charlesportwoodii / yii2-api

A Yii2 API Skeleton Framework
BSD 3-Clause "New" or "Revised" License

Authorization->verify() not matching for refresh endpoint #4

Open dbd5 opened 1 month ago

dbd5 commented 1 month ago

Hello;

I am trying to play with the refresh endpoint so I can get a general understanding of how things work.

After a successful login / authentication I use static HMAC::generate() to generate the HMAC authorisation header (V1 - set version = 1 in the call to Authorization) as follows:

Yii::warning(\common\yrc\tests_support\HMAC::generate(
    '/v1/user/refresh',
    [
        "access_token" => "PAX4R4CJPW56UGDOC65EGHH6GQAVWGQ6PD6VERHF6W2XS5EC555Q",
        "refresh_token" => "IG36HCPXTNYFIBOHDT7IXAV3QEDYMGPIVSSE6XXW3Z5TD6YEGXZR3XZIYNK2BBGLXFY3XX5IDL2FDLRKY736VFB4B7V3A44WT4WCE6I",
        "ikm" => "4rUgb3f0hJVhUcyrw5495VcBC+sCS1biBxL5hoq+WZU=",
        "expires_at" => 1716902878,
        "secret_sign_kp" => "gVpGYJkATcwgMUbWtZL604VbNB7X6dw6GnSxEaCTqZahM99vqrwMSQWyEwseOsap1rHugbwxXUqn2gX0NnDKqQ==",
    ],
    'post',
    new DateTime(),
    ["refresh_token" => "IG36HCPXTNYFIBOHDT7IXAV3QEDYMGPIVSSE6XXW3Z5TD6YEGXZR3XZIYNK2BBGLXFY3XX5IDL2FDLRKY736VFB4B7V3A44WT4WCE6I"],
));

I then set this as the Authorization header in Postman and also set the X-Date header.

When I make a Postman call to https://api.localhost/v1/user/refresh with the payload "refresh_token" => "IG36HCPXTNYFIBOHDT7IXAV3QEDYMGPIVSSE6XXW3Z5TD6YEGXZR3XZIYNK2BBGLXFY3XX5IDL2FDLRKY736VFB4B7V3A44WT4WCE6I", I always get "Your request was made with invalid credentials."

In debugging this, I have set the driftAllowance to an unreasonably high number just to isolate timing in Authorization->verify(). It appears that the $hmac never matches $auth->getHMAC() in the line:

if (\sodium_memcmp($hmac, $auth->getHMAC()) === 0) { return true; }

I'd appreciate your insights on what I could be doing wrong.

Thanks
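The failure mode described in this issue (the recomputed HMAC never equalling the presented one, even with timing drift ruled out) is characteristic of HMAC request-signing schemes in general: both sides must MAC over byte-identical input, so any difference in the canonical string (method case, path, date header, or the body bytes actually transmitted versus the body the client thought it was signing) produces a mismatch that looks exactly like bad credentials. The following is an added illustration of that pattern, not code from the yii2-api project and not its HMAC::generate()/Authorization->verify() scheme; the canonical-string layout, header names, DEMO_SECRET and the token value are all constructed for the example. It signs a request, then verifies it three ways: against the exact bytes that were signed, against the same JSON re-serialized with different whitespace, and with an X-Date outside the drift allowance.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo secret (hypothetical); a real deployment derives a
# per-session signing key and never hard-codes it.
DEMO_SECRET = b"demo-secret-not-from-the-project"
DATE_FMT = "%a, %d %b %Y %H:%M:%S GMT"


def canonical_string(method: str, path: str, date_header: str, body: bytes) -> bytes:
    """Bytes that both client and server MAC over (hypothetical layout).

    Every component must be byte-for-byte identical on both sides; the body is
    represented by the SHA-256 of the raw bytes that go on the wire.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, date_header, body_hash]).encode()


def sign(method: str, path: str, body: bytes, when: datetime, secret: bytes = DEMO_SECRET) -> dict:
    """Client side: produce the Authorization and X-Date headers for a request."""
    date_header = when.astimezone(timezone.utc).strftime(DATE_FMT)
    mac = hmac.new(secret, canonical_string(method, path, date_header, body), hashlib.sha256).digest()
    return {"Authorization": "HMAC " + base64.b64encode(mac).decode(), "X-Date": date_header}


def verify(headers: dict, method: str, path: str, raw_body: bytes, now: datetime,
           secret: bytes = DEMO_SECRET, drift_allowance: int = 60) -> bool:
    """Server side: reject stale or malformed requests, then recompute the MAC
    over the raw request bytes and compare it in constant time."""
    auth = headers.get("Authorization", "")
    date_header = headers.get("X-Date", "")
    if not auth.startswith("HMAC "):
        return False
    try:
        sent_at = datetime.strptime(date_header, DATE_FMT).replace(tzinfo=timezone.utc)
        presented = base64.b64decode(auth[len("HMAC "):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Clock-drift window: a request signed too far from "now" is refused outright.
    if abs((now - sent_at).total_seconds()) > drift_allowance:
        return False
    expected = hmac.new(secret, canonical_string(method, path, date_header, raw_body), hashlib.sha256).digest()
    # Constant-time comparison, the same role sodium_memcmp plays in the issue's snippet.
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Sign one refresh request and verify it under three conditions."""
    t0 = datetime(2024, 5, 28, 12, 0, 0, tzinfo=timezone.utc)
    payload = {"refresh_token": "CONSTRUCTED_TOKEN_VALUE"}  # constructed, not a real token
    body = json.dumps(payload).encode()
    headers = sign("post", "/v1/user/refresh", body, t0)

    # Same JSON object, different serialization: the server hashed these bytes,
    # but the client signed the ones above, so the MACs cannot agree.
    reserialized = json.dumps(payload, separators=(",", ":")).encode()

    shortly_after = t0 + timedelta(seconds=5)
    much_later = t0 + timedelta(minutes=10)
    return {
        "exact_body": verify(headers, "POST", "/v1/user/refresh", body, shortly_after),
        "reserialized_body": verify(headers, "POST", "/v1/user/refresh", reserialized, shortly_after),
        "stale_date": verify(headers, "POST", "/v1/user/refresh", body, much_later),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'rejected'}")
```

When debugging a mismatch of this kind, the useful step is to log the exact canonical-string bytes (or their hash) on both sides rather than the final MAC; two MACs that differ tell you nothing, while two canonical strings that differ show precisely which component was not transmitted as signed.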

charlesportwoodii-cb commented 1 month ago

Hi @dbd5. This repository was last updated over 4 years ago now, and there are better, more robust solutions now. If you're looking for a couple, I'd recommend (in no particular order).