
Commit e54a013

Reject extra session token segments
1 parent 850cf5e commit e54a013

2 files changed

Lines changed: 6 additions & 2 deletions


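--- a/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
+++ b/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
@@ -377,6 +377,7 @@ describe("session signing", () => {
 const token = signSession({ provider: "coinpay", sub: "merchant-123" });
 expect(verifySession(token)).toMatchObject({ provider: "coinpay", sub: "merchant-123" });
 expect(verifySession(`${token}tampered`)).toBeNull();
+expect(verifySession(`${token}.extra`)).toBeNull();
 });
 });
 
@@ -408,6 +409,7 @@ describe("POST /api/webhooks/coinpay", () => {
 const signature = createHmac("sha256", secret).update(`${timestamp}.${payload}`).digest("hex");
 
 expect(verifyCoinPayWebhook(payload, `t=${timestamp},v1=${signature}`, secret)).toBe(true);
+expect(verifyCoinPayWebhook(payload, `t=${timestamp}, v1=${signature}`, secret)).toBe(true);
 
 const response = await coinpayWebhook(
 new NextRequest("http://localhost/api/webhooks/coinpay", {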
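Review bot: The new session-signing assertion only covers an appended third segment; the other malformed shapes the `parts.length !== 2` guard is meant to reject are not pinned, so a later refactor back to a plain destructure would pass this suite for them. Two more cases in the same test would close that gap: `expect(verifySession(token.split(".")[0])).toBeNull();` and `expect(verifySession(`${token}.`)).toBeNull();`. The webhook assertion added in the second hunk exercises only a space after the comma; a leading or trailing space on the whole header (`` ` t=${timestamp},v1=${signature} ` ``) would also be worth one line, since the trim is applied per segment.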

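--- a/apps/logicsrc-web/src/lib/coinpay.ts
+++ b/apps/logicsrc-web/src/lib/coinpay.ts
@@ -114,7 +114,7 @@ export function verifyCoinPayWebhook(
 }
 
 try {
-const parts = signatureHeader.split(",");
+const parts = signatureHeader.split(",").map((part) => part.trim());
 const timestamp = parts.find((part) => part.startsWith("t="))?.slice(2);
 const signature = parts.find((part) => part.startsWith("v1="))?.slice(3);
 if (!timestamp || !signature) {
@@ -160,7 +160,9 @@ export function signSession(payload: Record<string, unknown>): string {
 }
 
 export function verifySession(value: string): Record<string, unknown> | null {
-const [encoded, signature] = value.split(".");
+const parts = value.split(".");
+if (parts.length !== 2) return null;
+const [encoded, signature] = parts;
 if (!encoded || !signature) return null;
 
 const expected = createHmac("sha256", getSessionSecret()).update(encoded).digest("base64url");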
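Review bot: verifySession has no comment stating the token shape it accepts, so the new `parts.length !== 2` guard reads as arbitrary to the next maintainer; add above the split `// A session token is exactly "<base64url payload>.<base64url HMAC>"; any other segment count is rejected so appended or missing segments can never verify.` The existing `if (!encoded || !signature) return null;` now only catches empty segments (a leading or trailing dot), which deserves a one-line comment to that effect, e.g. `// Reject empty segments such as ".sig" or "payload.".` verifySession's body, including the comparison of `expected` with `signature`, continues outside the hunk; if that comparison is a plain `===`, a length check followed by `timingSafeEqual` on the two buffers would be the usual choice for an HMAC check. The first hunk's per-segment `trim()` is reasonable, but note that `find` still takes the first `t=`/`v1=` segment and silently ignores any duplicates, which is unchanged by this commit.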
