Add a whitelist in options for header parameters that do not begin with oauth_

[williamkmlau]

Right now the toHeader() function will strip away all parameters that don't begin with "oauth_", I have added a white list option to deal with cases where there are non-standard headers such as xoauth that is required in the Authorization string.

[ddo]

is this really necessary? you can modify the header after got it from toHeader()

[williamkmlau]

is this really necessary? you can modify the header after got it from toHeader()

I think its necessary for 2 main reasons, abstraction and consistency.

Firstly for abstraction.
The toHeader() method takes the oauth parameters and creates an authorization string that is comma separated, URI encoded and sorted by name.
You are correct in saying the header can be modified, but that would mean the user has to URI encode and then insert each extra parameter in the correct sorted position. (It would be simpler to just generate the entire string from scratch)
However my point here is, in order to do the above, the user is required to have the knowledge of URI Encoding and Sorting standard of OAuth protocols.
The use of the library is to abstract away these sophisticated protocol steps so the user can simply throw in everything and the oauth works.

Secondly, for consistency.
The getSignature() or getBaseString() function already accounts for extra parameters included in the oauth_data object, which makes it awkward when passing the same oauth_data object to toHeader() function that doesn't support extra parameters.

An alternative solution instead of using a whitelist is simply to add a new boolean option (such as allowExtraOAuthParams) which disables the
if (sorted[i].key.indexOf('oauth_') !== 0 checking.
I didn't opt for this solution because it seems to dissuade precaution when making the oauth_data.

[ddo]

good point, im still consider about it. ty