Skip to content

Commit 739cf85

Browse files
committed
Fix header regex.
The previous regex would match any number of instances of any of the supported SHA formats, e.g. SHA111. Instead of matching any number, we want to match optionally one. Also added some tests that this rejects invalid digest formats.
1 parent 36692c0 commit 739cf85

2 files changed

Lines changed: 22 additions & 6 deletions

File tree

lib/api_auth/base.rb

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -69,7 +69,7 @@ def generate_secret_key
6969

7070
private
7171

72-
AUTH_HEADER_PATTERN = /APIAuth(?:-HMAC-(MD[245]|SHA(?:1|224|256|384|512)*))? ([^:]+):(.+)$/
72+
AUTH_HEADER_PATTERN = /APIAuth(?:-HMAC-(MD[245]|SHA(?:1|224|256|384|512)?))? ([^:]+):(.+)$/
7373

7474
def request_too_old?(headers)
7575
# 900 seconds is 15 minutes

spec/api_auth_spec.rb

Lines changed: 21 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -127,16 +127,32 @@ def hmac(secret_key, request, canonical_string = nil, digest = 'sha1')
127127
)
128128
canonical_string = ApiAuth::Headers.new(new_request).canonical_string
129129
signature = hmac('123', new_request, canonical_string, 'sha256')
130-
new_request['Authorization'] = "APIAuth-HMAC-SHA256 1044:#{signature}"
130+
new_request['Authorization'] = "APIAuth-HMAC-#{digest} 1044:#{signature}"
131131
new_request
132132
end
133133

134-
it 'validates for sha256 digest' do
135-
expect(ApiAuth.authentic?(request, '123', :digest => 'sha256')).to eq true
134+
context 'valid request digest' do
135+
let(:digest) { 'SHA256' }
136+
137+
context 'matching client digest' do
138+
it 'validates matching digest' do
139+
expect(ApiAuth.authentic?(request, '123', :digest => 'sha256')).to eq true
140+
end
141+
end
142+
143+
context 'different client digest' do
144+
it 'raises an exception' do
145+
expect { ApiAuth.authentic?(request, '123', :digest => 'sha512') }.to raise_error(ApiAuth::InvalidRequestDigest)
146+
end
147+
end
136148
end
137149

138-
it 'validates exception with wrong client digest' do
139-
expect { ApiAuth.authentic?(request, '123', :digest => 'sha512') }.to raise_error(ApiAuth::InvalidRequestDigest)
150+
context 'invalid request digest' do
151+
let(:digest) { 'SHA111' }
152+
153+
it 'fails validation' do
154+
expect(ApiAuth.authentic?(request, '123', :digest => 'sha111')).to eq false
155+
end
140156
end
141157
end
142158
end

0 commit comments

Comments
 (0)