsupported characters.

This PR adds encoding to these values.

References

RFC-5849 section 3.4.4: PLAINTEXT

   The "PLAINTEXT" method does not employ a signature algorithm.  It
   MUST be used with a transport-layer mechanism such as TLS or SSL (or
   sent over a secure channel with equivalent protections).  It does not
   utilize the signature base string or the "oauth_timestamp" and
   "oauth_nonce" parameters.

   The "oauth_signature" protocol parameter is set to the concatenated
   value of:

   1.  The client shared-secret, after being encoded (Section 3.6).

   2.  An "&" character (ASCII code 38), which MUST be included even
       when either secret is empty.

   3.  The token shared-secret, after being encoded (Section 3.6).

RFC-5849 section 3.6: Percent Encoding

TL;DR: Special URL percent encoding for the Authorization header.

   2.  The values are then escaped using the [RFC3986] percent-encoding
       (%XX) mechanism as follows:

       *  Characters in the unreserved character set as defined by
          [RFC3986], Section 2.3 (ALPHA, DIGIT, "-", ".", "_", "~") MUST
          NOT be encoded.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
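The rule quoted above from RFC 5849 sections 3.4.4 and 3.6, as an added Swift example (not code from OAuthSwift or from this PR). The function names and the sample secrets are constructed for illustration; the example shows why an unencoded secret makes the `&` separator ambiguous.

```swift
import Foundation

// RFC 3986 section 2.3 unreserved set: ALPHA, DIGIT, "-", ".", "_", "~".
// Spelled out byte by byte so the allowed set is exactly the RFC's.
let unreservedBytes = Set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~".utf8)

/// Percent-encode a value per RFC 5849 section 3.6:
/// UTF-8 bytes, every byte outside the unreserved set becomes %XX (uppercase hex).
/// (Hypothetical helper name, not the library's API.)
func oauthEncode(_ value: String) -> String {
    var out = ""
    for byte in value.utf8 {
        if unreservedBytes.contains(byte) {
            out.append(Character(UnicodeScalar(byte)))
        } else {
            out += String(format: "%%%02X", byte)
        }
    }
    return out
}

/// PLAINTEXT oauth_signature per RFC 5849 section 3.4.4:
/// encoded client secret, "&", encoded token secret.
/// The "&" is always present, even when a secret is empty.
func plaintextSignature(consumerSecret: String, tokenSecret: String) -> String {
    return oauthEncode(consumerSecret) + "&" + oauthEncode(tokenSecret)
}

// Constructed sample secrets containing characters outside the unreserved set.
let consumerSecret = "cs&1/+="
let tokenSecret = "tok en%"

// Concatenating the raw values: the "&" inside the consumer secret cannot be
// told apart from the separator, so a receiver no longer sees two fields.
let unencoded = consumerSecret + "&" + tokenSecret
let encoded = plaintextSignature(consumerSecret: consumerSecret,
                                 tokenSecret: tokenSecret)

print("unencoded:", unencoded)
print("fields when split on '&':",
      unencoded.split(separator: "&", omittingEmptySubsequences: false).count)
print("encoded:  ", encoded)
print("fields when split on '&':",
      encoded.split(separator: "&", omittingEmptySubsequences: false).count)

// Empty token secret (e.g. before a token is issued): the separator stays.
print("no token: ", plaintextSignature(consumerSecret: consumerSecret, tokenSecret: ""))
```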

Reference
starred/OAuthSwift#706