Encode secrets before computing signature.

jaredhanson · jaredhanson · commit cd2de9fcd94c · 2013-02-20T08:26:41.000-08:00
diff --git a/lib/passport-http-oauth/strategies/consumer.js b/lib/passport-http-oauth/strategies/consumer.js
@@ -298,8 +298,8 @@ ConsumerStrategy.prototype.authenticate = function(req) {
         }
 
       } else if (signatureMethod === 'HMAC-SHA256') {
-        var key = consumerSecret + '&';
-        if (tokenSecret) { key += tokenSecret; }
+        var key = utils.encode(consumerSecret) + '&';
+        if (tokenSecret) { key += utils.encode(tokenSecret); }
         var computedSignature = utils.hmacsha256(key, base);
 
         if (signature !== computedSignature) {

Original file line number	Diff line number	Diff line change
`@@ -298,8 +298,8 @@ ConsumerStrategy.prototype.authenticate = function(req) {`
`298`	`298`	`}`
`299`	`299`
`300`	`300`	`} else if (signatureMethod === 'HMAC-SHA256') {`
`301`		`- var key = consumerSecret + '&';`
`302`		`- if (tokenSecret) { key += tokenSecret; }`
	`301`	`+ var key = utils.encode(consumerSecret) + '&';`
	`302`	`+ if (tokenSecret) { key += utils.encode(tokenSecret); }`
`303`	`303`	`var computedSignature = utils.hmacsha256(key, base);`
`304`	`304`
`305`	`305`	`if (signature !== computedSignature) {`