fix: Remove oauth due to security vulnerability (#6)

Co-authored-by: Taylor Hobbs <[email protected]>

README.md

@@ -33,7 +33,6 @@ request('http://www.google.com', function (error, response, body) {
 - [Forms](#forms)
 - [HTTP Authentication](#http-authentication)
 - [Custom HTTP Headers](#custom-http-headers)
-- [OAuth Signing](#oauth-signing)
 - [Proxies](#proxies)
 - [Unix Domain Sockets](#unix-domain-sockets)
 - [TLS/SSL Protocol](#tlsssl-protocol)
@@ -375,97 +374,6 @@ request(options, callback);
 
 ---
 
-
-## OAuth Signing
-
-[OAuth version 1.0](https://tools.ietf.org/html/rfc5849) is supported. The
-default signing algorithm is
-[HMAC-SHA1](https://tools.ietf.org/html/rfc5849#section-3.4.2):
-
-```js
-// OAuth1.0 - 3-legged server side flow (Twitter example)
-// step 1
-const qs = require('querystring')
-  , oauth =
-    { callback: 'http://mysite.com/callback/'
-    , consumer_key: CONSUMER_KEY
-    , consumer_secret: CONSUMER_SECRET
-    }
-  , url = 'https://api.twitter.com/oauth/request_token'
-  ;
-request.post({url:url, oauth:oauth}, function (e, r, body) {
-  // Ideally, you would take the body in the response
-  // and construct a URL that a user clicks on (like a sign in button).
-  // The verifier is only available in the response after a user has
-  // verified with twitter that they are authorizing your app.
-
-  // step 2
-  const req_data = qs.parse(body)
-  const uri = 'https://api.twitter.com/oauth/authenticate'
-    + '?' + qs.stringify({oauth_token: req_data.oauth_token})
-  // redirect the user to the authorize uri
-
-  // step 3
-  // after the user is redirected back to your server
-  const auth_data = qs.parse(body)
-    , oauth =
-      { consumer_key: CONSUMER_KEY
-      , consumer_secret: CONSUMER_SECRET
-      , token: auth_data.oauth_token
-      , token_secret: req_data.oauth_token_secret
-      , verifier: auth_data.oauth_verifier
-      }
-    , url = 'https://api.twitter.com/oauth/access_token'
-    ;
-  request.post({url:url, oauth:oauth}, function (e, r, body) {
-    // ready to make signed requests on behalf of the user
-    const perm_data = qs.parse(body)
-      , oauth =
-        { consumer_key: CONSUMER_KEY
-        , consumer_secret: CONSUMER_SECRET
-        , token: perm_data.oauth_token
-        , token_secret: perm_data.oauth_token_secret
-        }
-      , url = 'https://api.twitter.com/1.1/users/show.json'
-      , qs =
-        { screen_name: perm_data.screen_name
-        , user_id: perm_data.user_id
-        }
-      ;
-    request.get({url:url, oauth:oauth, qs:qs, json:true}, function (e, r, user) {
-      console.log(user)
-    })
-  })
-})
-```
-
-For [RSA-SHA1 signing](https://tools.ietf.org/html/rfc5849#section-3.4.3), make
-the following changes to the OAuth options object:
-* Pass `signature_method : 'RSA-SHA1'`
-* Instead of `consumer_secret`, specify a `private_key` string in
-  [PEM format](http://how2ssl.com/articles/working_with_pem_files/)
-
-For [PLAINTEXT signing](http://oauth.net/core/1.0/#anchor22), make
-the following changes to the OAuth options object:
-* Pass `signature_method : 'PLAINTEXT'`
-
-To send OAuth parameters via query params or in a post body as described in The
-[Consumer Request Parameters](http://oauth.net/core/1.0/#consumer_req_param)
-section of the oauth1 spec:
-* Pass `transport_method : 'query'` or `transport_method : 'body'` in the OAuth
-  options object.
-* `transport_method` defaults to `'header'`
-
-To use [Request Body Hash](https://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html) you can either
-* Manually generate the body hash and pass it as a string `body_hash: '...'`
-* Automatically generate the body hash by passing `body_hash: true`
-
-[back to top](#table-of-contents)
-
-
----
-
-
 ## Proxies
 
 If you specify a `proxy` option, then the request (and any subsequent
@@ -792,7 +700,6 @@ The first argument can be either a `url` or an `options` object. The only requir
 ---
 
 - `auth` - a hash containing values `user` || `username`, `pass` || `password`, and `sendImmediately` (optional). See documentation above.
-- `oauth` - options for OAuth HMAC-SHA1 signing. See documentation above.
 - `hawk` - options for [Hawk signing](https://github.com/hueniverse/hawk). The `credentials` key must contain the necessary signing info, [see hawk docs for details](https://github.com/hueniverse/hawk#usage-example).
 - `aws` - `object` containing AWS signing information. Should have the properties `key`, `secret`, and optionally `session` (note that this only works for services that require session as part of the canonical string). Also requires the property `bucket`, unless you’re specifying your `bucket` as part of the path, or the request doesn’t use a bucket (i.e. GET Services). If you want to use AWS sign version 4 use the parameter `sign_version` with value `4` otherwise the default is version 2. If you are using SigV4, you can also include a `service` property that specifies the service name. **Note:** you need to `npm install aws4` first.
 - `httpSignature` - options for the [HTTP Signature Scheme](https://github.com/joyent/node-http-signature/blob/master/http_signing.md) using [Joyent's library](https://github.com/joyent/node-http-signature). The `keyId` and `key` properties must be specified. See the docs for other options.

examples/README.md

@@ -1,46 +1,6 @@
 
 # Authentication
 
-## OAuth
-
-### OAuth1.0 Refresh Token
-
-- http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html#anchor4
-- https://developer.yahoo.com/oauth/guide/oauth-refreshaccesstoken.html
-
-```js
-request.post('https://api.login.yahoo.com/oauth/v2/get_token', {
-  oauth: {
-    consumer_key: '...',
-    consumer_secret: '...',
-    token: '...',
-    token_secret: '...',
-    session_handle: '...'
-  }
-}, function (err, res, body) {
-  var result = require('querystring').parse(body)
-  // assert.equal(typeof result, 'object')
-})
-```
-
-### OAuth2 Refresh Token
-
-- https://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-6
-
-```js
-request.post('https://accounts.google.com/o/oauth2/token', {
-  form: {
-    grant_type: 'refresh_token',
-    client_id: '...',
-    client_secret: '...',
-    refresh_token: '...'
-  },
-  json: true
-}, function (err, res, body) {
-  // assert.equal(typeof body, 'object')
-})
-```
-
 # Multipart
 
 ## multipart/form-data
@@ -51,12 +11,6 @@ request.post('https://accounts.google.com/o/oauth2/token', {
 
 ```js
 request.post('https://up.flickr.com/services/upload', {
-  oauth: {
-    consumer_key: '...',
-    consumer_secret: '...',
-    token: '...',
-    token_secret: '...'
-  },
   // all meta data should be included here for proper signing
   qs: {
     title: 'My cat is awesome',
@@ -130,6 +84,6 @@ request.get({
         socksPort: 9050 // Defaults to 1080.
     }
 }, function (err, res) {
-    console.log(res.body); 
+    console.log(res.body);
 });
 ```

package.json

@@ -40,7 +40,6 @@
     "isstream": "~0.1.2",
     "json-stringify-safe": "~5.0.1",
     "mime-types": "~2.1.19",
-    "oauth-sign": "~0.9.0",
     "performance-now": "^2.1.0",
     "qs": "~6.5.2",
     "safe-buffer": "^5.1.2",

request.js

@@ -22,7 +22,6 @@ var getProxyFromURI = require('./lib/getProxyFromURI')
 var Querystring = require('./lib/querystring').Querystring
 var Har = require('./lib/har').Har
 var Auth = require('./lib/auth').Auth
-var OAuth = require('./lib/oauth').OAuth
 var hawk = require('./lib/hawk')
 var Multipart = require('./lib/multipart').Multipart
 var Redirect = require('./lib/redirect').Redirect
@@ -120,7 +119,6 @@ function Request (options) {
   }
   self._qs = new Querystring(self)
   self._auth = new Auth(self)
-  self._oauth = new OAuth(self)
   self._multipart = new Multipart(self)
   self._redirect = new Redirect(self)
   self._tunnel = new Tunnel(self)
@@ -442,12 +440,6 @@ Request.prototype.init = function (options) {
     setContentLength()
   }
 
-  if (options.oauth) {
-    self.oauth(options.oauth)
-  } else if (self._oauth.params && self.hasHeader('authorization')) {
-    self.oauth(self._oauth.params)
-  }
-
   var protocol = self.proxy && !self.tunnel ? self.proxy.protocol : self.uri.protocol
   var defaultModules = {'http:': http, 'https:': https}
   var httpModules = self.httpModules || {}
@@ -1423,13 +1415,6 @@ Request.prototype.hawk = function (opts) {
   var self = this
   self.setHeader('Authorization', hawk.header(self.uri, self.method, opts))
 }
-Request.prototype.oauth = function (_oauth) {
-  var self = this
-
-  self._oauth.onRequest(_oauth)
-
-  return self
-}
 
 Request.prototype.jar = function (jar) {
   var self = this