Merge pull request #17 from tenbits/patch-1

Fix #15: use sha1 hashes for double signing
tj · Jun 25, 2014 · 4cc5e21 · 4cc5e21
2 parents 1d1b25b + 0aa4ec2
commit 4cc5e21
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/index.js b/index.js
@@ -39,5 +39,13 @@ exports.unsign = function(val, secret){
   var str = val.slice(0, val.lastIndexOf('.'))
     , mac = exports.sign(str, secret);
 
-  return exports.sign(mac, secret) == exports.sign(val, secret) ? str : false;
+  return sha1(mac) == sha1(val) ? str : false;
 };
+
+/**
+ * Private
+ */
+
+function sha1(str){
+  return crypto.createHash('sha1').update(str).digest('hex');
+}