From c43f9157c344b6d7aa6339b297d40de89eed9bbd Mon Sep 17 00:00:00 2001
From: Justin Shreve
Date: Fri, 19 Jun 2015 15:05:51 +0000
Subject: [PATCH] When generating the signature to compare, append a trailing &. The OAuth spec (http://tools.ietf.org/html/rfc5849#section-3.4.2) states that a & character must be present, even if a token secret is not a part of the request.
---
 includes/api/class-wc-api-authentication.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/includes/api/class-wc-api-authentication.php b/includes/api/class-wc-api-authentication.php
index 651b0f175a0..3ca15457be8 100644
--- a/includes/api/class-wc-api-authentication.php
+++ b/includes/api/class-wc-api-authentication.php
@@ -264,7 +264,8 @@ class WC_API_Authentication {
 $hash_algorithm = strtolower( str_replace( 'HMAC-', '', $params['oauth_signature_method'] ) );
- $signature = base64_encode( hash_hmac( $hash_algorithm, $string_to_sign, $keys['consumer_secret'], true ) );
+ $secret = $keys['consumer_secret'] . '&';
+ $signature = base64_encode( hash_hmac( $hash_algorithm, $string_to_sign, $secret, true ) );
 if ( ! hash_equals( $signature, $consumer_signature ) ) {
 throw new Exception( __( 'Invalid Signature - provided signature does not match', 'woocommerce' ), 401 );
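Review bot: The return value of `hash_hmac()` on the new `$signature` line goes straight into `base64_encode()` and `hash_equals()`, while `$hash_algorithm` is derived from the request's `oauth_signature_method` in the first context line. If that parameter is not restricted to supported methods before this point (the enclosing method starts outside the hunk, so it may be), an unsupported name makes `hash_hmac()` return false on PHP versions before 8, and the comparison then runs against an encoded empty value rather than a real MAC. Assigning `$hmac = hash_hmac( $hash_algorithm, $string_to_sign, $secret, true );` and throwing the same 401 when `false === $hmac` makes the failure explicit. Separately, RFC 5849 section 3.4.2 builds the key from the percent-encoded consumer secret, so `$secret` is only correct as written if consumer secrets never contain characters that need encoding. That assumption deserves a one-line comment such as `// RFC 5849 3.4.2: key = consumer_secret & token_secret; token secret is empty, '&' is still required`.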