feat(connectors): OAuth 1.0a engine — make ImmobilienScout24 actually authenticate #324
Merged
…was unauthenticatable) ImmobilienScout24 never moved to OAuth 2.0: it requires every request to be signed with HMAC-SHA1 per OAuth 1.0a (two-legged). The connector was configured as OAUTH2 (token exchange + Bearer), so it returned 401 on every call no matter what credentials a user entered — and the manifest had no `instructions` telling users where to obtain credentials at all.

Changes:
- New `oauth1-signer.ts`: OAuth 1.0a HMAC-SHA1 signer (two- and three-legged). Signature base string + percent-encoding + param sorting cross-verified against the canonical Twitter vector AND independently with `openssl dgst`.
- New `OAUTH1` auth type in the REST engine. Signing happens after query/body are built (the signature folds in query + form-urlencoded body params), unlike Bearer/API-key auth.
- `OAUTH1` added to the AuthType enum (Prisma schema + migration, same pattern as the LOGIN_TOKEN addition).
- IS24 manifest: authType OAUTH2 -> OAUTH1, two-legged authConfig (consumerKey/consumerSecret), accurate read-only description, and full `instructions` covering where to get credentials (selfservice portal, business-account requirement, sandbox/prod, partner approval).

Tested: 19 engine/signer unit tests pass; live structural check against the real IS24 API confirms our signed Authorization header engages IS24's OAuth layer (returns `WWW-Authenticate: OAuth realm="IS24 API"`), where an unsigned request is rejected outright — only valid credentials remain.
    ) {
      bodyParams = {};
      for (const [k, v] of new URLSearchParams(axiosConfig.data)) {
        bodyParams[k] = v;
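Review bot: `bodyParams[k] = v` keeps only the last value of a repeated form key, but OAuth 1.0a parameter normalization (RFC 5849 §3.4.1.3.2) requires every `key=value` pair, duplicates included, to appear in the signature base string; a body such as `type=a&type=b` would therefore be signed over one pair while the server normalizes two, and the signature check fails. Suggest collecting pairs as a list, e.g. `bodyPairs.push([k, v])`, and sorting/joining that list (by encoded key, then encoded value) when the base string is built. Also worth confirming that the condition closed by the `) {` above only enters this branch for `application/x-www-form-urlencoded` bodies where `axiosConfig.data` is a string: feeding a JSON string or a plain object to `URLSearchParams` silently yields parameters the server never sees, which again produces a mismatching signature rather than an error.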
Problem

ImmobilienScout24 was unusable: every call returned 401, and the manifest had no `instructions` explaining where to get credentials (it was the only credential-requiring connector missing them). A customer hit exactly this.

Root cause: IS24 never adopted OAuth 2.0. Its API requires every request to be signed with HMAC-SHA1 per OAuth 1.0a (two-legged: consumer key + secret sign each request). Our connector was configured as `OAUTH2` (token exchange + `Bearer`), which IS24 does not accept — so no credentials could ever work.

Changes

- `oauth1-signer.ts` — OAuth 1.0a HMAC-SHA1 signer (two- and three-legged). RFC 3986 encoding, signature base string, param sorting.
- `OAUTH1` auth type in the REST engine. Signed after query/body are built, since the OAuth 1.0a signature folds in query + form-urlencoded body params.
- `OAUTH1` added to the `AuthType` enum — Prisma schema + migration (same pattern as the prior `LOGIN_TOKEN` enum addition; auto-applied by `prisma migrate deploy` on boot).
- `OAUTH2` → `OAUTH1`, two-legged `authConfig` (consumerKey/consumerSecret), accurate read-only description, and full `instructions` — where to get credentials (selfservice.immobilienscout24.de, business account required, sandbox/prod, partner approval, paid price list).

Testing

`openssl dgst -sha1 -hmac` (both agree). `WWW-Authenticate: OAuth realm="IS24 API"` + structured OAuth error); an unsigned request is rejected outright. Only a valid business credential remains (which the end user supplies).

Note on existing connectors

Runtime auth reads from the stored connector row, so the one existing IS24 connector (created under `OAUTH2`) should be re-created after deploy to pick up `OAUTH1` + the new instructions, then have real `IS24_CLIENT_ID`/`IS24_CLIENT_SECRET` entered.
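The signer and engine-ordering points described in the PR (RFC 3986 percent-encoding, the sorted signature base string, folding query plus form-urlencoded body parameters, two-legged versus three-legged signing keys, and signing only once the final URL and body exist), as an added example that is not the PR's `oauth1-signer.ts` or any other code from this project. All function and type names are hypothetical. The three-legged inputs are the public Twitter documentation example the PR says it cross-checked against; the two-legged host and credentials are constructed placeholders. Repeated keys are kept as a list of pairs rather than an object so that both instances reach the base string.

```typescript
// Added example (not the project's oauth1-signer.ts): a self-contained OAuth 1.0a
// HMAC-SHA1 signer. Names are hypothetical; see the lead-in for what is assumed.
import { createHmac, randomBytes } from "crypto";

export interface OAuth1Credentials {
  consumerKey: string;
  consumerSecret: string;
  token?: string;       // absent for two-legged signing (the IS24 case)
  tokenSecret?: string; // absent for two-legged signing
}

/** One key/value pair. A list of pairs, not an object, so repeated keys survive. */
export type Pair = [string, string];

/** RFC 3986 percent-encoding: encodeURIComponent plus the five characters it leaves bare. */
export function rfc3986(s: string): string {
  return encodeURIComponent(s).replace(/[!'()*]/g, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

/** Parse a query string or application/x-www-form-urlencoded body into pairs (duplicates kept). */
export function formPairs(encoded: string): Pair[] {
  const pairs: Pair[] = [];
  new URLSearchParams(encoded).forEach((v, k) => pairs.push([k, v]));
  return pairs;
}

/** Signature base string: METHOD & base-URI & normalized(query + body + oauth_* params). */
export function signatureBaseString(method: string, url: string, params: Pair[]): string {
  const u = new URL(url);
  // Base string URI: lowercase scheme/host, default port already dropped by URL, no query/fragment.
  const baseUri = `${u.protocol}//${u.host}${u.pathname}`;
  const normalized = params
    .map(([k, v]): Pair => [rfc3986(k), rfc3986(v)])
    // Sort by encoded key, then by encoded value for repeated keys (RFC 5849 §3.4.1.3.2).
    .sort(([ka, va], [kb, vb]) => (ka < kb ? -1 : ka > kb ? 1 : va < vb ? -1 : va > vb ? 1 : 0))
    .map(([k, v]) => `${k}=${v}`)
    .join("&");
  return [method.toUpperCase(), baseUri, normalized].map(rfc3986).join("&");
}

export interface SignedRequest {
  baseString: string;
  signingKey: string;
  signature: string;
  authorization: string; // value for the Authorization header
}

/**
 * Sign a request whose URL (with query) and body are already final: the signature covers
 * the query pairs, the form-urlencoded body pairs and the oauth_* protocol parameters.
 * nonce and timestamp are injectable so that known vectors can be reproduced in tests.
 */
export function signRequest(creds: OAuth1Credentials, method: string, url: string,
  bodyPairs: Pair[] = [], nonce: string = randomBytes(16).toString("hex"),
  timestamp: number = Math.floor(Date.now() / 1000)): SignedRequest {
  const oauthParams: Pair[] = [
    ["oauth_consumer_key", creds.consumerKey],
    ["oauth_nonce", nonce],
    ["oauth_signature_method", "HMAC-SHA1"],
    ["oauth_timestamp", String(timestamp)],
    ["oauth_version", "1.0"],
  ];
  if (creds.token) oauthParams.push(["oauth_token", creds.token]); // three-legged only
  const queryPairs = formPairs(new URL(url).search); // URLSearchParams strips the leading "?"
  const baseString = signatureBaseString(method, url, [...queryPairs, ...bodyPairs, ...oauthParams]);
  // Key is consumerSecret&tokenSecret; the token secret is empty for two-legged requests.
  const signingKey = `${rfc3986(creds.consumerSecret)}&${rfc3986(creds.tokenSecret ?? "")}`;
  const signature = createHmac("sha1", signingKey).update(baseString).digest("base64");
  const authorization = "OAuth " + [...oauthParams, ["oauth_signature", signature] as Pair]
    .map(([k, v]) => `${rfc3986(k)}="${rfc3986(v)}"`).join(", ");
  return { baseString, signingKey, signature, authorization };
}

/** Twitter "Creating a signature" documentation inputs (three-legged), with its fixed nonce/timestamp. */
export function twitterVector(): SignedRequest {
  return signRequest(
    { consumerKey: "xvz1evFS4wEEPTGEFPHBog", consumerSecret: "kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw",
      token: "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb", tokenSecret: "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE" },
    "POST", "https://api.twitter.com/1.1/statuses/update.json?include_entities=true",
    formPairs("status=Hello%20Ladies%20%2B%20Gentlemen%2C%20a%20signed%20OAuth%20request%21"),
    "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg", 1318622958);
}

/** Two-legged request with a repeated query key; host and credentials are constructed placeholders. */
export function twoLeggedExample(): SignedRequest {
  return signRequest(
    { consumerKey: "placeholder-consumer-key", consumerSecret: "placeholder-consumer-secret" },
    "GET", "https://api.example.test/search?type=apartment&type=house&q=Berlin%20Mitte",
    [], "fixednonce", 1700000000);
}
```

When a signed call still comes back 401 with `WWW-Authenticate: OAuth realm="..."`, the base string is the thing to compare against what the server reconstructs: log `baseString` (never `signingKey`) at debug level, and check that the nonce is fresh per request and the timestamp is within the server's window, since those are the two inputs that differ between a unit test and a live call.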