RideNoCo / drt-tds


HMAC Parameters clarification #8

Closed asiridissa closed 10 months ago

asiridissa commented 11 months ago

HMAC message parameters

Here are some sample values to feed into HMAC signature generation, and pseudocode for the HMAC function.

var sender_id = "USA.CO.80513.ORG#1";
var receiver_id = "USA.CO.80513.ORG#2";
var timestamp = 1700236238834; // generated using UTC time
var nonce = "588841d1-0250-480c-b221-8f6a456ac7e8";
var body = '{"tripTicketId":"f66afa6","status":"Cancel","reasonDescription":"string","canceledBy":"OrderingClient"}';

// Concatenate the fields in this order, with nothing between them.
var message = `${sender_id}${receiver_id}${timestamp}${nonce}${body}`;
var key = "{Secret Key}"; // placeholder for the secret key
var hmac = HMACFunction(message, key); // pseudocode: HMACFunction stands for the HMAC implementation

The rules about the timestamp and body parameter values have some ambiguity. The following two rules will make all of us compatible with each other.

  1. timestamp has to be generated using UTC time.
  2. body has to be the exact request payload. Could be formatted with spaces and line breaks or not.

Appreciate your feedback.

asiridissa commented 11 months ago

This pseudocode is subject to change depending on the outcome of issues #10 and #9.

NomeQ commented 11 months ago

  1. Agree wholeheartedly with timestamp formatting.
  2. Yes, I think this is the safest way. Rather than trying any particular guarantees on formatting, we know at least that the content of the request body as an un-parsed string will be identical for sender & receiver.

asiridissa commented 10 months ago

Decided to use the following points as rules.

  1. timestamp has to be generated using UTC time.
  2. body has to be the exact request payload. Could be formatted with spaces and line breaks or not.

Added these rules in swagger 0.5.a3 and closing this issue.
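
The "exact request payload" rule, shown as an added example that is not part of the original thread or the drt-tds project's code: the receiver must verify over the raw body string, because parsing and re-serializing the JSON changes the bytes and therefore the HMAC. HMAC-SHA256, hex output, the demo key, and the function names `sign`, `verify` and `demo` are assumptions; the issue does not specify them.

```javascript
// Added example, not code from the drt-tds repository.
// Assumptions: HMAC-SHA256, hex output, and a constructed demo key.
const { createHmac, timingSafeEqual } = require("node:crypto");

const DEMO_KEY = "constructed-demo-key"; // constructed; never hard-code a real secret

// message = sender_id + receiver_id + timestamp + nonce + body, concatenated
// as in the issue's pseudocode. rawBody must be the payload exactly as transmitted.
function sign({ senderId, receiverId, timestamp, nonce }, rawBody, key) {
  const message = `${senderId}${receiverId}${timestamp}${nonce}${rawBody}`;
  return createHmac("sha256", key).update(message, "utf8").digest("hex");
}

// Receiver side: recompute over the raw body string and compare in constant time.
function verify(fields, rawBody, signatureHex, key) {
  const expected = Buffer.from(sign(fields, rawBody, key), "hex");
  const received = Buffer.from(signatureHex, "hex");
  return expected.length === received.length && timingSafeEqual(expected, received);
}

// Sample values from the issue.
const fields = {
  senderId: "USA.CO.80513.ORG#1",
  receiverId: "USA.CO.80513.ORG#2",
  timestamp: 1700236238834,
  nonce: "588841d1-0250-480c-b221-8f6a456ac7e8",
};
const compactBody = '{"tripTicketId":"f66afa6","status":"Cancel","reasonDescription":"string","canceledBy":"OrderingClient"}';
// Same JSON, pretty-printed by the sender (constructed variant).
const prettyBody = JSON.stringify(JSON.parse(compactBody), null, 2);

function demo() {
  const sig = sign(fields, prettyBody, DEMO_KEY); // sender signs what it actually sends
  return {
    rawBodyAccepted: verify(fields, prettyBody, sig, DEMO_KEY),
    // A receiver that parses and re-serializes before verifying sees different bytes.
    reserializedAccepted: verify(fields, JSON.stringify(JSON.parse(prettyBody)), sig, DEMO_KEY),
    tamperedAccepted: verify(fields, prettyBody.replace("Cancel", "Accept"), sig, DEMO_KEY),
  };
}

console.log(demo());
```

In a web framework this means capturing the request body before any JSON middleware parses it, and passing that captured string to the verifier.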