tessl/npm-oauth-sign
OAuth 1.0 signature generation for HTTP requests supporting HMAC-SHA1, HMAC-SHA256, RSA-SHA1, and PLAINTEXT methods
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
To install, run
npx @tessl/cli install tessl/npm-oauth-sign@0.9.0index.mddocs/
OAuth Sign
OAuth Sign is a standalone OAuth 1.0 signature generation library for Node.js. It provides comprehensive support for all standard OAuth 1.0 signature methods including HMAC-SHA1, HMAC-SHA256, RSA-SHA1, and PLAINTEXT, with full RFC 5849 compliance for parameter normalization and signature base string generation.
Package Information
- Package Name: oauth-sign
- Package Type: npm
- Language: JavaScript (Node.js)
- Installation:
npm install oauth-sign
Core Imports
const { sign, hmacsign, hmacsign256, rsasign, plaintext, rfc3986, generateBase } = require("oauth-sign");For specific functions:
const { hmacsign } = require("oauth-sign"); // Most common usage
const { sign } = require("oauth-sign"); // Universal signature functionBasic Usage
const { hmacsign, sign } = require("oauth-sign");
// HMAC-SHA1 signature (most common)
const signature = hmacsign(
'POST',
'https://api.twitter.com/oauth/request_token',
{
oauth_callback: 'http://localhost:3005/callback',
oauth_consumer_key: 'your_consumer_key',
oauth_nonce: 'generated_nonce',
oauth_signature_method: 'HMAC-SHA1',
oauth_timestamp: '1234567890',
oauth_version: '1.0'
},
'consumer_secret',
'token_secret'
);
// Universal signature function
const signature2 = sign(
'HMAC-SHA1',
'POST',
'https://api.twitter.com/oauth/request_token',
{ /* oauth parameters */ },
'consumer_secret',
'token_secret'
);Architecture
OAuth Sign implements OAuth 1.0 signature generation with these core components:
- Signature Methods: Four supported OAuth 1.0 signature methods with dedicated functions
- Universal Interface: Single
sign()function that delegates to appropriate signature method - RFC 5849 Compliance: Proper parameter normalization, sorting, and encoding per OAuth 1.0 specification
- Utility Functions: RFC 3986 URL encoding and signature base string generation
- Pure Node.js: Uses only built-in
cryptomodule with no external dependencies
Capabilities
HMAC-SHA1 Signature Generation
Generates OAuth 1.0 signatures using HMAC-SHA1 cryptographic method.
/**
* Generate HMAC-SHA1 OAuth signature
* @param {string} httpMethod - HTTP method (GET, POST, etc.)
* @param {string} base_uri - Base URL for the request
* @param {Object} params - OAuth parameters and request parameters
* @param {string} consumer_secret - OAuth consumer secret
* @param {string} [token_secret] - OAuth token secret (optional)
* @returns {string} Base64-encoded HMAC-SHA1 signature
*/
function hmacsign(httpMethod, base_uri, params, consumer_secret, token_secret);Usage Example:
const { hmacsign } = require("oauth-sign");
const signature = hmacsign(
'POST',
'https://api.twitter.com/oauth/access_token',
{
oauth_consumer_key: 'GDdmIQH6jhtmLUypg82g',
oauth_nonce: '9zWH6qe0qG7Lc1telCn7FhUbLyVdjEaL3MO5uHxn8',
oauth_signature_method: 'HMAC-SHA1',
oauth_token: '8ldIZyxQeVrFZXFOZH5tAwj6vzJYuLQpl0WUEYtWc',
oauth_timestamp: '1272323047',
oauth_verifier: 'pDNg57prOHapMbhv25RNf75lVRd6JDsni1AJJIDYoTY',
oauth_version: '1.0'
},
'MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98',
'x6qpRnlEmW9JbQn4PQVVeVG8ZLPEx6A0TOebgwcuA'
);HMAC-SHA256 Signature Generation
Generates OAuth 1.0 signatures using HMAC-SHA256 cryptographic method for enhanced security.
/**
* Generate HMAC-SHA256 OAuth signature
* @param {string} httpMethod - HTTP method (GET, POST, etc.)
* @param {string} base_uri - Base URL for the request
* @param {Object} params - OAuth parameters and request parameters
* @param {string} consumer_secret - OAuth consumer secret
* @param {string} [token_secret] - OAuth token secret (optional)
* @returns {string} Base64-encoded HMAC-SHA256 signature
*/
function hmacsign256(httpMethod, base_uri, params, consumer_secret, token_secret);Usage Example:
const { hmacsign256 } = require("oauth-sign");
const signature = hmacsign256(
'POST',
'http://api.twitter.com/1/statuses/update.json',
{
oauth_consumer_key: 'GDdmIQH6jhtmLUypg82g',
oauth_nonce: 'oElnnMTQIZvqvlfXM56aBLAf5noGD0AQR3Fmi7Q6Y',
oauth_signature_method: 'HMAC-SHA256',
oauth_token: '819797-Jxq8aYUDRmykzVKrgoLhXSq67TEa5ruc4GJC2rWimw',
oauth_timestamp: '1272325550',
oauth_version: '1.0',
status: 'setting up my twitter 私のさえずりを設定する'
},
'MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98',
'J6zix3FfA9LofH0awS24M3HcBYXO5nI1iYe8EfBA'
);RSA-SHA1 Signature Generation
Generates OAuth 1.0 signatures using RSA-SHA1 cryptographic method with private key.
/**
* Generate RSA-SHA1 OAuth signature using private key
* @param {string} httpMethod - HTTP method (GET, POST, etc.)
* @param {string} base_uri - Base URL for the request
* @param {Object} params - OAuth parameters and request parameters
* @param {string} private_key - RSA private key in PEM format
* @param {string} [token_secret] - OAuth token secret (unused for RSA)
* @returns {string} Base64-encoded RSA-SHA1 signature
*/
function rsasign(httpMethod, base_uri, params, private_key, token_secret);PLAINTEXT Signature Generation
Generates OAuth 1.0 PLAINTEXT signatures by concatenating consumer and token secrets.
/**
* Generate PLAINTEXT OAuth signature (simple key concatenation)
* @param {string} consumer_secret - OAuth consumer secret
* @param {string} [token_secret] - OAuth token secret (optional)
* @returns {string} RFC 3986 encoded concatenated key string
*/
function plaintext(consumer_secret, token_secret);Usage Example:
const { plaintext } = require("oauth-sign");
const signature = plaintext('consumer_secret', 'token_secret');
// Result: 'consumer_secret&token_secret'Universal Signature Function
Universal signature function that delegates to the appropriate signature method based on the first parameter.
/**
* Universal signature function supporting all OAuth 1.0 signature methods
* @param {string} signMethod - Signature method ('HMAC-SHA1', 'HMAC-SHA256', 'RSA-SHA1', 'PLAINTEXT')
* @param {string} httpMethod - HTTP method (GET, POST, etc.)
* @param {string} base_uri - Base URL for the request
* @param {Object} params - OAuth parameters and request parameters
* @param {string} consumer_secret - OAuth consumer secret or RSA private key for RSA-SHA1
* @param {string} [token_secret] - OAuth token secret (optional)
* @returns {string} Signature string in appropriate format for the selected method
* @throws {Error} If unsupported signature method is provided
*/
function sign(signMethod, httpMethod, base_uri, params, consumer_secret, token_secret);Usage Example:
const { sign } = require("oauth-sign");
// HMAC-SHA1
const hmacSignature = sign(
'HMAC-SHA1',
'POST',
'https://api.example.com/endpoint',
{ oauth_consumer_key: 'key', oauth_nonce: 'nonce' },
'consumer_secret',
'token_secret'
);
// PLAINTEXT
const plaintextSignature = sign(
'PLAINTEXT',
'GET',
'http://example.com',
{},
'consumer_secret',
'token_secret'
);
// Error handling
try {
const invalidSignature = sign('INVALID-METHOD', 'GET', 'http://example.com', {}, 'secret');
} catch (error) {
console.error('Unsupported signature method:', error.message);
}RFC 3986 URL Encoding
RFC 3986 compliant URL encoding function with stricter encoding than standard encodeURIComponent.
/**
* RFC 3986 compliant URL encoding function
* @param {string} str - String to encode
* @returns {string} RFC 3986 encoded string
*/
function rfc3986(str);Usage Example:
const { rfc3986 } = require("oauth-sign");
const encoded = rfc3986("Hello World! (test)");
// Result: "Hello%20World%21%20%28test%29"
// More strict than encodeURIComponent
const standard = encodeURIComponent("Hello!");
const rfc = rfc3986("Hello!");
console.log(standard); // "Hello!"
console.log(rfc); // "Hello%21"OAuth Signature Base String Generation
Generates OAuth signature base string according to RFC 5849 with proper parameter normalization.
/**
* Generate OAuth signature base string according to RFC 5849
* @param {string} httpMethod - HTTP method (normalized to uppercase)
* @param {string} base_uri - Base URL for the request
* @param {Object} params - Parameters to include in signature base string
* @returns {string} OAuth signature base string
*/
function generateBase(httpMethod, base_uri, params);Usage Example:
const { generateBase } = require("oauth-sign");
const baseString = generateBase(
'POST',
'https://api.twitter.com/oauth/request_token',
{
oauth_callback: 'http://localhost:3005/callback',
oauth_consumer_key: 'GDdmIQH6jhtmLUypg82g',
oauth_nonce: 'QP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk',
oauth_signature_method: 'HMAC-SHA1',
oauth_timestamp: '1272323042',
oauth_version: '1.0'
}
);
// Result: normalized and encoded base string for signature generationParameter Handling
OAuth Sign handles complex parameter structures with full OAuth 1.0 compliance:
Nested Objects
Objects in parameters are flattened using bracket notation:
const params = {
oauth_consumer_key: 'key',
filter: { number: "-1", active: "true" }
};
// Becomes: oauth_consumer_key=key&filter[number]=-1&filter[active]=trueArray Values
Array values are expanded into multiple key-value pairs:
const params = {
oauth_consumer_key: 'key',
tags: ['javascript', 'oauth', 'nodejs']
};
// Becomes: oauth_consumer_key=key&tags=javascript&tags=oauth&tags=nodejsEmpty and Undefined Values
Empty or undefined parameter values are handled gracefully:
const params = {
oauth_consumer_key: 'key',
optional_param: '',
undefined_param: undefined
};
// Empty strings are included, undefined values are handled safelyError Handling
OAuth Sign provides clear error handling for invalid inputs:
Unsupported Signature Methods
const { sign } = require("oauth-sign");
try {
sign('INVALID-METHOD', 'GET', 'http://example.com', {}, 'secret');
} catch (error) {
console.error(error.message); // "Signature method not supported: INVALID-METHOD"
}Cryptographic Errors
Invalid private keys or malformed cryptographic inputs will throw Node.js crypto module errors:
const { rsasign } = require("oauth-sign");
try {
rsasign('POST', 'http://example.com', {}, 'invalid_private_key');
} catch (error) {
// Handle crypto module errors for invalid keys
}