php-rest-api

Request signature validation fixes

Open chrisminett opened this issue 2 years ago • 1 comments

  • Passing null when the header is missing causes a TypeError, as the signature must be a string.
  • $_SERVER params were being accessed using undefined constants auto-converted to strings. Fix to use regular strings.
  • HTTP headers are usually keyed with an HTTP_ prefix, using all uppercase characters and underscores. The existing check for simply MessageBird-Signature-JWT did not pick up the header when using Apache. Maybe that works on other web servers, so I've left it as a fallback.

chrisminett, Apr 29 '23 08:04
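
The header lookup described in the list above, as an added example that is not code from this PR or from the SDK: it derives the HTTP_-prefixed `$_SERVER` key, falls back to the literal header name, and fails closed when the header is missing instead of handing null to a validator that needs a string. The function names are hypothetical and the `$_SERVER` arrays are constructed samples.

```php
<?php
declare(strict_types=1);

// Map a header name to the key CGI-style SAPIs use in $_SERVER,
// e.g. "MessageBird-Signature-JWT" -> "HTTP_MESSAGEBIRD_SIGNATURE_JWT".
function serverKeyForHeader(string $header): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $header));
}

// Return the header value from a $_SERVER-style array, or null when absent.
// The HTTP_* key is tried first, then the literal header name as a fallback.
function findHeader(array $server, string $header): ?string
{
    foreach ([serverKeyForHeader($header), $header] as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return null;
}

// Hypothetical guard: reject an unsigned request explicitly rather than
// letting a null reach a function whose signature parameter is a string.
function requireSignature(array $server): string
{
    $signature = findHeader($server, 'MessageBird-Signature-JWT');
    if ($signature === null) {
        throw new RuntimeException('Missing MessageBird-Signature-JWT header');
    }
    return $signature;
}

// Constructed sample inputs (not captured traffic).
$apache   = ['REQUEST_METHOD' => 'POST', 'HTTP_MESSAGEBIRD_SIGNATURE_JWT' => 'constructed.jwt.value'];
$fallback = ['REQUEST_METHOD' => 'POST', 'MessageBird-Signature-JWT' => 'constructed.jwt.value'];
$unsigned = ['REQUEST_METHOD' => 'POST'];

var_dump(requireSignature($apache));
var_dump(requireSignature($fallback));
try {
    requireSignature($unsigned);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Treating the missing header as a rejected request keeps the failure an authentication decision (for example an HTTP 401) rather than an uncaught TypeError.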

@ErikBooijMB is there anything I need to add to get this PR approved? I'm not sure how anyone could use signature validation currently as it seems to be entirely broken for us, and blocking using v3 of this package.

chrisminett, Nov 05 '24 14:11