/* * Start with an HttpRequest. * Throw if there are any attacks in the query. * Throw if there are any attacks in the post body. * Build up OAuth parameter list * Sign it. * Add OAuth parameters to new request * Send it. */ public sRequest sanitizeAndSign(sRequest basereq, List <OAuth.Parameter> parameters) { if (parameters == null) { parameters = new List <OAuth.Parameter>(); } UriBuilder target = new UriBuilder(basereq.getUri()); String query = target.getQuery(); target.setQuery(null); parameters.AddRange(sanitize(OAuth.decodeForm(query))); if (OAuth.isFormEncoded(basereq.ContentType)) { parameters.AddRange(sanitize(OAuth.decodeForm(basereq.getPostBodyAsString()))); } addIdentityParams(parameters); addSignatureParams(parameters); try { OAuthMessage signed = accessorInfo.getAccessor().newRequestMessage( basereq.getMethod(), target.ToString(), parameters); sRequest oauthHttpRequest = createHttpRequest(basereq, selectOAuthParams(signed)); // Following 302s on OAuth responses is unlikely to be productive. oauthHttpRequest.FollowRedirects = false; return(oauthHttpRequest); } catch (Exception e) { throw responseParams.oauthRequestException(OAuthError.UNKNOWN_PROBLEM, "Error signing message", e); } }
private sRequest createHttpRequest(sRequest basereq, List <OAuth.Parameter> oauthParams) { AccessorInfo.OAuthParamLocation?paramLocation = accessorInfo.getParamLocation(); // paramLocation could be overriden by a run-time parameter to fetchRequest sRequest result = new sRequest(basereq); // If someone specifies that OAuth parameters go in the body, but then sends a request for // data using GET, we've got a choice. We can throw some type of error, since a GET request // can't have a body, or we can stick the parameters somewhere else, like, say, the header. // We opt to put them in the header, since that stands some chance of working with some // OAuth service providers. if (paramLocation == AccessorInfo.OAuthParamLocation.POST_BODY && !result.getMethod().Equals("POST")) { paramLocation = AccessorInfo.OAuthParamLocation.AUTH_HEADER; } switch (paramLocation) { case AccessorInfo.OAuthParamLocation.AUTH_HEADER: result.addHeader("Authorization", getAuthorizationHeader(oauthParams)); break; case AccessorInfo.OAuthParamLocation.POST_BODY: if (!OAuth.isFormEncoded(result.ContentType)) { throw responseParams.oauthRequestException(OAuthError.INVALID_REQUEST, "OAuth param location can only be post_body if post body is of " + "type x-www-form-urlencoded"); } String oauthData = OAuth.formEncode(oauthParams); if (result.getPostBodyLength() == 0) { result.setPostBody(Encoding.UTF8.GetBytes(oauthData)); } else { result.setPostBody(Encoding.UTF8.GetBytes(result.getPostBodyAsString() + '&' + oauthData)); } break; case AccessorInfo.OAuthParamLocation.URI_QUERY: result.setUri(Uri.parse(OAuth.addParameters(result.getUri().ToString(), oauthParams))); break; } return(result); }