Should URL::AddEscapeChars be updated?


#1

I recently revisited some OAuth / REST API stuff in a utility and, as an experiment, tried to to use as many of the enhanced JUCE classes as I could to replace the custom network stuff I used before.

For the most part it was painless, though JUCE’s newer Base64 class doesn’t have an overload of toBase64 that takes a const MemoryBock&. I also didn’t see a way to replace my HMAC-SHA1 function.

The one snag that I ran into is that URL::AddEscapeChars appears to encode to some variant of RFC1738. Many OAuth sites/APIs have gotten quite picky and expect RFC3986 parameter encoding, both as submitted and in the signature string.

To get WebInputStream / URL::CreateInputStream to work with all three OAuth sites I tried I had to tweak the existing call like this:

String URL::addEscapeChars (const String& s, const bool isParameter, bool roundBracketsAreLegal)
{
String legalChars (isParameter ? "_-.~" // "_-.*!'"
                               : ",$_-.*!'");

Params are percent encoded for everything but the 4 unreserved characters listed in RFC3986.

https://tools.ietf.org/html/rfc3986#page-13

The built in call had to be changed because WebInputStream uses it to create Post data, etc.

Maybe not a big deal for most users, but it was the one thing besides HMAC-SHA1 that stopped me from dropping a bunch of custom modules (base64, url, network, JSON, etc.) and native JUCE.


#2

Thanks, that seems like it’d be a good change! Will push something out today…


#3

Thanks! FWIW, the down and dirty HMAC-SHA1 is enclosed. Generating a signature is generally:

  • Make a string with verb, base url, and params
  • Encode with secret key
  • Include in headers

So if I was adding to a StringPairArray, it would look something like this:

// Sign and add to our base values
sigVals.set (“oauth_signature”, JBase64::encode (HMAC_SHA1::encode (signatureString, signingKey)));

JBase64 was my own Base64 encode, but I stripped it down to a wrapper for JUCE::Base64 that takes a MemoryBlock.

HMAC_SHA1.h (1.1 KB)
SHA1.cpp (5.4 KB)
HMAC_SHA1.cpp (2.2 KB)
SHA1.h (1.8 KB)