
Authorization->verify() not matching for refresh endpoint #4

Open
dbd5 opened this issue May 28, 2024 · 1 comment


dbd5 commented May 28, 2024

Hello,

I am trying to play with the refresh endpoint so I can get a general understanding of how things work.

After a successful login / authentication I use the static HMAC::generate() to generate the HMAC Authorization header (V1 - set version = 1 in the call to Authorization) as follows:

```php
// Build the V1 HMAC Authorization header value for the refresh request
// using the test-support helper; the credentials are those returned by login.
Yii::warning(\common\yrc\tests_support\HMAC::generate(
    '/v1/user/refresh',
    [
        "access_token"   => "PAX4R4CJPW56UGDOC65EGHH6GQAVWGQ6PD6VERHF6W2XS5EC555Q",
        "refresh_token"  => "IG36HCPXTNYFIBOHDT7IXAV3QEDYMGPIVSSE6XXW3Z5TD6YEGXZR3XZIYNK2BBGLXFY3XX5IDL2FDLRKY736VFB4B7V3A44WT4WCE6I",
        "ikm"            => "4rUgb3f0hJVhUcyrw5495VcBC+sCS1biBxL5hoq+WZU=",
        "expires_at"     => 1716902878,
        "secret_sign_kp" => "gVpGYJkATcwgMUbWtZL604VbNB7X6dw6GnSxEaCTqZahM99vqrwMSQWyEwseOsap1rHugbwxXUqn2gX0NnDKqQ==",
    ],
    'post',            // HTTP method of the request being signed
    new DateTime(),    // request time (also sent as the X-Date header)
    ["refresh_token" => "IG36HCPXTNYFIBOHDT7IXAV3QEDYMGPIVSSE6XXW3Z5TD6YEGXZR3XZIYNK2BBGLXFY3XX5IDL2FDLRKY736VFB4B7V3A44WT4WCE6I"],  // request body
));
```

I then set this as the Authorization header in Postman and also set the X-Date header.

When I make a Postman call to https://api.localhost/v1/user/refresh with the payload `"refresh_token" => "IG36HCPXTNYFIBOHDT7IXAV3QEDYMGPIVSSE6XXW3Z5TD6YEGXZR3XZIYNK2BBGLXFY3XX5IDL2FDLRKY736VFB4B7V3A44WT4WCE6I"`, I always get "Your request was made with invalid credentials."

In debugging this, I have set the driftAllowance to an unreasonably high number just to rule out timing in Authorization->verify().
It appears that the $hmac never matches $auth->getHMAC() in the lines:

```php
// Constant-time comparison of the computed HMAC with the one presented in the header
if (\sodium_memcmp($hmac, $auth->getHMAC()) === 0) {
    return true;
}
```

I'd appreciate your insights as to what I could be doing wrong.

Thanks
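Added illustration, not part of the original issue or of the yrc library: a simplified HMAC request-signing scheme (method, path, X-Date and a SHA-256 of the raw body bytes are assumed to form the signed string) showing why a verifier that compares digests in constant time still rejects a request when the client signed one byte serialisation of the body but the HTTP client sent another, or when the X-Date drifts beyond the allowance.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed shared secret for the example only (not a real key).
SECRET = b"example-shared-secret-not-real"


def canonical_string(method: str, path: str, x_date: str, body: bytes) -> str:
    """Signed string: method, path, X-Date and a hash of the exact body bytes.
    This layout is an assumption for illustration, not the library's format."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, x_date, body_hash])


def sign(method: str, path: str, x_date: str, body: bytes) -> str:
    msg = canonical_string(method, path, x_date, body).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def verify(method, path, x_date, body, presented, now=None, drift_allowance=90):
    """Server side: reject a stale X-Date first, then compare in constant time."""
    sent = datetime.strptime(x_date, "%Y-%m-%dT%H:%M:%S%z")
    now = now or datetime.now(timezone.utc)
    if abs((now - sent).total_seconds()) > drift_allowance:
        return False
    return hmac.compare_digest(sign(method, path, x_date, body), presented)


def demo() -> dict:
    path = "/v1/user/refresh"
    x_date = "2024-05-28T12:00:00+0000"
    now = datetime(2024, 5, 28, 12, 0, 30, tzinfo=timezone.utc)
    payload = {"refresh_token": "CONSTRUCTED_TOKEN"}  # constructed sample
    # The client signs a compact serialisation of the payload ...
    signed_body = json.dumps(payload, separators=(",", ":")).encode()
    auth = sign("post", path, x_date, signed_body)
    # ... but the HTTP client actually sends pretty-printed JSON.
    sent_body = json.dumps(payload, indent=2).encode()
    late = datetime(2024, 5, 28, 13, 0, 0, tzinfo=timezone.utc)
    return {
        "exact_body": verify("POST", path, x_date, signed_body, auth, now),
        "reformatted_body": verify("POST", path, x_date, sent_body, auth, now),
        "stale_date": verify("POST", path, x_date, signed_body, auth, late),
    }
```

When chasing a mismatch like the one above, log the exact canonical string (or the raw body bytes) on both sides and diff them, rather than only the resulting digests.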

@charlesportwoodii-cb

Hi @dbd5. This repository was last updated over 4 years ago now, and there are better, more robust solutions now. If you're looking for a couple, I'd recommend (in no particular order):
