it looks like non oauth_ parameters where being included within the authorization headers

I believe this to be incorrect.

Readme.md

@@ -8,7 +8,8 @@ Also provides rudimentary OAuth2 support, tested against facebook connect and gi
 at express-auth (http://github.com/ciaranj/express-auth) 
 
 Change History
-==============
+============== 
+* 0.7.7 - Looks like non oauth_ parameters where appearing within the Authorization headers, which I believe to be inccorrect.
 * 0.7.6 - Added in oauth_verifier property to getAccessToken required for 1.0A
 * 0.7.5 - Added in a main.js to simplify the require'ing of OAuth
 * 0.7.4 - Minor change to add an error listener to the OAuth client (thanks troyk)

lib/oauth.js

@@ -193,8 +193,12 @@ exports.OAuth.prototype._performSecureRequest= function( oauth_token, oauth_toke
 
   // build request authorization header
   var authHeader="OAuth "; 
-  for( var i= 0 ; i < orderedParameters.length; i++) {
+  for( var i= 0 ; i < orderedParameters.length; i++) { 
+     // Whilst the all the parameters should be included within the signature, only the oauth_ arguments
+     // should appear within the authorization header.
+     if( orderedParameters[i][0].match('^oauth_') != "oauth_") {
       authHeader+= this._encodeData(orderedParameters[i][0])+"=\""+ this._encodeData(orderedParameters[i][1])+"\",";
+     }
   }
   authHeader= authHeader.substring(0, authHeader.length-1);
 

package.json

@@ -1,5 +1,5 @@
 { "name" : "oauth"
-, "version" : "0.7.6"
+, "version" : "0.7.7"
 , "directories" : { "lib" : "./lib" }
 , "main" : "main.js"
 , "author" : "Ciaran Jessup"