 

OAuth1.0 header in Node.js

I've been successfully calling an API that uses OAuth 1.0 from Postman. Now I'm building an API that calls this API, but I'm having trouble setting up the equivalent OAuth 1.0 header in JavaScript. The header looks like this:

'Authorization': 'OAuth oauth_consumer_key="XXX",oauth_token="XXX",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1559312415",oauth_nonce="XXX",oauth_version="1.0",oauth_signature="XXX"'

My problem is related to oauth_nonce and oauth_signature. What hash functions can I use to generate those two parameters?
Also, I'm using AXIOS for the request.
Thanks for your time.

PedroSG Avatar asked May 31 '19 16:05

PedroSG


2 Answers

I was able to figure out a solution with Axios. I created an Oauth1Helper class to generate the Authorization header:

const crypto = require('crypto');
const oauth1a = require('oauth-1.0a');

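// OAuth 1.0a credentials. Supply them through the environment (or a secret
// store) so real keys never end up in source control. The environment variable
// names below are illustrative, not mandated by any library. When a variable is
// unset, the constant falls back to the original placeholder string.
const CONSUMERKEY = process.env.OAUTH_CONSUMER_KEY ?? '<consumerKey>';
const CONSUMERSECRET = process.env.OAUTH_CONSUMER_SECRET ?? '<consumerSecret>';
const TOKENKEY = process.env.OAUTH_TOKEN_KEY ?? '<tokenKey>';
const TOKENSECRET = process.env.OAUTH_TOKEN_SECRET ?? '<tokenSecret>';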

/**
 * Builds OAuth 1.0a `Authorization` headers using the module-level consumer
 * and token credentials (CONSUMERKEY/CONSUMERSECRET, TOKENKEY/TOKENSECRET).
 */
class Oauth1Helper {
    /**
     * Signs a request description and returns the matching header object.
     *
     * @param {object} request - Request description passed to
     *   `oauth.authorize` (the accompanying example supplies `url` and `method`).
     * @returns {object} Whatever `oauth.toHeader` produces for the signed
     *   parameters; the example passes it straight to Axios as `headers`.
     */
    static getAuthHeaderForRequest(request) {
        // HMAC-SHA1 over the signature base string, emitted as base64.
        const hmacSha1 = (base_string, key) =>
            crypto.createHmac('sha1', key).update(base_string).digest('base64');

        const signer = oauth1a({
            consumer: { key: CONSUMERKEY, secret: CONSUMERSECRET },
            signature_method: 'HMAC-SHA1',
            hash_function: hmacSha1,
        });

        const accessToken = { key: TOKENKEY, secret: TOKENSECRET };

        // authorize() is given this specific request, so build the header per
        // call instead of reusing one across different requests.
        const signedParams = signer.authorize(request, accessToken);
        return signer.toHeader(signedParams);
    }
}

// Export the class itself; callers use the static getAuthHeaderForRequest().
module.exports = Oauth1Helper;

Then I was just able to make the post from wherever I need via Axios:

// Describe the call once so the same URL and method are both signed and sent.
// NOTE(review): the payload sits under `body` here. If the provider expects
// body parameters to be covered by the signature, check which property the
// oauth-1.0a library reads for signed parameters — confirm against its docs.
const request = {
    method: 'POST',
    url: 'https://api-domain.com',
    body: { uniqueId: 1234 },
};

// Header object for exactly this request; do not reuse it for another call.
const headers = Oauth1Helper.getAuthHeaderForRequest(request);
const { url, body } = request;

return await axios.post(url, body, { headers });
Greg Van Gorp Avatar answered Oct 18 '22 11:10

Greg Van Gorp


Here's one that doesn't need a package.

You'll need makeHeader(consumer, token, request) which works for me with Node's https.request but should also work for Axios.

const crypto = require('crypto');
const { stringify: qStringify } = require('querystring');
const { httpOptions, fetch } = require('./fetch');

/**
 * Produces a fresh value for `oauth_nonce`.
 *
 * @returns {string} 32 lowercase hex characters encoding 16 bytes from
 *   `crypto.randomBytes`, Node's cryptographically strong random source.
 */
function nonce() {
  const entropy = crypto.randomBytes(16);
  return entropy.toString('hex');
}

/**
 * Computes the HMAC-SHA1 signature of a signature base string.
 *
 * @param {string} baseStr - Signature base string to authenticate.
 * @param {string} key - Signing key (makeHeader passes the encoded consumer
 *   and token secrets joined with `&`).
 * @returns {string} Base64-encoded MAC.
 */
function sign(baseStr, key) {
  const mac = crypto.createHmac('sha1', key);
  mac.update(baseStr);
  return mac.digest('base64');
}

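/**
 * Percent-encodes a value the way OAuth 1.0 requires (RFC 5849 section 3.6).
 *
 * `encodeURIComponent` leaves `! ' ( ) *` untouched, so those are escaped in a
 * second pass. The hex digits must be uppercase: a lowercase escape such as
 * `%2a` produces a different signature base string from the one the server
 * computes, and the signature is then rejected.
 *
 * @param {string|number} str - Value to encode; non-strings are coerced by
 *   `encodeURIComponent`.
 * @returns {string} The encoded value.
 */
function percentEncode(str) {
  const notEscapedRe = /[!'()*]/g;
  return encodeURIComponent(str).replace(
    notEscapedRe,
    (c) => `%${c.charCodeAt(0).toString(16).toUpperCase()}`,
  );
}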

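/**
 * Serialises parameters as sorted, percent-encoded `key=value` pairs.
 *
 * Used both for the `Authorization` header (defaults: quoted values joined
 * with `,`) and for the signature base string (`quote = ''`, `split = '&'`).
 *
 * Names and values are encoded first and then ordered by encoded name, as
 * RFC 5849 section 3.4.1.3.2 requires. Sorting the raw entries and passing
 * them through an object can yield a different order: the default array sort
 * compares "key,value" strings, and objects enumerate integer-like keys
 * numerically. A different order changes the base string and so the signature.
 *
 * @param {object} parameters - Parameter names mapped to values.
 * @param {string} [quote='"'] - Text placed on both sides of each value.
 * @param {string} [split=','] - Separator between pairs.
 * @returns {string} The joined pairs, or `''` when there are no parameters.
 */
function makeObjStr(parameters, quote = '"', split = ',') {
  const encoded = Object.entries(parameters).map(([key, value]) => [
    percentEncode(key),
    percentEncode(value),
  ]);
  // Encoded text is plain ASCII, so code-unit comparison matches byte order.
  encoded.sort(([a], [b]) => {
    if (a < b) return -1;
    if (a > b) return 1;
    return 0;
  });
  return encoded
    .map(([key, value]) => `${key}=${quote}${value}${quote}`)
    .join(split);
}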

/**
 * Wraps OAuth parameters in an `Authorization` header object.
 *
 * @param {object} parameters - OAuth parameters, including the signature.
 * @returns {{Authorization: string}} Header with the `OAuth ` scheme prefix
 *   followed by the serialised parameters.
 */
function authHeader(parameters) {
  const credentials = makeObjStr(parameters);
  return { Authorization: `OAuth ${credentials}` };
}

/**
 * Builds the signed OAuth 1.0 `Authorization` header for one request.
 *
 * @param {{key: string, secret: string}} consumer - Consumer credentials.
 * @param {{key: string, secret: string}} token - Token credentials.
 * @param {{method: string, url: string, data?: object}} request - Request to
 *   sign. `data` holds the request parameters folded into the signature; it
 *   must match what is actually sent, or the signature will not verify.
 * @returns {{Authorization: string}} Header object from `authHeader`.
 */
function makeHeader(consumer, token, request) {
  // A new nonce and timestamp are generated on every call.
  const protocolParams = {
    oauth_consumer_key: consumer.key,
    oauth_token: token.key,
    oauth_nonce: nonce(),
    oauth_signature_method: 'HMAC-SHA1',
    oauth_timestamp: Math.floor(Date.now() / 1000),
    oauth_version: '1.0',
  };

  const { method, url, data } = request;

  // Request parameters and OAuth parameters are signed together; OAuth keys
  // win if both objects define the same name.
  const normalizedParams = makeObjStr({ ...data, ...protocolParams }, '', '&');
  const baseStr = `${method.toUpperCase()}&${percentEncode(url)}&${percentEncode(normalizedParams)}`;

  // Both secrets feed the HMAC key; neither is placed in the header itself.
  const signingKey = `${percentEncode(consumer.secret)}&${percentEncode(token.secret)}`;
  const signature = sign(baseStr, signingKey);

  return authHeader({ ...protocolParams, oauth_signature: signature });
}

/**
 * Performs an OAuth 1.0 signed GET request over HTTPS.
 *
 * The signed URL is built without the query string; the query parameters are
 * signed through `data` and separately appended to the request path.
 * `hostname` and `path` are interpolated as given, so callers should pass
 * trusted values: the credential-signed request goes wherever they point.
 *
 * @param {object} args
 * @param {{key: string, secret: string}} args.consumer - Consumer credentials.
 * @param {{key: string, secret: string}} args.token - Token credentials.
 * @param {string} args.hostname - Target host.
 * @param {string} args.path - Request path, without a query string.
 * @param {object} [args.query={}] - Query parameters to sign and send.
 * @returns {Promise<string>} The promise returned by `fetch`.
 */
function oAuth1Fetch({
  consumer, token, hostname, path, query = {},
}) {
  const signedRequest = {
    method: 'GET',
    url: `https://${hostname}${path}`,
    data: query,
  };
  const headers = makeHeader(consumer, token, signedRequest);
  const pathWithQuery = `${path}?${qStringify(query)}`;

  return fetch({
    ...httpOptions,
    headers,
    hostname,
    path: pathWithQuery,
  });
}

// Only the signed-fetch entry point is exported. The signing helpers (nonce,
// sign, percentEncode, makeObjStr, authHeader, makeHeader) stay module-private.
module.exports = {
  oAuth1Fetch,
};

Here's my fetch:

const { Agent, request } = require('https');

// One keep-alive agent shared by every request that spreads httpOptions.
const keepAliveAgent = new Agent({ keepAlive: true });

// Default request options that callers spread into their own options object.
const httpOptions = {
  agent: keepAliveAgent,
  // NOTE(review): this key sits beside `agent`, not under `headers`, and
  // oAuth1Fetch supplies its own `headers` object. It therefore looks as if
  // this value is never sent as a header — confirm.
  'User-Agent': `AWS Lambda Node/${process.version} surflog.app`,
  // Accept: 'application/json',
};

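/**
 * Minimal promise wrapper around `https.request` for requests with no body.
 *
 * @param {object} options - Options passed straight to `https.request`.
 * @returns {Promise<string>} Resolves with the response body for a 2xx
 *   status. Rejects with the response body (a string) for any other status,
 *   and with an `Error` on a transport failure or timeout.
 */
function fetch(options) {
  return new Promise((resolve, reject) => {
    const req = request(options, (res) => {
      // The whole body is buffered in memory; no size cap is applied here.
      const data = [];
      res.on('data', (chunk) => data.push(chunk));
      // A response stream that fails midway must settle the promise too.
      res.on('error', reject);
      res.on('end', () => {
        const result = Buffer.concat(data).toString();
        console.log(res.statusCode);
        if (res.statusCode >= 200 && res.statusCode < 300) {
          resolve(result);
        } else {
          reject(result);
        }
      });
    });
    // The timeout callback receives no argument and does not abort the
    // request by itself. Destroy it explicitly so the 'error' handler below
    // rejects the promise instead of leaving it pending.
    req.setTimeout(6000, () => {
      console.warn('Timeout', options.hostname);
      req.destroy(new Error(`Request to ${options.hostname} timed out`));
    });
    req.on('error', reject);
    req.end();
  });
}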

// Exports the shared default options and the promise-based request helper.
module.exports = {
  httpOptions,
  fetch,
};

An example:

// Placeholder credentials; substitute real values at runtime from
// configuration rather than committing them.
const consumer = { key: 'xyz', secret: 'xyz' };
const token = { key: 'xyz', secret: 'xyz' };

// Query window: a start time in epoch seconds plus a 7776000-second
// (90-day) span.
const summaryStartTimeInSeconds = 1609459200;
const backfillWindowInSeconds = 7776000;

oAuth1Fetch({
  consumer,
  token,
  hostname: 'apis.garmin.com',
  path: '/wellness-api/rest/backfill/activities',
  query: {
    summaryStartTimeInSeconds,
    summaryEndTimeInSeconds: summaryStartTimeInSeconds + backfillWindowInSeconds,
  },
}).then(console.log).catch(console.error);
webjay Avatar answered Oct 18 '22 12:10

webjay