Module: OAuth::Helper

Extended by:
Helper
Included in:
Net::HTTPRequest, Client::Helper, Helper, RequestProxy::Base, Server, Signature::Base, Token
Defined in:
lib/oauth/helper.rb


Instance Method Details

#bytes(a) ⇒ Object

Creates a per byte enumerator for a string regardless of RUBY VERSION



# File 'lib/oauth/helper.rb', line 91

# Returns the bytes of +a+ as an enumerable of integers.
#
# @param a [String, nil] value to enumerate
# @return [Object] an empty Array for nil, +a.bytes+ when +a+ responds to
#   +bytes+, otherwise an Enumerable::Enumerator driven by +a.each_byte+
def bytes(a)
  case
  when a.nil? then []
  when a.respond_to?(:bytes) then a.bytes
  else
    # Receivers without #bytes are wrapped so each_byte can be enumerated.
    Enumerable::Enumerator.new(a, :each_byte)
  end
end

#escape(value) ⇒ Object

Escape value by URL-encoding every character matched by OAuth::RESERVED_CHARACTERS.

See Also: OAuth core spec version 1.0, section 5.1



# File 'lib/oauth/helper.rb', line 12

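# Percent-encodes every character of +value+ that matches
# OAuth::RESERVED_CHARACTERS (OAuth core spec version 1.0, section 5.1).
#
# @param value [#to_s] value to encode; converted with +to_s+ first
# @return [String] the encoded string
def escape(value)
  # URI.escape was removed in Ruby 3.0, so calling it there raises
  # NoMethodError. Where the parser object exists it provides the same call;
  # older interpreters without it keep using URI directly.
  encoder = defined?(URI::DEFAULT_PARSER) ? URI::DEFAULT_PARSER : URI
  encoder.escape(value.to_s, OAuth::RESERVED_CHARACTERS)
end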

#generate_key(size = 32) ⇒ Object Also known as: generate_nonce

Generate a random key of up to size bytes. The value returned is Base64 encoded with non-word characters removed.



# File 'lib/oauth/helper.rb', line 18

# Builds a random token from +size+ bytes drawn from OpenSSL's random
# generator.
#
# @param size [Integer] number of random bytes to draw (default 32)
# @return [String] the Base64 text of those bytes with every non-word
#   character removed, so the length varies from call to call
def generate_key(size=32)
  raw = OpenSSL::Random.random_bytes(size)
  encoded = Base64.encode64(raw)
  # Base64 output can contain "+", "/", "=" and line breaks; all of them are
  # dropped here, leaving only letters and digits.
  encoded.gsub(/\W/, '')
end

#generate_timestamp ⇒ Object

:nodoc:



# File 'lib/oauth/helper.rb', line 24

# Current time as whole seconds since the Unix epoch, as a decimal String.
def generate_timestamp #:nodoc:
  seconds = Time.now.to_i
  seconds.to_s
end

#normalize(params) ⇒ Object

Normalize a Hash of parameter values. Parameters are sorted by name, using lexicographical byte value ordering. If two or more parameters share the same name, they are sorted by their value. Parameters are concatenated in their sorted order into a single string. For each parameter, the name is separated from the corresponding value by an “=” character, even if the value is empty. Each name-value pair is separated by an “&” character.

See Also: OAuth core spec version 1.0, section 9.1.1



# File 'lib/oauth/helper.rb', line 35

# Builds the normalized parameter string of OAuth core spec 1.0, section
# 9.1.1: pairs sorted by name, each rendered as "name=value" with both sides
# passed through +escape+, joined with "&".
#
# @param params [Hash] parameter names mapped to a single value or to an
#   Array of values
# @return [String] the normalized parameter string
def normalize(params)
  pair = lambda { |name, val| [escape(name), escape(val)].join("=") }

  encoded = params.sort.map do |key, entry|
    if entry.is_a?(Array)
      # Several values under one name: order them by value, one pair each.
      entry.sort.map { |single| pair.call(key, single) }
    else
      pair.call(key, entry)
    end
  end

  # join descends into the per-name arrays, so every pair is separated by "&".
  encoded.join("&")
end

#parse_header(header) ⇒ Object

Parse an Authorization / WWW-Authenticate header into a hash. Takes care of unescaping and removing surrounding quotes. Raises an OAuth::Problem if the header is not parsable into a valid hash. Does not validate the keys or values.

hash = parse_header(headers['Authorization'] || headers['WWW-Authenticate'])
hash['oauth_timestamp']
  #=>"1234567890"

Raises: OAuth::Problem



# File 'lib/oauth/helper.rb', line 57

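# Parses an Authorization / WWW-Authenticate header into a Hash of names to
# values. Surrounding double quotes are removed and percent-escapes decoded.
# Keys and values are not validated in any other way.
#
# @param header [String] the raw header value
# @return [Hash] parameter names mapped to decoded values; when a name is
#   repeated the last occurrence wins
# @raise [OAuth::Problem] when the header is missing, shorter than six
#   characters, or does not split into name/value pairs
def parse_header(header)
  # A nil or too-short header used to fail with NoMethodError further down;
  # report it through the documented error instead.
  if header.nil? || header.length < 6
    raise OAuth::Problem.new("Invalid authorization header")
  end

  # The first six characters are skipped without being inspected
  # (presumably the "OAuth " scheme prefix -- confirm against callers).
  # NOTE(review): a raw "," or "=" inside a value is also treated as a
  # separator by this split.
  fields = header[6, header.length].split(/[,=]/)

  # odd number of fields - must be a malformed header.
  raise OAuth::Problem.new("Invalid authorization header") if fields.size % 2 != 0

  fields.map! do |field|
    # Remove the quotes before decoding, so that a percent-encoded quote
    # (%22) at the edge of a value stays part of the value. \A and \z anchor
    # the whole string; ^ and $ would also match at embedded line breaks.
    unquoted = field.strip.sub(/\A"(.*)"\z/m, '\1')
    unescape(unquoted)
  end

  # convert the flat [name, value, name, value, ...] list into a Hash
  Hash[*fields]
end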

#secure_equals(a, b) ⇒ Object

A secure version of equals meant to avoid timing attacks, as described at codahale.com/a-lesson-in-timing-attacks/. Only String arguments are compared byte by byte; any other pair of values is compared with ==.



# File 'lib/oauth/helper.rb', line 77

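# Equality check for secrets such as signatures. Two Strings are compared
# byte by byte without stopping at the first mismatch, so the time taken does
# not reveal how many leading bytes matched.
#
# @param a [Object] first value
# @param b [Object] second value
# @return [Boolean] true when both Strings hold the same bytes; for any
#   non-String operand, the result of +a == b+
def secure_equals(a,b)
  # Non-String operands use ordinary ==, which is not timing-safe.
  return a == b unless a.is_a?(String) && b.is_a?(String)

  left = a.unpack('C*')
  right = b.unpack('C*')

  # Compare byte counts before the loop. Previously a longer +a+ paired its
  # extra bytes with nil and raised TypeError on the XOR instead of returning
  # false. Only the length is disclosed by this early return.
  return false unless left.size == right.size

  diff = 0
  # OR together the XOR of every byte pair; any mismatch leaves a non-zero bit.
  left.each_with_index { |byte, i| diff |= byte ^ right[i] }
  diff == 0
end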

#unescape(value) ⇒ Object



# File 'lib/oauth/helper.rb', line 86

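# Decodes the percent-escapes in +value+.
#
# @param value [String] percent-encoded text
# @return [String] the decoded text; a literal "+" stays a "+"
def unescape(value)
  # URI.unescape was removed in Ruby 3.0, so calling it there raises
  # NoMethodError. Where the parser object exists it provides the same call;
  # older interpreters without it keep using URI directly.
  decoder = defined?(URI::DEFAULT_PARSER) ? URI::DEFAULT_PARSER : URI
  # "+" is rewritten as "%2B" first, which decodes back to a literal plus.
  decoder.unescape(value.gsub('+', '%2B'))
end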