cloudinary / cloudinary_java

Cloudinary Java Client Library
MIT License

verifyNotificationSignature assumes timestamps in milliseconds #260

Closed daplf closed 2 years ago

daplf commented 2 years ago

Describe the bug in a sentence or two.

Hi, I'm having an issue verifying a webhook notification. After going through the code, it looks to me like the Java library is assuming the value of X-Cld-Timestamp is in milliseconds, which is, from my understanding, incorrect. It should be in seconds, right?

This issue was fixed before in the Node SDK: https://github.com/cloudinary/cloudinary_npm/pull/515

I'm happy to provide a fix here if you can confirm this is indeed the issue.

Issue Type (Can be multiple)

Behaviour - Functions aren’t working as expected (Such as generate URL)

Steps to reproduce

Verify a signature using a provided X-Cld-Timestamp and a short secondsValidFor and you should see the problem.

Versions and Libraries (fill in the version numbers)

Cloudinary Java SDK version - 1.30.0
JVM - 11

aleksandar-cloudinary commented 2 years ago

Hi @daplf, Thanks for raising this!

Yes, you're absolutely right - the secondsValidFor will be converted to milliseconds but the parsedTimestamp coming from the Webhook headers will be in seconds.

If you'd like to submit a PR for this bug then that would be welcome! If not, please let me know and I'll create a ticket internally and we will update it.

daplf commented 2 years ago

Fixed in https://github.com/cloudinary/cloudinary_java/commit/8f222040921c2f11e9eb343f26784340698dbb12
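
The unit mismatch discussed in this thread, shown as an added example (not code from the Cloudinary SDK or from the commit linked above): a freshness check that subtracts a seconds-based header value from a millisecond clock, next to one that keeps both sides in the same unit. The class and method names, the fixed clock and the sample header values are assumptions constructed for illustration.

```java
import java.time.Duration;
import java.time.Instant;

// Added illustration, not Cloudinary SDK code. All names here are hypothetical.
public class WebhookFreshness {

    // Mismatched units: the header value (epoch seconds) is subtracted from a
    // millisecond clock, so the computed "age" is roughly the whole epoch in ms.
    static boolean isFreshMixedUnits(String header, long secondsValidFor, long nowMillis) {
        long parsed = Long.parseLong(header);
        return nowMillis - parsed <= secondsValidFor * 1000L;
    }

    // Consistent units: interpret the header as epoch seconds and compare Instants.
    static boolean isFresh(String header, long secondsValidFor, Instant now) {
        final Instant sent;
        try {
            sent = Instant.ofEpochSecond(Long.parseLong(header.trim()));
        } catch (RuntimeException e) { // null, non-numeric or out-of-range value
            return false;
        }
        Duration age = Duration.between(sent, now);
        // Reject timestamps from the future as well as ones older than the window.
        return !age.isNegative() && age.compareTo(Duration.ofSeconds(secondsValidFor)) <= 0;
    }

    public static void main(String[] args) {
        // Constructed sample values: a fixed "now" and headers 30 s and 2 h old.
        Instant now = Instant.ofEpochSecond(1_700_000_000L);
        String recent = String.valueOf(now.getEpochSecond() - 30);
        String stale = String.valueOf(now.getEpochSecond() - 7200);

        // Mixed units: a 30 s old header checked against a 60 s window.
        System.out.println(isFreshMixedUnits(recent, 60, now.toEpochMilli()));
        // Mixed units: a 2 h old header with a window widened until the check passes.
        System.out.println(isFreshMixedUnits(stale, 2_000_000_000L, now.toEpochMilli()));
        // Consistent units: the same headers against a 60 s window, then a bad header.
        System.out.println(isFresh(recent, 60, now));
        System.out.println(isFresh(stale, 60, now));
        System.out.println(isFresh("not-a-number", 60, now));
    }
}
```

With mixed units a short window rejects current notifications, and a window large enough to make them pass no longer bounds how old a replayed notification can be.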