guzzle / oauth-subscriber Goto Github PK
View Code? Open in Web Editor NEWSigns Guzzle requests using OAuth 1.0 (Guzzle 6+)
License: MIT License
Signs Guzzle requests using OAuth 1.0 (Guzzle 6+)
License: MIT License
was wondering how Guzzel will be able to retrieve the nonce and timestamp when request is fired, usually in 2 legged it should generate automatically but i don't see when i do $request-all() dump from laravel. end point.
Hello,
is there a particular reason why the oauth_callback parameter from OAuth1.0a was removed from the Guzzle Plugin?
It was available as an optional parameter in the "old" Guzzle3 plugin (Guzzle3/plugin-oauth@34604f6)
On my system, $body is a GuzzleHttp\Stream\Stream which does not appear to have any readLine methods.
Fatal error: Call to undefined method GuzzleHttp\Stream\Stream::readLine() in C:\home\ahundiak\zayso2016\oauth\vendor\guzzlehttp\oauth-subscriber\tests\Oauth1Test.php on line 270
guzzlehttp/guzzle 4.2.1
guzzlehttp/oauth-subscriber 0.1.2
guzzlehttp/streams 2.1.0
The rest of the tests work fine.
I was having some issues using this plugin with the Xero API, trying to POST data. I came across this discussion - https://community.xero.com/developer/discussion/24421/
If you see Tony Rule's comment where he says "When using POST, any form parameters need to be included in the signature base string, whereas PUT method doesn't use them. http://oauth.net/core/1.0a/#anchor13"
I changed my guzzle request to use PUT instead and it worked. I am wondering if this oauth plugin should detect the request type and include any form fields in the base string.
PHP version: 8.1.3
Guzzle version: 7.4.1
Description
Function GuzzleHttp\Psr7\parse_query() used in Oauth1.php was removed and this leads to undefined function error.
How to reproduce
Using oauth-subscriber and Guzzle 7.4.1 run a signed oAuth query.
Possible Solution
Code needs updating to Query::parse() and Query:build().
What is the correct way to generate the signature for requests with query string that has no key=value just a string without "=" sign for example https://domain/path?querystring
The service im connecting with for urls like that returns invalid signature error.
So who is not compliant with the RFC ? the service or the subscriber implementation ?
With one simple modification to the prepareParameters method i got the requests working, I can make a PR but i dont know it would be a valid change.
private function prepareParameters($data)
{
// Parameters are sorted by name, using lexicographical byte value
// ordering. Ref: Spec: 9.1.1 (1).
uksort($data, 'strcmp');
foreach ($data as $key => $value) {
if ($value === null) {
// unset($data[$key]); // current code
$data[$key] = ""; // modification needed to make requests with a valid sig
}
}
return $data;
}
I see the example use rsa signature method. I need to know if I can use the hmac-sha256 signature method to create the OAuth1.
Thank you
PHP 8.0.0
Description
Trying to use this in PHP* and the following error is generated when using $client->request();
In Oauth1.php line 267:
Function openssl_free_key() is deprecated
How to reproduce
Use with PHP8
Possible Solution
Remove this reference as PHP automatically frees the memory.
Could you tag 0.1.1 please because it allows us to use stable guzzle 4.0.
The move to Guzzle 6 is not going to be simple for some applications and there are fixes that are not included in 0.2.0.
It seems to me like 55c001f5cbcfab5f44792426538cba5bd53168f2
was the last commit before the BC break was made?
PHP version: 7.3.27
Description
The Oauth1::getSignature()
is attempting to leverage GuzzleHttp\Psr7\parse_query()
. Howevern the parse_query() was deprecated, and in later versions of GuzzleHttp\Psr7, unavailable. So updating these packages renders this one unusable.
The problem is simply that oauth-subscriber's composer.json isn't restrictive enough. It depends on '"guzzlehttp/guzzle": "^6.0|^7.0"', which in turn depends on '"guzzlehttp/psr7": "^1.7 || ^2.0",'. But guzzlehttp/psr7 v2.0 is what removes that function.
How to reproduce
Any use of the Oauth1::getSignature()
method will trigger this.
Possible Solution
Either observe the deprecation notice's instructions and replace these function calls with GuzzleHttp\Psr7\Query::parse()
, or just add a more-explicit dependency on guzzlehttp/psr7 that limits it to just '^1.7', and not '^2.0'.
I am trying to request_token
to twitter with the following code. However this is giving the undefined index here https://github.com/guzzle/oauth-subscriber/blob/master/src/Oauth1.php#L243
$middleware = new Oauth1([
'consumer_key' => 'key',
'consumer_secret' => 'secret'
]);
$stack->push($middleware);
$client = new Client([
'base_uri' => 'https://api.twitter.com/',
'handler' => $stack,
'auth' => 'oauth'
]);
$res = $client->post('oauth/request_token', ['form_params' => ['oauth_callback' => 'http://mysite.com/callback']]);
If I change the Oauth1 config to look to include the token_secret and set it to false it works but I don't think this is right.
$middleware = new Oauth1([
'consumer_key' => 'key',
'consumer_secret' => 'secret',
'token_secret' => false
]);
Hello there,
The following is taken from the README file
You can set the auth request option to oauth for all requests sent by the client by extending the array you feed to new Client with auth => oauth.
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Subscriber\Oauth\Oauth1;
$stack = HandlerStack::create();
$middleware = new Oauth1([
'consumer_key' => 'my_key',
'consumer_secret' => 'my_secret',
'token' => 'my_token',
'token_secret' => 'my_token_secret'
]);
$stack->push($middleware);
$client = new Client([
'base_uri' => 'https://api.twitter.com/1.1/',
'handler' => $stack,
'auth' => 'oauth'
]);
// Now you don't need to add the auth parameter
$res = $client->get('statuses/home_timeline.json');
Note
You can omit the token and token_secret options to use two-legged OAuth.
It says i can't ommit the token and token secret for two-legged aoth but whe i get rid of those two keys i get thr following exception:
Notice: Undefined index: token_secret in /homepages/42/d560140073/htdocs/oggo/guzzle/vendor/guzzlehttp/oauth-subscriber/src/Oauth1.php on line 243
My question is, does omitting means deleting them or keeping the keys but with an empty value ?
Thank you.
Is trailing slash a must for base_uri? All requests fail with a 404 whenever base_uri doesn't end with a '/'
Not sure if PSR7 specifies base_uri to be so.
There a lot of PR unmerged and also issues opened. Is there a reason why is all stopped?
Problem is with these lines in GuzzleHttp\Subscriber\Oauth\Oauth1::sign_RSA_SHA1()
:
$privateKey = openssl_pkey_get_private(
file_get_contents($this->config['consumer_secret']),
$this->config['consumer_secret']
);
We have to use $this->config['consumer_secret']
for private key's path, but then $this->config['consumer_secret']
is also used as passphrase and it's not working.
I have two ideas:
private_key
attribute in constructor's $config
so sign_RSA_SHA1()
could use $this->config['private_key']
. Maybe $this->config['private_key_passphrase']
also? In my opinion it would be most readable.sign_RSA_SHA1()
could use $this->config['consumer_key']
for private key's path and $this->config['consumer_secret']
for optional passphrase. But it could be misleading.When you add a post parameter with a null
value it the entire key value pair is removed from the base signature string, however Guzzle will send the post parameter as an empty parameter. Meaning the server will have a signing mismatch.
One of two things could happen
null
parameters are first coerced into empty strings (probably not what we want?)null
values should not be added to the PostBody
objects.When passing a request object created via ServerRequest::fromGlobals()
an incorrect signature is generated. It seems that the parameter 'oauth_signature' is unset and then re-added after adding the body contents to the params in method getSignature()
. Clearing the body fixes the issue.
Code to reproduce the issue:
use GuzzleHttp\Subscriber\Oauth\Oauth1;
use GuzzleHttp\Psr7\ServerRequest;
use function GuzzleHttp\Psr7\stream_for;
$oauth = new Oauth1([
'consumer_key' => 'key',
'consumer_secret' => 'secret',
'token_secret' => ''
]);
$signature = $oauth->getSignature(ServerRequest::fromGlobals(), $_POST);
var_dump($signature === $_POST['oauth_signature']); // false
$signature = $oauth->getSignature(ServerRequest::fromGlobals()->withBody(stream_for()), $_POST);
var_dump($signature === $_POST['oauth_signature']); // true
Possible fix:
Move the line that unsets the 'oauth_signature' parameter after the code that adds the body contents and query parameters:
public function getSignature(RequestInterface $request, array $params)
{
// Add POST fields if the request uses POST fields and no files
if ($request->getHeaderLine('Content-Type') == 'application/x-www-form-urlencoded') {
$body = \GuzzleHttp\Psr7\parse_query($request->getBody()->getContents());
$params += $body;
}
// Parse & add query string parameters as base string parameters
$query = $request->getUri()->getQuery();
$params += \GuzzleHttp\Psr7\parse_query($query);
// Remove oauth_signature if present
// Ref: Spec: 9.1.1 ("The oauth_signature parameter MUST be excluded.")
unset($params['oauth_signature']);
Please note that switching Composer to use dev-master solves this problem..
When pulling version 0.1.x through Composer, the version being returned is 0.1.1 which does not have the callback param support added.
I propose that version 0.1.2 is released, so that people with 0.1.x required in their projects can get the latest change.
Thanks
Hi,
I'm trying to use this library but don't really know how to create OAuth token and OAuth secret. Would you please help me?
Thanks
$oauth_consumer_key = '6481-6163-0300';
$consumer_secret = '3qrq46dabjokwsgk4owwk8k4scs00o400kccwc0gs4048k8css';
$oauth_nonce = md5(uniqid(mt_rand(), true));
$oauth_version = "1.0";
$oauth_signature_method = "HMAC-SHA1";
$oauth_token = ???????????????
$oauth_secret = ???????????????
As Guzzle moved to version 6 there are some major changes that doesn't allow to easily adopt your code. I think quite a lot of people would really appreciate if you produce a solution for v6.
At the moment, a single Guzzle client can be set up with this handler, and the operation of the handler can be enabled or disabled by passing the auth
parameter to a request send: oauth1
turns it in and null
turns it off.
I would like to go one step further, and allow an oauth_token
and oauth_token_secret
to be passed into the request as options. These should allow the token and secret to be set for that request, and to override the values given to the OAuth1 object when it was created.
Why? It's about making token refreshing more invisible to the application. When a HTTP request is made, it may fail if the token has expired. This can be caught, a fresh token requested, then the HTTP request fired off again. The application should not have to get involved in the logic of this, except for being signalled to persist the new token and secret.
Now, at the moment, to resent the request with new tokens, a new OAuth handler needs to be created. Then a new handler stack. Then a new Guzzle client. This is all done at a very low level where the full configuration used to create all these things may not be known. What's more, the Guzzle client and the OAuth1 handler are immutable, and do not have any with*
methods for cloning with a few configuration changes, so we have no workaround.
I'm using this with Xero in the context of a Partner Application. The way OAuth straps itself across every level of API access at he moment, instead of staying nicely in one or two layers, makes for very messy applications. I'm trying to get the OAuth functionality (request and token refreshes) to stay close to where the Guzzle requests are sent.
Is this something that would be acceptable to submit? Useful to anyone else? Am I just missing something - maybe OAuth is neat and easy-peasy, and I'm somehow making it messy and difficult?
PHP version: 7.4.12
Description
Getting an error "Attempted to call function "parse_query" from namespace "GuzzleHttp\Psr7"." In Oauth1.php line 149.
Seems like Guzzle moved functions to another place
Guzzle v7.3.0
oauth-subscriber v0.5.0
How to reproduce
Check functions locations. Functions called from old places
Possible Solution
Update library to be compatible with guzzle v7.3
Additional context
I use oauth-subscriber 0.1.*@dev and Guzzle 5.0 for one of my packages (https://github.com/abhishekbhardwaj/Twitter-API-PHP) and when installing that package on a Laravel project via Composer, it errors out saying "could not be resolved to an installable set of packages".
Adding the following to the Laravel project:
"minimum-stability": "dev",
"prefer-stable": true
..fixes it but then it pulls in unstable versions of other packages as well.
Installing all other dependencies manually into the Laravel project also fixes it but then..
Since this package is working with GuzzleHttp 5.0, how about adding a tag so that Composer can install it without hiccups?
Or any other suggestion would be great as well.
$stack = HandlerStack::create();
$middleware = new Oauth1( array(
'consumer_key' => $user_info['consumer_key'],
'consumer_secret' => $user_info['consumer_secret'],
'signature_method' => Oauth1::SIGNATURE_METHOD_HMAC,
'token' => '', 'token_secret' => ''
)
);
$stack->push( $middleware );
$client = new Client( array(
'base_uri' => sprintf( '%s/wp-json/wc/v2/', rtrim( $user_info['site_url'], '/' ) ),
'handler' => $stack,
'auth' => 'oauth',
)
);
$client->post( 'products',
array(
'json' => array(
'name' => $cart_good['goods_name'],
'type' => 'simple',
'regular_price' => $cart_good['shop_price'],
'description' => $cart_good['goods_desc'],
)
)
);
Hi there, this library used to work with previous version of woocommerce.
After i update woocommerce to latest version, it completely not working.
I keep getting invalid signature
Wordpress : 4.8
Woocommerce : 3.1.1
Please, create new release with latest changes.
Thank you!
I've been using Guzzle to get data from my API, but when I try and post data to the API I get the following error:
Fatal error: Uncaught exception 'GuzzleHttp\Exception\ClientException' with message 'Client error response [url] http://www.mywebsite.bar/rest/v4/foo/ [status code] 401 [reason phrase] Unauthorized : Invalid signature
The code I'm using to send the data looks like this
$request = $this->client->post('http://www.mywebsite.bar/rest/v4/foo/' ,
array('Content-Type: application/x-www-form-urlencoded'),
array());
$request->setBody($my_data); #set body!
$response = $request->send();
return $response;
Using the same client to get data works fine
$res = $this->client->get( $url);
return $res->getBody();
Using OAuth I've managed to post the data to the API like this
$my_data['name'] = 'Bob';
$my_data['age'] = 34;
$my_data['location[home]'] = 'foo';
$my_data['location[work]'] = 'bar';
$oauth->fetch( $url , $my_data , OAUTH_HTTP_METHOD_POST );
Sending the array to the API this way works fine.
I'm using guzzlehttp/oauth-subscriber
for all the oauth side.
What am I doing wrong with Guzzle?
Thanks
When using oauth-subscriber
in cron for multiple times their is a memory leak. Here is a basic test I did.
function oauth_1_stack($token = NULL, $token_secret = NULL)
{
$stack = HandlerStack::create();
$middleware = new Oauth1([
'consumer_key' => 'my_key',
'consumer_secret' => 'my_secret',
'token' => $token,
'token_secret' => $token_secret,
]);
$stack->push($middleware);
$options = [
'handler' => $stack,
'auth' => 'oauth'
];
unset($stack, $middleware);
return $options;
}
echo "<pre>";
echo memory_get_usage() . "\n"; // 4017480
$options = oauth_1_stack();
echo memory_get_usage() . "\n"; // 4509824
unset($options);
echo memory_get_usage() . "\n"; // 4480032
echo "</pre>";
trying to install via composer and ive got the required packages set to
"guzzlehttp/guzzle": "~6.0",
"guzzlehttp/oauth-subscriber": "0.2.*",
But when doing a composer update I get:
Problem 1
- guzzlehttp/oauth-subscriber 0.2.0 requires guzzlehttp/guzzle ~4.0|~5.0 -> satisfiable by guzzlehttp/guzzle[5.3.x-dev].
- guzzlehttp/oauth-subscriber 0.2.0 requires guzzlehttp/guzzle ~4.0|~5.0 -> satisfiable by guzzlehttp/guzzle[5.3.x-dev].
- Conclusion: don't install guzzlehttp/guzzle 5.3.x-dev
- Installation request for guzzlehttp/oauth-subscriber 0.2.* -> satisfiable by guzzlehttp/oauth-subscriber[0.2.0].
Ive tried minimum-stability on dev and stable
When sending a request which uses a query containing duplicate parameter keys, the signature is incorrectly generated.
eg. ?parameter=myvalue¶mter=myvalue2
This is being caused by the usage of "http_build_query" instead of the Guzzle "build_query" function in "createBaseString".
PHP version: 7.4.29
Description
I've installed "guzzlehttp/oauth-subscriber": "^0.5"
via composer (v2.3.10). I'm using it in Drupal to request an API call.
I've included
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Subscriber\Oauth\Oauth1;
use GuzzleHttp\Exception\ConnectException;
use GuzzleHttp\Exception\ClientException;
use GuzzleHttp\Exception\ServerException;
in the code and have used it as
$client = new Client([
'base_uri' => $this->getBaseUri(),
'handler' => $this->getAuthHandler(),
'auth' => 'oauth',
]);
$stack = HandlerStack::create();
$middleware = new Oauth1([
'realm' => account_id,
'consumer_key' => consumer_key,
'consumer_secret' => consumer_secret,
'token' => token_id,
'token_secret'=> token_secret,
'signature_method' => 'HMAC-SHA256',
]);
$stack->push($middleware);
It is basically an import function which fetches data from third party API. When I run the import it gives an error Error: Call to undefined function GuzzleHttp\Psr7\parse_query() in GuzzleHttp\Subscriber\Oauth\Oauth1->getSignature() (line 149 of C:\xampp\htdocs\mystore2\vendor\guzzlehttp\oauth-subscriber\src\Oauth1.php).
I look forward to any suggestions/help. Thanks in advance!
There is a bug in the method signUsingHmacSha1()
.
To create the $key
it EVER uses both $this->config['consumer_secret']
and $this->config['token_secret']
.
The problem arises when there is no token_secret
set.
In fact, the method works in this way:
/**
* @param string $baseString
*
* @return string
*/
private function signUsingHmacSha1($baseString)
{
$key = rawurlencode($this->config['consumer_secret'])
. '&' . rawurlencode($this->config['token_secret']);
return hash_hmac('sha1', $baseString, $key, true);
}
If a token isn't set the ampersand is anyway added to $key
and this causes the encoding of a wrong string and the generation of a wrong key.
To fix the bug is sufficient an if
statement, this way:
/**
* @param string $baseString
*
* @return string
*/
private function signUsingHmacSha1($baseString)
{
$key = rawurlencode($this->config['consumer_secret'])
// Add token only if present to avoid wrong encoding due to the superflous ampersand (&)
if(isset($this->config['token_secret']) && !empty($this->config['token_secret'])) {
$key .= '&' . rawurlencode($this->config['token_secret']);
}
return hash_hmac('sha1', $baseString, $key, true);
}
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.