Open jbdatko opened 9 years ago
Bumping issue to test notifications.
@jbdatko I forgot to update this issue after I got back to a computer on Friday. It looks like I already handled that here: https://github.com/toddtreece/req_signature_test/blob/master/server.js#L137
The client side version of that is here: https://github.com/toddtreece/req_signature_test/blob/master/client.js#L44
It's currently only demonstrating with query string params, but it will work the same with URL encoded POST params.
Ok. I think I misread this. My understanding is that this will HMAC the URL after removing the '?', correct?
If that is correct, then I recommend you close this issue, as then the value is being HMAC'd.
However, if that is the case, then I think we have a new issue :)
The new issue would be: a MITM that can regenerate the HMAC key, because it appears to me it's only derived from the headers, which is all public data over the wire.
I thought there was some key/hash when an account is generated? Can you point me to that?
On Mon, Oct 27, 2014 at 2:21 PM, Todd Treece notifications@github.com wrote:
> @jbdatko https://github.com/jbdatko I forgot to update this issue after I got back to a computer on Friday. It looks like I already handled that here: https://github.com/toddtreece/req_signature_test/blob/master/server.js#L137
The publish hash is generated using node's built in pbkdf2 in the new version of phant. I'm just using a placeholder in the example: https://github.com/toddtreece/req_signature_test/blob/master/server.js#L39 that gets used in step 1.
Can we add the HMAC over the path, since that contains the actual sensor data? Otherwise, I could change the sensor data in transit and it won't affect the HMAC, if I read this correctly.