OAuth 1.0a Request Authorization
oauth-1.0a is a JavaScript library providing a streamlined way to authorize requests using the OAuth 1.0a protocol in both Node.js and browser environments. It abstracts away the complexities of generating `oauth_consumer_key`, `oauth_nonce`, `oauth_signature`, and other OAuth 1.0a parameters, allowing developers to use their preferred HTTP client (e.g., `request`, `jQuery.ajax`). The current stable version is 2.2.6, with minor updates addressing dependency bumps and TypeScript type improvements. A key differentiator is its separation of cryptographic hashing, requiring users to provide a `hash_function` implementation, which allows for flexibility with native Node.js `crypto` or browser-specific libraries like CryptoJS. It aims to simplify integration with popular OAuth 1.0a services like Twitter, Flickr, and Bitbucket.
Common errors
- `TypeError: (0, _oauth10a.OAuth) is not a function`
  cause Attempting to import `OAuth` as a named export when it is a default export in an ESM context.
  fix Change `import { OAuth } from 'oauth-1.0a'` to `import OAuth from 'oauth-1.0a'`.
- `Error: Cannot find module 'crypto'`
  cause The `node:crypto` module is not available in the current Node.js environment or bundler setup.
  fix Verify that your Node.js installation includes the crypto module. If using a bundler (like Webpack for browser), ensure `node:crypto` is correctly polyfilled or stubbed, or provide a browser-specific `hash_function`.
- `Error: Missing consumer key or secret.`
  cause The `consumer.key` or `consumer.secret` properties were not provided or were empty strings during `OAuth` initialization.
  fix Ensure that `consumer.key` and `consumer.secret` are valid, non-empty strings in the configuration object passed to `OAuth()`.
Warnings
- breaking Version 2.0.0 introduced breaking changes: `consumer.public` was renamed to `consumer.key`, and the `CryptoJS` dependency was removed. Users must now provide their own `hash_function` implementation.
- gotcha The `crypto` module in Node.js is not guaranteed to be present in all environments, especially in highly customized or restricted Node.js builds. If `require('crypto')` throws an error, the native crypto module is unavailable.
- gotcha For browser usage, you *must* explicitly provide a browser-compatible cryptographic hashing library (e.g., Google's CryptoJS) as the `hash_function`. The library does not bundle one.
- gotcha The `oauth-1.0a` package exports a default function. Using named imports like `import { OAuth } from 'oauth-1.0a'` will result in `undefined` for `OAuth` in ESM environments.
Install
- `npm install oauth-1.0a`
- `yarn add oauth-1.0a`
- `pnpm add oauth-1.0a`
Imports
- OAuth
  wrong: `import { OAuth } from 'oauth-1.0a'`
  right: `import OAuth from 'oauth-1.0a'`
- OAuth (CommonJS)
  `const OAuth = require('oauth-1.0a')`
- hash_function (HMAC-SHA1)
  wrong: `import { createHmac } from 'crypto'; // Not always safe or cross-platform.`
  right:
  ```javascript
  import * as crypto from 'node:crypto';
  // ... in config:
  hash_function(base_string, key) {
    return crypto.createHmac('sha1', key).update(base_string).digest('base64');
  }
  ```
Quickstart
```javascript
import * as crypto from 'node:crypto';
import OAuth from 'oauth-1.0a';

const consumerKey = process.env.OAUTH_CONSUMER_KEY ?? '';
const consumerSecret = process.env.OAUTH_CONSUMER_SECRET ?? '';

const oauth = OAuth({
  consumer: { key: consumerKey, secret: consumerSecret },
  signature_method: 'HMAC-SHA1',
  hash_function(base_string, key) {
    return crypto
      .createHmac('sha1', key)
      .update(base_string)
      .digest('base64');
  },
});

const request_data = {
  url: 'https://api.twitter.com/1.1/account/verify_credentials.json',
  method: 'GET',
  data: {},
};

// Example token (for user-specific requests)
const token = {
  key: process.env.OAUTH_TOKEN_KEY ?? '',
  secret: process.env.OAUTH_TOKEN_SECRET ?? ''
};

const authorized_request = oauth.authorize(request_data, token);

// To get the header for an HTTP client:
const headers = oauth.toHeader(authorized_request);
console.log('Authorization Header:', headers.Authorization);

// Example of how you would typically send the request with 'fetch' or similar:
// fetch(request_data.url, {
//   method: request_data.method,
//   headers: {
//     ...headers,
//     'Content-Type': 'application/json' // Or other appropriate content type
//   }
// }).then(res => res.json()).then(data => console.log(data));

console.log('OAuth authorization data generated successfully.');
```
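What the `hash_function` above is asked to sign, worked through from RFC 5849 as an added example (this is not code from the oauth-1.0a package): it builds the signature base string, derives the HMAC-SHA1 key from the two secrets, and shows the constant-time comparison a receiving service would use. The helper names and all sample values are assumptions made for illustration, and the URL is assumed to be normalized with no query string.

```javascript
// Added example; not code from the oauth-1.0a package. Helper names are hypothetical.
const nodeCrypto = require('node:crypto');

// RFC 3986 encoding: encodeURIComponent leaves ! * ' ( ) unescaped.
function percentEncode(value) {
  return encodeURIComponent(String(value)).replace(/[!*'()]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// RFC 5849 section 3.4.1: METHOD & encoded URL & encoded, sorted parameters.
// Assumes `url` is already normalized and has no query string.
function signatureBaseString(method, url, params) {
  const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);
  const normalized = Object.entries(params)
    .map(([k, v]) => [percentEncode(k), percentEncode(v)])
    .sort((x, y) => cmp(x[0], y[0]) || cmp(x[1], y[1])) // by name, then value
    .map((pair) => pair.join('='))
    .join('&');
  return [method.toUpperCase(), percentEncode(url), percentEncode(normalized)].join('&');
}

// Same shape as the hash_function on this page: HMAC-SHA1, base64 output.
function hashFunction(baseString, key) {
  return nodeCrypto.createHmac('sha1', key).update(baseString).digest('base64');
}

// Signing key per RFC 5849 section 3.4.2: consumer secret & token secret.
function sign(method, url, params, consumerSecret, tokenSecret = '') {
  const key = `${percentEncode(consumerSecret)}&${percentEncode(tokenSecret)}`;
  return hashFunction(signatureBaseString(method, url, params), key);
}

// Receiving side: recompute the signature and compare in constant time.
function verify(signature, method, url, params, consumerSecret, tokenSecret = '') {
  const expected = Buffer.from(sign(method, url, params, consumerSecret, tokenSecret), 'base64');
  const given = Buffer.from(String(signature), 'base64');
  return given.length === expected.length && nodeCrypto.timingSafeEqual(given, expected);
}

// Constructed sample request; every value below is made up.
const SAMPLE = {
  method: 'post', url: 'https://api.example.com/1.1/update.json',
  params: {
    oauth_consumer_key: 'ck-example', oauth_nonce: 'n0nce',
    oauth_signature_method: 'HMAC-SHA1', oauth_timestamp: '1700000000',
    oauth_token: 'tk-example', oauth_version: '1.0', status: 'Hi (there)!',
  },
};
console.log(sign(SAMPLE.method, SAMPLE.url, SAMPLE.params, 'cs-example', 'ts-example'));
```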