{
  "context": "This criteria evaluates how effectively the engineer uses the oauth-sign package to implement a complete OAuth 1.0a three-legged authentication flow. The focus is on correct usage of oauth-sign's signature generation functions across all phases of the OAuth flow.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "HMAC-SHA1 usage",
      "description": "Uses oauth-sign's hmacsign() function or sign() function with 'HMAC-SHA1' method for generating OAuth signatures across all flow phases",
      "max_score": 25
    },
    {
      "name": "Request token signing",
      "description": "Correctly signs request token phase by passing empty string or undefined for token_secret parameter to hmacsign(), since no token exists yet at this stage",
      "max_score": 15
    },
    {
      "name": "Access token signing",
      "description": "Correctly signs access token exchange by including both consumer_secret and request token secret in the hmacsign() call, demonstrating understanding of two-secret signing",
      "max_score": 20
    },
    {
      "name": "Authenticated request signing",
      "description": "Correctly signs authenticated API requests using hmacsign() with both consumer_secret and access token secret, properly mixing OAuth and application-specific parameters",
      "max_score": 20
    },
    {
      "name": "OAuth parameter construction",
      "description": "Constructs proper OAuth parameter objects including oauth_consumer_key, oauth_signature_method, oauth_timestamp, oauth_nonce, oauth_version, oauth_callback (request token), oauth_token (access/authenticated), oauth_verifier (access token), and oauth_signature",
      "max_score": 15
    },
    {
      "name": "Signature base string",
      "description": "Correctly passes httpMethod, base_uri, and params to hmacsign() ensuring proper signature base string generation according to OAuth specifications",
      "max_score": 5
    }
  ]
}