
Seb Ruiz  committed dbf3d07

First check query, then check body for query string hash

  • Parent commits f68a9e9


Files changed (1)

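--- a/lib/middleware/authentication.js
+++ b/lib/middleware/authentication.js
                 return;
             }
 
-            // On incoming requests, check the body if for query string params
-            var expectedHash = jwt.createQueryStringHash(request, true);
+            // First check query string params
+            var expectedHash = jwt.createQueryStringHash(request, false);
             var signatureHashVerified = verifiedClaims.qsh === expectedHash;
             if (!signatureHashVerified) {
-                sendError(401, 'Query hash does not match. Received: "' + verifiedClaims.qsh + '" but calculated "' + expectedHash + '". ' +
-                               'Canonical query was: "' + jwt.createCanonicalRequest(request) + '".');
-                return;
+                // If that didn't verify, it might be a post/put - check the request body too
+                expectedHash = jwt.createQueryStringHash(request, true);
+                signatureHashVerified = verifiedClaims.qsh === expectedHash;
+                if (!signatureHashVerified) {
+                    sendError(401, 'Query hash does not match. Received: "' + verifiedClaims.qsh + '" but calculated "' + expectedHash + '". ' +
+                                   'Canonical query was: "' + jwt.createCanonicalRequest(request) + '".');
+                    return;
+                }
             }
 
             success(verifiedClaims, remoteBaseUrl);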
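Review bot: The body-inclusive fallback inside the `if (!signatureHashVerified)` branch runs for every request method, not only the POST/PUT the new comment describes, so a request whose query-only hash does not match is still accepted whenever the body-inclusive hash does; if `createQueryStringHash(request, true)` folds the body into the hash (inferred from its name and the comment), that is a deliberate widening of what a single `qsh` claim authorizes and deserves a comment stating it, e.g. `// Accepting either form means a qsh computed without the body is also valid for requests that carry one`. The 401 message then reports only the second `expectedHash`, so the query-only candidate tried first is lost from the error and a genuine mismatch is harder to diagnose. Consider keeping the first value with `var queryOnlyHash = expectedHash;` before the retry and appending `'Query-only hash was: "' + queryOnlyHash + '". '` to the message. The enclosing function starts and ends outside the hunk.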