Digitally Signing URL

Shannon (Member)
in Help, edited June 2013
I am having problems digitally signing the URL:

http://www.tennisrecruiting.net/photos/album.asp?id=11165&photo=3

I have tried generating the HMAC value for:

"http://www.tennisrecruiting.net/photos/album.asp?id=11165&photo=3"
"http://www_tennisrecruiting_net/photos/album_asp?id=11165&photo=3"

Neither works. I have successfully generated the HMAC values for the other variables. Even the online encoder in Step 2 of the Sample Code seems to fail. It turns the following:

<a href="https://tennisrecruiting.foxycart.com/cart?name=Ethan Gardner&code=Photo90414&category=Photo Download&quantity_max=1&price=10&image=http://www.tennisrecruiting.net/photos/img/9/0/4/1/4/t3339.jpg&url=http%3A%2F%2Fwww.tennisrecruiting.net%2Fphotos%2Falbum.asp%3Fid%3D11165%26photo%3D3">Add to Cart</a>

... into ...

<a href="https://tennisrecruiting.foxycart.com/cart?name=Ethan+Gardner||b5c690b28aa9c168e11414c82cc836e2a2416efd8d9f57c4526c233656acf5fa&code=Photo90414||48a9045e6debab47cd37d14756222e3bd6d9a44cbf2159926011f10cf524320b&category=Photo+Download||746ac69e2c9d2a2a1a0078a62148d0a25b12242ff721bee49f042374bdddb349&quantity_max=1||8ee7c643942a1955be5d5daf5ac285fc944e046442def4b8fa769fc7e1746cb7&price=10||3721a2a56c64719e570ecb4b827201148790b179645c0a5287717f0dbb93b6e7&image=http%3A%2F%2Fwww.tennisrecruiting.net%2Fphotos%2Fimg%2F9%2F0%2F4%2F1%2F4%2Ft3339.jpg||0db2004dee24a171a66ddfc1a4deda1d42bf1e83ab8fa74ca7e2d030d2688e53&url=http%3A%2F%2Fwww.tennisrecruiting.net%2Fphotos%2Falbum.asp%3Fid%3D11165||76b4a5ffe127f9e5432b7197fb6b022a2d4e87e08930c7693f7e62963e40e5ac&photo=3||425e66e02f476d7f188ae67b0ebcd6b2c026dc2f6b1ea3dc2997f8fcbbb53ad6">Add to Cart</a>

Note that the "photo" parameter of the URL is split off into a separate parameter.
Comments
  • fc_adam (FoxyCart Team)
    edited April 2017
    @Shannon,

    That does indeed look like a limitation with our link/form validation. I'll discuss this with the team and someone will be in touch shortly.
  • Shannon (Member)
    edited June 2013
    For some more detail, here is what I have found when trying my own HMAC/SHA-256 encodings.

    1) name=Ethan+Gardner
    I needed to encode "Ethan Gardner" to get a match. "Ethan_Gardner" does not get a match. The documentation on the wiki page says "Spaces and periods are converted to underscores when FoxyCart generates the HMAC against which to verify the submitted hash." This does not seem to be the case here.

    2) code=Photo90414
    Got a match as expected.

    3) category=Photo+Download
    I needed to encode "Photo Download" to get a match, not "Photo_Download". Same as #1.

    4) quantity_max=1
    Got a match as expected.

    5) price=10
    Got a match as expected.

    6) image=http://www.tennisrecruiting.net/photos/img/9/0/4/1/4/t3339.jpg
    I needed to encode "http://www.tennisrecruiting.net/photos/img/9/0/4/1/4/t3339.jpg" to get a match. If I converted any special characters (such as a ".") to an underscore, I would not get a match. Same as #1 and #3.

    7) url=http://www.tennisrecruiting.net/photos/album.asp?id=11165&photo=3
    This is where I really get stuck. I don't know what string to encode. Like I said above, I have tried "http://www.tennisrecruiting.net/photos/album.asp?id=11165&photo=3". This doesn't work. I converted the periods to underscores. No luck. I am not sure what "other special characters" I should convert to underscores.

    Basically, I have not seen a case where the wiki documentation is right. Converting spaces or periods to underscores results in a failed digital signature. Every return URL will look like #7, though, so I am stuck either not signing the requests or leaving off the return URL.

    None of this is to rush the request, just to provide more information for the team to look at.

  • fc_adam (FoxyCart Team)
    @Shannon,

    Just for one quick clarification - how are you generating your hashes - automatically using the FoxyCart_Helper function available from our GitHub account, or are you manually hashing them using the small function?
  • fc_adam (FoxyCart Team)
    edited April 2017
    @Shannon,

    Just a quick follow up - the docs are indeed incorrect for the section you highlighted. We're not sure where that text comes from, but it could well have come from when we were first developing the link/form validation set up. I'll remove that section from the docs to remove further confusion.

    We're still looking into your number 7 - and how we can work around a URL attribute for a product having ampersands in it for its own URL parameters, but for the instances where you were working with spaces or periods - you can leave the periods as periods, you just need to consistently convert spaces to either "%20" or "+" in your URLs. Check the final dot point under Important Notes on that wiki page for working with spaces in URLs.
  • brett (FoxyCart Team)
    @Shannon, a few things I think might help in the "now" while we look a bit deeper.

    First:
    The documentation on the wiki page says "Spaces and periods are converted to underscores when FoxyCart generates the HMAC against which to verify the submitted hash." This does not seem to be the case here.
    That bullet on the docs (which @fc_adam actually removed for now while we explore) says this:
    If you need to use **spaces**, **periods**, or **other special characters** in the "name" of an input
    The key there is the _name_ of the input, not the _value_. So if you had &foo.bar=hooray, the "foo.bar" is what'd get compared to "foo_bar". The value section (in the name/value pair, in this case "hooray") isn't impacted by the periods/spaces/underscores bit.

    Second: The issue with the ampersand in the value portion definitely isn't behaving properly. I'm still looking into this, but after some initial testing, if you switch this line:
    $qs = '&'.urldecode($qs);
    
    to this:
    $qs = '&'.$qs;
    
    That seems to work in my testing thus far. We're still looking into this, however, but it might take a few days before we can fully explore this issue and run it through QA. In the meantime though, that seems to work for me. (It displays oddly in the cart, since everything else gets URL decoded, but the & stays encoded. That, and I'm not 100% sure there aren't other problems, but it does generate a hash that validates properly.)

    Does that help for now? We'll update further after we've dug in a bit more.
  • @fc_adam, I am generating my content with Delphi, so I generate my hashes with Delphi using a unit named cHash I downloaded from http://fundementals.sourceforge.net. It's a single Pascal file, and without any problem I was able to successfully generate hashes using MD-5, SHA-1, SHA-256, HMAC/MD-5, HMAC/SHA-1, and HMAC/SHA-256 for a bunch of different examples found online. Also, the hashes I generated for #1 through #6 matched what your online form generated, so I feel pretty good about the implementation.

    I understand how you treat spaces and periods in the hash functions now (as I kind of already suspected), and I am putting the right encoding in the URL. Unfortunately when I post some of my examples here with the encoding, the decoded strings are displayed in the post.

    @brett, I'm a little lost by your explanation. I'm not sure what code you are referring to. Can you give me a value and key to hash with my code so I can see if it matches what you generate? Using the key "key" I get the following hash for

    Key: "key"
    Value: "Photo90414urlhttp://www.tennisrecruiting.net/photos/album.asp?id=11165&photo=3"
    HMAC/SHA-256: "793cfcdf59ef7ce5f4dcb837f176ae45be72d0207db407bb07b4c0fd56a8b974"

    Do you get the same?
  • fc_adam (FoxyCart Team)
    @Shannon,

    Brett was referencing our helper PHP file available here: http://github.com/FoxyCart/FoxyCart-Cart-Validation--PHP
  • brett (FoxyCart Team)
    @Shannon, I'll take another look. I'd assumed you were using the github script. Sorry about that.

    When you say you're lost by my explanation, obviously the "second" bit wouldn't make sense, but did the "first" make sense? I just want to clarify that converting the spaces and periods to underscores is only for the option _name_, not the option _value_. (That said though, that's not the issue you're having with the ampersand, I know. Just want to clarify.)
  • @brett, right. The first part was very clear. I got that.

    I was just lost by your recommendation about the coding change. I thought it might be easier to throw out some example keys and values (that have "&" in them) and see if we come up with the same hash.
  • brett (FoxyCart Team)
    edited June 2013
    Hi again @Shannon, and sorry again this wasn't better documented. Oddly, it'd never come up before. Seems like it should have though. My test files had values with ? and = in them, but not with an ampersand. Sorry about that.

    Here's what you want:
    Key: "key"
    Value: Photo90414http://www.tennisrecruiting.net/photos/album.asp?id=11165&photo=3
    HMAC/SHA-256: af37e6fe4f25c83f7b56b12bf5762365e9cc821266efed0374e6a718004154a5

    EDIT: Ignore that, use this: http://pastie.org/private/1b3br0lv3yqsicivr1tw

    I can't say that I think that's necessarily _right_, and it's certainly not obvious, but that's how it currently works right now. The reason being that the ampersand obviously splits the string into a new name/value pair, so you have to URL encode it. But the validation script isn't URL decoding first, so it's getting passed to the validation with the URL encoded value to hash against.

    Does that work for you? Let me know. We'll improve the documentation, and figure out what we might want to do to improve things in the future.
  • OK. I think I understand what you're saying. I had to view source to see the code, but you're saying to hash the value "&amp;" instead of "&", right?

    Unfortunately, I don't produce the same hashed value. Do you mind confirming the following just to see where things fall apart for me? In these examples, for the key I am actually using the string "key", not my secret API key. So anyone should be able to replicate these results.

    Example #1
    Key: "key"
    Value: "."
    HMAC/SHA-256: "e79781879bd7bc04eb8d3e4abb8e734486c2a0f4d9643ae29fdead53cd551f9a"

    Example #2
    Key: "key"
    Value: "?"
    HMAC/SHA-256: "8fda146687a10a10d3ab901f3f827724467fecaabe3a80a24530e0e1dd13ef10"

    Example #3
    Key: "key"
    Value: "="
    HMAC/SHA-256: "b1d9b621b58c504cc79fb68c1768f123a4f043e554c15c1ca8cf9bff56a5004d"

    Example #4
    Key: "key"
    Value: "&"
    HMAC/SHA-256: "698830043166082dc4ae3899541c9fb7b1affc8561f9f73031eca64184ae1bee"

    Example #5
    Key: "key"
    Value: "&amp;"
    HMAC/SHA-256: "1a7233cfaa5bf62a3e4cb2c0706d9c9be4d427e1bfd7201816d612104c938065"

    Example #6
    Key: "key"
    Value: "%26" (URL encoding for "&")
    HMAC/SHA-256: "ac9bf3e8ba8418deb95fad9a2f31a2e4cca3ba33f1e5ca70bd1f8c9effefe86c"

    Example #7
    Key: "key"
    Value: "Photo90414urlhttp://www.tennisrecruiting.net/photos/album.asp?id=11165&photo=3"
    HMAC/SHA-256: "793cfcdf59ef7ce5f4dcb837f176ae45be72d0207db407bb07b4c0fd56a8b974"

    Example #8
    Key: "key"
    Value: "Photo90414urlhttp://www.tennisrecruiting.net/photos/album.asp?id=11165&amp;photo=3"
    HMAC/SHA-256: "390a64e9209943694feba87bb1c6f52ef9eb67b5d2131bc012b7ff27f85ea1e8"

    Example #9
    Key: "key"
    Value: "Photo90414urlhttp://www.tennisrecruiting.net/photos/album.asp?id=11165%26photo=3"
    HMAC/SHA-256: "af37e6fe4f25c83f7b56b12bf5762365e9cc821266efed0374e6a718004154a5"

    Just to be clear, you are talking about using the values in example #5 and #8, right? If not, which ones should I be using?

    Thanks again for all your help on this. I know it is tedious.
  • brett (FoxyCart Team)
    Oh geez, sorry @Shannon. It was late and I didn't check to see that what I'd posted wasn't modified. It was.

    What you want to hash is this: …
    Bah, sorry. Now I have to redo my tests :) Just a bit. I'll post again in a few minutes.
  • brett (FoxyCart Team)
    Ok, what you want to do is #9. URL encode the ampersand. As you can see from your tests (sorry again you've had to go to such trouble here), that gets you the af37e6 hash, which is what our system generates itself when comparing your hash to "ours" (and what I had in my post above; at least that bit didn't get converted by the forum).

    Just to make sure any future forum upgrades don't botch things:
    http://pastie.org/private/1b3br0lv3yqsicivr1tw
    Does that get you what you want?
  • Yes, thanks! I'll run some tests on my links and let you know if I have any more problems.
  • Shannon (Member)
    edited June 2013
    @brett, No dice. It's still failing.

    So here's where I am. Signing the following URL does work:

    Unsigned URL:
    https://tennisrecruiting.foxycart.com/cart?name=Ethan+Gardner&category=Photo+Download&quantity_max=1&price=0.10&code=Photo90414&image=http://www.tennisrecruiting.net/photos/img/9/0/4/1/4/t3339.jpg

    Signed URL:
    https://tennisrecruiting.foxycart.com/cart?name=Ethan+Gardner||b5c690b28aa9c168e11414c82cc836e2a2416efd8d9f57c4526c233656acf5fa&category=Photo+Download||746ac69e2c9d2a2a1a0078a62148d0a25b12242ff721bee49f042374bdddb349&quantity_max=1||8ee7c643942a1955be5d5daf5ac285fc944e046442def4b8fa769fc7e1746cb7&price=0.10||b61a3bccd1c02c528f0f58a601918136e626f0fe56e11476d979f5bd210444b6&code=Photo90414||48a9045e6debab47cd37d14756222e3bd6d9a44cbf2159926011f10cf524320b&image=http://www.tennisrecruiting.net/photos/img/9/0/4/1/4/t3339.jpg||0db2004dee24a171a66ddfc1a4deda1d42bf1e83ab8fa74ca7e2d030d2688e53

    But signing this URL does NOT work:

    Unsigned URL:
    https://tennisrecruiting.foxycart.com/cart?name=Ethan+Gardner&category=Photo+Download&quantity_max=1&price=0.10&code=Photo90414&image=http://www.tennisrecruiting.net/photos/img/9/0/4/1/4/t3339.jpg&url=http://www.tennisrecruiting.net/photos/album.asp%3Fid%3D11165%26photo%3D3

    Signed URL:
    https://tennisrecruiting.foxycart.com/cart?name=Ethan+Gardner||b5c690b28aa9c168e11414c82cc836e2a2416efd8d9f57c4526c233656acf5fa&category=Photo+Download||746ac69e2c9d2a2a1a0078a62148d0a25b12242ff721bee49f042374bdddb349&quantity_max=1||8ee7c643942a1955be5d5daf5ac285fc944e046442def4b8fa769fc7e1746cb7&price=0.10||b61a3bccd1c02c528f0f58a601918136e626f0fe56e11476d979f5bd210444b6&code=Photo90414||48a9045e6debab47cd37d14756222e3bd6d9a44cbf2159926011f10cf524320b&image=http://www.tennisrecruiting.net/photos/img/9/0/4/1/4/t3339.jpg||0db2004dee24a171a66ddfc1a4deda1d42bf1e83ab8fa74ca7e2d030d2688e53&url=http://www.tennisrecruiting.net/photos/album.asp%3Fid%3D11165%26photo%3D3||6abbda17550428f27e308191b24a3320f025c1044ec156ca1c91fff433c4d67b

    I still get a "Cart Validation Error: url".

    As directed, I am signing the value:
    Photo90414urlhttp://www.tennisrecruiting.net/photos/album.asp?id=11165%26photo=3

    My hash is different from the one listed in the previous post, but that is because I am signing with my secret key instead of "key". But that is the only change. And since my first signed URL works I must be generating the hashes right. Is the visible encoding of the parameter's value causing the problem?

    url=http://www.tennisrecruiting.net/photos/album.asp%3Fid%3D11165%26photo%3D3

    I assumed I should be encoding all the "?", "=", and "&" in the querystring parameters.
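    The signing scheme the thread converges on, written out as an added Python example (this is not FoxyCart's helper code and not Shannon's Delphi code): each cart parameter is signed separately with HMAC-SHA256 over the product code, then the parameter name, then the value, and the link carries `name=value||hash`, as in Shannon's Example #9 string "Photo90414urlhttp://...%26photo=3". It follows brett's option #9 by percent-encoding the ampersand inside the `url` value so the cart does not split "photo=3" off into its own parameter (the failure shown in the first post), and the verifier hashes the value exactly as it arrives, without URL-decoding first, which is the behaviour brett describes. The key "key", the product code and the sample URL are the thread's own values; the parameter list, the `||` separator handling and the verifier are assumptions made for this example, and the real service's treatment of spaces (Shannon reports it hashes the space while the link carries "+") is not modelled here, so values with spaces are deliberately left out of the sample.

```python
import hashlib
import hmac
import urllib.parse

# The thread's worked examples use the literal key "key"; a real store would use its secret API key.
SECRET_KEY = "key"
PRODUCT_CODE = "Photo90414"
SEPARATOR = "||"  # signed links carry name=value||hmac, as in the cart URLs quoted in the thread

# Constructed sample parameters, using the product code and album URL quoted in the thread.
SAMPLE_PARAMS = [
    ("code", "Photo90414"),
    ("price", "10"),
    ("url", "http://www.tennisrecruiting.net/photos/album.asp?id=11165&photo=3"),
]


def hmac_sha256_hex(key, message):
    """HMAC-SHA256 over the UTF-8 bytes of the message, hex encoded (the form both sides compared)."""
    return hmac.new(key.encode("utf-8"), message.encode("utf-8"), hashlib.sha256).hexdigest()


def encode_value(value):
    """Percent-encode only what would break the query string.

    The ampersand must become %26 (brett's option #9); otherwise the cart sees a new
    name/value pair and 'photo=3' is split off. '/', ':', '?' and '=' are left alone,
    which matches the value Shannon signs in Example #9.
    """
    return urllib.parse.quote(value, safe="/:?=")


def sign_param(name, value, code=PRODUCT_CODE, key=SECRET_KEY):
    """Return 'name=encoded||hmac' where the HMAC covers code + name + encoded value."""
    encoded = encode_value(value)
    digest = hmac_sha256_hex(key, code + name + encoded)
    return f"{name}={encoded}{SEPARATOR}{digest}"


def build_signed_query(params, code=PRODUCT_CODE, key=SECRET_KEY):
    """Join the individually signed parameters into one cart query string."""
    return "&".join(sign_param(n, v, code, key) for n, v in params)


def verify_signed_query(query, code=PRODUCT_CODE, key=SECRET_KEY):
    """Server-side check modelled on brett's description of the validation script.

    Splits on '&' first, hashes each value *as received* (no URL decoding before
    hashing) and compares in constant time. Returns the decoded parameters on
    success, or None if any parameter is unsigned, malformed or tampered with.
    """
    accepted = {}
    for pair in query.split("&"):
        if SEPARATOR not in pair or "=" not in pair:
            return None  # unsigned or malformed parameter
        name_value, _, supplied = pair.rpartition(SEPARATOR)
        name, _, raw_value = name_value.partition("=")
        expected = hmac_sha256_hex(key, code + name + raw_value)
        # Compare as bytes so a non-ASCII supplied hash cannot raise instead of failing.
        if not hmac.compare_digest(expected.encode("ascii"), supplied.encode("utf-8")):
            return None
        accepted[name] = urllib.parse.unquote(raw_value)
    return accepted


def split_naively(query):
    """The parameter names the cart sees when an ampersand inside a value is NOT encoded."""
    return [p.split("=", 1)[0] for p in query.split("&")]


if __name__ == "__main__":
    signed = build_signed_query(SAMPLE_PARAMS)
    print("signed query:", signed)
    print("verified:", verify_signed_query(signed))
    print("tampered price accepted:", verify_signed_query(signed.replace("price=10", "price=1")))
    print("unencoded '&' splits into:", split_naively("url=http://host/album.asp?id=11165&photo=3"))
```

    Running it with the key "key" lets you compare the `url` digest against the af37e6... value that both sides of the thread report for the Example #9 string; the tamper check shows why signing each value matters: changing `price=10` to `price=1` in the link, or dropping the `||hash` suffix, makes the verifier reject the cart.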
  • brett (FoxyCart Team)
    @Shannon, I'm so sorry for the delayed response. For some reason (real or imagined) I thought I responded to this already. Really sorry about that.

    I think the problem isn't in generating the hash, but rather in how you're passing in the value in the link. Here's a pastie showing what works:
    http://pastie.org/private/rc9bjxficbdbugtubjo3yg

    Does that clarify?
  • @brett, thanks. I'm logged into the room.