OAuth signature does not match in some cases #34

Closed
hissy opened this issue Sep 24, 2014 · 6 comments

Comments

@hissy

hissy commented Sep 24, 2014

Hi, I'm trying to retrieve posts with parameters that require authentication. I'm using the Zend_OAuth library, and I have already succeeded in getting an access token and in retrieving data that requires authentication. However, with some parameters, I get an "OAuth signature does not match" error (code: json_oauth1_signature_mismatch). Here is my code. Very normal.

    // Wrap the previously obtained access token and secret
    $token = new Zend_Oauth_Token_Access;
    $token->setParams(array(
        Zend_Oauth_Token_Access::TOKEN_PARAM_KEY => $oauth_token,
        Zend_Oauth_Token_Access::TOKEN_SECRET_PARAM_KEY => $oauth_token_secret
    ));
    // HTTP client that signs each request with the consumer credentials
    $client = $token->getHttpClient(array(
        'consumerKey' => $oauth_key,
        'consumerSecret' => $oauth_secret
    ));
    $client->setUri( $wp_rest_api_url . '/posts' );
    // The nested-array style key is the parameter that breaks the signature
    $client->setParameterGet( 'filter[posts_per_page]', $num );
    $client->setMethod( Zend_Http_Client::GET );
    $res = $client->request();

The problem is the filter[posts_per_page] key.

In Zend Framework, each parameter key and value is encoded first, then the query string is built, and finally the whole string is urlencoded again.
https://github.com/zendframework/ZendOAuth/blob/c0eca2ca6e930a5464a6a76ac1eb293237304d2a/library/ZendOAuth/Signature/AbstractSignature.php#L115

In WP-API/OAuth1, the parameter keys and values are not encoded.

    $string = $param_key . '=' . $param_value; // join with equals sign

So, which way is correct? IMHO, ZF way.
3.4.1.3.2. Parameters Normalization http://tools.ietf.org/html/rfc5849#section-3.4.1.3.2

But unfortunately, I don't have any experience with other OAuth providers, so I'd like to hear others' opinions.

Thanks!

@hissy (Author)

hissy commented Sep 27, 2014

I found another difference between WP-API and ZF. It seems multi-dimensional arrays are not sufficiently sorted in the signature string.

    $query_params = $this->join_with_equals_sign( $param_value, $query_params, $param_key );

https://github.com/zendframework/ZendOAuth/blob/c0eca2ca6e930a5464a6a76ac1eb293237304d2a/library/ZendOAuth/Signature/AbstractSignature.php#L153

@romuloctba

I'm facing a very similar problem, and this is what I did to find the real reason (the base_uri):
I changed https://github.com/WP-API/OAuth1/blob/master/lib/class-wp-json-authentication-oauth1.php#L563 to:

    return new WP_Error( 'json_oauth1_signature_mismatch', __( 'OAuth signature does not match. Should be: ' . $signature . '. We are using this base uri: ' . $base_request_uri ), array( 'status' => 401 ) );

This returns the "signature does not match" error together with the base URL so I can compare. The plugin is trying to generate the oauth_signature using the base_url host.com/folder/folder when the right base_uri should be host.com/folder.
Also, with this error message I get the oauth_signature expected by the server. If I put it in place of the one my script generated, it just works fine. So I'm guessing that the problem is the base_uri.

the $base_request_uri is set here: https://github.com/WP-API/OAuth1/blob/master/lib/class-wp-json-authentication-oauth1.php#L524

@hissy (Author)

hissy commented Oct 1, 2014

@romuloctba, the base URL issue is another problem, and a pull request has already been opened for it. See: #32

@romuloctba

Oh, sorry, my bad, should've read better
I think you are right.

@archonia-chris

I had the same issue (ZF2 and filter[posts_per_page]). I "fixed" this by changing the following:
class-wp-json-authentication-oauth1.php - join_with_equals_sign
Change

    $param_key = $key . '[' . $param_key . ']'; // Handle multi-dimensional array

to

    $param_key = $key . '%5B' . $param_key . '%5D'; // Handle multi-dimensional array

I also looked at what Google did:
http://oauth.googlecode.com/svn/code/javascript/example/signature.html

    parameters: context=edit&filter[posts_per_page]=6

Encoded as

    context%3Dedit%26filter%255Bposts_per_page%255D

So Google double-encodes just like ZF2 so I assume WP-API is incorrect.
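As an added example (not code from WP-API/OAuth1, Zend, or any commenter), here is the RFC 5849 section 3.4.1.3.2 normalization that both hissy and archonia-chris describe: flatten nested keys such as filter[posts_per_page], percent-encode every key and value, sort the flattened pairs, and only then join and encode again for the base string. The function names and the sample base URI are assumptions.

```php
<?php
// Added example, not code from WP-API/OAuth1 or Zend: RFC 5849 section 3.4.1.3.2
// parameter normalization for nested keys such as filter[posts_per_page].

// Percent-encode per RFC 3986 (only unreserved characters are left bare).
function rfc3986_encode(string $s): string {
    return str_replace('%7E', '~', rawurlencode($s));
}

// Flatten nested arrays into PHP-style bracket keys before any encoding,
// e.g. ['filter' => ['posts_per_page' => 6]] -> ['filter[posts_per_page]' => '6'].
function flatten_params(array $params, string $prefix = ''): array {
    $out = [];
    foreach ($params as $key => $value) {
        $full = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            foreach (flatten_params($value, $full) as $k => $v) {
                $out[$k] = $v;
            }
        } else {
            $out[$full] = (string) $value;
        }
    }
    return $out;
}

// Encode every key and value, sort by encoded key then value (byte order),
// and join with '=' and '&'. Encoding before joining turns '[' into %5B, so
// the second encoding in signature_base_string() yields %255B, as Zend does.
function normalize_params(array $params): string {
    $pairs = [];
    foreach (flatten_params($params) as $k => $v) {
        $pairs[] = [rfc3986_encode($k), rfc3986_encode($v)];
    }
    usort($pairs, function (array $a, array $b): int {
        return strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]);
    });
    return implode('&', array_map(fn(array $p) => $p[0] . '=' . $p[1], $pairs));
}

// Signature base string: METHOD & encode(base URI) & encode(normalized params).
// The base URI is the request URI without its query string.
function signature_base_string(string $method, string $base_uri, array $params): string {
    return strtoupper($method) . '&' . rfc3986_encode($base_uri)
        . '&' . rfc3986_encode(normalize_params($params));
}

// Sample input (constructed): the parameters from the original report.
$params = ['context' => 'edit', 'filter' => ['posts_per_page' => 6]];
echo signature_base_string('GET', 'https://example.com/wp-json/posts', $params), "\n";
```

In a real signature the oauth_* protocol parameters are merged into $params before normalization; they are omitted here to keep the focus on the encoding and ordering of the nested key.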

thiago-negri added a commit to thiago-negri/OAuth1 that referenced this issue Aug 22, 2015
Signature checking duplicates the WP install folder when building the
request URI.

For example, if you have a WordPress running on "www.example.com/wp", the
signature checker will use URLs like "www.example.com/wp/wp/...".

This commit removes the WordPress base directory from the checked path.

See !32, WP-API#34, WP-API#27
thiago-negri added a commit to thiago-negri/OAuth1 that referenced this issue Aug 29, 2015
Parameters with special characters that need encoding should be encoded
twice:

1. Encode as they are part of a URL, so they must be encoded;
2. Encode to join as the base string for signature.

See WP-API#34
@joehoyle (Member)

This was fixed some time ago, in #154
