Ejemplo n.º 1
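        /*
         * Start with an HttpRequest.
         * Throw if sanitize() finds any attacks in the query string.
         * Throw if sanitize() finds any attacks in the post body (the body is only
         * checked when its content type is form-encoded).
         * Build up the OAuth parameter list.
         * Sign it.
         * Add the OAuth parameters to a new request.
         * Send it (this method returns the signed request; it does not send it itself).
         */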
        public sRequest sanitizeAndSign(sRequest basereq, List <OAuth.Parameter> parameters)
        {
            // A null list means "no extra parameters". A caller-supplied list is appended
            // to in place, so the caller sees the added entries afterwards.
            parameters = parameters ?? new List <OAuth.Parameter>();

            // Strip the query string off the URI that will be signed. Its parameters are
            // re-added to the list only after they have passed through sanitize().
            UriBuilder signingTarget = new UriBuilder(basereq.getUri());
            String rawQuery = signingTarget.getQuery();
            signingTarget.setQuery(null);
            parameters.AddRange(sanitize(OAuth.decodeForm(rawQuery)));

            // The post body is decoded and sanitized only when it is form-encoded;
            // a body of any other content type is not inspected here.
            bool hasFormBody = OAuth.isFormEncoded(basereq.ContentType);
            if (hasFormBody)
            {
                String rawBody = basereq.getPostBodyAsString();
                parameters.AddRange(sanitize(OAuth.decodeForm(rawBody)));
            }

            // Identity and signature parameters are appended after the caller-controlled
            // ones have been sanitized.
            addIdentityParams(parameters);
            addSignatureParams(parameters);

            sRequest signedRequest;
            try
            {
                OAuthMessage signedMessage = accessorInfo.getAccessor().newRequestMessage(
                    basereq.getMethod(), signingTarget.ToString(), parameters);
                signedRequest = createHttpRequest(basereq, selectOAuthParams(signedMessage));
                // Redirects are switched off: following a 302 on an OAuth response is
                // unlikely to be productive.
                signedRequest.FollowRedirects = false;
            }
            catch (Exception e)
            {
                // NOTE(review): this catch-all also covers exceptions raised by
                // createHttpRequest and selectOAuthParams, so every failure in the try
                // block is reported as UNKNOWN_PROBLEM / "Error signing message" with the
                // original exception attached as the cause.
                throw responseParams.oauthRequestException(OAuthError.UNKNOWN_PROBLEM,
                                                           "Error signing message", e);
            }
            return(signedRequest);
        }
Ejemplo n.º 2
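        /*
         * Copy basereq and attach the OAuth parameters to the copy at the location
         * returned by accessorInfo.getParamLocation(): the Authorization header, the
         * form-encoded post body, or the URI query string.
         *
         * basereq      request to copy (the copy is made with new sRequest(basereq)).
         * oauthParams  OAuth parameters to attach to the copy.
         *
         * Returns the copy with the OAuth parameters attached.
         * Throws (via responseParams.oauthRequestException) when the location is
         * POST_BODY but the body is not form-encoded, and when the location is null or
         * not one of the three known values.
         */
        private sRequest createHttpRequest(sRequest basereq, List <OAuth.Parameter> oauthParams)
        {
            AccessorInfo.OAuthParamLocation? paramLocation = accessorInfo.getParamLocation();

            // paramLocation could be overridden by a run-time parameter to fetchRequest

            sRequest result = new sRequest(basereq);

            // If someone specifies that OAuth parameters go in the body, but then sends a request for
            // data using GET, we've got a choice.  We can throw some type of error, since a GET request
            // can't have a body, or we can stick the parameters somewhere else, like, say, the header.
            // We opt to put them in the header, since that stands some chance of working with some
            // OAuth service providers.
            if (paramLocation == AccessorInfo.OAuthParamLocation.POST_BODY &&
                !result.getMethod().Equals("POST"))
            {
                paramLocation = AccessorInfo.OAuthParamLocation.AUTH_HEADER;
            }

            switch (paramLocation)
            {
            case AccessorInfo.OAuthParamLocation.AUTH_HEADER:
                result.addHeader("Authorization", getAuthorizationHeader(oauthParams));
                break;

            case AccessorInfo.OAuthParamLocation.POST_BODY:
                if (!OAuth.isFormEncoded(result.ContentType))
                {
                    throw responseParams.oauthRequestException(OAuthError.INVALID_REQUEST,
                                                               "OAuth param location can only be post_body if post body is of " +
                                                               "type x-www-form-urlencoded");
                }
                String oauthData = OAuth.formEncode(oauthParams);
                if (result.getPostBodyLength() == 0)
                {
                    result.setPostBody(Encoding.UTF8.GetBytes(oauthData));
                }
                else
                {
                    // Append to the existing form body rather than replacing it.
                    result.setPostBody(Encoding.UTF8.GetBytes(result.getPostBodyAsString() + '&' + oauthData));
                }
                break;

            case AccessorInfo.OAuthParamLocation.URI_QUERY:
                result.setUri(Uri.parse(OAuth.addParameters(result.getUri().ToString(), oauthParams)));
                break;

            default:
                // paramLocation is nullable, and a null (or unrecognized) value matches none
                // of the cases above. Fail closed here instead of returning a request that
                // silently carries no OAuth parameters at all.
                throw responseParams.oauthRequestException(OAuthError.UNKNOWN_PROBLEM,
                                                           "OAuth param location is missing or not recognized");
            }
            return(result);
        }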