Search code examples
rubyoauthrubygemsrest-client

How to sign requests with custom access token for 2 legged oAuth

I using oauth-ruby gem for a while, and I already implemented 2 types of auth:

  1. default one
  2. and custom, which uses OTP sent via sms

Both of them works perfectly now

But now i'm trying to implement new(3) 2-legged oauth. And I ran in to issues which I actually can't understand. All my signed requests using access token from (3) are failing because of invalid token. For (1-2) it works without any issues.

Signing requests is implemented via RestClient.before_execution_proc:

RestClient.add_before_execution_proc do |req, params|
  access_token.sign!(req)
end

I suppose the problem comes from access_token = OAuth::AccessToken as there actual difference between other 2. Any suggestions or advices will be very helpful

1.

def default_oauth(login, pass, device: Device.new)
  @cookies = login_req(login, pass).cookies
  headers = common_headers.merge("Cookie" => @cookies)
  #Get request token
  request_token = consumer.get_request_token
  # Authorize request key
  authorize = RestClient.post(base_url + '/oauth/authorize',
                              { requestToken: request_token.token, authorize: 'Authorize'},
                              headers) {|response, request, result| response }
  auth_url_resp = RestClient.get(authorize.headers[:location], headers: headers) {|response, request, result| response }
  # Get Access key
  access_token = request_token.get_access_token
end

2.

def custom_oauth(phone, pin, otp: nil, device: Device.new)
  otp = phone.to_s[-5..-1] if otp.nil?
  resp = RestClient.post("#{base_url}/rest/smartphone/otp/sms-sender/#{phone}", '', common_headers) {|response, request, result| response }

  request_token = consumer.get_request_token
  payload = {
      device: device.to_h,
      otp: otp,
      password: pin.to_s,
      requestToken: request_token.token
  }
  headers = json_headers.merge('Cookie' => otp)
  authorize = RestClient.post(base_url + '/oauth/otp-authorization',
                              payload.to_json, headers) {|response, request, result| response }
  @access_token = request_token.get_access_token
end

3.

def new_oauth(login, pass, entry, device: Device.new)
  tkn = consumer.get_request_token.token
  payload = {
      username: login,
      password: pass.to_s,
      requestToken: tkn,
      entryPoint: entry,
      device: device.to_h
  }

  headers =json_headers(device.id)
  resp = RestClient.post("#{base_url}/oauth/login-authorization", payload.to_json, headers) {|response, request, result| response}
  hsh ={oauth_token: resp.headers[:accesstoken], oauth_token_secret: resp.headers[:tokensecret] }
  access_token = OAuth::AccessToken.from_hash(consumer, hsh)
end

Consumer:

def consumer
  @consumer ||= build_consumer
end

def build_consumer
  key = 'key_string'
  secret ='secret_string'
  OAuth::Consumer.new(key, secret, :site => base_url)
end
Solution

  • Issue was related to server (Spring) encoding stuff. oauth-ruby gem is escaping token secret (Combined secret or Encryption key) which is used for signature creation. Spring by default doing the same on server side.

    Unescaping access_token.secret fixed this issue:

    access_token.secret = OAuth::Helper.unescape(access_token.secret)