Improved security of OptInHandler.

This commit is contained in:
Travis Swientek 2014-01-24 12:32:51 -08:00
parent 6bfebad84d
commit 717cf5faed
2 changed files with 21 additions and 11 deletions

View File

@ -18,18 +18,28 @@ class OptInHandler{
} }
public function generateHash($mailingList, $secretAppId, $recipientAddress){ public function generateHash($mailingList, $secretAppId, $recipientAddress){
$concatStrings = $secretAppId . "" . $recipientAddress; $innerPayload = array('r' => $recipientAddress, 'l' => $mailingList);
return urlencode(base64_encode(json_encode(array('s' => hash('md5', $concatStrings), 'l' => $mailingList, 'r' => $recipientAddress)))); $encodedInnerPayload = base64_encode(json_encode($innerPayload));
$innerHash = hash_hmac("sha1", $encodedInnerPayload, $secretAppId);
$outerPayload = array('h' => $innerHash, 'p' => $encodedInnerPayload);
return urlencode(base64_encode(json_encode($outerPayload)));
} }
public function validateHash($secretAppId, $uniqueHash){ public function validateHash($secretAppId, $uniqueHash){
$urlParameters = json_decode(base64_decode(urldecode($uniqueHash))); $decodedOuterPayload = json_decode(base64_decode(urldecode($uniqueHash)), true);
$concatStrings = $secretAppId . "" . $urlParameters->r;
if($urlParameters->s == hash('md5', $concatStrings)){ $decodedHash = $decodedOuterPayload['h'];
$returnArray = array('recipientAddress' => $urlParameters->r, 'mailingList' => $urlParameters->l); $innerPayload = $decodedOuterPayload['p'];
return $returnArray;
$decodedInnerPayload = json_decode(base64_decode($innerPayload), true);
$computedInnerHash = hash_hmac("sha1", $innerPayload, $secretAppId);
if($computedInnerHash == $decodedHash){
return array('recipientAddress' => $decodedInnerPayload['r'], 'mailingList' => $decodedInnerPayload['l']);
} }
return false; return false;
} }
} }

View File

@ -16,17 +16,17 @@ class OptInHandler extends \Mailgun\Tests\MailgunTestCase{
public function testReturnOfGenerateHash(){ public function testReturnOfGenerateHash(){
$generatedHash = $this->optInHandler->generateHash('mytestlist@example.com', 'mysupersecretappid', 'testrecipient@example.com'); $generatedHash = $this->optInHandler->generateHash('mytestlist@example.com', 'mysupersecretappid', 'testrecipient@example.com');
$knownHash = "eyJzIjoiOGM2NmVmYzYwNzhmNGVkYjFkZGJiY2RhM2M2MmMzMTQiLCJsIjoibXl0ZXN0bGlzdEBleGFtcGxlLmNvbSIsInIiOiJ0ZXN0cmVjaXBpZW50QGV4YW1wbGUuY29tIn0%3D"; $knownHash = "eyJoIjoiMTllODc2YWNkMWRmNzk4NTc0ZTU0YzhjMzIzOTNiYTNjNzdhNGMxOCIsInAiOiJleUp5SWpvaWRHVnpkSEpsWTJsd2FXVnVkRUJsZUdGdGNHeGxMbU52YlNJc0ltd2lPaUp0ZVhSbGMzUnNhWE4wUUdWNFlXMXdiR1V1WTI5dEluMD0ifQ%3D%3D";
$this->assertEquals($generatedHash, $knownHash); $this->assertEquals($generatedHash, $knownHash);
} }
public function testGoodHash(){ public function testGoodHash(){
$validation = $this->optInHandler->validateHash('mysupersecretappid', 'eyJzIjoiOGM2NmVmYzYwNzhmNGVkYjFkZGJiY2RhM2M2MmMzMTQiLCJsIjoibXl0ZXN0bGlzdEBleGFtcGxlLmNvbSIsInIiOiJ0ZXN0cmVjaXBpZW50QGV4YW1wbGUuY29tIn0%3D'); $validation = $this->optInHandler->validateHash('mysupersecretappid', 'eyJoIjoiMTllODc2YWNkMWRmNzk4NTc0ZTU0YzhjMzIzOTNiYTNjNzdhNGMxOCIsInAiOiJleUp5SWpvaWRHVnpkSEpsWTJsd2FXVnVkRUJsZUdGdGNHeGxMbU52YlNJc0ltd2lPaUp0ZVhSbGMzUnNhWE4wUUdWNFlXMXdiR1V1WTI5dEluMD0ifQ%3D%3D');
$this->assertArrayHasKey('recipientAddress', $validation); $this->assertArrayHasKey('recipientAddress', $validation);
$this->assertArrayHasKey('mailingList', $validation); $this->assertArrayHasKey('mailingList', $validation);
} }
public function testBadHash(){ public function testBadHash(){
$validation = $this->optInHandler->validateHash('mybadsecretappid', 'eyJzIjoiOGM2NmVmYzYwNzhmNGVkYjFkZGJiY2RhM2M2MmMzMTQiLCJsIjoibXl0ZXN0bGlzdEBleGFtcGxlLmNvbSIsInIiOiJ0ZXN0cmVjaXBpZW50QGV4YW1wbGUuY29tIn0%3D'); $validation = $this->optInHandler->validateHash('mybadsecretappid', 'eyJoIjoiMTllODc2YWNkMWRmNzk4NTc0ZTU0YzhjMzIzOTNiYTNjNzdhNGMxOCIsInAiOiJleUp5SWpvaWRHVnpkSEpsWTJsd2FXVnVkRUJsZUdGdGNHeGxMbU52YlNJc0ltd2lPaUp0ZVhSbGMzUnNhWE4wUUdWNFlXMXdiR1V1WTI5dEluMD0ifQ%3D%3D');
$this->assertFalse($validation); $this->assertFalse($validation);
} }
} }