OAuth parameters are not refreshed following a 302 redirect #1573
Comments
Is that an actual bug? Can you point us to the exact part of the RFC regarding this behavior?
@simov the RFC does not outline behavior for this case specifically, but from Section 3.3:
I would assume "all requests" would include redirects. Here's a real-world example of where this becomes an issue with the Bitbucket API: this endpoint responds with a 302 and after following the redirect using the same parameters I get a 401.
@simov I was working on a PR for this, do you agree it warrants a fix? When
I also just realized that none of the OAuth params are stored on the |
- Cache the initial oauth options passed to request in _oauth.params
- On subsequent calls to init() use the cached _oauth.params to invoke the oauth params generation logic again
@marshall007 I was able to reproduce the bug and submitted a PR #1574 (I hope you don't mind). Hopefully we're interpreting the specification correctly. I can't remember having that issue before, but I can't say if I had any redirects when making oauth requests either.
@simov looks good, thanks! I'm pretty confident in our interpretation given that there are APIs in the wild that implement this behavior.
Refresh the oauth_nonce on redirect (#1573)
After following a 302 Redirect, it appears the subsequent request is signed using the same OAuth parameters as the original request.
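The following is an added example, not code from this project or from PR #1574. It sketches OAuth 1.0 HMAC-SHA1 signing (RFC 5849) against a toy verifier to show why replaying the original parameters after a 302 yields a 401 while re-signing with a fresh nonce and timestamp succeeds. All keys, secrets, URLs and function names are constructed for illustration, and query-string parameters are left out of the signature base string for brevity.

```javascript
const crypto = require('crypto');

// RFC 3986 percent-encoding as required by RFC 5849 section 3.6.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// HMAC-SHA1 signature over method, base URL and the sorted oauth_* parameters.
function sign(method, url, params, consumerSecret, tokenSecret) {
  const normalized = Object.keys(params).sort()
    .map((k) => enc(k) + '=' + enc(params[k])).join('&');
  const base = [method.toUpperCase(), enc(url), enc(normalized)].join('&');
  const key = enc(consumerSecret) + '&' + enc(tokenSecret);
  return crypto.createHmac('sha1', key).update(base).digest('base64');
}

// Fresh oauth_nonce and oauth_timestamp for every request, redirects included.
function freshParams(consumerKey, token) {
  return {
    oauth_consumer_key: consumerKey, oauth_token: token,
    oauth_signature_method: 'HMAC-SHA1', oauth_version: '1.0',
    oauth_nonce: crypto.randomBytes(16).toString('hex'),
    oauth_timestamp: String(Math.floor(Date.now() / 1000)),
  };
}

// Toy verifier (hypothetical): recomputes the signature for the URL it was
// actually called on, then rejects any nonce it has already accepted.
function makeServer(consumerSecret, tokenSecret) {
  const seen = new Set();
  return (method, url, params, signature) => {
    const a = Buffer.from(sign(method, url, params, consumerSecret, tokenSecret));
    const b = Buffer.from(String(signature));
    if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return 401;
    if (seen.has(params.oauth_nonce)) return 401;
    seen.add(params.oauth_nonce);
    return 200;
  };
}

// Follow one redirect, either replaying the original parameters or re-signing.
function followRedirect(resign) {
  const [cs, ts] = ['consumer-secret', 'token-secret'];   // constructed secrets
  const server = makeServer(cs, ts);
  const first = 'https://api.example.test/repo/main';     // constructed URLs
  const target = 'https://api.example.test/repo/abc123';
  const p1 = freshParams('ck', 'tok');
  const s1 = sign('GET', first, p1, cs, ts);
  const firstStatus = server('GET', first, p1, s1);  // a real API answers 302 here
  const p2 = resign ? freshParams('ck', 'tok') : p1;
  const s2 = resign ? sign('GET', target, p2, cs, ts) : s1;
  return { firstStatus, redirectStatus: server('GET', target, p2, s2) };
}
```

Because the signature base string covers the request URL, the replayed signature fails even before the nonce check; a redirect back to the same URL would instead be rejected as a reused nonce.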