From 6d3042f5e58e1adcae355a4f1261f66b8147f875 Mon Sep 17 00:00:00 2001
From: kbynd
Date: Sun, 4 Sep 2016 11:36:17 +0530
Subject: [PATCH] RequestURI captures the signature field as well. This in turn results is failure of signature based validation. So what is need is only "/api/resource/action". which is given by ctx.Input.URL()
---
 plugins/apiauth/apiauth.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/apiauth/apiauth.go b/plugins/apiauth/apiauth.go
index 970367c9..10636d1c 100644
--- a/plugins/apiauth/apiauth.go
+++ b/plugins/apiauth/apiauth.go
@@ -119,7 +119,7 @@ func APISecretAuth(f AppIDToAppSecret, timeout int) beego.FilterFunc {
 return
 }
 if ctx.Input.Query("signature") !=
- Signature(appsecret, ctx.Input.Method(), ctx.Request.Form, ctx.Input.URI()) {
+ Signature(appsecret, ctx.Input.Method(), ctx.Request.Form, ctx.Input.URL()) {
 ctx.ResponseWriter.WriteHeader(403)
 ctx.WriteString("auth failed")
 }
@@ -127,7 +127,7 @@ func APISecretAuth(f AppIDToAppSecret, timeout int) beego.FilterFunc {
 }
 
 // Signature used to generate signature with the appsecret/method/params/RequestURI
-func Signature(appsecret, method string, params url.Values, RequestURI string) (result string) {
+func Signature(appsecret, method string, params url.Values, RequestURL string) (result string) {
 var query string
 pa := make(map[string]string)
 for k, v := range params {
@@ -143,7 +143,7 @@ func Signature(appsecret, method string, params url.Values, RequestURI string) (
 query = fmt.Sprintf("%v%v%v", query, vs.Keys[i], vs.Vals[i])
 }
 }
- stringToSign := fmt.Sprintf("%v\n%v\n%v\n", method, query, RequestURI)
+ stringToSign := fmt.Sprintf("%v\n%v\n%v\n", method, query, RequestURL)
 sha256 := sha256.New
 hash := hmac.New(sha256, []byte(appsecret))
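Review bot: The `!=` on the changed comparison line still matches the client-supplied `signature` query value against the computed HMAC with an ordinary string compare, which is not constant-time; since `crypto/hmac` is already in scope for `hmac.New`, write it as `if !hmac.Equal([]byte(ctx.Input.Query("signature")), []byte(Signature(appsecret, ctx.Input.Method(), ctx.Request.Form, ctx.Input.URL()))) {`. Switching from `URI()` to `URL()` removes the self-referential query string from the string-to-sign, but it also means only the path is covered, in whatever form `URL()` returns it (presumably the decoded `URL.Path`), so clients must build the same representation; a one-line comment here such as `// sign over the request path only; the query string (including "signature") is covered via ctx.Request.Form` would make that contract visible. The enclosing filter closure starts and ends outside the hunk.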
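Review bot: The doc comment directly above the renamed signature still reads `.../params/RequestURI` while the parameter is now `RequestURL`, and a capitalised parameter name is not idiomatic Go; rename it to `requestURL` and update the comment to `// Signature computes the HMAC-SHA256 request signature from the appsecret, method, sorted params and the request path (requestURL, not the full RequestURI).` Renaming the parameter also requires the matching change on the `stringToSign` line in the third hunk. The rest of Signature's body, including how it serialises `params`, lies outside the hunk.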