toddtreece / req_signature_test


HMAC the path? #1

Open jbdatko opened 9 years ago

jbdatko commented 9 years ago

Can we add the HMAC over the path, since that contains the actual sensor data? Otherwise I could change the sensor data in transit and it won't affect the HMAC, if I read this correctly.

jbdatko commented 9 years ago

Bumping issue to test notifications.

toddtreece commented 9 years ago

@jbdatko I forgot to update this issue after I got back to a computer on Friday. It looks like I already handled that here: https://github.com/toddtreece/req_signature_test/blob/master/server.js#L137

The client side version of that is here: https://github.com/toddtreece/req_signature_test/blob/master/client.js#L44

It's currently only demonstrating with query string params, but it will work the same with URL encoded POST params.

jbdatko commented 9 years ago

Ok. I think I misread this. My understanding is that this will HMAC the URL after removing the '?', correct?

If that is correct, then I recommend you close this issue, as then the value is being HMAC'd.

However, if that is the case, then I think we have a new issue :)

The new issue would be: a MITM that can regenerate the HMAC key, because it appears to me it's only derived from the headers, which are all public data over the wire.

I thought there was some key/hash when an account is generated? Can you point me to that?

On Mon, Oct 27, 2014 at 2:21 PM, Todd Treece notifications@github.com wrote:

@jbdatko https://github.com/jbdatko I forgot to update this issue after I got back to a computer on Friday. It looks like I already handled that here: https://github.com/toddtreece/req_signature_test/blob/master/server.js#L137


toddtreece commented 9 years ago

The publish hash is generated using Node's built-in pbkdf2 in the new version of phant. I'm just using a placeholder in the example: https://github.com/toddtreece/req_signature_test/blob/master/server.js#L39 that gets used in step 1.