hi developers
I am facing a problem with the load callback (and the delete callback, by extension).
I am trying to verify the authenticity of requests according to the algorithm described in the documentation. https://developer.bigcommerce.com/apps/load#signed-payload
I can decode the JSON string and the data is correct, but the signatures never match. I did not think about using the correct client secret, and I did not believe other encoding/decoding scripts.
Another problem is related to the code snippet (PHP) that they provide in the example (and in their sample application). It seems that they return null when the signatures match, and the decoded data when they do not ... (try secureCompare())
This means that the security test will pass every time, because in all my attempts the signatures did not match.
Did I miss something?
Edit: Here is the example from the documentation. I can't give you sample data, because the client's secret has to remain secret ...
function verify($signedRequest, $clientSecret)
{
    // signed_payload is "base64(json) . base64(signature)"
    list($payload, $encodedSignature) = explode('.', $signedRequest, 2);
    $signature = base64_decode($encodedSignature);
    $data = json_decode(base64_decode($payload), true);
    // HMAC-SHA256 over the still-encoded payload, raw binary output
    $expectedSignature = hash_hmac('sha256', $payload, $clientSecret, true);
    // NOTE: secureCompare() returns true when the strings are EQUAL,
    // so this branch is taken on a matching signature, not a bad one.
    if (secureCompare($signature, $expectedSignature)) {
        error_log('Bad Signed JSON signature!');
        return null;
    }
    return $data;
}

// Constant-time comparison: returns true only if both strings are identical.
function secureCompare($str1, $str2)
{
    $res = $str1 ^ $str2;                       // XOR of the common prefix
    $ret = strlen($str1) ^ strlen($str2);       // non-zero if lengths differ
    for ($i = strlen($res) - 1; $i >= 0; $i--) {
        $ret += ord($res[$i]);                  // accumulate differing bytes
    }
    return !$ret;                               // true only when nothing differed
}
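To make the inverted check visible without a real client secret, here is an added, self-contained Python example (not code from the question or from BigCommerce's docs) that builds a signed payload from constructed sample data, mirrors the documented check, and shows a corrected verifier. It assumes the raw-HMAC convention of the snippet above; the secret and payload values are made up.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (not real BigCommerce data).
SAMPLE_SECRET = b"example-client-secret-not-real"
SAMPLE_DATA = {"user": {"id": 1, "email": "owner@example.com"}, "store_hash": "abc123"}


def sign(data: dict, client_secret: bytes) -> str:
    """Build a payload of the form base64(json).base64(raw HMAC-SHA256).

    The HMAC is computed over the base64-encoded JSON, exactly as the
    snippet in the question verifies it.
    """
    payload = base64.b64encode(json.dumps(data, separators=(",", ":")).encode())
    mac = hmac.new(client_secret, payload, hashlib.sha256).digest()
    return payload.decode() + "." + base64.b64encode(mac).decode()


def verify_as_documented(signed_request: str, client_secret: bytes):
    """Mirror of the posted snippet, including its inverted condition:
    a MATCHING signature is treated as bad and yields None."""
    payload, encoded_signature = signed_request.split(".", 1)
    signature = base64.b64decode(encoded_signature)
    data = json.loads(base64.b64decode(payload))
    expected = hmac.new(client_secret, payload.encode(), hashlib.sha256).digest()
    if hmac.compare_digest(signature, expected):
        return None  # BUG: this is the "signatures match" case
    return data


def verify(signed_request: str, client_secret: bytes):
    """Corrected check: None on mismatch or malformed input, data on match."""
    payload, _, encoded_signature = signed_request.partition(".")
    if not encoded_signature:
        return None
    try:
        signature = base64.b64decode(encoded_signature, validate=True)
        expected = hmac.new(client_secret, payload.encode(), hashlib.sha256).digest()
        # Compare BEFORE decoding/trusting the payload, in constant time.
        if not hmac.compare_digest(signature, expected):
            return None
        return json.loads(base64.b64decode(payload, validate=True))
    except (ValueError, UnicodeDecodeError):
        return None
```

With a wrong secret the documented version returns the decoded data, which is the "test passes every time" behaviour described in the question.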