Merge pull request WP-API#22 from jtsternberg/master

Create additional methods to handle recursive signature string handling.  Closes WP-API#22.

Author: rachelbaker

lib/class-wp-json-authentication-oauth1.php

@@ -115,7 +115,7 @@ public function get_parameters( $require_token = true, $extra = array() ) {
 				_n(
 					'Missing OAuth parameter %s',
 					'Missing OAuth parameters %s',
-					count( $errors ) 
+					count( $errors )
 				),
 				implode(', ', $errors )
 			);
@@ -431,7 +431,7 @@ public function get_access_token( $oauth_token ) {
 	/**
 	 * Generate a new access token
 	 *
-	 * @param string $oauth_consumer_key Consumer key 
+	 * @param string $oauth_consumer_key Consumer key
 	 * @param string $oauth_token Request token key
 	 * @return WP_Error|array OAuth token data on success, error otherwise
 	 */
@@ -528,19 +528,13 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 		unset( $params['oauth_signature'] );
 
 		// normalize parameter key/values
-		array_walk( $params, array( $this, 'normalize_parameters' ) );
+		array_walk_recursive( $params, array( $this, 'normalize_parameters' ) );
 
 		// sort parameters
 		if ( ! uksort( $params, 'strcmp' ) )
 			return new WP_Error( 'json_oauth1_failed_parameter_sort', __( 'Invalid Signature - failed to sort parameters' ), array( 'status' => 401 ) );
 
-		// form query string
-		$query_params = array();
-
-		foreach ( $params as $param_key => $param_value ) {
-			$query_params[] = $param_key . '%3D' . $param_value; // join with equals sign
-		}
-		$query_string = implode( '%26', $query_params ); // join with ampersand
+		$query_string = $this->create_signature_string( $params );
 
 		$token = (array) $token;
 		$string_to_sign = $http_method . '&' . $base_request_uri . '&' . $query_string;
@@ -558,7 +552,7 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 			case 'HMAC-SHA256':
 				$hash_algorithm = 'sha256';
 				break;
-			
+
 			default:
 				return new WP_Error( 'json_oauth1_invalid_signature_method', __( 'Signature method is invalid' ), array( 'status' => 401 ) );
 		}
@@ -572,6 +566,41 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 		return true;
 	}
 
+	/**
+	 * Creates a signature string from all query parameters
+	 *
+	 * @since  0.1
+	 * @param  array  $params Array of query parameters
+	 * @return string         Signature string
+	 */
+	public function create_signature_string( $params ) {
+		return implode( '%26', $this->join_with_equals_sign( $params ) ); // join with ampersand
+	}
+
+	/**
+	 * Creates an array of urlencoded strings out of each array key/value pairs
+	 *
+	 * @since  0.1.0
+	 * @param  array  $params       Array of parameters to convert.
+	 * @param  array  $query_params Array to extend.
+	 * @param  string $key          Optional Array key to append
+	 * @return string               Array of urlencoded strings
+	 */
+	public function join_with_equals_sign( $params, $query_params = array(), $key = '' ) {
+		foreach ( $params as $param_key => $param_value ) {
+			if ( is_array( $param_value ) ) {
+				$query_params = $this->join_with_equals_sign( $param_value, $query_params, $param_key );
+			} else {
+				if ( $key ) {
+					$param_key = $key . '[' . $param_key . ']'; // Handle multi-dimensional array
+				}
+				$string = $param_key . '=' . $param_value; // join with equals sign
+				$query_params[] = urlencode( $string );
+			}
+		}
+		return $query_params;
+	}
+
 	/**
 	 * Normalize each parameter by assuming each parameter may have already been encoded, so attempt to decode, and then
 	 * re-encode according to RFC 3986
@@ -588,7 +617,7 @@ protected function normalize_parameters( &$key, &$value ) {
 
 	/**
 	 * Verify that the timestamp and nonce provided with the request are valid
-	 * 
+	 *
 	 * This prevents replay attacks against the request. A timestamp is only
 	 * valid within 15 minutes of the current time, and a nonce is valid if it
 	 * has not been used within the last 15 minutes.