How to properly use hash_hmac in PHP to generate a SHA-256 HMAC used to verify the H parameter returned during the authentication workflow.
I need to know what the process is. I have followed the process outlined in the ShareFile API to complete this task, but I am always left with an incorrect HMAC.
Here are the steps from the API:
- Remove the "h" query string parameter from your request URI.
- Parse out just the path and remaining query string parameters. For example, if the request uri is:
https://www.myapp.com/oauth?code=c123&subdomain=mycompany&apicp=sharefile.com&appcp=sharefile.com&h=abcdef1234
then the path and query string you will be validating will be /oauth?code=c123&subdomain=mycompany&apicp=sharefile.com&appcp=sharefile.com
- Convert the path and query string to an array of bytes using UTF-8 encoding.
- Create a digest of the array of bytes using HMAC SHA-256, using your client secret.
- Convert the digest to text using base 64 encoding.
- URL encode the text and compare to the value in the "h" query string parameter. If they match, then you can trust the data was not tampered with. If they don't match you should ignore the values and re-authenticate.
So I am doing these as stated. Laravel has built-in functions for gathering only the URL path, and $request->except('h'); gets me all the params except h. I have tried parsing this to UTF-8, an array of bytes, hex, etc., then using hash_hmac with my client secret, and tried setting raw data to true and false on that, base64 encoding it after the fact, etc., but I can't get it to work. What's the proper process?
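The quoted steps carried out literally in PHP, as an added example that is not part of the original post or of the ShareFile documentation. The function name `verifyH` and the demo secret are made up for illustration; the sketch assumes the signature covers the path and query string exactly as received, so it works on the raw request URI instead of rebuilding the query from decoded parameters, which can change their order or percent-encoding.

```php
<?php
declare(strict_types=1);

// $requestUri: the raw URI as received (e.g. $_SERVER['REQUEST_URI']), still percent-encoded.
function verifyH(string $requestUri, string $clientSecret): bool
{
    $path  = (string) parse_url($requestUri, PHP_URL_PATH);
    $query = (string) parse_url($requestUri, PHP_URL_QUERY);

    // Step 1: drop "h" but keep every other pair byte-for-byte and in its original order.
    $kept = [];
    $received = null;
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        if (strncmp($pair, 'h=', 2) === 0) {
            $received = substr($pair, 2); // raw value, still URL-encoded
            continue;
        }
        $kept[] = $pair;
    }
    if ($received === null) {
        return false; // no signature present: treat as untrusted
    }

    // Steps 2-3: path + remaining query. A PHP string is already a byte array,
    // so there is no separate "convert to UTF-8 bytes" call for an ASCII URI.
    $signed = $path . ($kept ? '?' . implode('&', $kept) : '');

    // Steps 4-5: raw (binary) HMAC output, then base64. Hex output encoded as base64 will not match.
    $expected = base64_encode(hash_hmac('sha256', $signed, $clientSecret, true));

    // Step 6: compare in decoded form so encoder differences (%2b vs %2B) do not matter;
    // hash_equals gives a constant-time comparison.
    return hash_equals($expected, rawurldecode($received));
}

// Constructed demo: sign the example URI from the steps with a made-up secret, then verify.
$secret = 'constructed-demo-secret';
$base   = '/oauth?code=c123&subdomain=mycompany&apicp=sharefile.com&appcp=sharefile.com';
$h      = rawurlencode(base64_encode(hash_hmac('sha256', $base, $secret, true)));

var_dump(verifyH('https://www.myapp.com' . $base . '&h=' . $h, $secret));  // untampered request
var_dump(verifyH('https://www.myapp.com' . str_replace('c123', 'c999', $base) . '&h=' . $h, $secret)); // code altered after signing
```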