From e99826bfa13306dda3897d3490969032b8aa13f5 Mon Sep 17 00:00:00 2001
From: Florian Forster
Date: Tue, 16 Jan 2018 20:24:49 +0100
Subject: [PATCH] Package fitbit: Don't URL-decode Fitbit's signature.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The documentation states that that should be done, but then the signature may include "+", which URL decode turns into a space …
---
 fitbit/fitbit.go | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/fitbit/fitbit.go b/fitbit/fitbit.go
index f871604..2c0a04a 100644
--- a/fitbit/fitbit.go
+++ b/fitbit/fitbit.go
@@ -9,7 +9,6 @@ import (
 "fmt"
 "io/ioutil"
 "net/http"
- "net/url"
 "time"
 
 "github.com/octo/gfitsync/app"
@@ -46,14 +45,9 @@ func ParseToken(ctx context.Context, r *http.Request, u *app.User) error {
 }
 
 func CheckSignature(ctx context.Context, payload []byte, rawSig string) bool {
- base64Sig, err := url.QueryUnescape(rawSig)
+ signatureGot, err := base64.StdEncoding.DecodeString(rawSig)
 if err != nil {
- log.Errorf(ctx, "QueryUnescape(%q) = %v", rawSig, err)
- return false
- }
- signatureGot, err := base64.StdEncoding.DecodeString(base64Sig)
- if err != nil {
- log.Errorf(ctx, "base64.StdEncoding.DecodeString(%q) = %v", base64Sig, err)
+ log.Errorf(ctx, "base64.StdEncoding.DecodeString(%q) = %v", rawSig, err)
 return false
 }
 
-- 
2.11.0
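Review bot: The reason for skipping URL-decoding is recorded only in the commit message, so `CheckSignature` in the second hunk should carry it as a doc comment; otherwise a later reader following Fitbit's documentation may re-add `url.QueryUnescape` and break verification for every signature that contains "+". A comment such as `// CheckSignature reports whether rawSig is a valid signature for payload. rawSig is base64-decoded as received, without URL-decoding, because unescaping turns "+" into a space.` above the function would do, and a regression test with a signature value containing "+" would pin the behaviour. The rest of the function body lies outside this hunk; if the comparison of `signatureGot` with the expected value is not already done with `hmac.Equal`, it should be, so the check does not leak timing information.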