When generating the signature to compare, append a trailing &.
The OAuth spec (http://tools.ietf.org/html/rfc5849#section-3.4.2) states that a & character must be present, even if a token secret is not a part of the request.
parent
1e5d508675
commit
c43f9157c3
|
@ -264,7 +264,8 @@ class WC_API_Authentication {
|
|||
|
||||
$hash_algorithm = strtolower( str_replace( 'HMAC-', '', $params['oauth_signature_method'] ) );
|
||||
|
||||
$signature = base64_encode( hash_hmac( $hash_algorithm, $string_to_sign, $keys['consumer_secret'], true ) );
|
||||
$secret = $keys['consumer_secret'] . '&';
|
||||
$signature = base64_encode( hash_hmac( $hash_algorithm, $string_to_sign, $secret, true ) );
|
||||
|
||||
if ( ! hash_equals( $signature, $consumer_signature ) ) {
|
||||
throw new Exception( __( 'Invalid Signature - provided signature does not match', 'woocommerce' ), 401 );
|
||||
|
|
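Review bot: The new `$secret` line builds the HMAC key from the raw consumer secret, while RFC 5849 section 3.4.2 defines the key as the percent-encoded consumer secret, then `&`, then the percent-encoded token secret. If a consumer secret can ever contain characters outside the unreserved set, a conforming client would compute a different signature; `$secret = rawurlencode( $keys['consumer_secret'] ) . '&';` keeps both sides aligned and changes nothing for purely alphanumeric secrets. Separately, `$hash_algorithm` is derived from the request's `oauth_signature_method`, and the hunk does not show whether it is restricted to an allowlist before it reaches `hash_hmac()`. That is worth confirming, since the enclosing method starts and ends outside this hunk. A short comment such as `// No token secret is used, so the key is "<consumer_secret>&" (RFC 5849 section 3.4.2)` would also explain the bare `&` to the next reader.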