
Use secret config var consistently.

markstory committed Nov 22, 2017
1 parent 643295f commit dcd7382c7c71ec86ba772ec83ee471c40e60131c
Showing with 5 additions and 3 deletions.
  1. +5 −3 src/Auth/DigestAuthenticate.php
@@ -71,7 +71,7 @@ class DigestAuthenticate extends BasicAuthenticate
* Besides the keys specified in BaseAuthenticate::$_defaultConfig,
* DigestAuthenticate uses the following extra keys:
*
* - `secret` The secret to use for nonce validation. Defaults to Security.salt.
* - `secret` The secret to use for nonce validation. Defaults to Security::getSalt().
* - `realm` The realm authentication is for, Defaults to the servername.
* - `qop` Defaults to 'auth', no other values are supported at this time.
* - `opaque` A string that must be returned unchanged by clients.
@@ -251,7 +251,8 @@ public function loginHeaders(ServerRequest $request)
protected function generateNonce()
{
$expiryTime = microtime(true) + $this->getConfig('nonceLifetime');
$signatureValue = hash_hmac('sha256', $expiryTime . ':' . $this->getConfig('secret'), Security::getSalt());
$secret = $this->getConfig('secret');
$signatureValue = hash_hmac('sha256', $expiryTime . ':' . $secret, $secret);
$nonceValue = $expiryTime . ':' . $signatureValue;
return base64_encode($nonceValue);
@@ -277,7 +278,8 @@ protected function validNonce($nonce)
if ($expires < microtime(true)) {
return false;
}
$check = hash_hmac('sha256', $expires . ':' . $this->getConfig('secret'), $this->getConfig('secret'));
$secret = $this->getConfig('secret');
$check = hash_hmac('sha256', $expires . ':' . $secret, $secret);
return hash_equals($check, $checksum);
}
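Review bot: The HMAC over the expiry is now written out twice, once in generateNonce (`$secret = $this->getConfig('secret'); $signatureValue = hash_hmac('sha256', $expiryTime . ':' . $secret, $secret);`) and again in validNonce, and the mismatch this commit repairs (one side keyed with Security::getSalt(), the other with the configured secret) is exactly the drift that such duplication invites. A single helper called from both paths would make the key and message layout identical by construction, so a later edit to either cannot silently reject every nonce. validNonce begins before its hunk and generateNonce's closing brace is not shown, so the call sites below are excerpts. If `secret` can be unset at runtime the helper is also the one place to reject an empty key, since an HMAC keyed with an empty string offers no forgery protection; whether the constructor already applies the Security::getSalt() default named in the docblock is not visible here.
```php
$expiryTime = microtime(true) + $this->getConfig('nonceLifetime');
$signatureValue = $this->nonceSignature($expiryTime);
// … unchanged: rest of generateNonce() …

/**
 * HMAC binding a nonce expiry time to the configured secret; shared by
 * generateNonce() and validNonce() so the two paths cannot use different keys.
 */
protected function nonceSignature($expiryTime)
{
    $secret = $this->getConfig('secret');

    return hash_hmac('sha256', $expiryTime . ':' . $secret, $secret);
}

// … unchanged: validNonce() up to the expiry check …
$check = $this->nonceSignature($expires);
return hash_equals($check, $checksum);
```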
