The current usage of HMAC to generate a link string is a little bit misleading, since ssid.did is not actually meant to be secret. My suggestion would be to replace it with something like a progressive sha-256 hash.
var sha256 = CryptoJS.algo.SHA256.create();
sha256.update(data);
sha256.update(ssid.did);
var hash = sha256.finalize();
This would also result in a string that can be derived by having the ssid and data.
The current usage of HMAC to generate a link string is a little bit misleading, since ssid.did is not actually meant to be secret. My suggestion would be to replace it with something like a progressive sha-256 hash.
This would also result in a string that can be derived by having the ssid and data.