-
Notifications
You must be signed in to change notification settings - Fork 662
verifySignature method with auth i think it need to change #1099
-
`
if (Str::after($payload->auth, ':') !== hash_hmac('sha256', $signature, $connection->app->secret)) {
throw new InvalidSignature();
}
`
i think it's not correct to check if Str::after($payload->auth, ':') equal hash_hmac('sha256', $signature, $connection->app->secret)
we need helper function to check if those the same or not
like that
if(!function_exists('hash_equals')) { function hash_equals($str1, $str2) { $str1_len = strlen($str1); $str2_len = strlen($str2); $diff = $str1_len ^ $str2_len; for($x = 0; $x < $str1_len && $x < $str2_len; $x++) { $diff |= ord($str1[$x]) ^ ord($str2[$x]); } return $diff === 0; } }
and then method can be
protected function verifySignature(ConnectionInterface $connection, stdClass $payload) { $signature = "{$connection->socketId}:{$this->channelName}"; if (isset($payload->channel_data)) { $signature .= ":{$payload->channel_data}"; } if (!hash_equals(hash_hmac('sha256', Str::after($payload->auth, ':'), $connection->app->secret),hash_hmac('sha256', $signature, $connection->app->secret)) ) { throw new InvalidSignature(); } }
Beta Was this translation helpful? Give feedback.