
be more forgiving of parameter ordering in SSO

1 parent 00e8d19 commit b24548e92b6181b5f25da2dd1bdc38d72ec69a84 @jacobo jacobo committed Oct 7, 2011
Showing with 10 additions and 5 deletions.
  1. +1 −1 Gemfile.lock
  2. +9 −4 lib/ey_api_hmac/sso.rb
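--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
-ey_api_hmac (0.0.15.pre)
+ey_api_hmac (0.0.15)
 json
 rack-client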
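--- a/lib/ey_api_hmac/sso.rb
+++ b/lib/ey_api_hmac/sso.rb
@@ -9,17 +9,18 @@ def self.sign(url, parameters, auth_id, auth_key)
 verify_params!(url, extra_params, parameters)
 parameters.merge!(extra_params)
 end
-uri.query = parameters.sort_by(&:to_s).map {|e| e.map{|str| CGI.escape(str.to_s)}.join '='}.join '&'
+uri.query = params_to_string(parameters)
 signature = CGI.escape(signature_param(uri.to_s, auth_id, auth_key))
 uri.query += "&signature=#{signature}"
 uri.to_s
 end
 def self.authenticated?(url, auth_id, auth_key)
 uri = URI.parse(url)
-signature = CGI.unescape(uri.query.match(/&signature=(.*)$/)[1])
-signed_string = uri.to_s.gsub(/&signature=(.*)$/,"")
-signature_param(signed_string.to_s, auth_id, auth_key) == signature
+query_params = CGI::parse(uri.query)
+signature = query_params.delete("signature").to_s
+uri.query = params_to_string(query_params)
+signature == signature_param(uri.to_s, auth_id, auth_key)
 end
 def self.signature_param(signed_string, auth_id, auth_key)
@@ -28,6 +29,10 @@ def self.signature_param(signed_string, auth_id, auth_key)
 private
+def self.params_to_string(parameters)
+parameters.sort_by(&:to_s).map {|e| e.map{|str| CGI.escape(str.to_s)}.join '='}.join '&'
+end
+
 def self.verify_params!(url, extra_params, parameters)
 illegal_query_params = parameters.keys.map(&:to_s) + ["signature"]
 extra_params.keys.each do |k|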
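Review bot: In `authenticated?`, both `query_params.delete("signature").to_s` and the values handed to `params_to_string` are the Array values that `CGI::parse` returns, not the scalar strings that `sign` serialised, so the reconstructed signed string only matches the original while `Array#to_s` joins (Ruby 1.8); on 1.9+ `["x"].to_s` is `"[\"x\"]"`, the signature and every value are re-escaped in inspect form, and verification would fail for every URL, while even under 1.8 a repeated key is joined with no separator. Unwrap the values before re-serialising, e.g. `signature = Array(query_params.delete("signature")).first.to_s` and `uri.query = params_to_string(query_params.map { |k, v| [k, Array(v).first] })`, or reject a query in which any key occurs more than once, since the signed form produced from a Hash cannot represent it. `signature == signature_param(...)` is an ordinary string compare; an HMAC check is conventionally done with a constant-time comparison so the verifier does not leak timing information about the expected value. The body of `signature_param` and the remainder of `verify_params!` lie outside the hunk.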
