Include url params in oauth1 signature

hypothesis · Feb 2, 2024 · 7aee6b0 · 7aee6b0
1 parent 5f8dbd4
commit 7aee6b0
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 5 deletions.
diff --git a/lms/services/oauth1.py b/lms/services/oauth1.py
@@ -3,6 +3,7 @@
 import hmac
 import uuid
 from datetime import datetime
+from urllib import parse
 
 from oauthlib.oauth1.rfc5849 import signature
 from requests_oauthlib import OAuth1
@@ -46,6 +47,8 @@ def sign(self, url: str, method: str, data: dict) -> dict:
         # We don't have a token but the trailing `&` is required
         client_secret = application_instance.shared_secret + "&"
 
+        parsed_url = parse.urlparse(url)
+
         # Oauth values
         payload = {
             "oauth_version": "1.0",
@@ -59,11 +62,15 @@ def sign(self, url: str, method: str, data: dict) -> dict:
 
         # Clean parameters and generate the plain text to sign
         params = signature.collect_parameters(
-            body=payload, exclude_oauth_signature=False, with_realm=False
+            uri_query=parsed_url.query,
+            body=payload,
+            exclude_oauth_signature=False,
+            with_realm=False,
         )
         normalized_parameters = signature.normalize_parameters(params)
+        normalized_uri = signature.base_string_uri(url, parsed_url.netloc)
         base_string = signature.signature_base_string(
-            method, url, normalized_parameters
+            method, normalized_uri, normalized_parameters
         )
 
         # Generate the digest

diff --git a/tests/unit/lms/services/oauth1_test.py b/tests/unit/lms/services/oauth1_test.py
@@ -1,9 +1,7 @@
-import hashlib
 import json
 from unittest import mock
 
 import pytest
-from h_matchers import Any
 from requests import Request
 
 from lms.services.oauth1 import OAuth1Service
@@ -60,6 +58,17 @@ def test_we_can_be_used_to_sign_a_request(self, service, application_instance):
                 "GET",
                 "Jg5MXVnexhzMDTv7IBUy3goIGqc=",
             ),
+            # https://lti.tools/oauth/ with query param
+            (
+                "dpf43f3p2l4k3l03",
+                "kd94hf93k423kf44",
+                "kllo9940pd9333jh",
+                1191242096,
+                {"size": "original", "file": "vacation.jpg"},
+                "http://photos.example.net/photos?query=param",
+                "GET",
+                "Hw23z2Z8cXYc1utpLucO7isfYyA=",
+            ),
             # https://lti.tools/oauth/ with content items
             (
                 "dpf43f3p2l4k3l03",
@@ -103,7 +112,7 @@ def test_we_can_be_used_to_sign_a_request(self, service, application_instance):
             ),
         ],
     )
-    def test_sign_signature_value(
+    def test_sign(
         self,
         service,
         uuid,