retroactively fix client HMAC for special character enpoints (#397)

* fix HMAC for names with spaces * client backwards compatibility * update version
linkedin · Jun 28, 2023 · aa603ff · aa603ff
1 parent 08b94bd
commit aa603ff
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/src/oncall/__init__.py b/src/oncall/__init__.py
@@ -1 +1 @@
-__version__ = '2.0.0'
+__version__ = '2.0.1'
diff --git a/src/oncall/auth/__init__.py b/src/oncall/auth/__init__.py
@@ -7,6 +7,7 @@
 import hashlib
 import base64
 import importlib
+from urllib.parse import quote
 from falcon import HTTPUnauthorized, HTTPForbidden, Request
 from .. import db
 
@@ -127,6 +128,12 @@ def check_calendar_auth_by_id(team_id, req):
 
 
 def is_client_digest_valid(client_digest, api_key, window, method, path, body):
+ # calulate HMAC hash with quoted and unquoted path for legacy client backwards compatibility
+ text = '%s %s %s %s' % (window, method, quote(path), body)
+ HMAC = hmac.new(api_key, text.encode('utf-8'), hashlib.sha512)
+ digest = base64.urlsafe_b64encode(HMAC.digest())
+ if hmac.compare_digest(bytes(client_digest, 'utf-8'), digest):
+ return True
  text = '%s %s %s %s' % (window, method, path, body)
  HMAC = hmac.new(api_key, text.encode('utf-8'), hashlib.sha512)
  digest = base64.urlsafe_b64encode(HMAC.digest())