Inconsistencies between the libraries

[vilarfg]

I'm currently implementing a signing library for Go.

I read the docs.

Then I looked into the JS, Python, Java, C# and PHP implementations.

The docs state that the hashable base should be:

token_security_key + signed_url + expiration + (optional)remote_ip + (optional)encoded_query_parameters

and give this as an example hashable base 👍

security-key/my-directory/12345192.168.1.1token_countries=SI,GB&width=500&token_path=/my-directory/

JS does this, which looks right 👍

hashable_base = securityKey + signaturePath + expires + ((userIp != null) ? userIp : "") + parameterData;

Python flips the user IP with the parameter data 👎

hashable_base = security_key + signature_path + expires + parameter_data + {1: user_ip, 0: ""}[user_ip != None]

Java flips the user IP with the parameter data 👎

hashableBase = securityKeyIn + signaturePath + expires + parameterData + ((userIp.length() > 0) ? userIp : "")

C# puts the user IP before the expiration 😱:

var hashableBase = $"{config.SecurityKey}{signaturePath}{config.UserIp}{expires}"
                                              + parameterData // with a for loop;

PHP does this, which looks right 👍

  $hashableBase = $securityKey.$signature_path.$expires;

    // If using IP validation
    if(!is_null($user_ip))
    {
        $hashableBase .= $user_ip;
    }

    $hashableBase .= $parameter_data;

So, which library is right?
Is the order of the components of the hashable base not important?
Can you provide a test suite, preferably in JavaScript, so that I can use it to test my Go code? (I'm hesitant to use the C# test suite, as it does not seem to follow the specifications).

Please advise, thanks.

Note: No library implements the limit functionality (I guess the caller can just put it the url search before signing 🤔).

[vilarfg]

@DejanPelzel 👀