HMAC and multiple-items non-functional

phayes
in Bugs & Feature Requests edited April 2014
Hi there,

I've been banging my head against the problem of adding multiple items to a cart in a single link while using HMAC and I've come to the conclusion that it's a bug with foxycart itself.


Functional:||0925cee7d0557a383ffe80ed3050e9e4f314c4e650cfb2bedc568cf59ab95816&name=Negotiating Kingship in France at the Time of the Early Crusades: Suger and the Gesta Ludovici Grossi||8aadb665c904d85bb30bcfd3313696c988322dec2809a0bc675bf624707f180d&price=18.00||8ad091c77a3888a186c5345c0ab54c7ffcb51ee18090a659d98e86d8b58e09d2

Functional:||0d31a4e92ae8bf2dfb65f8143500d37953930f9bdfd0616385c50c4b9acbb223&name=An Unlikely Pair: Satire and Jansenism in the Sarcelades, 1731-1764||a8f5af2239b1c894d3bd825b815caa2026cdbef6e346c1e8f7c6f3da9de15217&price=18.00||0f5e84607e87b7e23910fe0613bf8b3312ac63653d45e4bb08c0cc37c0c9141a

Broken:||0925cee7d0557a383ffe80ed3050e9e4f314c4e650cfb2bedc568cf59ab95816&name=Negotiating Kingship in France at the Time of the Early Crusades: Suger and the Gesta Ludovici Grossi||8aadb665c904d85bb30bcfd3313696c988322dec2809a0bc675bf624707f180d&price=18.00||8ad091c77a3888a186c5345c0ab54c7ffcb51ee18090a659d98e86d8b58e09d2&1:code=/ddfhs/36/4/543.atom||0d31a4e92ae8bf2dfb65f8143500d37953930f9bdfd0616385c50c4b9acbb223&1:name=An Unlikely Pair: Satire and Jansenism in the Sarcelades, 1731-1764||a8f5af2239b1c894d3bd825b815caa2026cdbef6e346c1e8f7c6f3da9de15217&1:price=18.00||0f5e84607e87b7e23910fe0613bf8b3312ac63653d45e4bb08c0cc37c0c9141a

You'll note that this third link is a direct union of the other two and should work, but it doesn't.
  fc_adam

    How exactly are you encrypting the data for those links? As noted on our HMAC wiki page, when doing multiple products in a form (i.e. prefixing product attributes with a number) you don't include the number prefix in the hash. So while the name for the second product would be "1:name", you still only encrypt it as "name". Does that help?
  • I got that part - I'm only HMAC'ing the portion of the attribute-name after the colon.

    A co-worker of mine got it working by adding a number in front of *every* attribute:||0925cee7d0557a383ffe80ed3050e9e4f314c4e650cfb2bedc568cf59ab95816&1:name=Negotiating Kingship in France at the Time of the Early Crusades: Suger and the Gesta Ludovici Grossi||8aadb665c904d85bb30bcfd3313696c988322dec2809a0bc675bf624707f180d&1:price=18.00||8ad091c77a3888a186c5345c0ab54c7ffcb51ee18090a659d98e86d8b58e09d2&2:code=/ddfhs/36/4/543.atom||0d31a4e92ae8bf2dfb65f8143500d37953930f9bdfd0616385c50c4b9acbb223&2:name=An Unlikely Pair: Satire and Jansenism in the Sarcelades, 1731-1764||a8f5af2239b1c894d3bd825b815caa2026cdbef6e346c1e8f7c6f3da9de15217&2:price=18.00||0f5e84607e87b7e23910fe0613bf8b3312ac63653d45e4bb08c0cc37c0c9141a

    So this is now resolved on my end, but I would suggest altering your API to be a little more forgiving (or more explicit with your instructions) with the numbering scheme for multiple items. It looks like two formats are allowed:

    1. Numbering every attribute starting at index 1.

    2. Not numbering the attributes for the first item, but numbering attributes for every other item starting at index 2 (this is what tripped me up)

    If I may, I would suggest the following changes in your API:

    1. Start the index at 0. Most programmers are used to zero-indexing by default. 1-based indexing is weird.

    2. When no index is specified, implicitly assign index 0. This would have prevented my particular problem.

    3. To preserve backwards compatibility you'll have to detect the case where there is an index-0 item and index-2 item, but no index-1 item.

    Those are my humble suggestions. Regardless, the issue is now fixed for me.

    Thanks so much for the super-quick response!

  fc_adam
    edited April 2014

    Glad you got it sorted!

    Thanks for your suggestions too.

    For what it's worth you can set the first product to be prefixed by 0 if you'd prefer - in fact, they don't even have to be sequential - you could have three products prefixed as 0, 4 and 55 and all three products will still add to the cart just fine. The specific numbers aren't really important - it's more that each individual product's attributes are prefixed by the same number.

    I can see the issue you're bumping into though: the first item that is unprefixed is assigned as product 1, so you prefixing the second product with 1 as well caused follow-on issues. For now I'll update our documentation to be clearer in that regard, and we'll discuss the idea of changing to 0 as the base number amongst the team.

    [edit to add] I just checked our docs, and it is noted on our add to cart page that it's an assumed 1, but I'll also note that on our HMAC page to make it clear there too.
  • Awesome. Thanks so much! I really appreciate the prompt replies!
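
The prefix rule worked out in this thread, as an added example that is not part of the original posts and is not FoxyCart's code: it signs each attribute without its numeric prefix, gives every product an explicit prefix, and lints a link for two products landing on the same index. The API key, the sample products, the function names and the exact HMAC input (code + attribute name + value, HMAC-SHA256) are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from urllib.parse import quote

API_KEY = b"constructed-demo-key"  # placeholder, not a real store secret

# Constructed sample: item one unprefixed, item two prefixed "1:" (the broken shape).
BROKEN = ("code=A-1||aa&name=First||bb&price=18.00||cc"
          "&1:code=B-2||dd&1:name=Second||ee&1:price=18.00||ff")


def sign(code, attr, value, key=API_KEY):
    # Assumption: HMAC-SHA256 over code + attribute name + value.
    # Per the thread, the "N:" prefix is never part of the hashed name.
    msg = f"{code}{attr}{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_query(products, start=1):
    """Sign every product and give each one its own explicit prefix."""
    parts = []
    for idx, product in enumerate(products, start):
        for attr, value in product.items():
            sig = sign(product["code"], attr, value)
            parts.append(f"{idx}:{attr}={quote(str(value))}||{sig}")
    return "&".join(parts)


def prefix_collisions(query):
    """Return {index: [attributes seen more than once]} for a cart query."""
    seen = defaultdict(list)
    for pair in query.split("&"):
        key = pair.split("=", 1)[0]
        prefix, sep, attr = key.partition(":")
        if sep and prefix.isdigit():
            idx = int(prefix)
        else:
            idx, attr = 1, key  # unprefixed attributes are an assumed 1
        seen[idx].append(attr)
    return {i: sorted({a for a in attrs if attrs.count(a) > 1})
            for i, attrs in seen.items()
            if len(attrs) != len(set(attrs))}
```

Running `prefix_collisions` over generated links before publishing them catches the unprefixed-plus-`1:` mix while each attribute's signature is still individually well-formed.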
