
Commit 48c4625

bekkerdenji
authored andcommitted
Update README.md: Fix hmac message
You should NOT concatenate the timestamp and expire time without a delimiter in a production environment. For those who copy the README code blindly, fixed the hmac message.
1 parent 789787f commit 48c4625


1 file changed

+5
-5
lines changed


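--- a/README.md
+++ b/README.md
@@ -51,7 +51,7 @@ location ^~ /files/ {
 secure_link_hmac_secret my_secret_key;
 
 # Message to be verified
-secure_link_hmac_message $uri$arg_ts$arg_e;
+secure_link_hmac_message $uri|$arg_ts|$arg_e;
 
 # Cryptographic hash function to be used
 secure_link_hmac_algorithm sha256;
@@ -88,7 +88,7 @@ perl_set $secure_token '
 my $timestamp = strftime("%Y-%m-%dT%H:%M:%S", localtime($now)) . $tz;
 my $r = shift;
 my $data = $r->uri;
-my $digest = hmac_sha256_base64($data . $timestamp . $expire, $key);
+my $digest = hmac_sha256_base64($data . "|" . $timestamp . "|" . $expire, $key);
 $digest =~ tr(+/)(-_);
 $data = "st=" . $digest . "&ts=" . $timestamp . "&e=" . $expire;
 return $data;
@@ -103,7 +103,7 @@ $secret = 'my_very_secret_key';
 $expire = 60;
 $algo = 'sha256';
 $timestamp = date('c');
-$stringtosign = "/files/top_secret.pdf{$timestamp}{$expire}";
+$stringtosign = "/files/top_secret.pdf|{$timestamp}|{$expire}";
 $hashmac = base64_encode(hash_hmac($algo, $stringtosign, $secret, true));
 $hashmac = strtr($hashmac, '+/', '-_'));
 $hashmac = str_replace('=', '', $hashmac);
@@ -118,7 +118,7 @@ const crypto = require("crypto");
 const secret = 'my_very_secret_key';
 const expire = 60;
 const unixTimestamp = Math.round(Date.now() / 1000.);
-const stringToSign = `/files/top_secret.pdf${unixTimestamp}${expire}`;
+const stringToSign = `/files/top_secret.pdf|${unixTimestamp}|${expire}`;
 const hashmac = crypto.createHmac('sha256', secret).update(stringToSign).digest('base64')
 .replace(/=/g, '')
 .replace(/\+/g, '-')
@@ -134,7 +134,7 @@ The string to be signed is defined in `secure_link_hmac_message`, the `secure_li
 location ^~ /backend_location/ {
 set $expire 60;
 
-secure_link_hmac_message "$uri$time_iso8601$expire";
+secure_link_hmac_message "$uri|$time_iso8601|$expire";
 secure_link_hmac_secret "my_very_secret_key";
 secure_link_hmac_algorithm sha256;
 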