emartech / escher-php

Library for HTTP request signing (PHP implementation)
MIT License
16 stars 12 forks

Signature mismatch when the server behind proxy #12

Open Zolli opened 6 years ago

Zolli commented 6 years ago

Hi,

I found an issue: when the server (API server) is behind a proxy server, the generated signatures are not equal. This is because the Escher::authenticate() method does not care about the proxy headers at all.

Scenario: The client signs the request with host: b.website.com, but this host is a proxy that redirects the request to a.website.com. In this case the client uses the b.website.com host to sign the request, but the server uses the a.website.com host.

Proposal: When getting the host from the request, first check whether any X-Forwarded-* headers are present and use that address as the host.
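The mismatch above, and the caveat a practitioner would attach to the proposal, as an added example that is not escher-php's own code and not part of the issue: a minimal host-bound HMAC signature fails on the backend because Host now reads a.website.com, is repaired by reading X-Forwarded-Host, and that header is only honoured when REMOTE_ADDR belongs to a configured proxy. Otherwise any direct client could set X-Forwarded-Host and choose which host the signature is checked against, which defeats binding a signature to a host. The function names, canonical format, shared secret and addresses are all assumptions made for this example.

```php
<?php
// Added example, not escher-php's own code: a host-bound HMAC signature plus a
// trusted-proxy check deciding when X-Forwarded-Host may replace Host.
// Function names, canonical format, secret and addresses are hypothetical.

declare(strict_types=1);

/**
 * Resolve the host the server should verify against.
 * X-Forwarded-Host is honoured only when the request arrived from an address
 * in $trustedProxies; otherwise a client could set the header itself.
 */
function resolveHost(array $server, array $trustedProxies): string
{
    $remote    = $server['REMOTE_ADDR'] ?? '';
    $forwarded = $server['HTTP_X_FORWARDED_HOST'] ?? '';
    if ($forwarded !== '' && in_array($remote, $trustedProxies, true)) {
        // A proxy chain may append hosts; the first entry is the client-facing one.
        $first = explode(',', $forwarded)[0];
        return strtolower(trim($first));
    }
    return strtolower($server['HTTP_HOST'] ?? '');
}

/** Canonical request string: method, path and host are all covered by the signature. */
function canonicalRequest(string $method, string $path, string $host): string
{
    return strtoupper($method) . "\n" . $path . "\nhost:" . $host . "\n";
}

function sign(string $secret, string $method, string $path, string $host): string
{
    return hash_hmac('sha256', canonicalRequest($method, $path, $host), $secret);
}

/**
 * Verify a signature against the host resolved from $server.
 * hash_equals() keeps the comparison constant-time.
 */
function verify(string $secret, array $server, array $trustedProxies, string $signature): bool
{
    $host     = resolveHost($server, $trustedProxies);
    $expected = sign($secret, $server['REQUEST_METHOD'], $server['REQUEST_URI'], $host);
    return hash_equals($expected, $signature);
}

// Constructed sample: the client signs for the public name b.website.com.
$secret    = 'constructed-shared-secret';
$signature = sign($secret, 'GET', '/api/v1/items', 'b.website.com');

// What the backend sees after the proxy: its own name in Host, the original
// name in X-Forwarded-Host, and the proxy's address as REMOTE_ADDR.
$backendVars = [
    'REQUEST_METHOD'        => 'GET',
    'REQUEST_URI'           => '/api/v1/items',
    'HTTP_HOST'             => 'a.website.com',
    'HTTP_X_FORWARDED_HOST' => 'b.website.com',
    'REMOTE_ADDR'           => '10.0.0.5',
];

// Case 1: no trusted proxies configured, so Host (a.website.com) is used.
var_dump(verify($secret, $backendVars, [], $signature));

// Case 2: the proxy is trusted, so X-Forwarded-Host restores the signed host.
var_dump(verify($secret, $backendVars, ['10.0.0.5'], $signature));

// Case 3: a direct client on an untrusted address sends the same headers;
// X-Forwarded-Host is ignored and Host is used again.
$directVars = $backendVars;
$directVars['REMOTE_ADDR'] = '203.0.113.7';
var_dump(verify($secret, $directVars, ['10.0.0.5'], $signature));
```

Run it with `php example.php`. Case 1 reproduces the mismatch from the issue, case 2 shows the proposed fix working, and case 3 shows why the fix must be gated on the source address: without that gate, a signature captured for one host could be replayed to another by setting X-Forwarded-Host, and a client could also cause the verifier to evaluate an arbitrary host string it never actually connected to.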

Zolli commented 6 years ago

Any news on this?