OAuth signature not matched when data is url encoded

Open drsdre opened this issue 8 years ago • 4 comments

This subject has been discussed several times before, but the current solution is not correct yet for POST requests.

The situation: I'm updating a WP record which includes a URL post field like: url=http://siteurl.com/page?key=xxxyyy%3D (the string '%3D' needs to be preserved)

When the OAuth1 plugin processes the data, it receives the following post data: Array ( [url] => http://siteurl.com/page?key=xxxyyy%3D )

However, when it passes through the normalize_parameters function it creates the following data: Array ( [url] => http%3A%2F%2Fsiteurl.com%2Fpage%3Fkey%3Dxxxyyy%3D )

(this decodes back into http://siteurl.com/page?key=xxxyyy= instead of %3D).

Expected is: Array ( [url] => http%3A%2F%2Fsiteurl.com%2Fpage%3Fkey%3Dxxxyyy%253D )

(this decodes back into http://siteurl.com/page?key=xxxyyy%3D).

Conclusion: For POST data, the normalize_function should NOT rawurldecode the parameters, as this changes the incoming data, hence the OAuth1 signature will not match anymore.

drsdre avatar Apr 18 '17 16:04 drsdre
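
The mismatch reported above, reproduced as an added example that is not part of the original thread or the plugin's code: a client signs the POST per RFC 5849, then the server side recomputes the signature with and without an extra `rawurldecode` pass. The function names, secrets, nonce, timestamp and endpoint are constructed assumptions; only the `url` value comes from the report.

```php
<?php
// Added illustration, not the plugin's code. Secrets, nonce and endpoint are constructed.

// RFC 5849 3.4.1.3.2: percent-encode names and values, sort by encoded name, join.
function normalize_for_signature(array $params, bool $decode_first): string {
    $encoded = [];
    foreach ($params as $name => $value) {
        $name = (string) $name;
        if ($decode_first) {
            // Behaviour reported in the issue: an already-decoded POST value is
            // decoded a second time, so a literal "%3D" becomes "=".
            $name  = rawurldecode($name);
            $value = rawurldecode($value);
        }
        $encoded[rawurlencode($name)] = rawurlencode($value);
    }
    ksort($encoded, SORT_STRING);
    $pairs = [];
    foreach ($encoded as $name => $value) {
        $pairs[] = $name . '=' . $value;
    }
    return implode('&', $pairs);
}

function hmac_sha1_signature(string $method, string $url, array $params, string $key, bool $decode_first): string {
    $base = strtoupper($method) . '&' . rawurlencode($url) . '&'
          . rawurlencode(normalize_for_signature($params, $decode_first));
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

$params = [
    'oauth_consumer_key'     => 'sample-consumer-key',   // constructed
    'oauth_nonce'            => 'constructed-nonce',     // constructed
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => '1492531440',            // constructed
    'oauth_token'            => 'sample-token',          // constructed
    'oauth_version'          => '1.0',
    'url' => 'http://siteurl.com/page?key=xxxyyy%3D',    // value as the report says the plugin receives it
];
$key      = rawurlencode('sample-consumer-secret') . '&' . rawurlencode('sample-token-secret');
$endpoint = 'http://example.test/wp-json/wp/v2/posts/1'; // constructed

$client         = hmac_sha1_signature('POST', $endpoint, $params, $key, false);
$server_decoded = hmac_sha1_signature('POST', $endpoint, $params, $key, true);
$server_as_is   = hmac_sha1_signature('POST', $endpoint, $params, $key, false);

echo "decode-first: ", normalize_for_signature(['url' => $params['url']], true), "\n";
echo "as received:  ", normalize_for_signature(['url' => $params['url']], false), "\n";
echo "decode-first matches client: ", var_export(hash_equals($client, $server_decoded), true), "\n";
echo "as-received matches client:  ", var_export(hash_equals($client, $server_as_is), true), "\n";
```

Comparing with `hash_equals` keeps the signature check constant-time, which matters on the verifying side regardless of how the parameters are normalized.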

I can confirm that https://github.com/WP-API/OAuth1/pull/92 (when manually merged) is a fix for this issue. The merge is available on https://github.com/drsdre/OAuth1. If the authors of this plugin want, I can create a pull request.

drsdre avatar Apr 19 '17 10:04 drsdre

Nice, but #92 is already a pull request?

larssn avatar Aug 28 '17 10:08 larssn

The file name changed in that pull request does not even exist any more in the current version (which has been working fine for me for all OAuth requests and uploads for a long time now).

Are you using the latest 0.3 version of the OAuth plugin from here?: https://wordpress.org/plugins/rest-api-oauth1/

kosso avatar Aug 28 '17 10:08 kosso

This repo needs a loving hand

larssn avatar Aug 28 '17 10:08 larssn