From 0aa4ec2fffa29753efe7661ef9fe7f8e5f0f4843 Mon Sep 17 00:00:00 2001
From: Alex Kit
Date: Wed, 25 Jun 2014 03:06:57 +0200
Subject: [PATCH] Fix #15: use sha1 hashes for double signing
---
 index.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/index.js b/index.js
index 32419fe..b63bf84 100644
--- a/index.js
+++ b/index.js
@@ -39,5 +39,13 @@ exports.unsign = function(val, secret){
 var str = val.slice(0, val.lastIndexOf('.'))
 , mac = exports.sign(str, secret);
- return exports.sign(mac, secret) == exports.sign(val, secret) ? str : false;
+ return sha1(mac) == sha1(val) ? str : false;
 };
+
+/**
+ * Private
+ */
+
+function sha1(str){
+ return crypto.createHash('sha1').update(str).digest('hex');
+}
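Review bot: `sha1(mac) == sha1(val)` in `exports.unsign` is still an early-exit string comparison, and the digests are no longer keyed with `secret` as the removed `exports.sign(...)` calls were, so the party supplying `val` can predict one side of the compare. On runtimes that provide it, a length check followed by a constant-time compare is the more direct fix: `var a = Buffer.from(mac), b = Buffer.from(val);` then `return a.length === b.length && crypto.timingSafeEqual(a, b) ? str : false;`. If the hash approach stays, the `Private` comment over `sha1` should say that the digest only blinds the comparison and is not an integrity check, e.g. `// sha1 is used only to decorrelate compare timing; the signature itself comes from exports.sign`. The body of `exports.unsign` begins above the hunk, so any type or length validation of `val` is not visible here.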