`TimestampSigner` not working as expected when I use a `-` as separator

[avinassh]

To produce the error:

from itsdangerous import TimestampSigner
s = TimestampSigner('secret-key', sep='-')
string = s.sign('foo')
s.unsign(string, max_age=50)

When I ran the above code multiple times in loop, I got following exceptions: SignatureExpired or BadTimeSignature.

[davidism]

I can't reproduce either error with the example given. If you got a signature expired, then you waited longer than 50 seconds before unsigning.

[avinassh]

Nope, I am not waiting more than 50 seconds, I am just checking instantly. Here is an video demo where I am just copy pasting repeatedly and you will see both the errors: http://gifyu.com/image/FHN

[avinassh]

I used the same code which I had posted earlier. Now I am not sure why its not generating error in your machine.

[johnlam]

Here's what I think is going on.
The signature will be urlsafe_b64encode()d .
So part of the signature (and/or part of the timestamp) might contain your separator - , which would result in either a wrong timestamp or a wrong signature.

A potential fix could be to check if the separator is part of the base64_urlsafe() charset and/or write that in the docs.

How to reproduce.

for i in xrange(100):
    s = TimestampSigner('secret-key',sep='-')
    mystr = s.sign('foo')
    try:
        s.unsign(mystr,max_age=200)
    except:
        raise
    time.sleep(1)

Example string foo-CmVi_g-pt8iji6JAw61H0EJm-bFJumhEZw (signature will be bFJumhEZw instead of pt8iji6JAw61H0EJm-bFJumhEZw)

[untitaker]

I fixed it exactly as @johnlam described. I'm not considering this API breakage because this sort of usage never worked.