This repository was archived by the owner on Feb 7, 2024. It is now read-only.
  
  
  
  
verifySignature method with auth: I think it needs to change #1099
                  
                    
Uchiha-AhmedSaad started this conversation in General

Replies: 0 comments
  
```php
if (Str::after($payload->auth, ':') !== hash_hmac('sha256', $signature, $connection->app->secret)) {
    throw new InvalidSignature();
}
```
I think it's not correct to check if `Str::after($payload->auth, ':')` is equal to `hash_hmac('sha256', $signature, $connection->app->secret)`.
We need a helper function to check whether they are the same or not,
like this:
```php
if (!function_exists('hash_equals')) {
    // Fallback for PHP versions without the built-in hash_equals().
    function hash_equals($str1, $str2)
    {
        $str1_len = strlen($str1);
        $str2_len = strlen($str2);
        // A length mismatch sets bits in $diff; every byte difference is OR-ed in.
        $diff = $str1_len ^ $str2_len;
        for ($x = 0; $x < $str1_len && $x < $str2_len; $x++) {
            $diff |= ord($str1[$x]) ^ ord($str2[$x]);
        }
        return $diff === 0;
    }
}
```

and then the method can be

```php
protected function verifySignature(ConnectionInterface $connection, stdClass $payload)
{
    $signature = "{$connection->socketId}:{$this->channelName}";

    if (isset($payload->channel_data)) {
        $signature .= ":{$payload->channel_data}";
    }

    // Expected MAC first, client-supplied value second. The client value must be
    // compared as received, not passed through hash_hmac() first, or the
    // comparison no longer depends on the secret.
    $expected = hash_hmac('sha256', $signature, $connection->app->secret);

    if (!hash_equals($expected, Str::after($payload->auth, ':'))) {
        throw new InvalidSignature();
    }
}
```
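The check this post asks for, as an added example (not code from the post or from the package): a stand-alone PHP function that recomputes the HMAC and compares it to the client-supplied value with `hash_equals`, run over a valid token and four that must be rejected. The helper `after()`, the function `verifyAuth()` and every key, socket id and channel name are constructed for illustration.

```php
<?php
// Added example: all names, keys and values here are constructed.

// Stand-in for Str::after(): text after the first occurrence of $search.
function after(string $subject, string $search): string
{
    $pos = strpos($subject, $search);
    return $pos === false ? $subject : substr($subject, $pos + strlen($search));
}

// Recompute the MAC for the subscription and compare it in constant time.
function verifyAuth(string $secret, string $socketId, string $channel, $auth, ?string $channelData = null): bool
{
    if (!is_string($auth)) {
        return false; // hash_equals() requires both arguments to be strings
    }
    $signature = "{$socketId}:{$channel}";
    if ($channelData !== null) {
        $signature .= ":{$channelData}";
    }
    $expected = hash_hmac('sha256', $signature, $secret);

    // Known value first, client-supplied value second, compared as received.
    return hash_equals($expected, after($auth, ':'));
}

$secret   = 'constructed-app-secret';
$socketId = '1234.5678';
$channel  = 'private-orders';
$mac      = hash_hmac('sha256', "{$socketId}:{$channel}", $secret);

$cases = [
    'valid token'                 => "app-key:{$mac}",
    'last MAC character changed'  => 'app-key:' . substr($mac, 0, -1) . ($mac[-1] === '0' ? '1' : '0'),
    'truncated MAC'               => 'app-key:' . substr($mac, 0, 32),
    'signature string, not a MAC' => "app-key:{$socketId}:{$channel}",
    'non-string auth field'       => ['app-key', $mac],
];

foreach ($cases as $label => $auth) {
    printf("%-30s %s\n", $label, verifyAuth($secret, $socketId, $channel, $auth) ? 'accepted' : 'rejected');
}
```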